Security Policy

Drfocused approach to security

drfocused is on a mission to make doctors' working lives better. To help us achieve this, we need to make sure that your data is secure; protecting it is one of our most important responsibilities. We’re committed to being transparent about our security practices and helping you understand our approach.

Organizational security

At drfocused we are creating and maintaining a platform that is based on the world’s best data protection and security standards at all levels. We are registered with ICO and comply with IG SoC. drfocused is actively preparing to comply with the new European directive, GDPR (General Data Protection Regulation), from the 25th of May 2018. drfocused has established an industry-leading security program, dedicated to ensuring customers have the highest confidence in our custodianship of their data. Our security program is aligned to the ISO 27000 standards and is regularly audited and assessed by third parties and customers.

Personnel security

drfocused personnel practices apply to all members of the drfocused workforce (“workers”), both regular employees and independent contractors, who have direct access to drfocused internal information systems (“systems”) and/or unescorted access to drfocused office space. All workers are required to understand and follow internal policies and standards.

Before gaining initial access to systems, all workers must agree to confidentiality terms, pass a background screening, and attend security training. This training covers privacy and security topics, including device security, acceptable use, preventing malware, physical security, data privacy, account management, and incident reporting.

Upon termination of working at drfocused, all access to drfocused systems is removed immediately.

Security and privacy training

During their tenure, all workers are required to complete a refresh of privacy and security training at least annually. They are also required to acknowledge that they’ve read and will follow drfocused information security policies at least annually. Some workers, such as engineers, operators and support personnel who may have elevated access to systems or data, will receive additional job-specific training on privacy and security. Workers are required to report security and privacy issues to appropriate internal teams. Workers are informed that failure to comply with acknowledged policies may result in consequences, up to and including termination.

Dedicated security professionals

drfocused has defined roles and responsibilities to delineate which roles in the organization are responsible for operating the various aspects of our Information Security Management System (ISMS). The responsibilities of each role are detailed in drfocused security documents.

At the center of administering our ISMS is drfocused Security Team. drfocused has appointed a Chief Security Officer (CSO) with overall responsibility for the implementation and management of our ISMS. The CSO is supported by the other members of drfocused Security Team, which currently consists of over a dozen security professionals with more than 100 years of combined experience, focusing on Product Security, Security Operations, Computer Security Incident Response, and Risk and Compliance.

Together, these teams divide responsibilities for key aspects of drfocused security program, as follows:

Product Security

● Establish secure development practices and standards

● Ensure project-level security risk assessments

● Provide design review and code review security services for detection and removal of common security flaws

● Train developers on secure coding practices

Security Operations

● Build and operate security-critical infrastructure including drfocused public key infrastructure, event monitoring, and authentication services

● Maintain a secure archive of security-relevant logs

● Consult with operations personnel to ensure the secure configuration and maintenance of drfocused production environment

CSIRT (Computer System Incident Reporting Team)

● Respond to alerts related to security events on drfocused systems

● Manage security incidents

● Acquire and analyze threat intelligence

Risk and Compliance

● Coordinate penetration testing

● Manage vulnerability scanning and remediation

● Coordinate regular risk assessments, and define and track risk treatment

● Manage the security awareness program

● Coordinate audit and maintain security certifications

● Respond to customer inquiries

● Review and qualify vendor security posture

These policies are living documents: they are regularly reviewed and updated as needed, and made available to all workers to whom they apply.

Audits, compliance, and 3rd party assessments

drfocused operates a comprehensive information security program designed to address the vast majority of the requirements of common security standards. Please contact your Account Executive, or Support, for more information about the security standards with which drfocused complies and to request copies of available reports and certifications.

Audits

drfocused evaluates the design and operation of its overall ISMS for compliance with internal and external standards. drfocused engages credentialed assessors to perform external audits at least once per year. Audit results are shared with senior management and all findings are tracked to resolution.

Penetration testing

drfocused engages independent entities to conduct regular application-level and infrastructure-level penetration tests. Results of these tests are shared with drfocused management. drfocused Security Team reviews and prioritizes the reported findings and tracks them to resolution. Customers wishing to conduct their own penetration test of drfocused application may request to do so and should contact their account representative to obtain permission from both drfocused and drfocused hosting provider.

Legal compliance

drfocused employs dedicated legal and compliance professionals with extensive expertise in data privacy and security. These professionals are embedded in the development lifecycle and review products and features for compliance with applicable legal and regulatory requirements. drfocused also has a business code of conduct that makes legal, ethical and socially responsible choices and actions fundamental to our values and defines standards for meeting those goals.

Secure by design. Secure Development Lifecycle

drfocused assesses the security risk of each software development project according to our Secure Development Lifecycle. Before completion of the design phase, drfocused undertakes an assessment to qualify the security risk of the software changes introduced.

This risk analysis leverages both the OWASP Top 10 and the experience of drfocused Product Security team to categorize every project as High, Medium, or Low risk. Based on this analysis, drfocused creates a set of requirements that must be met before the resulting change may be released to production.

All code is checked into a version-controlled repository. Code changes are subject to peer review and continuous integration testing. For the drfocused web application, drfocused Security Team operates continuous automated static analysis using advanced tools and techniques.

Significant defects identified by this process are reviewed and followed to resolution by the Security Team.

Protecting customer data

The focus of drfocused security program is to prevent unauthorized access to customer data. To this end, our team of dedicated security practitioners, working in partnership with peers across all our teams, take exhaustive steps to identify and mitigate risks, implement best practices, and constantly evaluate ways to improve.

Data encryption in transit and at rest

drfocused transmits data over public networks using strong encryption. This includes data transmitted between drfocused clients and the drfocused service. drfocused supports the latest recommended secure cipher suites to encrypt all traffic in transit, including use of TLS 1.2 protocols, AES 256 encryption, and SHA 2 signatures, as supported by the clients.

drfocused monitors the changing cryptographic landscape and upgrades the cipher suite choices as the landscape changes, while also balancing the need for compatibility with older clients.

Data at rest in drfocused production network is encrypted using FIPS 140-2 compliant encryption standards. This applies to all types of data at rest within drfocused systems: relational databases, i.e. stores, database backups, etc. drfocused stores encryption keys in a secure server on a segregated network with very limited access. Keys are never stored on the local filesystem, but are delivered at process start time and retained only in memory while in use.

The drfocused service is hosted in data centers maintained by industry-leading service providers. Data center providers offer state-of-the-art physical protection for the servers and related infrastructure that comprise the operating environment for the drfocused service.

These service providers are responsible for restricting physical access to drfocused systems to authorized personnel.

Each drfocused customer’s data is hosted in drfocused shared infrastructure and segregated logically by the drfocused application. drfocused uses a combination of storage technologies to ensure customer data is protected from hardware failures and returns quickly when requested.

Network security

drfocused divides its systems into separate networks to better protect more sensitive data. Systems supporting testing and development activities are hosted in a separate network from systems supporting drfocused production website. Customer data submitted into the drfocused services is only permitted to exist in drfocused production network, its most tightly controlled network. Administrative access to systems within the production network is limited to those engineers with a specific business need.

Network access to drfocused production environment from open, public networks (the internet) is restricted. Only a small number of production servers are accessible from the internet. Only those network protocols essential for delivery of drfocused service to its users are open at drfocused perimeter. drfocused deploys mitigations against distributed denial of service (DDoS) attacks at its network perimeter. Changes to drfocused production network configuration are restricted to authorized personnel.

In drfocused hosted production environment, control of network devices is retained by the hosting provider. For that reason, Intrusion Detection / Intrusion Prevention (IDS/IPS) are performed using host-based controls. For example, drfocused logs, monitors, and audits system calls and has developed alerts for system calls that indicate a potential intrusion.

Classifying and inventorying data

To better protect the data in our care, drfocused classifies data into different levels and specifies the labeling and handling requirements for each of those classes. drfocused ISMS considers data classifications in its encryption standards, its access control and authorization procedures, and incident response standards, among other security documents. Customer data is classified at the highest level.

Data classifications are maintained as part of the asset management process. drfocused inventories hardware, software and data assets at least annually to maintain correct data classification levels. drfocused restricts the flow of data to ensure that only appropriately classified systems may contain Customer data.

Authorizing access

To minimize the risk of data exposure, drfocused adheres to the principle of least privilege: workers are only authorized to access data that they reasonably must handle in order to fulfill their current job responsibilities. To ensure that users are so restricted, drfocused employs the following measures:

● All systems used at drfocused require users to authenticate, and users are granted unique identifiers for that purpose.

● Each user’s access is reviewed at least quarterly to ensure the access granted is still appropriate for the user’s current job responsibilities.

Workers may be granted access to a small number of internal systems, such as the corporate drfocused instance, by default upon hire. Requests for additional access follow a documented process and are approved by the responsible owner or manager.

Authentication

To further reduce the risk of unauthorized access to data, drfocused employs multi-factor authentication for administrative access to systems with more highly classified data. Where possible and appropriate, drfocused uses private keys for authentication. For example, at this time, administrative access to production servers requires operators to connect using both an SSH key and a one-time password associated with a device-specific token. Where passwords are used, multi-factor authentication is enabled for access to higher data classifications. The passwords themselves are required to be complex (auto-generated to ensure uniqueness, longer than 12 characters, and not consisting of a single dictionary word, among other requirements).

drfocused requires personnel to use an approved password manager. Password managers generate, store and enter unique and complex passwords. Use of a password manager helps avoid password reuse, phishing, and other behaviors that can reduce security.

System monitoring, logging, and alerting

drfocused monitors servers, workstations and mobile devices to retain and analyze a comprehensive view of the security state of its corporate and production infrastructure. Administrative access, use of privileged commands, and system calls on all servers in drfocused production network are logged.

drfocused Security Team collects and stores production logs for analysis. Logs are stored in a separate network. Access to this network is restricted to members of the Security Team. Logs are protected from modification and retained for at least two years. Analysis of logs is automated to the extent practical to detect potential issues and alert responsible personnel. Alerts are examined and resolved based on documented priorities.

Endpoint monitoring

drfocused workstations run a variety of monitoring tools that may detect suspicious code or unsafe configurations or user behavior. drfocused Security Team monitors workstation alerts and ensures significant issues are resolved in a timely fashion.

Mobile device management

Mobile devices that are used to transact company business are centrally managed and required to be enrolled in the appropriate mobile device management systems, to ensure they meet drfocused security standards.

Responding to security incidents

drfocused has established policies and procedures (also known as runbooks) for responding to potential security incidents. All incidents are managed by drfocused dedicated Computer Security Incident Response Team. drfocused defines the types of events that must be managed via the incident response process. Incidents are classified by severity. Incident response procedures are tested and updated at least annually.

Data and media disposal

Customer data is removed immediately upon deletion or message retention expiration. drfocused hard deletes all information from currently running production systems (excluding team and channel names, and search terms embedded in URLs in web server access logs). Backups are destroyed within 14 days. drfocused follows industry standards and advanced techniques for data destruction.

drfocused defines policies and standards requiring media be properly sanitized once it is no longer in use. drfocused hosting provider is responsible for ensuring removal of data from disks allocated to drfocused use before they are repurposed.

Protecting secrets

drfocused has implemented appropriate safeguards to protect the creation, storage, retrieval, and destruction of secrets such as encryption keys and service account credentials.

Workstation security

All workstations issued to workers are configured by drfocused to comply with our standards for security. These standards require all workstations to be properly configured, kept updated, run monitoring software, and be tracked by drfocused endpoint management solution. drfocused default configuration sets up workstations to encrypt data, have strong passwords, and lock when idle. Workstations run up-to-date monitoring software to report potential malware and unauthorized software and mobile storage devices.

Controlling system operations and continuous deployment

We take a variety of steps to combat the introduction of malicious or erroneous code to our operating environment and protect against unauthorized access.

Controlling change

To minimize the risk of data exposure, drfocused controls changes, especially changes to production systems, very carefully. drfocused applies change control requirements to systems that store data at higher levels of sensitivity. These requirements are designed to ensure that changes potentially impacting Customer Data are documented, tested, and approved before deployment.

Prevention and detection of malicious code

In addition to general change control procedures that apply to our systems, drfocused production network is subject to additional safeguards against malware.

Server hardening

New servers deployed to production are hardened by disabling unneeded and potentially insecure services, removing default passwords, and applying drfocused custom configuration settings to each server before use.

File change management

drfocused maintains the configuration of its production servers by using a configuration management system (CMS) that runs frequently to check that only the authorized version of key files are deployed. This CMS will overwrite files found on servers that don’t match the correct version stored in a change controlled repository.

Disaster recovery and business continuity

drfocused utilizes services provided by its hosting provider to distribute its production operation across four separate physical locations. These four locations are within one geographic region, but protect drfocused service from loss of connectivity, power infrastructure and other common location-specific failures. Production transactions are replicated among these discrete operating environments, to protect the availability of drfocused service in the event of a location-specific catastrophic event. drfocused also retains a full backup copy of production data in a remote location more than 2500 miles from the location of the primary operating environment. Full backups are saved to this remote location once per day and transactions are saved continuously. drfocused tests backups at least quarterly to ensure they can be correctly restored.

3rd party suppliers

To run its business efficiently, drfocused relies on sub-service organizations. Where those sub-service organizations may impact the security of drfocused production environment, drfocused takes appropriate steps to ensure its security posture is maintained. drfocused establishes agreements that require service organizations adhere to confidentiality commitments drfocused has made to its users. drfocused monitors the effective operation of the organization’s safeguards by conducting reviews of its service organization controls before use and at least annually.

Data security, international transfers and breaches

Security policy

drfocused has an information security policy supported by appropriate security measures.

International transfers

drfocused ensures an adequate level of protection for any personal data processed by others on your behalf that is transferred outside the European Union.

Breach notification

drfocused has effective processes to identify, report, manage and resolve any personal data breaches.