Information Security Within The PASSsystem
This provides information for everyLIFE customers about the security of information held within The PASSsystem.
What is The PASSsystem?
The PASSsystem is a digital care planning, monitoring and inclusion solution that has been developed by everyLIFE Technologies. It is available for care providers to purchase to manage their care business. When a care business buys The PASSsystem, they maintain all care records on the system instead of paper records.
At everyLIFE, we take the security of personal information very seriously and have taken technical and organisational measures to ensure the security of the information that we hold. We are registered with the Information Commissioner’s Office (ICO) and adhere to their information governance standards, as demonstrated through self-assessment and submission of the IG Toolkit. All our employees have received the NHS Digital Data Security Awareness Training, which meets the minimum mandatory requirement set out by the ICO.
We are ISO 27001 certified/accredited, having achieved compliance for the last two consecutive years. ISO 27001 is the international standard which is recognised globally for managing the risks to the information that you hold. This includes, inter alia, having in place policies and procedures for establishing, implementing and monitoring an information security management system.
In addition, we take the following measures to protect the information contained within The PASSsystem:
- Access control for care workers that is differentiated from that afforded to care managers
- We have had an independent penetration test of our system performed by Portcullis, an IT security company that is part of Cisco
- The database is not public facing and access is secure due to its location behind two highly protected gateways that would need to be overcome to gain access
- We take a backup 5 times per 24-hour period and store one of these in a geographically separate data centre
- We have cluster infrastructure which means that if the database were to ‘break’, another would kick in within a matter of seconds
Data confidentiality means that it must not be possible for any unauthorised users to view your data. To achieve this all data must be encrypted in transit and at rest.
- In transit refers to any time data is transmitted between server and database, or over a network, for example between our servers and a care worker's mobile application.
- At rest refers to any time data is stored on our servers or databases.
Security & Confidentiality – Data in Transit
All data transmitted to and from the web and mobile applications is encrypted using industry-standard secure HTTPS connections. We use SSL certificates to verify the identity of the server the data is sent to. This is the same type of encryption used to secure internet banking details and is proven to be secure.
Security & Confidentiality – Data at Rest
Particularly sensitive data at rest on our servers is also hashed. Hashing is different from encryption, as encrypted data can be decrypted with the encryption key. Hashed data can never be reversed to reveal the original input data. We hash all passwords in addition to our transport encryption, so not even authorised users with access to the database could ever discover a user's password.
everyLIFE are responsible for securing access to your data in our cloud infrastructure. Security of the cloud infrastructure itself is provided by Amazon, who are the market leaders in cloud web services. For more information on the security provided for our services by Amazon, see https://aws.amazon.com/security/. Amazon are also audited by an independent third party to verify they are providing the services they state, with specific regard to security, availability and confidentiality. See https://aws.amazon.com/compliance/soc-faqs/ for more details.
Data integrity means verifying that no-one can edit or manipulate data they should not have access to. This requires effective access management. At everyLIFE, we have a process for managing access to information within The PASSsystem, ensuring that only those individuals whose job role requires them to have access to information can do so.
We architect The PASSsystem for high availability. This means that we expect hardware failures to occur and build our platform with this in mind. Many elements of our service span data centres called Availability Zones and The PASSsystem can continue to run in the event of a hardware failure or even the sudden loss of an entire Availability Zone. All customer data is backed up regularly and stored on highly durable storage in a separate physical location from the source of the backup.
The IG Toolkit is an online system which allows organisations to assess themselves or be assessed against information governance policies and standards and sets out what health and care organisations must do to look after information properly. It also allows members of the public to view participating organisations’ IG Toolkit assessments.