
Security

This page provides information for everyLIFE customers about the security of information held within PASS. Below that, you will find a useful checklist to help you prepare for an inspection.

What is PASS?

PASS is a digital care planning, monitoring and inclusion solution that has been developed by everyLIFE. It is available for care providers to purchase to manage their care business. When a care business buys PASS, they maintain all care records on the system instead of paper records.


Security

At everyLIFE, we take the security of personal information very seriously and have taken technical and organisational measures to ensure the security of the information that we hold. We are registered with the Information Commissioner’s Office (ICO) and adhere to their information governance standards as demonstrated through self-assessment and submission of the IG Toolkit. All our employees have received the NHS Digital Data Security Awareness Training, which meets the minimum mandatory requirement set out by the ICO. We are ISO 27001 certified / accredited, having achieved compliance for the last two consecutive years. ISO 27001 is the globally recognised international standard for managing the risks to the information that you hold. This includes, inter alia, having in place policies and procedures for establishing, implementing and monitoring an information security management system.

In addition, we take the following measures to protect the information contained within PASS:

  • Access control for care workers that is differentiated from that afforded to care managers
  • We have regular (at least yearly) independent penetration tests of our system performed by approved testers such as Portcullis and Cobalt
  • The database is not public facing and access is secure due to its location behind two highly protected gateways
  • We take a backup 5 times per 24-hour period and store one of these in a geographically separate data centre
  • We have Highly-Available (HA) clustered infrastructure, which means that if our application or database were to ‘break’, another would seamlessly take over within a matter of seconds
  • This infrastructure is hosted by Amazon Web Services (AWS), who provide significant physical security layers to their data centres.

All customer data is stored at data centres in the UK, with a back-up of this data stored separately in Ireland.


Confidentiality

Data confidentiality means that it must not be possible for any unauthorised users to view your data. To achieve this, all data must be encrypted in transit and at rest.

  • ‘In transit’ refers to when data is transmitted between server and database, or over a network between our servers and a care worker’s mobile application, for example.
  • ‘At rest’ refers to data that is stored on our servers or databases.

Security & Confidentiality – Data in Transit

All data transmitted to and from the web and mobile applications is encrypted using industry-standard secure HTTPS connections. We use SSL certificates to verify the identity of the server the data is sent to. This is the same type of encryption used to secure internet banking details and is proven to be secure.

Security & Confidentiality – Data at Rest

Particularly sensitive data at rest on our servers is also hashed. Hashing is different from encryption, as encrypted data can be decrypted with the encryption key. Hashed data can never be reversed to reveal the original input data. We hash all passwords in addition to our transport encryption, so not even authorised users with access to the database could ever discover a user’s password.

everyLIFE are responsible for securing access to your data in our cloud infrastructure. Security of the cloud infrastructure itself is provided by Amazon, who are the market leaders in cloud web services. For more information on the security provided for our services by Amazon, see https://aws.amazon.com/security/. Amazon are also audited by an independent third party to verify they are providing the services they state with specific regard to security, availability and confidentiality. See https://aws.amazon.com/compliance/soc-faqs/ for more details.


Integrity

Data integrity means verifying that no-one can edit or manipulate data they should not have access to. This requires effective access management. At everyLIFE, we have a process for managing access to information within PASS, ensuring that only those individuals whose job role requires them to have access to information can do so.


Availability

We architect PASS for high availability. This means that we expect hardware failures to occur and build our platform with this in mind. Many elements of our service span data centres called Availability Zones and PASS can continue to run in the event of a hardware failure or even the sudden loss of an entire Availability Zone. All customer data is backed up regularly and stored on highly durable storage in a separate physical location from the source of the backup.

The IG Toolkit is an online system which allows organisations to assess themselves or be assessed against information governance policies and standards and sets out what health and care organisations must do to look after information properly. It also allows members of the public to view participating organisations’ IG Toolkit assessments.

Inspection Ready Checklist

The following outline checklist has been prepared in association with a consultant to the care sector who works with care companies to help them prepare for, and successfully negotiate, regulatory audits.

If you are considering an audit, we can help you make sure that you have made the right preparations. Audits not only ensure compliance with the CQC and other regulators, such as Care Inspectorate Wales and Care Inspectorate Scotland, but also make sure that your company is being run as effectively as possible. A successful audit can maintain or improve your reputation in the community, help increase confidence in management, and can be used as a “due diligence” review for current or potential investors.

Evidence is the key to passing any inspection. This provides proof that you are following the correct policies and procedures and that you are fully compliant. Digital systems ensure continuous evidence.

You can pursue a self-audit or use specialist consultants, but in both cases you need to make sure you meet the standards for your next inspection. The questions and information below will help you to achieve a smooth and successful audit. Feel free to talk to us for further advice. Just call us on 03300 940 121. We are happy to help.
