Security & Service Statement

Revision 4.0 - updated April 27, 2017

Purpose

SMART-TRIAL strives to achieve a high degree of data and communication security, as sensitive information may be stored in relation to the usage of SMART-TRIAL. To assure all stakeholders of SMART-TRIAL that such efforts have been implemented, this document clarifies which measures have been taken in the design and production of SMART-TRIAL in relation to data storage, backup, security and privacy, and to the international and country-specific regulations which must be complied with when handling personally identifiable information or other sensitive healthcare-related data.

Application

This document applies to all actors and users of the SMART-TRIAL system as a whole. SMART-TRIAL is owned, developed, and maintained by MEDEI ApS (VAT NR: DK35139710) [1]. MEDEI ApS is an independent legal entity and the copyright owner of SMART-TRIAL.
All users of SMART-TRIAL are direct customers of MEDEI ApS and shall therefore only be bound to usage and license terms, and data processing agreements with MEDEI ApS.

References

  1. https://www.medei.dk
  2. SMART-TRIAL license agreement - English version is available here
  3. https://azure.microsoft.com/en-us/support/trust-center/compliance/
  4. https://azure.microsoft.com/en-us/support/legal/sla/summary/
  5. https://azure.microsoft.com/en-us/support/trust-center/privacy/
  6. https://azure.microsoft.com/en-us/support/trust-center/security/
  7. https://azure.microsoft.com/en-us/support/trust-center/security/monitor-log-report/
  8. http://www.datatilsynet.dk/ Danish Data Protection Agency
  9. Danish executive order no. 528 of 15/06/2000, as amended (no. 201 of 22/03/2001) - Sikkerhedsbekendtgørelsen
  10. https://www.microsoft.com/en-us/TrustCenter/Privacy/Responding-to-govt-agency-requests-for-customer-data
  11. https://azure.microsoft.com/en-us/documentation/articles/storage-redundancy/#locally-redundant-storage
  12. https://azure.microsoft.com/en-us/regions/

Terms

May
Used to describe a permissible way to achieve compliance
PII
Personally Identifiable Information
Shall or must
Compliance is mandatory
Should
Compliance is recommended, but not mandatory
SOP
Standard Operating Procedure
User/customer
Used to describe a person who has a user profile on SMART-TRIAL

Security Statement

1. MEDEI ApS Policies and Procedures

1.1. Information Security Management

MEDEI ApS has a set of standard operating procedures (SOPs) which state how information security shall be managed within MEDEI ApS. This covers not only general internal information security but product-specific information security as well, such as that regarding SMART-TRIAL and SMART-TRIAL’s customers.
The SOPs specify how all employees and subcontractors should conform with information security and data management at MEDEI ApS, and are strongly influenced by ISO/IEC 27002.

1.2. Data Protection Officer

MEDEI ApS has appointed a Data Protection Officer who handles all data protection issues and queries regarding MEDEI ApS and SMART-TRIAL, as required of MEDEI ApS by EU Regulation 2016/679. The Data Protection Officer can be contacted via e-mail. Any enquiries regarding data protection and data policy will be handled and responded to in a timely manner, according to the specifics noted in EU Regulation 2016/679.

1.3. Human Resources and Education

All personnel who have access to, or administer, production environments containing PII are educated in the concepts of information security and relevant technologies, and must adhere to all relevant SOPs within MEDEI ApS.
Only employees who have been certified by MEDEI’s CTO and/or CEO can gain access to perform administrative operations on production environments for SMART-TRIAL. This does not, however, enable employees to gain direct access to any PII.

1.4. Access Control

Access to any security-critical systems of SMART-TRIAL, such as database management systems, servers, or other production environment technologies, is only granted to specific employees on a need-to-know basis. Access to each of these systems is handled in accordance with the internal information security management SOPs. A record of system access is kept for compliance purposes and reviewed accordingly.

1.5. Production Monitoring

All production systems and servers are monitored for malicious activity and maintained accordingly – both manually and via automatic monitoring. Access logs for servers and production service environments are reviewed on a regular basis.

1.6. Design and Development Standards

SMART-TRIAL is designed and developed in conformance with the IEC 62304 standard while following MEDEI’s quality management system, which is designed according to ISO 13485.

1.7. SMART-TRIAL Development Stack

SMART-TRIAL is primarily coded in JavaScript, HTML, CSS. Both application and database management systems run on combinations of Linux and Windows servers.

1.8. Coding Standards

Development and software programming is performed according to the standards of the MEDEI ApS quality management system. Code styles used are in line with Google’s coding style guides, and all development follows specific workflow guidelines. All production code is subject to regular code inspection/review and testing.

2. Hosting Services and Data Policy

2.1 Hosting Service Provider

Microsoft is the only hosting service provider for SMART-TRIAL. Microsoft is bound by a data processing agreement with MEDEI ApS (Microsoft Online Service Terms - Vilkår for Online Tjenester) which prohibits Microsoft from providing any information or data in relation to SMART-TRIAL to third parties [4][5].

2.2 Infrastructure – Microsoft Azure

All data, and production environments for SMART-TRIAL are stored and hosted on MEDEI ApS’s private and secure hosting services within Microsoft Azure. No third party has access to any data on MEDEI ApS hosting services [5].

2.3 Data Ownership and Limits to Data Sharing

All data in relation to a specific project created within SMART-TRIAL is owned by the project creator/owner and its participants. Data can be delivered in raw format to the project owner by request at any time. Project creator/owner can export all relevant data from within the system using the available data export functions.
All other data stored with Microsoft Azure in relation to SMART-TRIAL is owned by MEDEI ApS, and any government and law enforcement request to access data is performed in coherence with the appropriate legal process – see [4] and [5] for more details.

2.4 No-Direct-Data Access Policy

MEDEI ApS has designed SMART-TRIAL to adhere to a “No-Direct-Data Access Policy”. This means that SMART-TRIAL cannot be used by MEDEI ApS administrative staff to access customer data without direct permissions given from data-owners (study owners). In any case, a project owner is always responsible for giving out permission to those users who should be able to view/access their data, which can only be done via the platform itself.

2.5 Data Access in Case of Unforeseeable Events

As long as MEDEI ApS has legal ownership of SMART-TRIAL and its production environments and hosting services, SMART-TRIAL customers shall be able to access their data via the SMART-TRIAL platform. Only upon special request can data be acquired directly from MEDEI ApS, i.e. if data cannot be acquired from SMART-TRIAL.
Microsoft will never reveal any data directly to SMART-TRIAL customers or other third parties [4][5] without explicit permission from MEDEI ApS, as long as MEDEI ApS is an established legal entity.

In the case where MEDEI ApS is no longer an established legal entity, or a business organization of any sort which allows MEDEI ApS to maintain or retain SMART-TRIAL and its data as described within this statement and the SMART-TRIAL license agreements, the following procedures will unfold.

  1. MEDEI ApS will release a formal notice to all SMART-TRIAL users to inform them of the specific circumstances and why they have unfolded.
  2. MEDEI ApS will ensure that all users will be able to receive a copy of all relevant study data, by either requiring all study owners to export them directly from SMART-TRIAL, or by delivering raw data exports of each study to its legal data controller.
  3. MEDEI ApS will ensure that any data stored within SMART-TRIAL is not removed or deleted until all customers and data owners have been informed of these procedures.
  4. MEDEI ApS will enable all SMART-TRIAL customers to retrieve their data from SMART-TRIAL within a specific period of time defined in the formal notice – from hereon called the “retrieval period”.
  5. After the retrieval period, MEDEI ApS will ensure that all data is safely deleted, and will thereafter inform all customers of this operation. Thereby no PII will remain with MEDEI ApS or its hosting service providers; it will reside only with the data owners.

However, these procedures do not unfold if another legal entity accepts or takes over the legal data responsibilities of MEDEI ApS in regard to SMART-TRIAL and its customers’ data – in this case, all SMART-TRIAL customers will be informed beforehand.

2.6 Hosting Service Security Certificates and Standards

The Microsoft Azure platform itself and Microsoft data centers are certified against a broad set of international and industry-specific standards such as ISO/IEC 27001, ISO/IEC 27018, FedRAMP, and SOC 1 and SOC 2. Microsoft Azure cloud services also meet regional and country-specific standards and contractual commitments, including the EU Model Clauses (under the EU Data Protection Directive 95/46/EC) and UK G-Cloud. In addition, rigorous third-party audits, such as those by the British Standards Institution and Deloitte, validate the adherence of the Azure cloud services to the strict requirements these standards mandate.
The complete list of compliance standards, certificates, third-party audit reports, and whitepapers for Microsoft Azure and its data centers can be found in [2].

2.7 SMART-TRIAL Data and Hosting Location

All data in relation to SMART-TRIAL is stored on secured Microsoft Azure hardware located in the EU, i.e. Dublin, Ireland [12]. Due to security measures and conformity with international and country-specific standards, Microsoft does not disclose the physical addresses of its data centers to any of its customers, including MEDEI ApS. Therefore, MEDEI ApS cannot, and will not, require Microsoft to disclose the physical location in more detail. However, MEDEI and Microsoft ensure that all data is stored and backed up within this same geographical location.

MEDEI ApS highly values its customers’ data privacy and security, and therefore highlights that information such as the physical street address or housing of data servers is not relevant to data privacy and security, and would only constitute a security risk if revealed.

Since MEDEI ApS is a legal entity within the Kingdom of Denmark, MEDEI ApS must conform to Danish and EU legislation and regulations regarding data privacy and data processing. According to both the Danish Data Protection Agency (Datatilsynet) [8] and the Danish executive order on security and protection of PII handled by public legal entities (Sikkerhedsbekendtgørelsen) [9], data processors such as MEDEI ApS are NOT required to disclose more detailed information about the physical addresses of data service providers and data servers than the country or city/state.

It is therefore up to the data processor to decide whether customers are informed of such details. Should a SMART-TRIAL customer be required by law to obtain their data from the physical location, without acquiring it via MEDEI ApS, Microsoft accepts law enforcement requests for access to customer data, which are handled as described in [5] and [10].

3. System Availability

3.1. Service Uptime

The services and interfaces of SMART-TRIAL follow the hosting provider’s availability and uptime guarantees. This means that clients using SMART-TRIAL can receive and process requests at minimum 99.95 % of the time (usually around 100 %), as Microsoft Azure promises a server uptime of minimum 99.95 % per [3]. MEDEI ApS strives to keep uptime of all SMART-TRIAL services as high as possible, and is notified continuously if any downtime is experienced. Uptime is defined as the amount of time the SMART-TRIAL system is up and running and available for use. Uptime is measured per month and is calculated from the following formula: % uptime per month = 100 x ((24 x days in the month) - total downtime hours in the month) / (24 x days in the month).

3.2. Service Downtime

Downtime is defined as the number of hours during one month in which the SMART-TRIAL system is not up and running and available for use. However, the following conditions do not represent the system being out of reach, and are thus not included in the definition of downtime:

  • Maintenance and migration at SMART-TRIAL or its hosting provider
  • Errors and crashes, for any reason, that occur on the user’s own network, power supply, IT system, hardware or system software, as well as lack of access to the user’s network or an active internet connection
  • Errors and crashes, for any reason, that occur because of an incompatibility between the user’s IT system and the SMART-TRIAL system, such as incompatible browsers. See 5.15 for a list of supported browsers.
By definition, all service windows are covered by the uptime guarantee if they are announced at least 3 days in advance. In cases classified as emergencies, which require an extraordinary service window, the service or maintenance window is announced at least 24 hours in advance.

Emergency service windows are only announced in cases where security issues are discovered.

3.3. Service Failure

SMART-TRIAL makes use of multiple services to serve/store data from users, such that if any service becomes unavailable, the system will be able to re-initiate operation without serious inconvenience, or loss of any data. SMART-TRIAL utilises a specific replica-set technology, to distribute data between secure servers that enables consistent and high availability of all data stored in SMART-TRIAL.
If a server becomes unavailable, SMART-TRIAL personnel are immediately notified so that a resolution can be found as quickly as possible. Server failures should not affect the performance of SMART-TRIAL interfaces, and users should in most cases not be affected by any server failures – see 3.1 and 3.2.

3.4. Data Backup

Backup of all data stored in databases is performed regularly so that data can be restored in case of any critical failure. Backup is performed by multiple machines, where data is continuously replicated multiple times 24/7/365. In addition, continuous file system backups are made of all data and stored separately. Backups do, however, have a maximum lifetime of 7 days, because when a SMART-TRIAL customer requests deletion of project data, the backup data must be deleted as well. All backup data, and backups of any services used by SMART-TRIAL, are kept within the geographical location of Dublin, Ireland (EU), as previously mentioned in 2.7 and documented and described by Microsoft in [11] and [12].

3.5 Updates and Service Maintenance

For every new SMART-TRIAL version rollout, all users of SMART-TRIAL are informed afterwards, with information on changes and potential feature updates. In most cases, a version rollout should not affect users in critical ways. If such critical releases are required, all users will be informed of the specifics in a timely manner, so that they can prepare for any inconvenience they might experience.

4. Infrastructure Security

4.1. Threat Management

Microsoft Azure provides threat management in relation to services hosted by Azure, and as such SMART-TRIAL and the underlying network used to link SMART-TRIAL services together are subject to threat management as described in [5], including techniques for DDoS prevention, intrusion detection, injection prevention, and anti-malware.

4.2. Network Connection

The servers running SMART-TRIAL services are locked on all ports except the ones used by the system internally, and only accept requests from the internal service IP addresses. The public web-interface servers only accept connections on port 443 (HTTPS) and port 80 (HTTP); requests on HTTP are always redirected to HTTPS in order to ensure full network encryption between all services and SMART-TRIAL customers and clients.

4.3. Segregation of Testing Environment

All new system functionality and design changes are verified and validated per MEDEI ApS SOP (system functionality and security testing) in a separate testing environment fully separated from the SMART-TRIAL production environment before being made available to the public production environments.

4.4 Logging, monitoring and reporting

Access to any services hosted by Microsoft Azure is subject to audit logging [6], and as such all attempts to access any servers used by SMART-TRIAL are logged for security analysis and monitoring. Any server failure is automatically reported to SMART-TRIAL personnel as well.

5. SMART-TRIAL Operation- and User-Security

5.1. Communication Encryption

All communication between users of SMART-TRIAL and the system is encrypted using the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) technologies, which ensures that ALL data sent between clients and the SMART-TRIAL system is obscured from outside parties. Furthermore, SSL and TLS make use of data encryption and server verification, which implies that data can only be interpreted by the intended parties.
The SMART-TRIAL system is split into different entities to ensure availability. All communication between the internal entities of SMART-TRIAL is also performed via secure SSL/TLS connections, so that data cannot be interpreted by third parties during internal system communication.
All encryption used by SMART-TRIAL, for both communication and data encryption, is at minimum AES-256 (i.e. the AES algorithm using 256-bit keys).

5.2. General User Security

To collect and view data, or to access a project in SMART-TRIAL, users must create a user account with an associated strong password, which shall be used to authenticate with the system. Users shall provide the following information and accept the usage terms [2] before being able to authenticate against the system.

  • Full Name
  • Password
  • Mobile number
  • E-mail address

The e-mail address is used as the unique identifier for user profiles, as well as the username for login. Mobile number and password are used to validate authentication of each user profile. In addition to this information, the following fields are optional and may be required of collaborators by SOP in individual projects.

  • Organisation
  • Staff ID
  • Department
  • Address (Street, Country, Zip etc.)

5.3. Two Step Verification and Authentication

To perform any security-critical actions within the system, a user must be authenticated. SMART-TRIAL implements two-step authentication for every login, i.e. users must log in to the system using their created credentials and confirm their authentication with a unique one-time code sent to their mobile phone or e-mail address. In addition, users can also ask the system to call them directly to confirm the one-time code. On successful authentication, SMART-TRIAL creates a unique user session that is used to identify the authenticated user. The session contains no information about the user’s password or other personally identifiable information and is valid for a limited time only. When the session expires, a user can choose to prolong the session by re-authenticating against the system - this is, however, only possible for 15 minutes. If a user does not prolong the session within this 15-minute time frame, the system automatically disables the user session and logs the user out, requiring a complete two-step authentication against the system.

SMART-TRIAL does not accept any interface or data requests that do not have a valid session.

5.4. User Password Standard

SMART-TRIAL requires user passwords to conform to a high level of password security to limit the possibility of brute-force attacks. A user password is stored with an individual salt value and hashed multiple times. Passwords cannot be recovered in clear text, so users must create a new password if a password is lost.
SMART-TRIAL’s password policy is strict, and every user must create a password that meets all of the following requirements:

  1. At least 8 characters long
  2. One upper and one lower case character
  3. One number
  4. One special character

5.5. Login Brute Force Defence

SMART-TRIAL is protected against user profile brute-force attacks by utilizing two-step verification (as described in 5.3), “soft lockout”, and “hard lockout”. Soft lockout requires captcha verification after 3 unsuccessful login attempts, and user profile lockout is activated after 5 unsuccessful login attempts; a locked-out user must contact SMART-TRIAL support directly to have the user profile unlocked. All unsuccessful login attempts are logged – see 5.7.

5.6. Password Protection Policy

Even though security measures are employed in regard to passwords, users are still responsible for defining their own secure passwords and for not sharing their passwords with anyone. MEDEI ApS recommends that individual organizations conform to the ISO/IEC 27001 and 27002 standards for information security management. SMART-TRIAL does not require users to change their passwords, but as a recommendation they should be changed regularly as a security measure.

5.7. Access logging

All unsuccessful authentication attempts and unauthorized requests are logged within the system and are only accessible by SMART-TRIAL system administrators. These access logs are reviewed regularly as described in 1.4. If suspicious activity is noted, the specific user profiles will be analyzed in detail and the owner of the user profile will be contacted.

5.8. User Permissions and Roles

SMART-TRIAL makes use of permission-based access to all data created/collected in relation to projects. Only the owner of a project, and users who have been given explicit access by the project owner via the system, may gain access to the project’s data. Each project owner is therefore solely responsible for keeping track of all collaborators (i.e. users who have been given any type of access to the project), their roles, and their permissions. All manipulation of user permissions to studies is logged in the study audit log (see 5.12).

5.9. SMART-TRIAL Administrative Staff Access

SMART-TRIAL administrator/support users have no access to any of the projects created within the system. Administrative users can therefore only gain access to a project and its data, if a project owner gives an administrative user profile explicit access to their project.

5.10. Encryption of Sensitive Data

Specific sensitive data attributes stored in relation to user profiles, subject profiles, and form answers are stored in encrypted form, and may only be decrypted with the corresponding encryption key and system-specific methods. The encryption keys are stored securely and are only available to the system internally; they cannot be used on their own by administrative staff or other users to decrypt information, even in case of a security breach – due to the “No-Direct-Data Access Policy”, see 2.4.

5.11. Data Separation

SMART-TRIAL stores project specific data in separate databases, such that all data for individual projects are clearly separated. Each project database is fully encrypted and only accessible by the project owner/creator via SMART-TRIAL and the SMART-TRIAL system internally. This allows for clear data separation and ensures that cross-querying between projects is not possible.

5.12. Data Export

SMART-TRIAL allows users to export project-specific data (including audit logs, medication records, form answers etc.) at any time for statistical purposes – as long as the users have permission from the project owner to do so. This functionality is separately protected and requires two-step verification: a user must request and verify a one-time password via SMS before being able to export data from the system. As soon as any data has been exported from SMART-TRIAL, the corresponding user is responsible for complying with country-specific laws and regulations on PII. MEDEI ApS cannot be held liable in any way if exported data is mistreated by the users who exported it. MEDEI ApS is solely responsible for secure storage of PII as long as the data is kept within SMART-TRIAL.

5.13. Audit- and Transaction-logging

All critical actions performed by users of SMART-TRIAL are logged both in relation to general operations (e.g. user creation/edit) and project specific operations. Project owners may review operations performed on data in relation to their own project and even export specific audit/transaction logs. Audit logging ensures that all operations performed by users can be traced. The project specific audit/transaction logs contain information about the following:

  1. User which performed the operation
  2. Time/date of operation
  3. Affected subject/object
  4. What information was changed or which operation was performed
  5. Old information values (if applicable)
  6. New information values (if applicable)

System specific logs are kept indefinitely and always accessible by SMART-TRIAL administrative staff.
Study-specific logs are kept within the specific study databases until the study owner explicitly requests the study data (database) to be deleted. However, study owners can choose not to delete their study from within SMART-TRIAL.
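An append-only project audit log recording the six fields listed in 5.13 (and the permission changes 5.8 says are logged there), added as an illustration; this is not SMART-TRIAL's own code. The record shape, the operation names, the project/collaborator model and the sample data are assumptions constructed for this example.

```javascript
// Added example, not SMART-TRIAL code: per-field audit entries as described in 5.13.
class ProjectAuditLog {
  constructor(projectId) {
    this.projectId = projectId;
    this.entries = [];  // append-only; entries are frozen once written
  }

  // One entry per changed field, so old and new values stay traceable.
  // `before` is null for a create, `after` is null for a delete.
  recordChange(user, subjectId, before, after, now = new Date()) {
    const fields = new Set([...Object.keys(before || {}), ...Object.keys(after || {})]);
    const emitted = [];
    for (const field of fields) {
      const oldValue = before ? before[field] : undefined;
      const newValue = after ? after[field] : undefined;
      if (oldValue === newValue) continue;  // unchanged field: nothing to log
      const operation = !before ? 'create' : !after ? 'delete' : 'update';
      const entry = Object.freeze({
        user,                                                // 1. who performed the operation
        time: now.toISOString(),                             // 2. time/date of operation
        subject: subjectId,                                  // 3. affected subject/object
        operation: `${operation}:${field}`,                  // 4. what was changed / done
        oldValue: oldValue === undefined ? null : oldValue,  // 5. old value (if applicable)
        newValue: newValue === undefined ? null : newValue,  // 6. new value (if applicable)
      });
      this.entries.push(entry);
      emitted.push(entry);
    }
    return emitted;
  }

  // 5.8: changes to collaborator permissions go into the same study audit log.
  recordPermissionChange(user, collaborator, oldRole, newRole, now = new Date()) {
    return this.recordChange(user, `collaborator:${collaborator}`,
      oldRole ? { role: oldRole } : null, newRole ? { role: newRole } : null, now);
  }

  // 5.13: the project owner may review the operations performed on one subject.
  historyFor(subjectId) {
    return this.entries.filter((e) => e.subject === subjectId);
  }

  // 5.12/5.13: export of the audit log as newline-delimited JSON.
  exportLog() {
    return this.entries.map((e) => JSON.stringify(e)).join('\n');
  }
}

// Constructed sample: a form answer is corrected, a subject record is deleted,
// and a collaborator is granted a role. All identifiers are made up for this example.
function demo() {
  const log = new ProjectAuditLog('project-demo');
  const t = new Date('2017-04-27T10:00:00Z');
  log.recordChange('investigator@example.org', 'subject-001',
    { weight_kg: 80, consent: true }, { weight_kg: 82, consent: true }, t);
  log.recordChange('investigator@example.org', 'subject-002', { consent: true }, null, t);
  log.recordPermissionChange('owner@example.org', 'monitor@example.org', null, 'read-only', t);
  return log;
}
```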

5.14. Deletion of Data and Study Specific Logs

Project data and its logs are kept indefinitely and securely within SMART-TRIAL, as long as the project owner does not explicitly request data deletion (database deletion).
When a project owner requests for a project to be deleted, SMART-TRIAL registers a “delete date” for the project, which shall be 10 days after the delete request is made. After 10 days, the project-specific database is deleted completely from all SMART-TRIAL production services and the project owner is informed of the successful deletion. Any backups of the project data are kept for a maximum of 7 days after the database has been deleted (see why in 3.3). Afterwards, project data cannot be recovered in ANY way.
MEDEI ApS has verified and validated this deletion method, and documentation of this is available on request.

5.15. Supported Browser

Usage of SMART-TRIAL should always be performed through a supported browser. The supported browsers are:

  1. Google Chrome version 50 and above
  2. Mozilla Firefox version 50 and above
  3. Microsoft Edge version 38 and above
  4. Safari version 10 and above
  5. Internet Explorer 11 (not recommended)

The public part of SMART-TRIAL, such as subject form fill out, is furthermore supported on Internet Explorer 10.
Due to performance and security issues, it is recommended that users avoid the use of Internet Explorer and choose any of the other supported browsers.
It is recommended to use the newest version of any of the above browsers, since they will contain the most up-to-date security patches.

6. Project Data Collection

Data collection in relation to a project conducted with SMART-TRIAL is secured by only allowing users with explicit permission in a project to complete forms for a subject. Furthermore, forms that are to be filled out by subjects participating in a project can only be completed by following a randomly generated unique link sent to each subject via e-mail or SMS. E-mail/mobile verification can also be enabled at process level for subject form fill-out, to further validate the subject’s identity.

7. Breach of Security

MEDEI ApS incorporates the newest technologies for secure computing and data storage in cooperation with Microsoft Azure. However, data transmission over the internet and data storage can never be guaranteed 100 % secure. As such, if a security breach should occur, the affected customers of SMART-TRIAL will be informed via a personal e-mail sent to each individual user/customer. If customers do not respond to this formal notice within 3 days, they will be contacted by telephone.
The formal notice will state the type of security breach the system was subject to and what measures have been taken to minimise the data breach. In addition, MEDEI ApS will inform all users of which actions to take to minimize any risk of inconvenience.
All security breach incidents are reported and documented in a standardized way, as described in MEDEI ApS internal security management procedures.

8. User's Responsibility

For a more detailed explanation of which aspects of the system are outside the area of responsibility of MEDEI ApS and SMART-TRIAL, please refer to [1].

Are we missing something?

If you have any questions regarding security, data privacy, technical documentation, validation, or SOPs, you are always welcome to contact us via: support@SMART-TRIAL.co