Security and Privacy

What are the measures taken for pseudonymization and encryption of personal data at Qure?

Qure does not need Protected Health Information (PHI). Hospitals anonymize all PHI before sending data to Qure, so Qure processes de-identified images only. Encryption of data in transit and at rest is covered under the next two questions.

If a hospital lacks the technical means to anonymize on its own end, the Qure DCMIO module can, depending on project requirements, be used on the hospital side to remove all PHI from DICOM files before the data leaves the hospital for processing.
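The kind of de-identification step DCMIO performs on the hospital side, written here as an added example in Go (this is not Qure's DCMIO code): it parses a flat explicit VR little endian DICOM dataset, blanks PatientName, removes PatientBirthDate and replaces PatientID with a keyed HMAC pseudonym, so the hospital can still correlate follow-up studies while the real identifier never leaves the site. The constructed sample dataset, the three-tag subset and the key are assumptions; a production tool must cover the full PS3.15 attribute list, nested sequences, the file meta header and any burned-in text.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

// Element is one data element of an explicit VR little endian dataset: Tag is (group << 16) | element,
// VR the two-letter value representation, Value assumed already even-length padded as the standard requires.
type Element struct{ Tag uint32; VR string; Value []byte }

// Direct identifiers handled here, a small subset of the PS3.15 profile.
const TagPatientName, TagPatientID, TagPatientBirthDate = 0x00100010, 0x00100020, 0x00100030

var longLength = map[string]bool{"OB": true, "OW": true, "OF": true, "SQ": true, "UT": true, "UN": true} // 2 reserved bytes + 4-byte length

// Parse decodes a flat dataset (no nested sequences or undefined lengths), refusing truncated input.
func Parse(data []byte) ([]Element, error) {
	var els []Element
	for off := 0; off < len(data); {
		if len(data)-off < 8 {
			return nil, fmt.Errorf("truncated header at offset %d", off)
		}
		tag := uint32(binary.LittleEndian.Uint16(data[off:]))<<16 | uint32(binary.LittleEndian.Uint16(data[off+2:]))
		vr := string(data[off+4 : off+6])
		n := int(binary.LittleEndian.Uint16(data[off+6:]))
		off += 8
		if longLength[vr] { // bytes 6-7 were reserved; the real length follows
			if len(data)-off < 4 {
				return nil, fmt.Errorf("truncated header at offset %d", off)
			}
			n, off = int(binary.LittleEndian.Uint32(data[off:])), off+4
		}
		if n < 0 || n > len(data)-off {
			return nil, fmt.Errorf("element %08X length %d runs past the dataset", tag, n)
		}
		els = append(els, Element{Tag: tag, VR: vr, Value: data[off : off+n]})
		off += n
	}
	return els, nil
}

func Serialize(els []Element) []byte {
	var out []byte
	for _, e := range els {
		hdr := make([]byte, 8, 12)
		binary.LittleEndian.PutUint16(hdr, uint16(e.Tag>>16))
		binary.LittleEndian.PutUint16(hdr[2:], uint16(e.Tag))
		copy(hdr[4:], e.VR)
		if longLength[e.VR] {
			hdr = binary.LittleEndian.AppendUint32(hdr, uint32(len(e.Value))) // hdr[6:8] stay zero (reserved)
		} else {
			binary.LittleEndian.PutUint16(hdr[6:], uint16(len(e.Value)))
		}
		out = append(append(out, hdr...), e.Value...)
	}
	return out
}

// Deidentify blanks PatientName, drops PatientBirthDate and turns PatientID into an HMAC-SHA256 pseudonym (linkable, not reversible without the hospital-held key).
func Deidentify(els []Element, pseudonymKey []byte) []Element {
	out := make([]Element, 0, len(els))
	for _, e := range els {
		switch e.Tag {
		case TagPatientName:
			e.Value = []byte("ANONYMIZED")
		case TagPatientID:
			mac := hmac.New(sha256.New, pseudonymKey)
			mac.Write(bytes.TrimRight(e.Value, " \x00"))
			e.Value = []byte(hex.EncodeToString(mac.Sum(nil))[:16])
		case TagPatientBirthDate:
			continue
		}
		out = append(out, e)
	}
	return out
}

// SampleDataset is a constructed header with PHI plus a pixel data element; it is not real patient data.
func SampleDataset() []byte {
	return Serialize([]Element{
		{Tag: TagPatientName, VR: "PN", Value: []byte("DOE^JANE")},
		{Tag: TagPatientID, VR: "LO", Value: []byte("MRN-123456")},
		{Tag: TagPatientBirthDate, VR: "DA", Value: []byte("19800101")},
		{Tag: 0x7FE00010, VR: "OB", Value: []byte{0x80, 0x80, 0x80, 0x80}},
	})
}

func main() {
	els, _ := Parse(SampleDataset())
	for _, e := range Deidentify(els, []byte("hospital-held-secret")) {
		fmt.Printf("(%04X,%04X) %s %q\n", e.Tag>>16, e.Tag&0xFFFF, e.VR, e.Value)
	}
}
```

Non-identifying elements such as the pixel data pass through untouched, and the bounds checks in Parse matter because a de-identification tool that can be crashed or confused by a malformed header is itself a way for PHI to slip through.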

What are the measures for the protection of data during transmission?

All data is sent to Qure over HTTPS. Server certificates use RSA with 2048-bit keys; the session itself is encrypted with the symmetric cipher suite negotiated by TLS. Unless otherwise specified, TLS 1.2 or higher is the default minimum protocol version (TLS, not the obsolete SSL versions).
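The transport policy the answer describes, as an added example in Go's standard library (not Qure's own configuration): a server certificate with an RSA-2048 key, TLS 1.2 as the floor, and a check that a client limited to TLS 1.0 is refused. The hostname, the self-signed certificate and the in-memory pipe in place of a network socket are test assumptions.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// serverName is a constructed hostname for the in-memory test, not a real Qure endpoint.
const serverName = "api.qure.example"

// NewServerCert generates a throwaway self-signed RSA-2048 certificate for serverName.
func NewServerCert() (tls.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: serverName},
		DNSNames:     []string{serverName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, nil
}

// ServerConfig is the server-side policy the page describes: TLS 1.2 is the floor.
func ServerConfig(cert tls.Certificate) *tls.Config {
	return &tls.Config{
		Certificates:           []tls.Certificate{cert},
		MinVersion:             tls.VersionTLS12,
		SessionTicketsDisabled: true, // a ticket write would block the unbuffered in-memory pipe used below
	}
}

// ClientConfig trusts only the test certificate and caps the protocol at maxVersion.
func ClientConfig(leaf *x509.Certificate, maxVersion uint16) *tls.Config {
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return &tls.Config{RootCAs: pool, ServerName: serverName, MinVersion: tls.VersionTLS10, MaxVersion: maxVersion}
}

// Handshake runs both sides over an in-memory pipe and returns the negotiated version.
func Handshake(server, client *tls.Config) (uint16, error) {
	srvEnd, cliEnd := net.Pipe()
	defer func() { srvEnd.Close(); cliEnd.Close() }()
	srvErr := make(chan error, 1)
	go func() { srvErr <- tls.Server(srvEnd, server).Handshake() }()
	cli := tls.Client(cliEnd, client)
	if err := cli.Handshake(); err != nil {
		cliEnd.Close() // unblock the server goroutine before collecting its error
		<-srvErr
		return 0, err
	}
	if err := <-srvErr; err != nil {
		return 0, err
	}
	return cli.ConnectionState().Version, nil
}

// CheckPolicy reports the server key size, the version a current client negotiates, and whether a TLS 1.0-only client is refused.
func CheckPolicy() (keyBits int, modern uint16, legacyRefused bool, err error) {
	cert, err := NewServerCert()
	if err != nil {
		return 0, 0, false, err
	}
	keyBits = cert.PrivateKey.(*rsa.PrivateKey).N.BitLen()
	server := ServerConfig(cert)
	if modern, err = Handshake(server, ClientConfig(cert.Leaf, tls.VersionTLS13)); err != nil {
		return keyBits, 0, false, err
	}
	_, err = Handshake(server, ClientConfig(cert.Leaf, tls.VersionTLS10))
	return keyBits, modern, err != nil, nil
}

func main() {
	bits, v, refused, err := CheckPolicy()
	fmt.Printf("RSA key %d bits, negotiated TLS version 0x%04x, TLS 1.0 client refused: %v, error: %v\n", bits, v, refused, err)
}
```

Against a live endpoint the same check is the second handshake: a client pinned to TLS 1.0 or 1.1 must be turned away, and the negotiated version with a current client must be 0x0303 (TLS 1.2) or 0x0304 (TLS 1.3).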

What are the measures for the protection of data during storage?

All data stored by Qure is encrypted at rest using AES-256-GCM: the Advanced Encryption Standard (AES) with 256-bit keys in Galois/Counter Mode (GCM), an authenticated encryption mode that protects both the confidentiality and the integrity of stored data and is an industry standard for secure encryption.
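What AES-256-GCM gives at rest, shown as an added example in Go's standard library (not Qure's storage code): a fresh random nonce per object, the object identifier bound as additional authenticated data so a blob cannot be quietly swapped between objects, and rejection of any modified byte. The key source and object names are assumptions; in a real deployment the key would be a KMS-wrapped data key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

const keySize = 32 // AES-256

// NewKey returns a random 256-bit data-encryption key. In production this would come
// from a KMS-wrapped data key rather than being generated ad hoc by the application.
func NewKey() ([]byte, error) {
	key := make([]byte, keySize)
	_, err := io.ReadFull(rand.Reader, key)
	return key, err
}

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != keySize {
		return nil, errors.New("AES-256 needs a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext and binds objectID as additional authenticated data.
// Layout: 12-byte random nonce || ciphertext || 16-byte GCM tag. A nonce must never
// repeat under one key; random 96-bit nonces are safe for roughly 2^32 objects per
// key, after which the key has to be rotated.
func Seal(key []byte, objectID string, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(objectID)), nil
}

// Open decrypts a blob produced by Seal; any change to nonce, ciphertext, tag or
// objectID fails the tag check and nothing is returned.
func Open(key []byte, objectID string, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("blob too short to contain nonce and tag")
	}
	plaintext, err := gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], []byte(objectID))
	if err != nil {
		return nil, fmt.Errorf("object %s: integrity check failed: %w", objectID, err)
	}
	return plaintext, nil
}

func main() {
	key, _ := NewKey()
	blob, _ := Seal(key, "studies/2024/0001.dcm", []byte("constructed DICOM bytes"))
	blob[len(blob)-1] ^= 1 // flip one bit of the tag
	_, err := Open(key, "studies/2024/0001.dcm", blob)
	fmt.Println("tampered object rejected:", err != nil)
}
```

The integrity property is the part that plain AES-CBC at rest would not give you: with GCM a corrupted or manipulated object is detected on read instead of being decrypted into garbage and processed.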

What are the measures for ensuring ongoing confidentiality, integrity, availability, and resilience of processing systems and services?

To achieve availability and resilience, all Qure application servers run in an active-active configuration and are distributed across multiple availability zones using the features offered by the cloud provider. All servers are continuously monitored to ensure sufficient storage and processing capacity.

What are the measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident?

Data is backed up on a regular basis. Restoration tests are conducted twice a year to verify that the backups are complete and can be restored correctly.

What are the processes for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures in order to ensure the security of the processing?

Qure maintains an ISO 27001 certification, undergoing periodic external surveillance and recertification audits to ensure that its Information Security Management System (ISMS) meets the requirements.

What are the measures for user identification and authorization?

Access control policies defined as part of Qure's ISO 27001 requirements govern access to Qure applications. Access must be granted on "need to know" and "least privilege" principles and be justified by a business reason.

The policy also covers the access management lifecycle, including access provisioning, authentication, access authorization, removal of access rights, and periodic access reviews. These requirements are documented and provided to external auditors for certification testing. All employees complete annual information security training that covers the careful handling of client data.

What are the measures for ensuring the physical security of locations at which personal data are processed?

Qure relies on measures provided by Amazon Web Services (AWS), or equivalent cloud providers, to ensure that suitable controls are in place and the physical security of processing locations is adequately maintained. Qure periodically reviews the certifications and third-party attestations provided by AWS on the effectiveness of its data center controls.

Additional controls are maintained at all Qure office locations, such as biometric and ID card access controls at all entry points and CCTV monitoring of office spaces.

What are the measures for ensuring event logging?

Service, user, and security events (application server logs, database logs) are logged and retained centrally using tools such as AWS CloudWatch and Graylog.

Qure restricts access to audit logs to authorized personnel based on job responsibilities. Logs are retained for a period of one year. Audit logging procedures are reviewed as part of external audits for security standards.

What steps are taken to ensure system configuration, including the default configuration?

Qure hardens its server infrastructure using a hardening standard derived from a common industry benchmark, supplemented by recommendations from tools such as Amazon Inspector. Security patches are applied to servers in accordance with Qure's vulnerability management procedure.

What are the procedures for internal IT and IT security governance and management, process and product certification, and assurance?

Qure performs an annual internal review of all security management policies and procedures to ensure compliance with the ISO 27001 standard. External auditors perform an annual review of these policies and procedures as well.
