RxPhoto Security Protocols

Data management

  • All data collected for registration and services are hosted on Amazon Web Services (AWS).
  • Data in transit is encrypted via SSL/TLS and data at rest is encrypted at AWS.
  • Management access and data transfers are done via SSH.
  • RxPhoto database backups are taken multiple times every day.
  • Photo files are replicated and synced on different locations in real time.
  • The development environment is separated from the website: access to the website environment does not grant access to the development environment or patient data.

Risk assessments

RxPhoto’s security team performs quarterly risk assessments including security auditing, penetration testing, vulnerabilities assessment, and account auditing. Based on the assessment, security recommendations are made to the relevant organizational departments, and security patches and software upgrades are performed. If vulnerabilities are discovered, security updates and/software updates are performed immediately, and do not wait for the scheduled security assessment period. An investigation into any resulting breaches is immediately performed as per the RxPhoto Data Breach Policy below.

Restricted Access Control

The access to information is managed based on business requirements and using the following strategies:

  • Access Control Policy – Access to systems is granted based on an analysis of business requirements and on a need to know basis;
  • Ongoing Access Management – Access is managed in order that access privileges correspond with users’ changing requirements;
  • Network Access Controls are deployed to ensure that information is not subject to unacceptable risks due to insecure network connections;
  • Operating System Access Controls are implemented to ensure that only authorized users can log onto the system and that their levels of access are appropriate to their requirements;
  • Application Access Control – Where appropriate, access controls have been deployed within applications to further reduce access to sensitive information;
  • System Monitoring – System access is monitored to provide an audit trail traceable to individual users and that evidence gained is legally admissible;
  • Mobile Computing and Teleworking/Home Computing are subject to specific guidelines to ensure that sensitive information is afforded appropriate levels of protection regardless of site location

Firewalls & Security Software

  • Security groups and secure management ports are enabled on all of our instances.
  • All staff and contractor devices have up to date anti-virus and anti-malware software.

Accounts

RxPhoto conducts a quarterly review of all the privileged accounts in the technology stack. Terminated users and/or staff accounts are disabled and privileges are revoked immediately upon departure or end of contract.

Login Security

All account changes are monitored and logged, and alerts are sent to notify users in case of changes in their account access credentials. RxPhoto encourages all staff to change all their login credentials bi-annually.

Third Party Access

All contractors who require access to the technology stack must sign RxPhoto’s Non-Disclosure Agreement. Only contractors directly working on program implementation and support can request such access. No third party access to RxPhoto’s technology stack or data is otherwise granted, including for commercial purposes.

Security Awareness

  • RxPhoto provides in-house training to all staff about data security and protection, and all privacy policies and procedures are presented to incoming RxPhoto staff and contractors.
  • All staff and contractors who have access to user data must sign a Non-Disclosure Agreement.
  • IT staff are additionally trained on complying with the Rxphoto’s security standards and making users aware of policies and procedures regarding appropriate use of networks, systems, and applications.

RxPhoto Data Breach Policy

RxPhoto takes the management of any and all customer data very seriously. This RxPhoto Data Breach Policy is designed to help us manage any personal data breaches, should they occur, in a timely and effective manner.
Additionally, per the European Union’s new 2018 General Data Protection Regulations (GDPR) Regulations, companies that process any EU customer data that could fall under the GDPR category of “personal data”, must have clear plans in place outlining their policies in the event of a breach of that data.

The term “data breach” generally refers to any unauthorized access of data. As RxPhoto processes personal data for a variety of business purposes from both customers in the EU and around the world, RxPhoto is required to make reasonable security arrangements to protect that personal data to prevent such unauthorised use, access or disclosure.

Scope

This policy is designed to help our customers understand our policies, and the implementation and fulfillment applies to all RxPhoto employees, including contractors. All employees and contractors must read this policy and comply with its terms. Any amendments or modifications to this policy will be circulated to all employees and contractors prior to adoption.
Our Data Protection Officer (DPO) has responsibility for the implementation of this policy.

Risk Assessment and Incident Prevention

Preventing incidents is less costly than reacting to them after they occur. Thus, in addition to automated detection capabilities, as part of RxPhoto’s incident prevention policy, the security team will conduct quarterly risk assessments under the direction of the IT Director and in conjunction with RxPhoto’s DPO.
The assessment will include a review of baseline activity logs and the security of all data repositories, ports, anti-virus products, application activity, usage data, email security, and intrusion detection.
Based on the outcome of the risk assessment, RxPhoto will determine the presence of incident precursors and the need for security enhancements or reversal to a clean OS image.
If indicators of a breach are discovered, the risk assessment and the supporting documentation shall be fact specific and address:

  • Assess the accuracy of the indicators discovered and the presence of a breach
  • Consideration of who impermissibly used or to whom the information was impermissibly disclosed;
  • The type and amount of data involved;
  • The cause of the breach, and the entity responsible for the breach, either User, RxPhoto, Partner or Sub-Contractor.

Discovery of Breach

A breach shall be treated as “discovered” as of the first day on which such a breach is known to RxPhoto, or, by exercising reasonable diligence would have been known to RxPhoto (includes breaches by RxPhoto’s users, partners, or subcontractors). RxPhoto shall be deemed to have knowledge of a breach if such breach is known or by exercising reasonable diligence would have been known, to any person, other than the person committing the breach, who is a workforce member or partner of RxPhoto.

For an acquisition, access, use or disclosure of data to constitute a breach, it must constitute a violation of the RxPhoto Privacy Policy. A use or disclosure of data that is incident to an otherwise permissible use or disclosure and occurs despite reasonable safeguards and proper procedures would not be a violation of the Privacy Policy and would not qualify as a potential breach. RxPhoto has the burden of proof for demonstrating that all notifications to appropriate users or that the use or disclosure did not constitute a breach.

Breach Investigation and Containment

Following the discovery of a potential breach, including unauthorized access to user data or unauthorized access to the technology stack, RxPhoto shall:

  • Apply containment measures immediately
  • In conjunction, launch an investigation and risk assessment
  • Begin the process to notify each user affected by the breach.
  • Determine what external notifications are required or should be made.

The Incident Response Team, constituted by the IT Director and the DPO, shall be responsible for the management of the breach investigation, completion of a risk assessment, and coordinating with others within or outside RxPhoto as appropriate to contain, eradicate, and recover from the breach. They will identify other staff and departments within RxPhoto who may need to participate in the investigation or its resulting response, including relationship managers and communication managers. They will also assess whether outside consultation with specialized expertise is required to complete the investigation, assess the breach, or provide the necessary security measures.
Incident prioritization is done by the IT Director and the DPO. Prioritization is done on the basis of safety and security of users, confidentiality and integrity of user data, and impact on organizational function.

Timeliness of Notification

Upon discovery of a breach, notice shall be made to the affected RxPhoto users no later than 72 hours after the discovery of the breach. Incidents will also be reported to relevant stakeholders, including donors and board members, and to the relevant authorities.

Content of the Notice

The notice shall be written in plain language and must contain the following information:

  • A brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known;
  • A description of the types of protected information that were involved in the breach, if known;
  • Any steps the user should take to protect user data from potential harm resulting from the breach.
  • A brief description of what RxPhoto is doing to investigate the breach, to mitigate harm to individuals and users, and to protect against further breaches.
  • Contact procedures for individuals to ask questions or learn additional information, which may include a toll-free telephone number, an e-mail address, a web site, or postal address.

Methods of Notification

RxPhoto users will be notified via email within the timeframe for reporting breaches as outlined above.

Maintenance of Breach Information Log

If any organizational or user data is compromised, the following information will be collected and logged for each breach:

  • The current status of the incident
  • A summary of the incident
  • Indicators related to the incident
  • Other incidents related to this incident
  • Actions taken by all incident handlers on this incident
  • Impact assessments related to the incident
  • Contact information for other involved parties (e.g., system owners, system administrators)
  • A list of evidence gathered during the incident investigation
  • Comments from incident handlers
  • Next steps to be taken

Recovery

The security team will determine the best course of action for recovery. These include restoring systems to normal operation, confirming that the systems are functioning normally, and remediating vulnerabilities to prevent similar incidents. Recovery may involve restoring systems from clean OS backups, rebuilding systems from scratch, replacing compromised files with clean versions, installing patches, changing passwords, or tightening network perimeter security

Post-Incident Activity

A thorough analysis of each breach incident and handling process will be conducted by the security team in conjunction with RxPhoto’s leadership. Lessons learned will be shared with relevant staff and organizational departments, and used to build more robust security systems.

Complaints

Individuals who wish to make complaints concerning RxPhoto’s user privacy policies and procedures or its compliance with such policies and procedures can contact [email protected]

Retaliation

RxPhoto may not intimidate, threaten, coerce, discriminate against, or take other retaliatory action against any individual for the exercise by the individual of any privacy right.

Green X