healthR Technologies Ltd (the “Company”, “we”, “us” or “our”) provides the website located at healthr.cloud (the “Website”) to support providers of healthcare applications and websites by giving their end users access to certain third-party applications, programs and/or devices that the end users may elect to connect to using the Website (collectively, the “Service”).
THE INFORMATION WE COLLECT
In this section, we provide you with details about some of the information we currently collect about users of our Website and of our Service (collectively, “User Data”).
HOW WE USE THE INFORMATION WE COLLECT
REVIEWING, UPDATING AND DELETING YOUR INFORMATION
EU individuals have the right to access their personal data. We provide your healthcare portal provider with the capability to review, update and delete your User Data, including your personal health data. We require your permission before any of your User Data (including your personal data) is accessed, retrieved or made available to your healthcare portal provider. You may change your level of permission at any time to expand or limit the collection, use and/or disclosure of your User Data (including your personal data). In addition, we give your healthcare portal provider the ability to let you revoke permission to access your User Data (including your personal data), and on revocation we will permanently delete any records that we hold of your User Data (including your personal data).
LINKS AND ADVERTISING
You should also be aware that if you voluntarily disclose personally identifiable information in an email or other communication with any third party listed on the Website or in other materials, that information, along with any other information disclosed in your communication, can be collected, correlated and used by such third parties and may result in your receiving unsolicited messages from other persons. Such collection, correlation, use and messages are beyond our control.
The Website and the Service are for general audiences and neither is directed toward those under 18 years of age. We do not knowingly collect Personal Information from children under 13 without parental consent. If you become aware that a child has provided us with Personal Information, please contact our Privacy Officer at the email address in the Contact Information section. If we become aware that a child under 13 has provided us with Personal Information, we will take steps to remove such information and terminate the child’s account.
Please remember that your use of the Website and the Service is also governed by our Terms, which are available separately.
If you have questions or complaints regarding this Policy or our practices, please contact the Company at:
healthR Technologies Ltd
71-75 Shelton Street
DATA SECURITY POLICY IN BRIEF
healthR Technologies Ltd. (“healthR”) focuses on security from the ground up. Our data centres, operated by Microsoft Azure, are audited under SSAE 16 (the successor to SAS 70 Type II), hold SOC 2 reports, are HIPAA and HITRUST compliant, and feature proximity security badge access and digital video surveillance. Our server environment can only be accessed via two-factor authentication over secure channels. We run monthly vulnerability assessments on our production environment. Additionally, all access to our web portal is secured over HTTPS using TLS 1.2 or later with AES-256 encryption. Only directors of the business have access to client data.
DEFINITION OF TERMS & SYSTEM USERS:
Client — A customer of healthR.
User — An individual with access to a healthR Application.
Member — A User of a Client whose account is provisioned through the Client’s Web Portal or via the healthR API. A Member cannot log in to or otherwise directly access any healthR Application.
Developer — A User that can create vendor applications in healthR for the purpose of integrating mobile health applications and/or devices.
DATA CENTRE AND HARDWARE
All healthR application and database servers are physically managed by Microsoft Azure in secure data centres within the United Kingdom and United States. Our security procedures follow industry best practices from sources including the Center for Internet Security, Microsoft, Red Hat and others. All data centre facilities are certified SOC 2/HIPAA/HITRUST compliant, are physically secured 24/7 and are monitored by a Network Operations Centre.
Microsoft manages physical access to the data centres. Access is controlled both at the perimeter and at building ingress points by professional security staff using video surveillance, intrusion detection systems and other electronic means. healthR employees do not have access to physical server hardware.
Data Access and Server Management Security
healthR uses multi-factor authentication to access its hosting environment. Only directors of healthR can access the server network.
All Azure data centres are equipped with automatic fire detection and suppression (either wet-pipe, double-interlocked pre-action, or gaseous sprinkler systems), climate and temperature controls, fully redundant uninterruptible power supplies, and generators to provide back-up power for each physical site.
DATA STORAGE AND BACKUPS
All Member Data stored in the healthR platform is encrypted at rest using AES-256. healthR maintains multiple full backups of all Client data. These backups are stored in a geographically and logically separate environment.
Client Data Policies
Client Data includes data stored by Clients in healthR applications, information about a Client’s usage of the application, data held in the Customer Relationship Management system to which we have access, and data that the Client has supplied to us for support or implementation. When managing Client Data, we consider the following:
Destruction of Server Data
In order to maintain system integrity, Client Data that has outlived its use is retained for no more than 60 days before it is destroyed. The data may remain in our backup files for up to fourteen (14) months, as it is our policy to keep weekly backups for a minimum of 52 weeks before those backups are destroyed. De-identified activity data from Members may be stored in perpetuity for future analysis.
healthR security administrators are immediately and automatically notified via email when the security controls in place detect an incident. All other suspected intrusions, suspicious activity or unexplained erratic system behaviour discovered by administrators, users or computer security personnel must be reported to a security administrator within one (1) hour.
Once an incident is reported, security administrators will immediately begin verifying that an incident occurred and the nature of the incident with the following goals:
Determining the Extent of an Incident
Security administrators will use forensic techniques, including reviewing system logs, looking for gaps in logs, reviewing intrusion detection logs, interviewing witnesses and interviewing the affected party, to determine how the incident was caused. Only authorised personnel will conduct interviews or examine evidence, and who is authorised may vary by situation.
Notifying Clients of an Incident
Clients will be notified via email within one (1) hour of the detection and confirmation of any incident that compromises access to the service, compromises data or otherwise affects Users. Clients will receive a status update every four (4) hours and upon incident resolution.
All data transfer and access to healthR applications occurs only on port 443 over an HTTPS connection using TLS 1.2 or later with AES-256 encryption.
System Updates and Security Patches
As a hosted SaaS solution, we regularly improve our system and apply security patches. No Client resources are needed to perform these updates. Non-critical system updates are installed at predetermined times. Critical application updates are performed ad hoc using rolling deployment to maintain system performance and minimise disruption. All updates and patches are evaluated in a virtual copy of the production environment before implementation.
Vulnerability and Security Testing
healthR performs vulnerability assessments of its production environment and produces security reports once a quarter. healthR also has external penetration testing performed by a third party on at least an annual basis. Additional internal security testing is performed in the testing environment before code is checked into the master repository.
Member Login and Session Security
Members are not able to log in to a healthR application directly. All Member logins and sessions are authenticated via a secure access token.
Application Password Management
All passwords for healthR accounts must have at least twelve (12) characters, including at least one number, one lowercase letter, one uppercase letter and one special character.
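The following is an added example, not healthR’s own code, showing how the password rules above can be enforced so that a rejected password is reported with the specific rules it fails. It assumes “special character” means ASCII punctuation (an assumption; the policy does not define the set). The character classes are explicit ASCII sets rather than str.isdigit()/str.isalpha(), because those methods also accept non-ASCII digits and letters and would make the check depend on the interpreter’s Unicode tables.

```python
# Added example (not healthR's code): validator for the stated password policy.
# Rules: >= 12 characters, at least one digit, one lowercase letter,
# one uppercase letter and one special character.
import string
from typing import List

MIN_LENGTH = 12
DIGITS = set(string.digits)
LOWER = set(string.ascii_lowercase)
UPPER = set(string.ascii_uppercase)
# Assumption: "special character" means ASCII punctuation; the policy
# itself does not define the set.
SPECIAL = set(string.punctuation)


def policy_violations(password: str) -> List[str]:
    """Return the rules the password fails; an empty list means it passes.

    Length is measured in code points. Class checks use explicit ASCII
    sets, so a non-ASCII digit such as Arabic-Indic '٣' does not satisfy
    the "one number" rule (str.isdigit() would accept it).
    """
    chars = set(password)
    failures: List[str] = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if not chars & DIGITS:
        failures.append("no digit")
    if not chars & LOWER:
        failures.append("no lowercase letter")
    if not chars & UPPER:
        failures.append("no uppercase letter")
    if not chars & SPECIAL:
        failures.append("no special character")
    return failures


def meets_policy(password: str) -> bool:
    """True when the password satisfies every rule in the policy."""
    return not policy_violations(password)


if __name__ == "__main__":
    # Constructed sample inputs, not real credentials.
    for candidate in ["Correct-Horse-1x", "Short1!", "alllowercase1234!"]:
        print(repr(candidate), policy_violations(candidate) or "ok")
```

Returning the list of failed rules rather than a bare boolean lets a sign-up form tell the user exactly what to fix without leaking anything beyond the published policy.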
healthR maintains data stores mirrored across multiple geographic availability zones in Azure within the United Kingdom. While most data stores are kept in sync in near real time, some are updated every six (6) hours. In the event of a disaster, the full healthR platform will be recreated and made available in a different region within six (6) hours of the disaster being declared.
PHI Handling Policy
All healthR staff members are made aware of relevant external regulations as part of their onboarding and training process, and all staff who may encounter PHI are trained on our PHI handling processes.
healthR expects professional integrity from the collaborators, Clients and partners who provide PHI to us, and will assume that they have obtained the Member’s consent to use their data in this way.
Where a Business Associate Agreement or similar contract relating to PHI is in place, staff members work under the terms of that agreement. Where no such agreement exists, the healthR PHI handling policy and process are followed.