Security

Protecting your data is our priority, and we ensure safety and security at every level.
Learn more about CORSANO's ongoing journey with the cloud and our use of security offerings to reduce risks and improve the privacy of information. Here’s an overview of how we have built security at Corsano:

Data security

CORSANO customers' data, and the security of that data, are of utmost importance to us, which is why we provide our customers with complete control over their data. Data security and privacy are a priority, and we aim to create a platform where data can be securely shared between users and health professionals.

CORSANO protects personal data through the best practices in software development and cloud architecture, complying with various security and privacy standards (GDPR, HIPAA, ISO 27001).

Secure cloud infrastructure

A strong cloud infrastructure is crucial for the security of data. This is why we select the best partners and use the best technologies and practices to ensure security, privacy and the highest level of service for our users and customers.

CORSANO stores all production data in physically secure data centers. We use Amazon Web Services (AWS) solutions, a pioneer in supporting health data, to master all aspects of data security. As an AWS Business Associate, we can guarantee compliance with the highest data security and privacy standards.

https://aws.amazon.com/ru/health/healthcare-compliance/

Data centers

Secure design

Security is ensured by design, starting from careful site selection based on an initial geographic assessment that guards against environmental risks.

Data center redundancy and automatic traffic management make it possible to maintain the highest level of service.

Physical access

Access is granted only to approved employees, on the principle of least privilege. Each access is limited in time and area to the necessary minimum and is regularly re-evaluated.

Surveillance and detection

Our data centers follow common security practices, including closed-circuit video monitoring and guards manned 24/7, and require the use of biometric access controls to our locked cages.

Operational support systems

Power, climate and temperature are controlled and monitored 24/7. Data centers are equipped with fire detection and suppression equipment to ensure the highest level of safety.

Read more about AWS data center controls:

https://aws.amazon.com/compliance/data-center/controls/

Network security

Protection

The CORSANO network is protected by AWS security services (access control lists, firewalls, anti-malware, TLS to secure data in transit, VPN…).

Architecture

Our cloud architecture consists of multiple layers of security, with separated data clusters replicated across multiple availability zones. Each layer is fronted by load balancers and protected by firewalls.

Infrastructure Analysis

The security of the infrastructure is analyzed with AWS tools to ensure it complies with the most rigorous practices in terms of operational excellence, security, reliability and performance.

Backups

CORSANO has implemented automated backup mechanisms for data, software and tools. Backups are regularly executed, tested and transferred to secure storage.

Events logging

CORSANO continuously monitors all events 24/7 and takes timely and appropriate action according to the severity level. The ISO 13485 Quality Management System clearly defines the procedure for incident management.

Encryption

CORSANO uses strong encryption in all layers and at all levels of communication, together with robust authentication technologies (OAuth, JWT) and current standards for encrypted protocols (HTTPS, TLS).

Data are deleted when they are no longer strictly necessary for the intended use of the product. Stored data shall be encrypted with AES-256 or stronger.

Services & Applications Security

For services and applications, we deliver, maintain and manage data protection and security along all stages of their lifecycle.

Secured development

Code development best practices

Our developers follow programming best practices (OWASP Top 10 security risks) and maintain an up-to-date API Security Checklist.

Agile organization, code review and testing

All development activities are organized using the Agile method, with sprints and clear prioritization of tasks. The development process includes code reviews, unit tests, functional integration tests and security tests.

Software Quality Assurance

The software lifecycle, including development, testing, configuration and releases, is fully compliant with IEC 62304, the standard for medical device software.

Vulnerabilities management

Automated security tests

Automated security tests are performed on each block of the cloud infrastructure to surface potential vulnerabilities.

Third party penetration tests

Rigorous penetration tests are regularly performed by expert companies specialized in penetration testing and ethical hacking.

Authentication security

Password policy

CORSANO requires the use of strong passwords and complies with international recommendations on password robustness.

Multi-factor authentication

MFA is required for all access to critical data and resources.

APIs

CORSANO APIs use OAuth 2.0 and JWT to authenticate applications. Complex keys, token expiration and other best practices are used to protect against brute forcing and other attacks.

Role-based access controls

Role-based access controls are used with a least-privilege approach to ensure privacy and limit risk.

Securing data in transit

All communications over public networks are encrypted using HTTPS/TLS according to industry best practice (TLS 1.2 or higher).

Certifications & Standards

To ensure data privacy and security of our products and services, we comply with the highest standards of health data protection.

Certifications

Our data centers are certified for information security.

AWS has certification for compliance with ISO/IEC 27001:2013, 27017:2015, 27018:2019, 27701:2019, 9001:2015, and CSA STAR CCM v3.0.1.

Read more about AWS certification:

https://aws.amazon.com/compliance/iso-certified/

Standards

General Data Protection Regulation (GDPR): Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.

Health Insurance Portability and Accountability Act (HIPAA) of 1996: the standard governing the hosting of personal health data.

Continuous improvement

As an ISO 13485 certified company, CORSANO has established a Quality Management System (QMS) for the development and production of medical devices. The company aims for continuous improvement to deliver the best products to its customers.

Internal audits

Internal audit plan

An audit plan is defined yearly. Audits with external and internal experts are performed regularly. QMS and product compliance are verified in quarterly review sessions.

Management review

Management reviews ensure that management systematically reviews the compliance of the processes, the products and the company on a yearly basis. This makes it possible to assess opportunities for improvement and decide on strategic actions to improve the long-term quality of the products.

External audits

Quality Management System audits

CORSANO is audited annually for compliance with the ISO 13485 standard for Quality Management Systems for Medical Devices by the Notified Body Kiwa-Dare.

Security audit

Expert companies regularly perform security audits and penetration tests to ensure that the company stays up to date and applies the highest data security and privacy standards.

Conformity assessment audits

Conformity assessment audits are performed by accredited and independent third-party experts. This ensures the compliance of the company procedures and technology with the regulations (GDPR, HIPAA).

Policy, Contracts and Project Safeguards

To ensure data privacy in our products and services, we apply the highest standards of health data protection.

Subcontractors Management

CORSANO works with several subcontractors that were carefully selected and are regularly evaluated according to the supplier management procedure of our certified QMS.

CORSANO has specific DPAs (Data Protection Agreements) with critical suppliers where data processing is involved, to ensure that the company's Privacy and Security policy is maintained at all stages of product and service creation and provision.

Employee Confidentiality agreement

All employees must sign non-disclosure and confidentiality agreements. This confidentiality agreement remains valid after the end of the employment contract.

Security awareness

Security policies

CORSANO and its partners have developed a comprehensive set of policies and procedures covering the employee confidentiality duty, security best practices, customer and internal privacy, and incident management. CORSANO has named a DPO (Data Privacy Officer) who is responsible for data privacy and security within the company and for reporting to the Regulatory Authorities.

Information security awareness

Data security and privacy are considered a priority, and all members of CORSANO HEALTH are encouraged to develop their knowledge through trainings and events, so that data security is part of the company culture.

General Data Protection Regulation (GDPR) Compliance

CORSANO is passionate about ensuring that our clients are able to comply with data privacy regulations, including the European Union’s GDPR, which goes into effect in May 2018. We provide our clients with enterprise-grade controls to manage and govern access to, and ensure the security of, personal data housed in Corsano Health Cloud. As required by GDPR, CORSANO allows clients to correct, export, or permanently delete personal information. We also purge personal data from internal processing systems to minimize the data we retain, in line with GDPR Article 5. Please visit our GDPR page to find out more about how CORSANO is setting the bar for customer personal data protection.

To report an incident or concern, or for general security questions, please email privacy@corsano.com.