Security
Protecting your data is our priority and we ensure safety and security at every level.
Data security
CORSANO customers' data, and the security of that data, is of utmost importance to us, which is why we give our customers complete control over their data. Data security and privacy are a priority, and we aim to create a platform where data can be securely shared between users and health professionals.
CORSANO protects personal data through best practices in software development and cloud architecture, complying with multiple security and privacy standards (GDPR, HIPAA, ISO 27001).
Secure cloud infrastructure
A top-quality cloud infrastructure is crucial for data security. This is why we select the best partners and use the best technologies and practices to ensure security, privacy and the highest level of service for our users and customers.
CORSANO stores all production data in physically secure data centers. We use Amazon Web Services (AWS), a pioneer in supporting health data, in order to master every aspect of data security. As an AWS Business Associate, we can guarantee compliance with the highest data security and privacy standards.
https://aws.amazon.com/ru/health/healthcare-compliance/
Data centers
Secure design
Security is ensured by design, starting with careful site selection based on an initial geographic assessment that rules out environmental risks.
Data center redundancy and automatic traffic management make it possible to maintain the highest level of service.
Physical access
Access is granted only to approved employees, on the principle of least privilege. Each access is limited in time and area to the necessary minimum and is regularly re-evaluated.
Surveillance and detection
Our data centers follow common security practices, including closed-circuit video monitoring and 24/7 manned guards, and require biometric access controls for our locked cages.
Operational support systems
Power, climate and temperature are controlled and monitored 24/7. Data centers are equipped with fire detection and suppression equipment to ensure the highest level of safety.
Read more about AWS data center controls:
https://aws.amazon.com/compliance/data-center/controls/
Network security
Protection
The CORSANO network is protected by AWS security services (access control lists, firewalls, anti-malware, TLS for data in transit, VPN, etc.).
Architecture
Our cloud architecture consists of multiple security layers and separated data clusters, replicated across multiple availability zones. Each layer is controlled by load balancers and protected by firewalls.
Infrastructure Analysis
Infrastructure security is analyzed with AWS tools to ensure it complies with the most rigorous practices in operational excellence, security, reliability and performance.
Backups
CORSANO has implemented automated backup mechanisms for data, software and tools. Backups are executed regularly, tested and transferred to secure storage.
Events logging
CORSANO monitors all events continuously, 24/7, and takes timely and appropriate action according to the severity level. The ISO 13485 Quality Management System clearly defines the incident management procedure.
Encryption
CORSANO uses strong encryption in all layers and at all levels of communication, with robust authentication technologies (OAuth, JWT) and current encrypted protocol standards (HTTPS, TLS).
Data are deleted when they are no longer strictly necessary for the intended use of the product. Stored data are encrypted with AES-256 or stronger.
Services & Applications Security
For services and applications, we deliver, maintain and manage data protection and security throughout all stages of their lifecycle.
Secure development
Code development best practices
Our developers follow programming best practices (addressing the OWASP Top 10 security risks) and maintain an up-to-date API Security Checklist.
Agile organization, code review and testing
All development activities are organized using the Agile method, with sprints and clear prioritization of tasks. The development process includes code reviews, unit tests, functional integration tests and security tests.
Software Quality Assurance
The software lifecycle, including development, testing, configuration and releases, is fully compliant with the IEC 62304 standard for medical device software.
Vulnerability management
Automated security tests
Automated security tests are performed on each block of the cloud infrastructure to surface potential vulnerabilities.
Third party penetration tests
Rigorous penetration tests are performed regularly by expert companies specializing in penetration testing and ethical hacking.
Authentication security
Password policy
CORSANO requires the use of strong passwords and complies with international recommendations on password robustness.
Multi-factor authentication
MFA is used for all access to critical data and resources.
APIs
CORSANO APIs use OAuth 2.0 and JWT to authenticate applications. Complex keys, token expiration and other best practices protect against brute forcing and other attacks.
Role-based access controls
Role-based access controls are used with a least-privilege approach to ensure privacy and limit risk.
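The two API controls described above, token authentication with expiry and a least-privilege role check, fit together in one request path. The following is an added illustration written for this page, not CORSANO's own code: it assumes HS256-signed JWTs carrying `exp`, `sub` and `role` claims, a constructed demo key, and made-up role names ("patient", "clinician") with a deny-by-default permission map. It shows the checks a verifier has to make in order (algorithm pinned, constant-time signature comparison, expiry, then authorization) and how each failure maps to a 401 or 403.

```python
"""Token authentication and least-privilege authorization for an API.

Added illustration, not CORSANO's code. Assumes HS256 JWTs with exp/sub/role
claims; the key, role names and permission strings are constructed."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo key; a real deployment loads the key from a secrets manager.
DEMO_SECRET = b"example-hmac-key-not-real"

# Least-privilege permission map (constructed): each role lists only what it
# needs, and anything not listed is denied by default.
ROLE_PERMISSIONS = {
    "patient": {"read:own_vitals"},
    "clinician": {"read:own_vitals", "read:patient_vitals", "write:notes"},
}


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(segment: str) -> bytes:
    # JWT segments drop '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def issue_token(secret: bytes, claims: dict, ttl_seconds: int, now: Optional[float] = None) -> str:
    """Mint an HS256 JWT carrying the claims plus iat/exp (used here to build inputs)."""
    now = time.time() if now is None else now
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = dict(claims, iat=int(now), exp=int(now) + ttl_seconds)
    payload = b64url_encode(json.dumps(body).encode())
    signature = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(signature)}"


def verify_token(secret: bytes, token: str, now: Optional[float] = None) -> dict:
    """Return the claims if the token is well-formed, signed with our key and unexpired.

    Raises ValueError otherwise. The algorithm is pinned to HS256, so a header
    that says "none" (or anything else) is rejected before any signature check."""
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        payload = json.loads(b64url_decode(payload_b64))
        signature = b64url_decode(sig_b64)
    except ValueError:  # bad split, bad base64 (binascii.Error) and bad JSON all land here
        raise ValueError("malformed token")
    if not isinstance(header, dict) or not isinstance(payload, dict):
        raise ValueError("malformed token")
    if header.get("alg") != "HS256":
        raise ValueError("unexpected algorithm")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    # Constant-time comparison so the check does not leak through timing.
    if not hmac.compare_digest(expected, signature):
        raise ValueError("bad signature")
    exp = payload.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        raise ValueError("token expired")
    return payload


def is_authorized(claims: dict, permission: str) -> bool:
    """Deny-by-default RBAC check against the verified role claim."""
    return permission in ROLE_PERMISSIONS.get(claims.get("role"), set())


def handle_request(secret: bytes, token: str, permission: str, now: Optional[float] = None) -> str:
    """What an API gateway does per request: authenticate first, then authorize."""
    try:
        claims = verify_token(secret, token, now)
    except ValueError as exc:
        return f"401 {exc}"  # format, signature and expiry failures all map to 401
    if not is_authorized(claims, permission):
        return "403 forbidden"
    return f"200 ok for {claims.get('sub', '?')}"


if __name__ == "__main__":
    demo = issue_token(DEMO_SECRET, {"sub": "user-1", "role": "clinician"}, 600)
    print(handle_request(DEMO_SECRET, demo, "read:patient_vitals"))
```

Two design points are worth noting: the verifier never trusts the `alg` header to choose the algorithm, which is what makes the "none" case harmless, and the role lookup falls through to an empty permission set, so an unknown or missing role is denied rather than accidentally granted.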
Securing data in transit
All communications over the public network are encrypted with industry-standard HTTPS/TLS (TLS 1.2 or higher).
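A "TLS 1.2 or higher" policy is only as good as the client and server settings that enforce it. The block below is an added illustration, not CORSANO's configuration: using Python's standard `ssl` module, it builds an outbound client context pinned to TLS 1.2 as the minimum (TLS 1.3 remains allowed) beside the lax variant that appears when certificate errors are "fixed" by switching verification off, and a small policy check that flags the lax one. Function names and the finding strings are the example's own.

```python
"""Outbound TLS configuration for an API client, with a policy check.

Added illustration, not CORSANO's configuration; function names and
finding strings are constructed for this example."""
import ssl
from typing import List


def hardened_client_context() -> ssl.SSLContext:
    """Client context matching the stated policy: verified certificates,
    hostname check, and TLS 1.2 or higher."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED, check_hostname=True, system CAs
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def lax_client_context() -> ssl.SSLContext:
    """The weak counterpart: verification disabled, so any certificate (and
    therefore any interposed party) is accepted. Built only to be flagged."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must be cleared before verify_mode can become CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def tls_findings(ctx: ssl.SSLContext) -> List[str]:
    """Return policy violations for a client context; an empty list means compliant."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum version below TLS 1.2")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate verification disabled")
    if not ctx.check_hostname:
        findings.append("hostname check disabled")
    return findings


if __name__ == "__main__":
    for name, ctx in (("hardened", hardened_client_context()), ("lax", lax_client_context())):
        print(name, tls_findings(ctx) or ["ok"])
```

The same three attributes are what a reviewer reads off an `SSLContext` in code review; checking them programmatically turns the policy sentence into something a unit test can enforce across every outbound client in a code base.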
Certifications & Standards
To ensure the data privacy and security of our products and services, we comply with the highest standards of health data protection.
Certifications
Our data centers are certified for information security.
AWS has certification for compliance with ISO/IEC 27001:2013, 27017:2015, 27018:2019, 27701:2019, 9001:2015, and CSA STAR CCM v3.0.1.
Read more about AWS certification:
https://aws.amazon.com/compliance/iso-certified/
Standards
General Data Protection Regulation — European Union 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.
Health Insurance Portability and Accountability Act (HIPAA) of 1996: the standard governing the hosting of personal health data.
Continuous improvement
As an ISO 13485 certified company, CORSANO has established a Quality Management System (QMS) for the development and production of medical devices. The company aims for continuous improvement to deliver the best products to its customers.
Internal audits
Internal audit plan
An audit plan is defined yearly. Audits with external and internal experts are performed regularly. QMS and product compliance are verified in quarterly review sessions.
Management review
Management reviews ensure that management systematically reviews the compliance of the processes, the products and the company on a yearly basis. This makes it possible to assess opportunities for improvement and decide on strategic actions to improve the long-term quality of the products.
External audits
Quality Management System audits
CORSANO is audited annually for compliance with the ISO 13485 standard for medical device Quality Management Systems by the Notified Body Kiwa-Dare.
Security audit
Expert companies regularly perform security audits and penetration tests to ensure that the company keeps up to date with, and applies, the highest data security and privacy standards.
Conformity assessment audits
Conformity assessment audits are performed by accredited and independent third-party experts. This ensures that the company's procedures and technology comply with the regulations (GDPR, HIPAA).
Policy, Contracts and Project Safeguards
To ensure data privacy in our products and services, we apply the highest standards of health data protection.
Subcontractors Management
CORSANO works with several subcontractors, carefully selected and regularly evaluated according to the supplier management procedure of our certified QMS.
CORSANO has dedicated DPAs (Data Protection Agreements) with critical suppliers whenever data processing is involved, to ensure that the company's Privacy and Security policy is maintained at all stages of product and service creation and provision.
Employee Confidentiality agreement
All employees must sign non-disclosure and confidentiality agreements. The confidentiality agreement remains valid after the end of the employment contract.
Security awareness
Security policies
CORSANO and its partners have developed a comprehensive set of policies and procedures covering employees' confidentiality duty, security best practices, customer and internal privacy, and incident management. CORSANO has appointed a DPO (Data Privacy Officer) who is responsible for data privacy and security within the company and for reporting to the Regulatory Authorities.
Information security awareness
Data security and privacy are considered a priority, and all members of CORSANO HEALTH are encouraged to develop their knowledge through training and events, so that data security is part of the company culture.
General Data Protection Regulation (GDPR) Compliance
CORSANO is passionate about ensuring that our clients are able to comply with data privacy regulations, including the European Union's GDPR, which goes into effect in May 2018. We provide our clients with enterprise-grade controls to manage and govern access to, and ensure the security of, personal data housed in the Corsano Health Cloud. As required by GDPR, CORSANO allows clients to correct, export or permanently delete personal information. We also purge personal data from internal processing systems to minimize the data we retain, per GDPR Article 5. Please visit our GDPR page to find out more about how CORSANO is setting the bar for customer personal data protection.
To report an incident or concern, or for general security questions, please email privacy@corsano.com.