Our technology meets all data security and regulatory standards in each of our operating territories. Public and private clinics and hospitals worldwide use our devices and reporting technologies in accordance with local government regulations, best practice protocols as well as our own policies and security procedures.
Download our Security fact sheet to learn more.
We are ISO9001:2015 certified for diagnostic and cardiac services to ensure our global business meet the highest international standards and certainty for our customers. Annual auditing and independent security penetration testing also form part of our security and compliance framework.
Information is transferred via secure communication software that encrypts and uploads the patient data to CardioScan servers. The information is securely transferred over HTTPS using SHA-2 encryption.
External interfaces are limited to HTTPS (port 443). The service is protected from external threats by a web application firewall that blocks non-required ports and performs deep, packet-level inspection of all web traffic.
CardioScan’s BeatBox is a purely cloud platform and no information is stored on local machines or mobile devices. The platform is built as a multitenant structure with 5 levels of hierarchy which is segregated based on each level per user and can be controlled by either the Customer or CardioScan.
CardioScan’s AWS environment is architected as a multi-layered, highly-available and secure service. Transparent data encryption (TDE) is used to automatically encrypt data at rest in the database using a 256-bit AES encryption algorithm. Files stored in object stores are also encrypted at rest using AES-256 server-side encryption.
Data is stored in Amazon Web Services where physical security is maintained 24×7. This includes the controlling of physical data centre access to approved employees only and the monitoring and logging all activity through sophisticated surveillance and detection systems.
Access to the BeatBox system is controlled through a user ID and password and a second authentication factor eg. Soft token if enabled for the user and organisation. The system uses role bases access control and a multi-layer organisational hierarchy to determine whether data is accessible to a user. Within configuration BeatBox supports and can enforce the use of complex passwords, password expiry, password history, minimum password length, session timeout and maximum login attempt lockout.
The policy for retaining records is defined by customer. Records will be retained indefinitely or as per agreement. On request or as per agreement, CardioScan will delete the customer’s data from the BeatBox service and associated data stores as agreed. Data stored in AWS filesystems and object storage services will not be accessible once deleted and the reference to the data is removed.