
Security

The Security building block in the HOPE Platform is based on an advanced access policy, a so-called “deny first principle”. This means that all access to information is restricted as a default. Access to information is activated only for a limited number of select people.

The restriction also applies to systems architecture, user authentication and how user access is managed by ADDI Medical for access to the system for maintenance and support purposes.

HOPE Platform™ meets the requirements of the MDD (Medical Devices Directive) 93/42/EEC.

 

Authentication

HOPE Platform has two main types of user:

  • Healthcare and medical staff including doctors, nurses, administrators and research staff. These users work in HOPE Practitioner.
  • The patient uses HOPE App.

Both types of user must authenticate themselves in accordance with established authentication methods before gaining access to information and functions in HOPE Platform. This applies to everything from registering information and participating in an activity such as a video meeting to answering a questionnaire.

Healthcare staff mainly use SITHS cards to log in, while the patient uses the pairing service or BankID.

Pairing service

Patient Connector facilitates pairing between HOPE App and HOPE Practitioner. The purpose of the service is to connect the patient’s access to information via different user interfaces.  

Patient Connector is a software framework included in HOPE Platform. The framework requires minimal configuration and automatically sets up services used to pair HOPE App with HOPE Practitioner.

Encryption

All communication in HOPE Platform takes place via web services. Authentication is required to get access to the web services.

Data is encrypted in transit using TLS (Transport Layer Security, a cryptographic communication protocol), which means that no unauthorised party can eavesdrop on a video meeting or take part in any other communication between the patient and care services.

Log

In accordance with the Swedish Patient Data Act (PDL), HOPE Platform logs all user activity and saves the individual log for at least 5 years.

The log reports:

  • Patient data activity, for example when the caregiver has read, edited, exported, copied, created, or printed healthcare documentation
  • The healthcare unit and the time at which the activity was carried out and by whom
  • Identity of the patient involved

Secure data storage

HOPE Platform can be run as SaaS – Software as a Service – a cloud-based system for which the company does not need to install and maintain clients on each individual workstation.

Operational responsibility
ADDI Medical is responsible for application operations, managing backups and updates of new versions of HOPE Platform, as well as support and monitoring logs. This process is described in our maintenance process as part of our quality management system.

Service pack and security updates in Azure
HOPE Platform is hosted on Azure. ADDI Medical applies service packages that include regular security updates after release, in sync with existing HOPE Platform service windows.

Antivirus
HOPE Platform is protected with Microsoft Defender Advanced Threat Protection. Security updates and patches are configured for automatic installation.

Local client-side installation
HOPE Platform is also designed to be installed and run locally at the customer's site. In this case, the customer is responsible for ensuring that security updates are performed and antivirus software is in place on the servers where HOPE Platform is installed.

PIN code

HOPE Platform offers protection in the form of a Personal Identification Number (PIN code) that the user can enter: a personal security code made up of a numeric password.

A PIN code can be entered in HOPE App at any time. The PIN code consists of four digits selected by the user. The code is protected by encryption.

Laws and regulations

HOPE Platform also complies with the following laws and regulations not covered by the Medical Devices Directive (MDD):

  • General Data Protection Regulation (GDPR)

  • Swedish Patient Data Act, PDL (2008:355)

  • Swedish National Board of Health and Welfare Code of Statutes (SOSFS 2008:14)

  • Regulations and general guidelines concerning patient records and processing of personal data within health and medical care (HSLF-FS 2016:40)
