PhysioQ strives to meet the highest standards for data security and privacy, and to ensure that your data collection and storage are set up to comply with all relevant best practices.
This document clarifies which measures have been taken in the design and production of PhysioQ - in relation to data collection, storage, backup, security, and regulations that must be complied with when handling sensitive data.
1. Security of the System/Application
System Updates and Security Patches
- As a hosted solution, we regularly improve our system and apply security patches. Non-critical system updates are installed at predetermined times, while critical application updates are performed ad hoc using a rolling deployment to maximize system performance and minimize disruption. All updates and patches are evaluated in a virtual production environment before deployment.
- All PhysioQ users are informed of new PhysioQ version rollouts, with information on changes and potential feature updates.
Vulnerability and Security Testing
- PhysioQ performs regular Vulnerability Assessments once a month. Additional internal security testing is performed on the testing environment before the code is merged into a master repository.
User Login and Session Security
- Two-step verification provides an extra layer of security designed to ensure that user accounts can only be accessed by those given explicit access.
- With our trusted device management, accounts are protected with extra steps when being accessed by a new device.
Application Password Management
- PhysioQ requires user passwords to conform to a high-level password policy to limit the possibility of brute-force attacks. Passwords cannot be recovered, because PhysioQ does not store the original password (only an irreversible, one-way hashed form of it); users who lose their password are therefore required to create a new one.
- PhysioQ’s password policy requires each user to create a password that must consist of at least 8 characters with at least one number, one capital letter, and one lower case letter.
User Permission and Roles
- PhysioQ utilizes various account permission settings to allow secure collaboration with other PhysioQ users on a project. Administrators can customize user rights and responsibilities, from principal investigators to research assistants, ensuring projects and data can only be accessed by those given explicit access.
Encrypted Data Transfer
- All data sent between PhysioQ users and the system is encrypted using the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols. This keeps data secure while in transit and ensures it can only be interpreted by the intended parties.
How we limit PHI (Personal Health Information)
- Research participants have entrusted researchers with their data, and we believe in upholding that trust. We actively help researchers protect the confidentiality of participants, ensuring that all their data is anonymized before entering our system. Furthermore, no participant data is allowed to be collected without first having the researchers’ and participants’ consent.
- PhysioQ does not save the participants’ personal details. Instead, we create identification codes for your participants, which are randomly generated. These IDs are anonymous and unalterable. They can also be automatically generated when a new participant is included. It is the researcher’s responsibility to keep a record of the participant IDs linked to personal data.
- We advise all researchers not to store participant-identifiable information within PhysioQ, such as surnames, Social Security numbers, dates of birth, and so on. The safest solution is to use the PhysioQ participant ID within PhysioQ and to keep the link between that ID and the participant's personal data on the researcher's own computer, within their own network. This ensures that data held in PhysioQ can never be traced back to a participant.
2. Data Center & Hardware (server security)
- All PhysioQ application and database servers are physically managed by Amazon Web Services (AWS) in highly secure data centers within the United States.
- AWS data centers are certified with a broad set of international and industry-specific standards such as ISO 9001 (Global Quality Standards), ISO 27001 (Security Management Controls), ISO 27017 (Cloud-Specific Controls), and ISO 27018 (Personal Data Protection). View all AWS compliance certifications: https://aws.amazon.com/compliance/programs/
- All AWS data center facilities have 24/7 physical security and Network Operations Center monitoring. Learn more about AWS data center security: https://aws.amazon.com/compliance/data-center/data-centers/
- Physical access is controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, intrusion detection systems, and other electronic means.
Data Access and Server Management Security
- PhysioQ ensures strong encryption for your data while in transit and at rest.
- No third party has access to any data on AWS hosting services.
- AWS does not access any of the data collected and stored on PhysioQ servers. As stated directly by AWS: "As a customer, you maintain ownership of your content, and you select which AWS services can process, store, and host your content. We do not access or use your content for any purpose without your consent. We never use customer content or derive information from it for marketing or advertising." View AWS data privacy policies: https://aws.amazon.com/compliance/data-privacy-faq/
- Only select PhysioQ employees are able to access the server network.
Infrastructure and Environmental Safeguards
- All AWS data centers are equipped with components like back-up power equipment, HVAC systems, and fire suppression equipment. They are built to mitigate environmental risks, such as flooding, extreme weather, and seismic activity.
3. Data Storage & Backups
- PhysioQ primarily uses an AWS data center in Ohio. All data is continuously replicated and backed up across multiple AWS locations in the US. All data is de-identified and encrypted while in transit and at rest.
- For long-term storage of data, PhysioQ uses AWS S3 Glacier, a secure and durable cloud storage service for data archiving and long-term backup. It is designed to deliver 99.999999999% durability and provides comprehensive security and compliance capabilities that can help meet even the most stringent regulatory requirements. (https://aws.amazon.com/glacier/)
- ICH-GCP (Good Clinical Practice) prescribes that all medical data be stored for at least two years unless a longer period is required by local regulations. PhysioQ stores all data for at least 3 years after your study finishes and allows you to easily export it at any time. If your local laws require longer storage, let us know and we will make sure your study complies with them.
4. System Availability
- PhysioQ runs on fully managed virtual private servers. All servers are continually and pro-actively monitored, and in the event of any emerging problems or downtime, action is immediately taken according to our standard operating procedures.
5. Continuity & Source Code Escrow
If anything unexpected should happen to PhysioQ, we want to minimize the impact this has on all users. Therefore, we provide coverage in both the short and the long term:
- Short term coverage through a continuity solution: Funds have been put aside to ensure hosting continues for at least 3 months for all users.
- Long term coverage through a Source Code Escrow: users have the option to become a beneficiary of the application source code in case of product discontinuation. The code can be deployed in your own environment, or our hosting provider can continue the services.
6. In the Event of an Incident
- PhysioQ maintains real-time data stores mirrored across multiple geographic availability zones in AWS within your country of operation (i.e., data collected in the United States will be mirrored in the United States). In a disaster situation, the full PhysioQ platform will be recreated and available in a different availability zone within a day of the disaster declaration.
- PhysioQ incorporates the newest technologies for secure computing and data storage. However, data transmission over the internet and data storage can never be guaranteed 100% secure. As such, if a security breach should occur, we will do everything possible to inform you as soon as possible and to minimize damage. A formal notice will state the type of security breach the system was subject to and what measures have been taken to limit its impact. In addition, PhysioQ will inform all users which actions to take to minimize any risk of inconvenience.
7. Last Updated
The PhysioQ Security Statement was last updated on May 4, 2021.
PhysioQ strives to meet the highest standards for data security, and to ensure that your data collection and storage are set up to comply with all relevant laws, regulations, and best practices such as ICH-GCP, HIPAA, FDA 21 CFR Part 11, GDPR, PIPEDA, PHIPA, ISO 27001, and ISO 9001. This document clarifies which measures have been taken in the design and production of PhysioQ in relation to data collection, storage, backup, security, and the regulations that must be complied with when handling sensitive health-related data.