We are frequently asked by potential users about patient confidentiality and data security. This article explains in straightforward terms the measures that we take to protect your data.
To understand how we maintain the integrity of your data, it’s worthwhile recapping on how WriteUpp works. WriteUpp is a cloud-based application. This isn’t particularly useful terminology as it implies something ethereal and anything but secure. In reality, cloud-based software is extremely secure and it is now the preferred software model of pretty much all major software vendors, including Microsoft (Office 365 is the cloud-based version of Microsoft Office).
In a cloud-based model, the application software (the stuff that you typically have to install on your PC) and your data (i.e. your patient records) are stored on our servers in a secure data centre. When you use WriteUpp, you are given your own personal URL, such as mypractice.writeupp.com along with a username and password that you use to access the software.
When you enter your personal URL into your chosen web browser (Google Chrome, Firefox, Internet Explorer or Safari) everything you see on your screen (application and data) has been sent to your computer over the internet from our servers, which are stored in a secure data centre. Importantly, no data is ever stored on your computer/device and there is no software to install.
These are the basic principles of cloud-based software. We’ll now explain what we do to keep your data safe.
You're in Safe Hands
We've invested heavily in Microsoft's Azure cloud infrastructure, which is trusted by many of the world's leading enterprises and government agencies. In its state-of-the-art data centres, Microsoft manages 1+ million servers in 140 countries, supporting 20 million businesses, including WriteUpp.
We use active geo-replication in WriteUpp to create four readable secondary databases in both of our EU-based data centre locations. In essence, this results in eight geographically distributed, real-time copies of the data that underpins WriteUpp. As well as providing you with extra peace of mind, this technology allows us to use these secondary databases for failover if there is a data centre outage. For you, this means outstanding up-time and world-class data integrity.
Access to Microsoft's data centres is strictly limited to security-cleared personnel, controlled by extensive CCTV monitoring and state-of-the-art access control systems.
- Security guards patrolling 24x7x365
- Two-factor access control via biometric verification and card reader
- Climate control, seismic bracing and uninterruptible power supply in the event of power failure ensure the data centre keeps running 24x7x365
The video below demonstrates why we have chosen to invest in Microsoft to protect your data:
In selecting Microsoft Azure we wanted to work with an organisation that upheld the highest standards of privacy and data protection. We also wanted access to state-of-the-art tools to help us manage and secure your data. Here are some of the global companies that rely on Microsoft Azure – Customer & Partner Success Stories
In the event of an outage, our team assesses the nature of the issue and takes appropriate action. Clients are notified by email that an issue has arisen and of the expected resolution time. Clients can also log tickets via our helpdesk system, which resides on separate cloud-based infrastructure.
Encrypted in Flight
When data is being sent from your browser to our server, it is encrypted using 256-bit encryption. This means that the data can only be interpreted using a specific key that resides on our server. You will know this is working because the address in your browser will begin with “https”. If you would like to know more about HTTPS & SSL, click here.
Two-Factor Authentication (2FA)
For those users wanting extra peace of mind, WriteUpp supports two-factor authentication (2FA), which provides an optional added layer of security for your WriteUpp account.
As the name suggests, 2FA uses two mechanisms (instead of one) to verify your identity when you log in to WriteUpp. In our case these two mechanisms are:
- Username/password – like normal
- Your mobile phone
All this means, in reality, is that the login process has one extra step after you have entered your username and password. This step involves entering a Time-based One-Time Password (TOTP), which is a six-digit code generated by an authentication app (like Google Authenticator, Microsoft Authenticator or Authy) on your mobile phone. You can read more about 2FA and the extra protection that it affords here.
EEA/EU based Data Centres
GDPR imposes restrictions on the transfer of personal data outside the European Union. These restrictions are in place to ensure that the level of protection of individuals afforded by the GDPR is not undermined. To ensure we comply with GDPR (as your data processor) our data centres are located in the European Union. Going forward, in view of the lack of clarity from the UK Government and European Union about how Brexit might impact GDPR we have invested in the necessary infrastructure to allow us to relocate our data centres so that we remain compliant with future regulatory and legal requirements, should this prove necessary.
As your "data processor", we are fully prepared for GDPR but in addition, we have rolled out a series of features to help you reduce the time and cost involved in meeting your GDPR responsibilities going forwards. These include:
- Provision of the WriteUpp ID (WUID) which allows you to protect your client’s privacy by displaying their WUID (instead of their name) in your diary, documents, notes and emails and thereby avoiding the need to transmit PII (Patient Identifiable Information)
- Streamlined capture of Privacy Consent (Article 13 of GDPR) via email or in person
- Logging, managing and fulfilling Access Requests (Article 15 of GDPR). For many practices, collating every facet of information that you hold about a client within the 30-day deadline could be very onerous and time-consuming but in WriteUpp you can pull this information together in a few seconds.
- In accordance with Article 17 of the GDPR, clients have the "right to be forgotten" (subject to professional regulations). WriteUpp provides a secure record deletion mechanism that allows you to delete a record in its entirety whilst also maintaining an auditable, non-identifiable log that the record has been deleted.
As well as developing WriteUpp, we (Pathway Software) work extensively with the NHS both on and off site. This means that our staff have access to Patient Identifiable Information (PII) on a daily basis. As part of our pre-existing contracts with the NHS, our staff are all background checked using Dun & Bradstreet. In addition, they are required as part of their employment contract to undertake Acceptable Use of IT Training, Acceptable Use of Mobile Devices Training and PII training.
We are also accredited to have remote access to NHS Servers in three different Trusts from our offices here in Chester.
In the event that you choose to unsubscribe from WriteUpp, your account and client details will be deleted after a 45-day “cooling off” period.
ICO Registration Number
Pathway Software, the developer of WriteUpp, is registered with the Information Commissioner's Office (ICO). The ICO is the Government office responsible for the enforcement of the Data Protection Act 1998 and its successor, GDPR. Our registration number is Z2865352.
If you have any further questions or concerns about the way we protect your data please contact support via firstname.lastname@example.org.
Need More Help?
We understand that not everything is black and white, so if you need some help, click "Submit A Request" to raise a ticket and one of our team will help you out as soon as possible.