How Do You Handle Patient Confidentiality & Data Security?

We are frequently asked by potential users about patient confidentiality and data security. This article explains in straightforward terms the measures that we take to protect your data.

Introduction

To understand how we maintain the integrity of your data, it’s worthwhile recapping on how WriteUpp works. WriteUpp is a cloud-based application. This isn’t particularly useful terminology as it implies something ethereal and anything but secure. In reality, cloud-based software is extremely secure and it is now the preferred software model of pretty much all major software vendors, including Microsoft (Office 365 is the cloud-based version of Microsoft Office).

In a cloud-based model, the application software (the stuff that you typically have to install on your PC) and your data (i.e. your patient records) are stored on our servers in a secure data centre. When you use WriteUpp, you are given your own personal URL, such as mypractice.writeupp.com along with a username and password that you use to access the software.

When you enter your personal URL into your chosen web browser (Google Chrome, Firefox, Internet Explorer or Safari) everything you see on your screen (application and data) has been sent to your computer over the internet from our servers, which are stored in a secure data centre. Importantly, no data is ever stored on your computer/device and there is no software to install.

These are the basic principles of cloud-based software. We’ll now explain what we do to keep your data safe.

Data Centre

We make reference to a “secure data centre”, but what does that actually mean?

The data centre that we use is located on the UK mainland (not overseas). Below is a schematic of the data centre layout.


Your data is stored on our servers, which are located in specially constructed racks (1) designed to aid maintenance. Only our data is stored on our servers, which are dedicated to running WriteUpp and nothing else.

The most common cause of computer failure is overheating. To mitigate this, the environmental conditions in the centre are managed by a climate control system (2) which ensures consistent temperature and humidity.

In the unlikely event of fire, a suppression system (3) is triggered which extinguishes the fire using gas rather than water to prevent unnecessary damage to our servers.

To avoid damage to our servers as a result of electrical spikes, the centre is protected by a bank of Uninterruptible Power Supplies (UPS) (4).

If power to the centre from the National Grid fails, the centre is capable of running for 7 days non-stop using diesel generators (5) within the facility.

Physical access to the centre is controlled by biometric scanners (fingerprint) and CCTV monitors both the inside and outside of the building, which is also protected 24/7 by security guards.

Centre staff DO NOT have user access to our servers. They are contracted to “hot swap” disks in the event of failure but that is the only thing they can do on our servers. The only individuals with access to the data on the servers are our employees (see section on “Our Team” below).

Disk Mirroring

When you are using WriteUpp and entering data into the application, that data is written to two disks (normal desktop computers write to just one) at the same time. The most common component to fail in a computer is the disk drive, so to guard against failure (which can sometimes be catastrophic), we write to two. If one fails, the server automatically switches to the single functioning disk and the centre staff are immediately alerted about the failure. They then “hot swap” the failed disk for a new one (without restarting the server) and normal service is resumed with data being written to both disks.

Backup

As you can see, we have gone to great lengths to protect your data at source. In addition, your data is backed up to a separate physical location every hour. We do this to guard against a major disaster, such as an explosion, which could destroy the whole building.

Outage

We monitor the status of our infrastructure using two mechanisms: one provided by our hosting provider and a separate system provided by Pingdom. The latter is completely independent of our hosting provider's infrastructure.

In the event of an outage, our team assesses the nature of the issue and takes appropriate action. Clients are notified by email that an issue has arisen and of the expected resolution time. Clients also have the ability to log tickets via our helpdesk system, which resides on separate cloud-based infrastructure.

Encrypted in Flight

When data is being sent from your browser to our server it is encrypted using 256-bit encryption. This means that the data can only be interpreted using a specific key that resides on our server. You will know this is working because the address in your browser will begin with “https”.

Our Team

As well as developing WriteUpp, we (Pathway Software) work extensively with the NHS both on and off site. This means that our staff have access to Patient Identifiable Information (PII) on a daily basis. As part of our pre-existing contracts with the NHS, our staff are all background checked using Dun & Bradstreet. In addition, they are required as part of their employment contract to undertake Acceptable Use of IT Training, Acceptable Use of Mobile Devices Training and PII training.

We are also accredited to have remote access to NHS Servers in three different Trusts from our offices here in Halifax.

Record Deletion

WriteUpp provides a mechanism for you to delete patient records from the system should an individual no longer be a client of the user or if the client requests their data to be deleted.

Account Deletion

In the event that you choose to unsubscribe from WriteUpp, your account and client details will be deleted after a 45-day “cooling off” period.

Information Commissioner

Pathway Software, the developer of WriteUpp, is registered with the Information Commissioner's Office (ICO). The ICO is the Government office responsible for the enforcement of the Data Protection Act 1998. Our registration number is Z2865352.

If you have any further questions or concerns about the way we protect your data, please contact Bob Bond (our CEO) directly on 01422 349412.
