
White paper

Quality and security at Visiba

With a patient using our platform every 25 seconds, patient safety and data privacy are top priorities in everything we do.

Introduction

We take great pride in maintaining the highest standards of quality and information security across all aspects of our organisation. Our work culture is one where quality and information security are of the utmost importance. It is ingrained in our daily operations and decision making, and every employee takes ownership of their role in protecting our customers' information.

We strive to continuously improve and are convinced that complying with regulations, standards, and best practices is imperative in order to provide high quality and secure services. By committing ourselves to these priorities, we safeguard the trust placed in us by our customers and their end users.

This white paper aims to highlight some of the measures and practices that underpin our commitment to patient safety, data privacy, and operational excellence.

Standards and certifications

To demonstrate our commitment to quality and security, we adhere to and comply with a diverse range of internationally recognised standards, including:

  • ISO 13485:2016 Medical devices — Quality management systems — Requirements for regulatory purposes
  • ISO/IEC 27001 Information security management systems
  • ISO 14971:2019 Medical devices — Application of risk management to medical devices
  • IEC 62366-1:2015 Medical devices — Part 1: Application of usability engineering to medical devices
  • IEC 62304:2006+AMD1:2015 Medical device software - Software life cycle processes
  • IEC 82304-1:2016 Health software — Part 1: General requirements for product safety
  • DCB0129: Clinical Risk Management: its Application in the Manufacture of Health IT Systems
  • Normen – The Norwegian Code of Conduct for information security and data protection in the healthcare and care services

Securing our products by design

Development lifecycle

We apply a lifecycle approach to developing all our services, from the initial idea to the end of life. Our experienced product managers ensure that every service we put on the market meets our customers' needs and expectations, and they guide our cross-functional product development teams on what to focus on next.

We proactively conduct post-market activities to continually monitor and ensure the optimal performance of our services. These post-market activities involve examining user feedback and closely tracking performance metrics to detect and address any potential negative trends or issues.

Change management

We follow a structured development approach, dividing our work into three-week release cycles known as sprints, to release improvements, introduce new features, and resolve known bugs. Each sprint concludes with a release meeting, during which our team reviews the work. 

Following the release meeting, the release is thoroughly tested, which includes both regression testing to verify that existing functionalities remain intact and testing of the newly added features and improvements. Our quality assurance team has extensive and proven experience in software quality assurance, strong technical expertise, and a deep understanding of the latest standards. 

During each sprint, we also revisit the service’s risk analysis and assessment and critically evaluate any potential risks that may have arisen due to the changes introduced in the current sprint.

Privacy by default and privacy by design

We always consider data protection and privacy issues upfront in all product development – from the design stage throughout the lifecycle of our services.

For example, to comply with the storage limitation principle (personal data must not be kept for longer than it is needed), our services include functionality that automatically deletes personal data at predefined intervals, configured separately for each customer. We also offer other substantial privacy defaults and user-friendly options and controls.

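The following is an added illustration of how a per-customer retention interval can be enforced; it is example code written for this document, not Visiba's own implementation. It assumes that each customer (tenant) has a retention period in days, that every stored record carries a timezone-aware creation timestamp, and that a customer with no configured interval falls back to a short default rather than being skipped. Customer names, retention values and records are constructed for the example.

```python
"""Per-customer retention purge (added example, not Visiba's code)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumption: a conservative fallback applies when a customer has no explicit
# retention period, so unconfigured tenants never keep data indefinitely.
DEFAULT_RETENTION_DAYS = 90


@dataclass(frozen=True)
class Record:
    record_id: str
    customer_id: str
    created_at: datetime  # must be timezone-aware


# Constructed sample data: retention configured per customer (days).
RETENTION_DAYS_BY_CUSTOMER = {
    "clinic-a": 30,
    "clinic-b": 365,
    # "clinic-c" deliberately has no entry and gets DEFAULT_RETENTION_DAYS
}

# Fixed "now" so the example is reproducible; real code uses datetime.now(timezone.utc).
SAMPLE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

SAMPLE_RECORDS = [
    Record("r1", "clinic-a", datetime(2024, 4, 1, tzinfo=timezone.utc)),   # 61 days old
    Record("r2", "clinic-a", datetime(2024, 5, 20, tzinfo=timezone.utc)),  # 12 days old
    Record("r3", "clinic-b", datetime(2024, 4, 1, tzinfo=timezone.utc)),   # 61 days old
    Record("r4", "clinic-c", datetime(2024, 1, 1, tzinfo=timezone.utc)),   # 152 days old
    Record("r5", "clinic-c", datetime(2024, 5, 1, tzinfo=timezone.utc)),   # 31 days old
]


def retention_for(customer_id, retention_by_customer):
    """Retention period in days for a customer, rejecting nonsensical values."""
    days = retention_by_customer.get(customer_id, DEFAULT_RETENTION_DAYS)
    if days <= 0:
        raise ValueError(f"{customer_id}: retention must be a positive number of days")
    return days


def select_expired(records, retention_by_customer, now=None):
    """Return ids of records whose customer-specific retention period has lapsed.

    Naive timestamps are refused: comparing them against an aware 'now' would
    silently shift deadlines by the server's UTC offset.
    """
    now = now or datetime.now(timezone.utc)
    if now.tzinfo is None:
        raise ValueError("now must be timezone-aware")
    expired = []
    for rec in records:
        if rec.created_at.tzinfo is None:
            raise ValueError(f"{rec.record_id}: naive timestamp, cannot compare safely")
        deadline = now - timedelta(days=retention_for(rec.customer_id, retention_by_customer))
        if rec.created_at <= deadline:
            expired.append(rec.record_id)
    return expired


def purge(store, retention_by_customer, now=None):
    """Delete expired records from 'store' in place; return (deleted_ids, remaining_count)."""
    expired = set(select_expired(store, retention_by_customer, now))
    store[:] = [r for r in store if r.record_id not in expired]
    return sorted(expired), len(store)


if __name__ == "__main__":
    store = list(SAMPLE_RECORDS)
    deleted, remaining = purge(store, RETENTION_DAYS_BY_CUSTOMER, SAMPLE_NOW)
    print("deleted:", deleted, "remaining:", remaining)
```

Running the purge against the sample data deletes r1 (clinic-a, older than 30 days) and r4 (clinic-c, older than the 90-day default) and leaves three records. The deletion should itself be written to the audit log in a production system so that the retention schedule is demonstrable to customers and auditors.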
We employ an in-house legal counsel and a person responsible for regulatory compliance (PRRC) on a full-time basis. They are closely involved in our organisation's business operations and product development to ensure that data privacy and security, as well as other regulatory requirements, are considered from the design stage and throughout the service's lifecycle.

Ensuring a smooth user experience

Design principles

We want our services to be usable and accessible for as many people as possible, without excluding anyone. Our product development team analyses all new initiatives from an accessibility perspective. To ensure we keep this top of mind, we have implemented an accessibility checklist that guides us throughout the product development process.

WCAG and accessibility

Our services comply with WCAG 2.1 at level AA. The Web Content Accessibility Guidelines (WCAG) are widely regarded as the benchmark for web accessibility. They specify how to make web content more inclusive and accessible to people with disabilities. While many healthcare organisations are required by law to meet these guidelines, we believe that designing interfaces for users with accessibility needs benefits all users.

Patient panel

We have established a patient panel, consisting of a diverse group of individuals. Their valuable insights and feedback play an important role in our product development. They help us test and evaluate both existing and new features, to ensure that the interface is user-friendly for both those who are using accessibility tools and those who are not. By including people from different age groups and with different needs, we can gain a good understanding of the unique needs and challenges faced by different users.

User testing

We conduct user testing in several stages of product development. Early concept testing is performed when different solutions to a problem are evaluated and compared to each other to select the most appropriate one. The chosen solution is refined, further developed, and then tested with a test scenario and clickable prototype. The test subject is observed while performing tasks and gets to give feedback. To ensure the test’s relevance, the test subjects are thoughtfully selected based on relevant qualifications and experience. The concept is evaluated on how easily the user can perform the tasks.

Securing our people

Security awareness

Our employees undergo security and privacy training as part of their onboarding process and receive ongoing training throughout their employment.

During onboarding, all new hires must complete security awareness training that explains common security threats, our policies and best practices, and our commitment to keeping customer information safe. New hires must also read and agree to our company policies and procedures, which include guidance on protecting confidential information and company assets. Depending on their job role, employees may be required to take additional training on specific security topics.

Since security and privacy are ever-changing, all employees must complete a company-wide security awareness training at least annually.

Screenings

We perform pre-employment screenings. Our primary screening includes reference checks, past employment, and education verification. Depending on the role or position, we may also conduct criminal, credit, and other security checks as allowed by local law or statutory regulations.

Employee access

We follow the principle of least privilege, which means that our staff only have the minimum level of access to systems and data necessary to perform their job. We review access levels regularly and remove or change inappropriate access rights. When an employee's job responsibilities change, access privileges are revoked or reassigned as needed. Upon termination, the employee's accounts are deactivated.

Only a limited number of selected employees can access operational environments and customer data. They are subject to strict access controls, know when and how they may access servers and databases, and their activities are recorded in security logs.

User authentication

Passwords are the first line of defence and, together with the user ID, help establish that people are who they claim to be.

We recognise that poorly chosen or misused passwords impose security risks. That is why we have documented a password policy, educated our staff on the characteristics of a strong password, and provided recommendations on maintaining and managing their passwords securely.

Privileged passwords are subject to stringent requirements, and we require multi-factor authentication (MFA) where possible.

Operational environments can only be accessed by authorised personnel via VPN.

Confidentiality

Our employment contracts include strict confidentiality obligations concerning personal data and other confidential information that our staff may access.

Securing your data

Data encryption

We follow best practices for data protection for both data in transit (also known as data in motion) and data at rest. We encrypt data in transit and at rest as appropriate and have implemented policies with defined rules for the use of cryptographic controls, as well as for the use of cryptographic keys.  

We only use trusted, industry-standard encryption algorithms. Data in transit is protected with HTTPS (TLS 1.2), so it cannot be read or altered between the user's browser and our servers. Data at rest is stored on encrypted servers. For video and audio call traffic we rely on WebRTC's built-in encryption, where the media is carried over SRTP with keys negotiated via DTLS (DTLS-SRTP).

Our services ensure that no information about a case is stored on the user's device after the browser is closed or the current user session is over.

Data segregation

Development, testing and operational environments are separated to reduce the risks of unauthorised access or changes to the operational environment. No live data is ever used in any other environment. Individual customer data is segregated, either through logical or physical means.

Data access

We follow the principle of least privilege, which means that our staff only have the minimum level of access to systems and data necessary to perform their job.

Logging and monitoring

Our services produce data access audit logs that comply with the local requirements in the markets we currently operate in. Customer administrators can use these audit logs to track user activity, investigate suspected breaches, and demonstrate compliance with regulatory requirements. We also log our employees' actions and changes in operational environments and review those logs at regular intervals to identify any nonconforming actions.
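As an added illustration of what a periodic review of staff activity logs can look like, the example below runs two simple policy checks over constructed log entries: production access by an account that is not on the authorised operator list, and data-changing or data-extracting actions that lack a change ticket reference. It is example code written for this document, not Visiba's tooling; the JSON line format, field names, account names and the list of ticketed actions are all assumptions made for the example.

```python
"""Review of staff actions in the operational environment (added example, not Visiba's code)."""
import json
from typing import Optional

# Assumption: the accounts permitted to touch the operational environment.
AUTHORISED_OPERATORS = {"ops.anna", "ops.bjorn"}

# Assumption: actions that change or extract customer data must reference a change ticket.
TICKETED_ACTIONS = {"db.write", "db.export", "config.change"}

REQUIRED_FIELDS = ("ts", "actor", "env", "action")

# Constructed sample log: one JSON object per line, plus one deliberately broken line.
SAMPLE_LOG = """\
{"ts": "2024-06-03T09:12:44+00:00", "actor": "ops.anna", "env": "prod", "action": "db.query", "target": "patients", "ticket": null}
{"ts": "2024-06-03T09:15:02+00:00", "actor": "dev.cecilia", "env": "prod", "action": "db.query", "target": "patients", "ticket": null}
{"ts": "2024-06-03T10:01:17+00:00", "actor": "ops.bjorn", "env": "prod", "action": "db.export", "target": "patients", "ticket": null}
{"ts": "2024-06-03T11:30:00+00:00", "actor": "ops.anna", "env": "prod", "action": "config.change", "target": "api-gateway", "ticket": "CHG-1042"}
{"ts": "2024-06-03T12:45:09+00:00", "actor": "dev.cecilia", "env": "test", "action": "db.write", "target": "fixtures", "ticket": null}
this line is not valid json
"""


def parse_event(raw: str) -> Optional[dict]:
    """Parse one log line; return None if it is not a well-formed event."""
    try:
        event = json.loads(raw)
    except json.JSONDecodeError:
        return None
    if not isinstance(event, dict) or any(k not in event for k in REQUIRED_FIELDS):
        return None
    return event


def review(log_text: str):
    """Return a list of (line_number, actor, reason) findings for nonconforming entries.

    Malformed lines are reported rather than skipped: a gap in the audit trail is
    itself something the reviewer needs to see.
    """
    findings = []
    for lineno, raw in enumerate(log_text.splitlines(), start=1):
        if not raw.strip():
            continue
        event = parse_event(raw)
        if event is None:
            findings.append((lineno, "<unparsed>", "malformed log entry"))
            continue
        if event["env"] != "prod":
            continue  # only the operational environment is in scope for this review
        actor, action = event["actor"], event["action"]
        if actor not in AUTHORISED_OPERATORS:
            findings.append((lineno, actor, "actor not authorised for the operational environment"))
        if action in TICKETED_ACTIONS and not event.get("ticket"):
            findings.append((lineno, actor, f"{action} performed without a change ticket"))
    return findings


if __name__ == "__main__":
    for lineno, actor, reason in review(SAMPLE_LOG):
        print(f"line {lineno}: {actor}: {reason}")
```

On the sample log the review flags line 2 (a developer account querying production), line 3 (an export without a ticket) and line 6 (an unparseable entry); the ticketed configuration change on line 4 and the activity in the test environment on line 5 pass. In practice the authorised list would be derived from the access-control system rather than hard-coded, so that the review and the access reviews described under "Employee access" cannot drift apart.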

Penetration testing

We analyse the risks presented by our data processing and use this to determine the appropriate level of security we need to put in place. We test our measures regularly to ensure they remain effective, and we act on the results of those tests. For example, a third party performs automated attack surface tests of our services every week, from both an authenticated (internal user) and an unauthenticated (external user) perspective. On an annual basis, a more comprehensive manual penetration test is performed by a third party.

Physical security and hosting

There are physical controls that prevent unauthorised access to buildings and locations where personal data is stored or processed. We only keep and process customer data on secure cloud servers.

Data processing

We aim to host our services and customer data locally in the customer's and their users' home country. We do not transfer customer data outside the EU/EEA and UK. Our processing activities are restricted to the UK, Sweden, Germany and France. If you want to know more specifically about the country or countries you are operating in, please reach out to our regulatory team. You will find their contact details at the end of this document.

Risk management

Identifying and mitigating risks

Managing risks is an integral part of our product development life cycle. During each sprint, we revisit the service's risk analysis and assessment and critically evaluate any potential risks that may have arisen due to the changes introduced in the current sprint. Before a new sprint is released, we ensure that all technical risk control features are functioning as intended.

Post-market activities

We proactively conduct post-market activities to continually monitor and ensure the optimal performance of our services. These post-market activities involve examining user feedback and closely tracking performance metrics to detect and address any potential negative trends or issues. This allows us to learn from real-world data, evaluate our risk assessments, and hopefully learn lessons that may prevent the occurrence of hazardous situations before they arise.

Responding to incidents

We have a tested and effective incident-management process for incidents that might affect the safety of users or the confidentiality, integrity, or availability of their data. Our staff receive incident management training as part of their onboarding and then annually. They know how to recognise and escalate any suspected incident. We have allocated responsibility for managing breaches to a dedicated incident team, with members from relevant departments within our organisation.

Operational resilience

Business continuity

With healthcare organisations and patients relying on the uninterrupted continuity of our services, ensuring business continuity and swift recovery from unforeseen disruptions is of utmost importance to us. To stay ahead of potential disruptions, we conduct risk assessments, keep in place a robust Business Continuity Plan (BCP), and implement redundancy and backup systems to minimise downtime and prevent single points of failure. This includes monitoring all servers and systems 24/7, with automatic alarms set to trigger in case of any issues or anomalies.

Disaster recovery

We ensure that we can restore access to personal data in the event of an incident. We perform regular backups of the data in our services and test those backups to verify that data can be recovered successfully and in good time if an incident occurs.

Managing third party risks

Like most companies, we sometimes engage other parties. For example, we work with hosting providers, eID authentication providers and similar service providers.
 
We keep a documented record with details of all companies processing personal data on our behalf. Whenever we act as a data processor or engage another data processor, we ensure that a written data processing agreement governs the processing activities. 

We make sure that any data subprocessor we use also implements appropriate technical and organisational measures. We only contract trusted and reputable companies with the proper certifications or other sufficient guarantees about their security measures.  

Supplier evaluation

Before engaging any third party service provider, we conduct a risk-based supplier evaluation. This assessment identifies security risks and potential threats that can influence confidentiality, integrity or availability of customer information or the quality of our services. The risks identified in the assessment are tracked to remediation. Third-party agreements include confidentiality, privacy and security obligations (when applicable) to ensure that the supplier maintains an appropriate level of security controls and protection.

Third party monitoring

We classify third-party suppliers based on importance, business need, and risk. We periodically conduct monitoring assessments of existing suppliers; how often depends on the classification. Critical suppliers are re-assessed every year. Monitoring assessments include evaluating whether there have been any changes in the scope of the services and whether any system outages or breaches have occurred, requesting updated security documentation, and obtaining remediation status for any risk issues previously identified.

Third party off-boarding

Upon the termination of a contract, we have an off-boarding process to ensure that all data is securely returned or destroyed, as appropriate.

Regulatory team

Meet our regulatory team.

Martin and Ludvig are closely involved in our organisation’s business operations and product development to ensure that data privacy and security, as well as other regulatory requirements, are considered from the design stage and throughout the service's lifecycle. They are also responsible for monitoring our compliance with relevant laws and regulations. 

Please do not hesitate to reach out to Martin or Ludvig if you have any questions regarding the content of this white paper.

Martin Paulsen

Operational Excellence Manager

martin.paulsen@visibacare.com

About me

  • Regulatory matters
  • Regulatory compliance
  • Quality matters