IT Security Measures

OPEN Health Communications LLP – Information Security Controls

OPEN Health Communications LLP (“OPEN Health”) places the utmost importance on Information Security and has set the following objectives:

  • safeguard and protect client information within its custody, ensuring the preservation of the confidentiality, integrity and availability of the data;
  • establish safeguards to protect information resources from theft, abuse, misuse or any form of damage;
  • encourage the company’s management and staff to maintain an appropriate level of awareness, knowledge and skill to allow them to minimize the occurrence and severity of security incidents; and
  • ensure that OPEN Health can continue its commercial activities in the event of significant Information Security incidents.

To help meet these objectives, OPEN Health has –

  • appointed Exponential-e Limited, an accredited provider of IT Managed Services, to operate its core information technology systems. You can see Exponential-e’s accreditations and the standards to which our services are managed here: https://www.exponential-e.com/about/our-accreditations-awards; and
  • engaged a Security Ratings Company to scan and report on web anomalies every 24 hours for all OPEN Health web components that reside outside the networked environment.

In addition, OPEN Health has implemented the following technological and organisational measures:

Physical Admin Control

  1. Offices are protected by alarm systems that are connected directly to the local police station, and require RFID passes in order to gain access.
  2. Sophisticated controls and surveillance are in place at the data centres where OPEN Health data is stored.

Virtual Admin Control

  1. Unique passwords are assigned to every individual; 4 levels of complexity are applied along with exclusions for excessive attempts.
  2. Access to data is managed strictly via ‘least privilege’ protocols to ensure that only the required staff have access to this data.
  3. Employees working remotely must sign in via a VPN (Virtual Private Network) with two-factor authentication to access the OPEN Health network.
  4. Employees working remotely must sign in via two-factor authentication to access the OPEN Health O365 services.

Network Protection

  1. Anti-virus software is in place that is constantly active on both end-point devices and servers, and is refreshed from an enterprise server.
  2. As part of the service provided by Exponential-e, all physical network equipment is hardened and default passwords are changed during their implementation process.
  3. A monthly patching schedule is in place to apply security updates to all server operating systems.
  4. Patches are applied within the appropriate timescales, subject to manufacturers’ recommendations.
  5. Penetration and vulnerability tests are performed on a regular basis by the managed services provider, and any issues raised are dealt with in a timely fashion.
  6. Exponential-e has a cyber security operations centre (CSOC) monitoring security aspects across the OPEN Health infrastructure 24x7x365.

Encryption

  1. Laptops, mobile devices, file servers and internal Wi-Fi are encrypted.
  2. Storage used as part of Microsoft Office365 services is encrypted.
  3. If OPEN Health is asked to develop technological solutions (for example, an application for iOS) then the level of encryption required should be defined by the client and set out in the Statement of Work.

Data Availability

  1. Close to real-time replication from primary to secondary data centre is in place.
  2. Separate and independent backups are performed in both primary and secondary data centres.
  3. If OPEN Health is asked to develop technological solutions, further back-up/restoration controls are subject to agreement and must be defined within the applicable Statement of Work.

Organisational measures

  1. OPEN Health requires its staff to complete annual training covering the GDPR.
  2. OPEN Health shall manage and mitigate security incidents affecting its equipment and/or systems by following an incident management process and response plan.
  3. OPEN Health shall fully cooperate with the customer in the event of any security investigation regarding potential breaches of its information security obligations.
  4. All system changes (including user/desktop changes such as adds, moves and deletes, as well as server and network changes) are managed via strict change control processes implemented by Exponential-e in accordance with its accreditations.