Security

Security is a top concern, especially when dealing with patient-level information. As such, considerable effort has been made to ensure the data is handled with utmost care in accordance with the Patient Charter.

There are several discrete sections to the system, each requiring attention.

GeneXpert PC: Protecting data at rest

  • Norton360 installed with anti-virus, firewall, intrusion detection and optional data backups, PC diagnostics, and more, all run from a single cloud interface. We monitor the security health of all GeneXpert PCs using GxAlert in real time across the globe. Host nation Ministries also have access to this management portal to enforce their own IT policies and standards. Norton360 is approved by Cepheid.
  • Symantec Whole Drive Encryption, with PGP(tm) Technology (formerly “PGP Whole Disk Encryption”). This software encrypts the entire hard drive and protects the patient data from unauthorized access in the lab or if the laptop gets stolen. Without the login password, the entire hard drive is encrypted and unreadable, thereby protecting diagnostic results and patient safety.

GeneXpert-to-GxAlert: Protecting data in transit

  • Telco’s Virtual Private Network (VPN), coded into the SIM card itself. Uses world-class authentication, encryption algorithms, hash algorithms, and key exchange.
  • Telco’s private Access Point Network (APN) to prevent unauthorized interaction with non-HMIS servers and systems.
  • Hamachi VPN. Secures the data from the PC level through to the GxAlert system. This is mostly redundant with the telco VPN but wraps the entire PC/laptop in VPN; in the event a user swaps out the secure telco modem for another modem, communications will still remain encrypted in transit, thanks to Hamachi.
  • For full specs, recommended security products, and installation procedures, see GeneXpert 301-1497 Rev A Cyber Security Manual-Linked

GxAlert environment

Reports, Certifications and Independent Attestations

  • Adheres to International Traffic in Arms Regulations (ITAR) requirements
  • Supports FIPS 140-2 compliant end points
  • Certified as FISMA Moderate environment
  • SSAE 16/SOC1/ISAE 3402 professional standards (formerly SAS-70 Type 2)
  • ISO/IEC 27001
  • PCI DSS Level 1
  • HIPAA compliant

Physical Security

  • The datacenter is housed in a nondescript facility.
  • Physical access is strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, intrusion detection systems, and other electronic means.
  • Authorized staff must pass two-factor authentication a minimum of two times to access datacenter floors.
  • All visitors and contractors are required to present identification and are signed in and continually escorted by authorized staff.
  • Access to the data center is only provided to employees and contractors who have a legitimate business need for such privileges. When an employee no longer has a business need for these privileges, his or her access is immediately revoked, even when they continue to be an employee.
  • All physical access to datacenters is logged and audited routinely.

Data Privacy

  • Data within the environment is encrypted. Appropriate backup and recovery procedures are in place.

GxAlert-to-SMS and email messaging

  • Alerts sent over SMS, voice or email do not contain “Patient ID”, the only personally-identifiable information (PII) data element in the GeneXpert test results. Alerts focus instead on what actions the recipient can take. This both supports security best practice and keeps the focus on responding to new suspected MDR cases.

GxAlert-to-eTB Manager (or other M&E system)

  • Industry-standard SSL and encryption technology prevents data from being intercepted in transit.

 

For detailed information about the hosting environment or security of the GxAlert web database, please see our Security Whitepaper and Risk & Compliance Whitepaper and Security Best Practices.