V. 3.1.0 - 24 Nov 2022
Contents:
Data Security Overview
Please note that we are not able to share the full detail of how we implement our data security processes, or the tools we use, as doing so would create vulnerabilities if this document were to end up in the wrong hands. The purpose of this section is to give your IT department and data security department confidence in the security measures we take to protect and govern your organisation's data.
Overview of the key data security measures (not exhaustive)
Full-stack server protection - A daily automated report is sent to our team so that we can closely monitor server activity from a security perspective, with a real-time notification should anything urgent occur.
- Protection against DDoS attacks - We have a range of solutions in place that defend against a DDoS attack should one ever occur. We handle every step, from detecting denial-of-service attempts over TCP-based protocols (e.g. HTTP, SMTP, FTP) through to mitigating TCP/UDP-based distributed denial-of-service attacks, plus anti-flood protection against application-level DoS attacks directed at the application itself.
- Intrusion detection - We operate a web application firewall (WAF), an outbound WAF and logging to detect application-layer attacks such as directory traversal, SQL injection, XSS, remote file inclusion, code injection, and on-site and cross-site request forgery.
- IP reputation, including country-level blocking - We closely monitor the countries from which the most attacks originate and temporarily block access from those countries until we are ready to operate there. We manage everything from whitelisting/blacklisting individual IPs through to basic and advanced IP reputation scoring.
- Malware detection and removal - To protect against unvalidated file uploads, script injection and remote code injection.
- Port honeypot - To protect against malicious port scans and sweeps.
API encryption for sensitive information - Protecting against interception of sensitive information in transit between the server and the native iOS and Android apps.
- AES-128-CBC encryption algorithm - One of the most recent updates was the enhancement of file encryption key security via a triple key combination. Blowfish is now only in use for the old mobile apps (those that require no login, such as the Contractors mobile app), specifically to encrypt/decrypt the information travelling between the app and our server. The new kiosk app and all new implementations use OAuth 2.0 with Bearer tokens.
Architecture and AWS server tools - We use AWS as our key system provider, together with various third-party security tools that add additional layers of protection.
- DB located on a separate server - The files and the database are hosted on separate servers to prevent a database intrusion if an attacker were to get in through the web app interface.
- SES - Email - This service is used by many of the largest organisations in the world.
- SNS - SMS - We deliver SMS via MessageMedia, AWS and Twilio, all of which have strong relationships with the major network providers globally.
- RDS for database - We use AWS’s RDS so that we can scale our DB with ease as the organisation and user base expand.
- EC2 for the web server - We use AWS’s EC2 for its security and scalability. AWS treats cloud security as its highest priority, which benefits HealthSafe and ultimately our clients.
- Nginx as web server - We use Nginx for its high performance, stability and feature set. NGINX powers some of the largest sites in the world, such as Netflix, Hulu, Pinterest, Cloudflare and Airbnb.
ISO27001 Certified
Our ISO27001 certificate is available here, and our IAF listing on the IAF register is accessible here.
Some of the key benefits to a client are:
- ISMS team
- External third-party audits (pen-tests and ISO audits)
- Business continuity
- Internal audits
- Incident management which leads into ongoing improvements
Penetration Testing
Software penetration testing for SecurePass and dynamicRMS was conducted in October 2022 as part of the annual pentest. The auditor reported positive results, awarding an ‘above market average’ rating.
Penetration testing was completed by Control Group
Control Group are a leading cyber security firm, well respected in the NZ and Australian markets. We selected them after engaging with several alternative providers.
Around 750 security tests were run on our three solutions (including mobile apps)
Control Group undertook over 250 unique manual checks and around 500 automated checks.
The manual tests covered all authorisation, authentication and identifying-information aspects of the web applications from a black-box (external attacker) perspective. For the mobile applications they also covered configuration, disclosure of service-identifying information, data storage, information leakage/disclosure, best practices for authentication and authorisation, password strength and complexity, and account management.
Control Group uses automated tools to identify out-of-date frameworks and missing patches, and to conduct a general vulnerability assessment against externally facing assets.
Three risks were identified, with one critical - once this is addressed, our threat from external attack is assessed as ‘moderate’.
Three risks were identified. Only one (the risk of a brute-force password-guessing attack) was of particular concern, as it has the potential to expose HealthSafe to unauthorised access and data disclosure by an external threat actor. Steps are being taken to address that risk, which will lower the risk rating to ‘moderate’.
Control Group advised that, based on the tests conducted, HealthSafe's standard of security management within the software development lifecycle is well above average and exceeds the standard demonstrated across the market.
Control Group routinely engages a variety of clients across APAC ranging in size from SME to Enterprise clients situated across multiple verticals. A selection of these clients with similar profiles and provided scopes has been selected for comparison to provide the following context.
- The average result for a Control Group client going through the first round of testing for an external scope similar to this engagement has historically been a ‘High’ rating.
- The average number of findings for a similar size of scope is 15 risks, ranging from low to critical.