Security starts with these features
December 2, 2022 ∙ 7 min read
The recent Optus and Medibank data breaches left over 20 million disgruntled customers whose private information was exposed, and have sent many health organisations scrambling to ensure their systems are secure against unauthorised access.
Innovation in the health sector has brought greater cyber security risk: Australian health service providers remain the highest-reporting industry sector, accounting for 20% of all data breaches notified nationally in the OAIC's January to June 2022 National Data Breaches Report.
myBeepr's security posture is maintained through a culture that always prioritises security. Given the sensitive nature of patient health information communicated on myBeepr, we are committed to providing an environment that secures an organisation’s data at every layer.
Our security processes evolve continually as guidance and industry best practice are updated. We work with security partners to ensure we are equipping our customers and users with features that help safeguard the exchange of patient and personal information via myBeepr. Regular penetration testing and security risk reviews are business-as-usual for us.
Key security features and processes
Here are some of those features, along with a few measures we've taken to help our Customers and Users protect their information.
User Access and Management
myBeepr’s onboarding framework offers signing on with username/password credentials or single sign-on (SSO) via your organisation's Active Directory (AD) or other identity provider (IdP).
Once the AD integration has been set up, user access and provisioning can be managed via myBeepr’s Admin Portal. myBeepr adheres to role-based permissions when provisioning access – only authorised users can access the communication platform.
End-to-end Encryption
256-bit AES-GCM encryption: all chat messages sent through our system are encrypted with 256-bit AES-GCM.
End-to-end encryption (E2EE) for all chat messages: messages remain fully encrypted with 256-bit AES-GCM while stored on our servers, in transit over our network, and at rest on your device.
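As an added illustration of what AES-256-GCM gives a stored or transmitted message (example code written for this page, not myBeepr's own implementation): Go's standard library sealing one chat message so that any change to the ciphertext, its nonce, or the associated metadata is rejected on decryption. The conversation id used as associated data and the 32-byte key are assumptions constructed for the demo.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"io"
)

// newGCM returns an AES-256-GCM AEAD; a 32-byte key is what "256-bit" means.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256-GCM requires a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealMessage encrypts one chat message as it would be stored on a server or device:
// nonce || ciphertext || 16-byte GCM tag. aad (e.g. a conversation id, assumed here)
// is authenticated but not encrypted, so it cannot be swapped without breaking the tag.
func SealMessage(key, aad, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	// Fresh random nonce per message: reusing one under the same key breaks GCM.
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// OpenMessage decrypts and verifies; any change to nonce, ciphertext, tag or aad
// makes gcm.Open return an error instead of plaintext.
func OpenMessage(key, aad, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(sealed) < n+gcm.Overhead() {
		return nil, errors.New("sealed message too short")
	}
	return gcm.Open(nil, sealed[:n], sealed[n:], aad)
}
```

Because the tag covers the associated data, a message copied from one conversation into another fails to open even though the key and ciphertext are untouched.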
System Monitoring, Logging and Alerting
myBeepr, in collaboration with our hosting provider, monitors uptime and maintains extensive audit logs, which are reviewed to analyse platform performance and identify potential issues before they occur.
Data Retention and Disposal
Customer data and archive records are stored encrypted and only the Organisation has access to their archives.
Disaster Recovery and Business Continuity Plan
myBeepr uses geo-redundancy services from its hosting provider to distribute our production operations across different physical locations within Australia. Our hosting provider protects our service from loss of connectivity, power-infrastructure failure and other common failures.
Transactional data is replicated within our operating environments to keep our services available in the unlikely event of a location-specific catastrophic event. myBeepr also retains full backups of production data in a remote location significantly distant from the primary operating environment: full backups are saved to this remote location daily and transactions are saved continuously.
myBeepr tests backups at least quarterly to ensure they can be successfully restored.
Responding to Security Incidents
myBeepr has established policies and procedures for responding to potential security incidents. All security incidents are managed by our hosting provider; our policies define the types of events that must be handled through the incident response process and classify them by severity.
In addition to our compliance audits, myBeepr engages independent entities to conduct application-level and infrastructure-level penetration tests at least annually to verify that our regular vulnerability scanning is keeping the system safe and secure.
Results of these tests are shared with senior management and are triaged, prioritised, and remediated in a timely manner.
Network Security and Server Hardening
myBeepr divides its systems into separate networks to better protect sensitive data. Systems supporting testing and development activities are hosted in a separate network from systems supporting myBeepr's production infrastructure.
All servers within our production fleet are hardened (e.g. disabling unnecessary ports and removing default passwords) and have a base configuration image applied to ensure consistency across the environment.
Network access to myBeepr's production environment from open, public networks (the Internet) is restricted, with only a small number of production servers accessible from the Internet. Only those network protocols essential for delivery of our service to its users are open at our perimeter and there are mitigations against distributed denial of service (DDoS) attacks deployed at the network perimeter.
Additionally, for host-based intrusion detection and prevention, myBeepr logs, monitors and audits all system calls, with alerting in place for system calls that may indicate a potential intrusion.
Customer data is hosted in our shared infrastructure and logically separated from other customers' data using encryption. The myBeepr service is hosted on AWS servers located in Sydney; AWS is an ISO-accredited, industry-leading service provider offering state-of-the-art physical protection for the servers and infrastructure that make up the operating environment.
myBeepr has been specifically designed to comply with Australian privacy law and the Australian Privacy Principles.
myBeepr complies with GDPR-recommended measures for the storage of personal and sensitive information, and is currently on track to gain ISO 27001 accreditation.