Updated May 25, 2022
1. Information security management system (ISMS)
Luscii uses an information security management system (ISMS), which is a set of processes for ensuring that information is safeguarded against internal and external security threats. Luscii’s ISMS is NEN 7510, as well as ISO 27001:2017 certified.
Specifically for the Dutch healthcare sector, the standard NEN 7510 describes the requirements for information security. Based on the ISO 27001 and ISO 27002 standards for data protection, NEN 7510 provides frameworks for information security for healthcare organisations and associated organisations like Luscii. ISO 27001:2017 is an international standard that provides guidance on incorporating an ISMS into an organisation.
For the UK healthcare sector, Luscii is certified for the Cyber Essentials and completes the Data Security Protection Toolkit (DSPT) as well as the Digital Technology Assessment Criteria (DTAC) annually, in addition to the above.
2. What technical security measures are in place?
As a vital part of our ISMS, Luscii has taken many different security measures have been taken to ensure secure data processing. These security measures include but are not limited to:
- Access to our servers and infrastructure is only possible from secure (Bastion) servers, requires the use of VPN protected by two-factor authentication, and the use of a personal security (SSH) key.
- Access to our database follows the same measures as above. Only people who need access to the database for their task and for their capacity will receive such an account.
- Luscii has a password policy to ensure strong passwords. Passwords must be reset periodically.
- Infrastructure is managed via the Infrastructure as Code principle.
- Luscii uses virtual private clouds per separate environment (testing, acceptance and production) to mitigate risks.
- Stored data is always protected through encryption (including 256 bits AES encryption). Passwords are also hashed and salted. Locally stored data (e.g. on iOS and Android) is also stored encrypted as far as sensitive information (medical information or authentication information) is concerned. Locally stored data is deleted when the user logs out.
- We use Transport Layer Security (TLS) technology to encrypt transmission data to and from Luscii.
- The maximum number of incorrect login attempts is limited.
- All information that users enter is checked to ensure that no malicious data is uploaded.
- Software has been installed to detect malicious software in a timely manner.
- Security updates take place in a continuous and automated manner.
- Luscii monitors access to the back-end section to detect potential security breaches or other anomalies.
- Luscii backs up the database continuously (see below). Users who have access to the database do not have access to the backups to prevent unwanted database deletion.
- Login to Luscii can be protected with two-factor authentication: username + password and a one-time login token sent via email.
- Cookies do not contain complete authentication information such as passwords, information in cookies is deleted when a user logs out.
- Important information in cookies is encrypted.
- The duration of login sessions is limited in time.
- Activities are logged and unusual activities are monitored.
- Technical security measures are tested via penetration tests conducted by a qualified external agency.
- Both software and infrastructure changes follow a unified change management process covering design, implementation, review, testing and release.
- Technical vulnerabilities are identified and resolved using a continuous vulnerability management process.
- Employees have periodic privacy awareness training.