Cyber Security And Data Handling Policy
RediMed is committed to protecting the data it comes into contact with in the course of delivering its services. This commitment is set out in our privacy and data handling policy, which emphasises our dedication to handling data with the utmost care and confidentiality. The policy describes our approach to the collection, processing, storage, use, sharing, and disposal of data, ensuring fairness, transparency, and respect for individuals' rights.
This policy applies to all parties involved, including but not limited to employees, job candidates, customers, suppliers, and any entities providing information. All employees, contractors, consultants, and partners affiliated with our company and its subsidiaries must adhere to this policy, as must anyone who requires occasional access to data while collaborating with or representing our company.
1 General Security Requirements
Aligned with industry-leading security practices, RediMed maintains physical, administrative, and technical safeguards, along with additional security measures. These measures aim to preserve the security and confidentiality of information that a developer accesses, collects, uses, stores, or transmits, and to protect it from known or anticipated threats, accidental loss, alteration, disclosure, and unlawful processing. Developers commit to complying with requirements including the following:
1.1 Network Protection
RediMed implements network protection controls, including firewalls, access control lists, and network segmentation, to prevent unauthorised access. It also deploys anti-virus and anti-malware software on end-user devices, limits public-facing access to approved users, and provides comprehensive data protection and IT security training to all individuals with system access.
1.2 Access Management
RediMed establishes a formal user access registration process to assign access rights, issues unique IDs to every individual with computer access, and avoids generic or shared login credentials. It applies baselining mechanisms to confirm that each user account holds only the access it needs, and enforces account lockout protocols. Additionally, it prohibits employees and contractors from storing information on personal devices and promptly disables access upon employee termination.
1.3 Least Privilege Principle
RediMed implements fine-grained access control mechanisms, granting access to information based on the principle of least privilege and only on a “need-to-know” basis.
1.4 Credential Management
RediMed sets minimum password requirements, enforces password complexity, establishes password age policies, mandates multi-factor authentication (MFA), and limits access to API keys provided by Amazon to essential employees.
1.5 Encryption in Transit
RediMed mandates the encryption of all information in transit using secure protocols such as TLS 1.2+, SFTP, and SSH-2, both internally and externally, and applies message-level encryption of data wherever channel encryption terminates in untrusted multi-tenant hardware.
1.6 Risk Management and Incident Response Plan
RediMed maintains a comprehensive risk assessment and management process, conducts regular reviews, promptly notifies affected entities of security incidents, investigates incidents thoroughly, and implements corrective measures to prevent recurrence.
1.7 Request for Deletion
RediMed commits to permanently and securely deleting information upon receiving deletion notices from Amazon, following industry-standard sanitisation procedures, and to providing written certification of secure destruction upon request.
2 Additional Security Requirements for Personally Identifiable Information (PII)
RediMed ensures compliance with additional security requirements for PII, including data retention limitations, data governance policies, asset management practices, encryption at rest, secure coding practices, logging and monitoring procedures, vulnerability management, and audit and assessment protocols.
2.1 Data Retention
RediMed retains PII for the period mandated by the WA Health Department in the state's Information Retention and Disposal Policy. This means that records are kept for a minimum of 7 years after the date of the last interaction with the patient, and for longer periods for other specified groups of patients.
2.2 Data Governance
We are committed to creating, documenting, and adhering to a privacy and data handling policy for our applications and services. This policy dictates proper conduct and technical controls to manage and safeguard our information assets. To ensure compliance with regulations, we maintain records of data processing activities, especially those concerning PII. Our company identifies and complies with applicable privacy and security laws, implementing a privacy policy that governs customer consent and data rights. We also assist authorised users with data subject access requests through technical and organisational processes.
2.3 Asset Management
We maintain a baseline standard configuration for our information systems and keep an up-to-date inventory of software and physical assets, ensuring compliance with PII handling requirements. PII is not stored on removable media or personal devices without encryption, and data loss prevention controls are in place to monitor unauthorised data movement.
2.4 Encryption at Rest
All PII is encrypted at rest using robust cryptographic techniques accessible only to our company’s processes and services, employing AES-256 or RSA with a 2048-bit key size or higher.
2.5 Secure Coding Practices
Sensitive credentials like encryption keys or passwords are strictly prohibited from being hardcoded within code or exposed in public repositories. Developers maintain separate test and production environments to enhance security and manage sensitive information properly.
2.6 Logging and Monitoring
We establish a robust logging system to detect security-related events across applications and systems, ensuring logs are regularly reviewed and access controls are enforced. PII is included in logs only when necessary for legal requirements.
2.7 Vulnerability Management
Systems are in place for detecting and remediating vulnerabilities, conducting regular vulnerability scans and penetration testing. Changes to storage hardware are controlled, and procedures are in place to restore availability and access to PII in case of incidents.
3 Audit and Assessment
We maintain necessary records to validate adherence to policies and agreements, providing certification of compliance upon request. Amazon or an independent firm may conduct audits, and our company is expected to cooperate. Identified deficiencies or breaches must be rectified within an agreed timeframe, with remediation evidence provided upon request.
RediMed contact details:
Email: Quality@redimed.com.au
Phone: 1300 00 REDI
Fax: 08 9230 0999