medstamp.com

 
  • Increase font size
  • Default font size
  • Decrease font size
Security and Compliance

Securely held patient dataMedStamp's services have been designed to ensure the privacy and security of patient data. We use industry recognised standards and security protocols in combination with fail-safe procedural guards. MedStamp is also ISO 9001 accredited. This all ensures that our solutions are secure, and enables our customers to implement compliant solutions in a regulated environment. Of course, MedStamp is always willing to talk to customers individually about deployment options and their regulatory implications. However, the following provides a brief overview of how our products fit into some of the existing frameworks.

Procedural Safeguards

  • All data transferred using MedStamp is automatically encrypted.
  • Our system creates a comprehensive, non-editable audit trail of user activity that is stored securely on a central server. These audit trails are exportable and printable.
  • All user account modifications and log in attempts, whether successful or unsuccessful, are logged and stored securely on a central server.
  • The MedStamp e-forms module uses 21CFR part 11 compliant data files, and includes secure signing by validated users.
  • The application of checksums to all transmitted data assures 100% accuracy to the original and safeguards against unauthorised changes.
  • Our end-user applications seamlessly manage temporary losses in network connectivity and will securely resume transferring data at the soonest opportunity.
  • A 'locked' mode of operation means that our applications can continue to transfer medical data securely in the background, even when the user is away from their computer.
  • To rule out an inadvertent breach of confidentiality, anonymisation tools can be applied to DICOM data before it is sent, either on an ad hoc basis or enforced through pre-determined rules.

Technical Safeguards

  • All received data is held using MedStamp's Secure Store technology which prevents unauthorised access. This is particularly valuable where data may be held temporarily on laptops or on computers used outside of  a clinical environment.
  • MedStamp's client software automatically establishes a VPN to ensure all data is transferred safely.
  • Client data is transferred using AES 256bit encryption. This internationally recognised algorithm either meets or exceeds regulatory demands.
  • Our communications protocols are resistant to security problems such as replay attacks.
  • Access to our administrative tools is encrypted using HTTPS.
  • All of our servers are actively monitored to ensure their security.
  • MedStamp's communication layer is designed to establish its connections without needing any risky or time-consuming changes to your security or firewall policies.
  • Our technology can be securely deployed over an Internet connection, or on a private Intranet (like the UK Department of Health's N3 network).

Regulatory Compliance

MedStamp's technology has been designed from the ground up to help organisations in the medical industry meet their regulatory commitments. Our products provide the essential building blocks that help you create compliant policies and standard operating procedures. For example, we've helped our clients deploy systems that comply with: 21 CFR Part 11, HIPAA, and the Good Clinical Practice guidelines. 

21 CFR Part 11

This legalisation applies when using a computer system to create, modify, transfer or store an electronic representation of any information or process that is regulated by the US Food and Drug Administration.

  • These regulations identify specific controls that should be in place to help ensure: “the authenticity, integrity, and, when appropriate, the confidentiality of electronic records, and to ensure that the signer cannot readily repudiate the signed record as not genuine,"
  • Under the terms of this legalisation, MedStamp's solution meets the regulatory controls of a closed system. These reflect: “an environment in which system access is controlled by persons who are responsible for the content of electronic records that are on the system.”
  • A large body of this legalisation relates to record keeping activities rather than transmission systems, and in many circumstances, such as when using our image transfer solution, MedStamp technology can be classed as a transient rather than a permanent store.
  • MedStamp's anonymisation features also coincide with 21 CFR Part 11, for example by ensuring that details of the anonymisation process are always recorded.
  • The MedStamp e-form module is often used to collect information from remote medical centres. In line with 21 CFR Part 11, our solution has controls and safeguards to ensure that information is always: secure, signed, and tamper-proof.

HIPAA

The Security Rule of HIPAA (Health Insurance Portability & Accountability Act) covers creation, transfer, storage and receipt of Electronic Protected Health Information (ePHI). HIPPA defines ePHI as: “any electronic information that is created or received by a health care provider that relates to past, present for future physical or mental health of that individual and that identifies that individual”. The following aspects of MedStamp's technology are all essential to meeting HIPAA's rules:

  • All users of the system are identified and validated before they can access any private health information. Any access to this information is logged. Access to information can be withdrawn on request and policies exist to provide for emergency access.
  • Any information sent to third parties using the solution has the same level of safeguards as information which is distributed internally.
  • Transactional and user data held in the system is regularly backed up.
  • The solution operates on a technical architecture with in built redundancy. In addition administrative policies are in place to mange upgrades, disaster recovery and security breaches. In the unlikely event of system failure backup servers are available for continuation of service.
  • All medical data is encrypted and checksums are in place to ensure all data is maintained in its original form.
  • For all remote hosted solutions system configurations are documented. When a client chooses to host a MedStamp solution, MedStamp works with the client to provide this and all necessary configuration and system qualification documentation. 

Good Clinical Practice

Good Clinical Practice is part of a larger set of quality guidelines related to good practice guiding pharmaceutical product research, development and manufacturing. GCP is encompassed in a set of guidelines commonly refereed to as GxP. The MedStamp application falls under this remit when contributes directly or indirectly to drug development. In broad terms, the following features of MedStamp's technology are all important to meeting the GCP guidelines:

  • e-Forms are securely signed to avoid tampering during collection or transmission.
  • Complete audit trails of the users' activities are kept, and are stored centrally by our servers.
  • All client activity is date and time stamped.
  • Both raw data and processed versions of it, are preserved and centrally stored.
  • Passwords are user maintainable.
  • Our servers authenticate all users and verify those attempting to sign submissions.
 

© 2010 medstamp.com