Information Security

Securely hosted and managed in the UK

Our online consent platforms and patient portals are hosted in Microsoft Azure data centres located in London and Durham.
We chose Azure because it offers the highest level of trust for UK healthcare applications, providing built-in security at every layer and compliance with the specific standards that apply. For example, Azure is certified to the Health Information Trust Alliance Common Security Framework via the NHS IG Toolkit.

Microsoft Azure Security Centre provides the continuous security-health monitoring and threat-mitigation practices that are essential to the strong protection of services and data. These data centres comply with, and have been audited against, the following UK standards:

  • ISO 9001:2008 is a global standard (published certificate) for managing the quality of products and services.
  • ISO 27001:2013 is a widely adopted global security standard that sets out the requirements for information security management systems.
  • ISO 27002:2015 gives cloud service providers and their customers specific implementation guidance for the ISO 27002 security controls, and adds further security controls specific to cloud services.
  • ISO 27018:2014 provides additional security controls, not covered in ISO 27002, that give cloud service providers controls for protecting Personally Identifiable Information (PII).

Azure is used by the UK Government G-Cloud initiative, which supports straightforward procurement of cloud computing services by public-sector bodies across United Kingdom Government departments.

Azure has also attained Cyber Essentials PLUS certification, meeting the requirements of the Cyber Essentials Scheme Assurance Framework, a UK government-defined scheme that helps organisations protect against common cyber-security threats.

Full Penetration Testing to CREST standard

Our infrastructure and applications are monitored 24/7 for vulnerabilities and attacks. We also commission regular penetration tests from an independent CREST-certified company that uses best-in-class manual penetration testing practices.

As you would expect, no penetration test to date has resulted in a successful compromise, and a full report is available on request.

Cyber Essentials Certification

Our internal operations have also met the UK Government's Cyber Essentials standard. This certification demonstrates that our internal controls and operational processes can withstand the most common cyber attacks, such as:

  • Denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks
  • Man-in-the-middle (MitM) attacks
  • Phishing and spear-phishing attacks
  • Drive-by attacks
  • Password attacks
  • SQL injection attacks
  • Cross-site scripting (XSS) attacks
  • Eavesdropping attacks
  • Malware attacks