UPDATE (as of February 2018):
As of February 2018, our failover disaster recovery facility has relocated to Montreal.
Prior to this, the facility was located in Vancouver.
Allowing patients to share personal data electronically opens up a range of possibilities to improve care, find efficiencies in our healthcare processes and improve research. Unfortunately, it can also put patient data at risk.
Security is a key priority for us at CognisantMD. From the start, we built Ocean to comply with PHIPA and other world-class privacy and security protocols. Thanks to our universal encryption, we can guarantee protection against theft, unauthorized use, disclosure, modification, and disposal of patient data.
Today, we’re pleased to share that we’ve taken our commitment to security even further by moving all our servers to Canada, ensuring that all data on the Ocean platform remains securely stored within our borders.
All of our clinical information is stored in our primary storage facility located in Toronto, with additional copies of the data kept in a warm failover disaster recovery facility in Vancouver. Our data centers are SSAE 16 certified: this means they are locked, guarded, and monitored through closed-circuit television systems, with onsite security teams, military-grade pass card access, and biometric finger scan units providing additional security. Read more here: http://ssae16.com/SSAE16_overview.html.
As additional reassurance, we recently passed a detailed security audit and privacy impact analysis conducted by the privacy officer at a leading Canadian hospital. Their review found that CognisantMD’s end-to-end encryption, cloud-based technology, and privacy policies were sufficiently secure to host a large-scale project involving large amounts of confidential patient data.
About Our Data Security
In addition to standard security practices like using SSL for all data transport, rotating access keys and auditing patient data access, Ocean’s industry-leading security uses proprietary client-side patient encryption technology. All patient personal health information (PHI) sent to and stored within Ocean is encrypted end-to-end using the industry-standard 256-bit AES (Advanced Encryption Standard), the same technology used by financial institutions and other healthcare institutions.
The encryption keys are known only to Ocean’s end-user clinicians. Encryption keys for PHI are never sent to the Ocean server and are never seen by CognisantMD – we will never ask for them. Since the encryption keys are kept private and stored locally within each individual clinic, no agent outside of the clinic can ever decrypt or read PHI.
As a further protective step, our servers automatically delete all PHI after it transfers to the targeted healthcare information custodian. Our goal is to store only the minimal amount of encrypted PHI necessary to guarantee safe passage to the destination electronic medical records system.
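The model described above (the key stays in the clinic, the server relays only ciphertext and deletes it after hand-off) can be sketched as follows. This is an added illustration, not CognisantMD's code or Ocean's proprietary scheme; the GCM mode, the record-id binding, and the names newClinicKey, encryptPhi, decryptPhi and Relay are assumptions made for the example.

```javascript
// Added illustration (Node.js); AES-256-GCM is an assumed mode, not Ocean's documented one.
const crypto = require('crypto');

// Clinic side: the key is generated and kept locally; it is never passed to the relay.
function newClinicKey() {
  return crypto.randomBytes(32); // 256-bit AES key
}

// Encrypt one PHI record. The record id is bound as associated data, so a
// ciphertext cannot be replayed under a different record id.
function encryptPhi(key, recordId, plaintext) {
  const iv = crypto.randomBytes(12); // fresh 96-bit nonce for every message
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  cipher.setAAD(Buffer.from(recordId, 'utf8'));
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return { recordId, iv, ct, tag: cipher.getAuthTag() };
}

// Decrypt at the destination inside the clinic. final() throws if the key is
// wrong or if the ciphertext, tag or record id was modified in transit.
function decryptPhi(key, env) {
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, env.iv);
  decipher.setAAD(Buffer.from(env.recordId, 'utf8'));
  decipher.setAuthTag(env.tag);
  return Buffer.concat([decipher.update(env.ct), decipher.final()]).toString('utf8');
}

// Hypothetical relay server: stores envelopes only, never holds a key,
// and deletes each envelope as soon as it has been handed to the custodian.
class Relay {
  constructor() { this.store = new Map(); }
  put(env) { this.store.set(env.recordId, env); }
  deliver(recordId) {
    const env = this.store.get(recordId);
    this.store.delete(recordId); // nothing retained after hand-off
    return env;
  }
}
```

A compromise of the relay in this model exposes only nonces, ciphertext and authentication tags; confidentiality then depends entirely on how the clinic stores and backs up its key.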