Raising Standards for Privacy and Data Security

Run your Telehealth business with constant updates, monitoring and innovative security measures

Security, Compliance & Data

Security and privacy are of paramount importance to us, in the applications, in their deployment and in our operations. We work constantly to ensure that we remain in compliance with evolving security measures.

Data Ownership

You own your data, we just manage it on your behalf. We have taken every measure to ensure that your data is safe and protected. Our Privacy Policy and Terms of Service are simple and straightforward, and put you in absolute control.

If you ever do choose to cancel your account, then you can take your data with you and we will provide an export of your data. Your data will be held for a maximum of 30 days, after which it will be deleted.

Data Center

The ContinuousCare platform is hosted in ultra-high security Tier III+ AWS data centers that are secured with cutting edge surveillance and detection measures with round the clock monitoring and strict physical controls. All platform accounts are currently based in data centers in the US and Europe and we are in the process of setting up more regions.

High Availability and Failover

We support a highly available application architecture with no single point of failure, which ensures continuous availability of services. Multiple availability zones allow for transparent failover and recovery in case of any component failure.

App Data Encryption

All data is handled securely in transit and at rest. All transmitted data is encrypted with 256-bit SSL/TLS encryption. All data at rest is AES encrypted. Video streams used for the video telemedicine features are also AES encrypted.

Secure WebRTC Service for Video Telemedicine Features

The WebRTC service supporting the Video Consultations feature ensures secure transmission by using:

Secure Connection

The sessions established are secure, with session tokens that are regenerated. Random AES keys are generated by the clients at the beginning of the media connection. To increase security, additional keys are generated periodically throughout the session.

Data Transmission and Encryption

The service employs Transport Layer Security (TLS) to encrypt both voice and video data. The core protocols used are SRTP for media traffic encryption and DTLS-SRTP for key negotiation, both of which are defined by the IETF. The endpoints use the AES cipher with 128-bit keys to encrypt audio and video, and HMAC-SHA1 to verify data integrity.
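As an added illustration (not code from ContinuousCare or from this page), this shows the SRTP integrity check just described: the authentication tag is HMAC-SHA1 over the RTP header plus the encrypted payload followed by the 32-bit rollover counter, truncated to 80 bits as RFC 3711 specifies, and a receiver that rejects any packet whose tag does not match. The session authentication key and the encrypted payload bytes are constructed stand-ins; in a real session they come from the DTLS-SRTP key exchange and the AES-128 encryption step.

```python
import hmac
import hashlib
import os
import struct

TAG_LEN = 10  # SRTP default: HMAC-SHA1 output truncated to 80 bits (RFC 3711 section 5.2)
RTP_HEADER_LEN = 12


def rtp_header(seq, timestamp, ssrc, payload_type=96, marker=0):
    """Build a minimal 12-byte RTP header (version 2, no padding, extension or CSRCs)."""
    first = 0x80                          # V=2, P=0, X=0, CC=0
    second = (marker << 7) | payload_type
    return struct.pack("!BBHII", first, second, seq, timestamp, ssrc)


def srtp_auth_tag(auth_key, authenticated_portion, roc):
    """RFC 3711 section 4.2: tag = HMAC-SHA1(k_a, M || ROC) truncated to TAG_LEN bytes.

    M is the RTP header plus the already-encrypted payload; ROC is the 32-bit
    rollover counter that tracks wraps of the 16-bit RTP sequence number."""
    mac = hmac.new(auth_key, authenticated_portion + struct.pack("!I", roc), hashlib.sha1)
    return mac.digest()[:TAG_LEN]


def protect(auth_key, header, encrypted_payload, roc):
    """Sender side: append the authentication tag to header || encrypted payload."""
    m = header + encrypted_payload
    return m + srtp_auth_tag(auth_key, m, roc)


def verify(auth_key, srtp_packet, roc):
    """Receiver side: return header || encrypted payload if the tag is valid, else None."""
    if len(srtp_packet) < RTP_HEADER_LEN + TAG_LEN:
        return None
    m, tag = srtp_packet[:-TAG_LEN], srtp_packet[-TAG_LEN:]
    # Constant-time comparison so timing does not reveal how many tag bytes matched.
    if not hmac.compare_digest(tag, srtp_auth_tag(auth_key, m, roc)):
        return None
    return m


def demo():
    """Constructed round trip: a valid packet passes, a flipped bit and a wrong ROC fail."""
    auth_key = os.urandom(20)              # constructed stand-in for the DTLS-SRTP derived k_a
    header = rtp_header(seq=1, timestamp=160, ssrc=0x12345678)
    ciphertext = b"\xde\xad\xbe\xef" * 4   # constructed stand-in for AES-128-CTR encrypted audio
    pkt = protect(auth_key, header, ciphertext, roc=0)
    accepted = verify(auth_key, pkt, roc=0) == header + ciphertext
    tampered = bytearray(pkt)
    tampered[RTP_HEADER_LEN] ^= 0x01       # flip one bit of the encrypted payload
    rejected = verify(auth_key, bytes(tampered), roc=0) is None
    wrong_roc = verify(auth_key, pkt, roc=1) is None
    return accepted, rejected, wrong_roc
```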

Application Security

The applications, themselves, are built to be secure and in compliance with security and privacy regulations:

  • All Virtual Practices are protected by digital security certificates
  • Secure login (and all passwords are encrypted) for all user accounts
  • All User Accounts have role based privileges. Only Provider roles have access to patient health data.
  • Auto-logoff is implemented for all healthcare provider accounts
  • Patient PHI is not transmitted in external notifications

Platform Monitoring & Maintenance

The platform is monitored 24/7 by a dedicated team, who will take immediate action to ensure restoration of services in the shortest possible time, in the case of any eventuality.

We also do continuous application updates, and most of these happen transparently in the background. In the rare case where an actual downtime window is needed, we aim to notify you well in advance.

Data Backups

Real-time replication is provided for the back-end database and other data. We also take additional backups multiple times a day, and these backups are stored securely across multiple physical locations. All relevant components are backed up as per industry recommendations, and the required redundancy is provided for critical components. Application servers are also distributed across geographically separate data centers.

Compliance

GDPR Compliance

As of May 2018, we have updated our application and operations to comply with the GDPR (General Data Protection Regulation) and have clarified this accordingly in our Terms of Service and Privacy Policy. The ContinuousCare platform enables our healthcare provider customers to be compliant with the European Union's comprehensive General Data Protection Regulation (GDPR). This covers, among other things, the criteria for informed consent, the right to be forgotten, security, and breach notification protocols.

HIPAA Compliance

The Virtual Practice applications and underlying platform services are developed to be in compliance with the Technical Safeguards of the HIPAA Security Rule. The ContinuousCare platform uses only HIPAA-compliant components of Amazon Web Services (in US data centers) and has been issued a Business Associate Agreement (BAA) by AWS, ensuring that the Physical Safeguards are met. Administrative safeguards to ensure compliance with regard to privacy, security and breach notification are in place. We have a Breach Notification policy, which is required for GDPR compliance as well.

Securing your account

Below are some of the security measures we recommend for securing your account:

Password Strength

We encourage our users to employ strong passwords of at least 8 characters that mix upper- and lower-case letters and include special characters. Passwords that are easily guessable should not be used.

Browser Updates

The ContinuousCare platform is committed to supporting the latest browsers. You can find more information about the browsers we support here. We recommend that you enable auto-updates for your browsers and check frequently to ensure that you are, in fact, using the latest browser versions.

Use appropriate user roles

Each employee or member of your care team who has an account in the Virtual Practice should be granted roles appropriate to their level of data access. You can find more information about user roles here.

Avoid sharing accounts

Our pricing plans enable you to scale up your users in a cost-effective fashion. For security and compliance reasons, it is advisable that each user be provided with a dedicated login.