Data Security Council of India Member
PRACTO RAY DATA SECURITY PRIMER
[Cover illustration: patient name, details, prescription history; encryption; strong password, two-factor authentication, Practo Access Zones]
Practo is primarily a healthcare data company, and everything we do is based around storing and managing great amounts of health data. In our vision to help people live healthier & longer lives, we consider data our most important asset and we strive to do everything in our power to ensure it remains as safe as possible. This includes using the ‘gold standard’ security protocols that are publicly documented, as well as employing proprietary technologies to safeguard our data vault. This document provides an overview of these measures.
[Illustration of Practo's security layers: application security, access control, network security, highly secure cloud, point-in-time recovery, versioning & multiple backups]
INSIDE PRACTO’S SECURITY COMPLEX
Our data security standards are the same as your bank's
Using stringent data protection and transfer standards ensures your data is in the safest hands possible. Our systems always keep an eye on any and all changes, and discrepancies are flagged immediately (within milliseconds).
Our security team ardently safeguards your data
We have the best team of qualified security experts with proven track records to make sure that data is kept completely safe, behind an almost impenetrable wall. All data traffic that passes through our servers is continuously analysed and tracked. Our data team also conducts precautionary security measures, like regular risk analyses and vulnerability assessments (in which our experts attempt to break into our own systems), to ensure that our data protection constantly improves and always remains current.
Our systems have nerves of steel
The data that passes through our servers travels through multiple network security layers before reaching its destination. This makes it possible for us to monitor and detect any unusual activity and nip it in the bud, before it has had any chance to make an impact. The entire process takes place in a few milliseconds, ensuring speed and performance along with security.
Our data storage systems are extremely robust
All data is backed up and versioned multiple times, in unique secure locations across the world. We also employ a smart feature called point-in-time recovery, which allows us to securely retrieve data from a specific time period. We have taken every conceivable step to prevent data loss and made sure that a version of your data can always be recovered. And almost all of this is automated, which means it's running 24x7 even when our engineers are not physically present.
WHAT CAN I DO TO KEEP MY DATA SAFE?
The most common data security breaches happen due to easily preventable reasons, like weak passwords. Here are some simple measures that you can take, along with great opt-in features available in your Practo Ray account for complete peace of mind:
Two-factor Authentication
Two-factor authentication adds an extra OTP-like layer of security, in addition to the credentials used to log in to a Practo Ray practice. Right after you log in with your username & password, you'll be asked to enter a code that is only accessible through an app on your smartphone or via SMS to a registered mobile number. You may have used this feature while logging in to your bank account.
Practo Access Zones
Access Zones prevent unauthorized access to a Practo Ray practice from internet connections (or locations) other than the ones specified by you. Here's how it works: every computer and mobile device connected to the internet has an IP address. When you add the IP addresses of your devices to the Practo Access Zones list, only those devices are allowed to access your Practo Ray account. This feature ensures that no one can access your practice data from outside your practice premises, even if they happen to have your username & password. Using two-factor authentication and Practo Access Zones together makes Practo Ray the most secure system in the industry!
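How the two opt-in controls above combine at login, as an added illustration rather than Practo's own code: the request's source address must fall inside a configured zone, and the one-time code must verify (RFC 4226/6238 HOTP/TOTP, which is what authenticator apps produce). The zone list, the shared secret and the timestamps are constructed values.

```python
import hashlib
import hmac
import ipaddress
import struct
import time
from typing import Iterable


def in_access_zone(client_ip: str, zones: Iterable[str]) -> bool:
    """True if client_ip lies inside any allowed address or CIDR block.
    Use the transport peer address here, never a client-supplied header
    such as X-Forwarded-For, which the sender controls."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(z, strict=False) for z in zones)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(secret: bytes, at: float, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP over the current 30-second time step."""
    return hotp(secret, int(at // step))


def verify_otp(secret: bytes, submitted: str, at: float, skew: int = 1) -> bool:
    """Accept the code for the current step or `skew` neighbouring steps
    (clock drift), comparing in constant time to avoid timing leaks."""
    step = int(at // 30)
    return any(hmac.compare_digest(hotp(secret, step + d), submitted)
               for d in range(-skew, skew + 1))


def login_allowed(password_ok: bool, client_ip: str, zones: Iterable[str],
                  secret: bytes, otp: str, at: float = None) -> bool:
    """All three checks must pass; a correct password alone is not enough."""
    at = time.time() if at is None else at
    return (password_ok
            and in_access_zone(client_ip, zones)
            and verify_otp(secret, otp, at))


if __name__ == "__main__":
    # Constructed zone list and secret (RFC 4226 test-vector key).
    zones = ["203.0.113.0/24", "192.0.2.10"]
    key = b"12345678901234567890"
    print(login_allowed(True, "203.0.113.7", zones, key, totp(key, 59), at=59))
    print(login_allowed(True, "198.51.100.1", zones, key, totp(key, 59), at=59))
```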
Adding separate user accounts
Instead of sharing your login details with your staff, you can create separate accounts for each of your staff members. This way, all your practice data remains secure. You can also specify access levels for each staff member, which means your receptionist won't have access to your billing data. So your staff will only see what you want them to see. Check our help article to see how to do this.
Setting a secure Password
Using a strong password more than 8 characters long which does not contain easy-to-guess words (like your name, your child's name or your phone number) is a must. Our guidelines mandate that your password must:
- Be between 8-20 characters (the longer the better!)
- Have at least one upper case and one lower case alphabet
- Have at least one digit
- Have at least one special character out of @, #, $, %, ^, &, +, =
- Be changed regularly
Tip: If you want something easy to remember, start with a familiar word and keep making it stronger with a combination of upper & lower case alphabets, numbers and special characters. Here's an example: Say your name is Mohammed and you were born on the 14th of June. Start with your name and your date of birth – Mohammed146. Now add upper case alphabets – MoHaMmeD146. Now add special characters – MoH@MmeD146 and there you have it! However, we still recommend you have a completely unique combination of alphabets, numbers & characters that is very hard for anyone to guess. And remember to not leave the password lying around anywhere!
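The password rules above as an executable check, added here as an illustration and not Practo Ray's own validator. The `banned` list of personal words (name, phone number) is an assumption standing in for the "easy-to-guess words" rule; it reports every rule a candidate fails, so the worked example from the tip can be walked through step by step.

```python
SPECIALS = "@#$%^&+="          # the special characters the guidelines allow
MIN_LEN, MAX_LEN = 8, 20


def password_violations(pw: str, banned: tuple = ()) -> list:
    """Return the names of the rules `pw` fails; an empty list means compliant.

    `banned` holds personal words the user should not embed (name, child's
    name, phone number); the match is case-insensitive and substring-based.
    """
    problems = []
    if not MIN_LEN <= len(pw) <= MAX_LEN:
        problems.append("length 8-20")
    if not any(c.isupper() for c in pw):
        problems.append("upper case")
    if not any(c.islower() for c in pw):
        problems.append("lower case")
    if not any(c.isdigit() for c in pw):
        problems.append("digit")
    if not any(c in SPECIALS for c in pw):
        problems.append("special character")
    lowered = pw.lower()
    for word in banned:
        if word and word.lower() in lowered:
            problems.append(f"contains '{word}'")
    return problems


def is_compliant(pw: str, banned: tuple = ()) -> bool:
    return not password_violations(pw, banned)


if __name__ == "__main__":
    # The three stages of the tip above, checked against the user's own name.
    for candidate in ("Mohammed146", "MoHaMmeD146", "MoH@MmeD146"):
        print(candidate, password_violations(candidate, banned=("Mohammed",)))
```

Note that "MoH@MmeD146" passes every listed rule yet is still derived from a name and a birthday, which is why the tip ends by recommending a fully unique combination.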
A TECHNICAL OVERVIEW
For the technically inclined, our security experts have also put together a primer on the secure technologies we employ at Practo.
Virtual Private Cloud
All of Practo's applications reside in a secure virtual private cloud (VPC), which acts as a private space within a shared cloud ecosystem. No other applications or services have access to your data, and your data never leaves the VPC.
Encryption
As your data travels from your computer to the VPC and back, 128-bit encryption protects it on the way. Encryption essentially converts textual data into random gibberish, mathematically designed to be impossible for either a human or a computer to read. When encrypted, only the cloud (pre-authorized by you) and your device can read your data. Even if someone attempts to read the data while it travels between your device and the cloud, it would make no sense to them.
Internal Security Measures
Our dedicated team of security experts periodically monitors the health of our applications, protocols and systems. They ensure all technologies used are up-to-date and also monitor the safeguards applied to all data coming in and out. Periodic tests, assessments and system reviews of all security equipment are conducted frequently.
Access Control Lists
Access Control Lists specify which user levels have the privilege to access or modify any data systems. It is a highly secure, rigid protocol that ensures nobody outside the access boundary (even with a borrowed username & password) can access what they are not supposed to. Think of it as being similar to access levels in Practo Ray – your receptionist cannot access reports, for instance.
Application Security
Till now we have discussed the safety protocols and measures applied while data moves across servers. But what about the integrity of our in-house systems? That's where application security comes in. Simply put, application security refers to the use of software, hardware, and procedural methods to protect applications from external threats. This team ensures that the code which powers all Practo products remains as secure as possible, and a series of protocols are in place to make Practo a virtual fortress. The application security team performs:
- Manual review of every line of code written by any developer
- Periodic maintenance and review of existing code
- External security reviews, by industry-leading experts
- Enforcement of non-disclosure agreements and strict usage terms for all external parties
- OWASP Top 10 compliance
OWASP Top 10 describes a set of common and critical security vulnerabilities, as identified by international security experts. Almost all internet services or websites that handle sensitive data (e.g. banks, email programs, e-commerce portals) adhere to OWASP's recommendations, and so do we. Also, application data (which refers to our services) and user data (the data that you enter) are in the same VPC, which means nobody can access any data while it is being transferred internally. But we still went ahead and encrypted everything, just to be super-safe.
Additional security measures:
Along with all the above measures, we are constantly looking for ways to improve our security features. As a part of those efforts, Practo is now a member of the Data Security Council of India (DSCI) - a NASSCOM initiative, functioning as the premier industry body to keep cyberspace safe, secure and trusted by establishing best practices, standards and initiatives in cyber security and privacy. With the experience and resources of DSCI, we've been working with them to reach new levels of security excellence, ensuring that our data security is truly unshakeable. With all these security measures (and many more, under the hood), it's no longer a secret that Practo takes data security very, very seriously. And with all the hard work that we're putting into protecting the world's healthcare data, you can rest assured in trusting Practo as your partner in digital health.
If you still have questions, we’d be delighted to hear from you at
[email protected]