Security Overview
Enterprise-grade security for your health data
ISO 27001 aligned security practices with Australian compliance
Security Certifications & Standards
ISO 27001 Aligned
Information Security Management System following international best practices
PCI DSS Compliant
Payment Card Industry compliance through Stripe Australia integration
Australian ISM
Information Security Manual compliance for government-grade security
1. Data Encryption
Encryption at Rest
-
AES-256 Encryption
All stored data encrypted with industry-standard 256-bit Advanced Encryption Standard
-
Australian-Controlled Keys
Encryption keys managed exclusively within Australia using AWS KMS Australia
-
Database-Level Encryption
Full database encryption including tables, indexes, and backup files
Encryption in Transit
- TLS 1.3: Latest Transport Layer Security for all web communications
- Perfect Forward Secrecy: Unique session keys that can't be compromised retroactively
- HSTS Enforced: HTTP Strict Transport Security prevents downgrade attacks
- Certificate Pinning: Protection against certificate authority compromise
- End-to-End Encryption: Data remains encrypted from browser to database
2. Access Control & Authentication
User Authentication
Multi-Factor Authentication
- • TOTP authenticator apps supported
- • SMS backup authentication
- • Hardware security key support
- • Biometric authentication (where available)
Password Security
- • Argon2id password hashing
- • Minimum 12-character requirement
- • Breach detection integration
- • Regular password strength auditing
Administrative Access
- Principle of Least Privilege: Minimum necessary access granted
- Role-Based Access Control: Granular permissions based on job requirements
- Just-in-Time Access: Temporary elevation for administrative tasks
- Regular Access Reviews: Quarterly review and validation of all access rights
- Session Management: Automatic timeout and concurrent session limits
Zero Trust Architecture: All access requests are verified and authenticated, regardless of location or user credentials.
3. Infrastructure Security
Network Security
- Web Application Firewall: Advanced threat detection and blocking
- DDoS Protection: Multi-layered defense against distributed attacks
- Network Segmentation: Isolated environments for different system components
- VPN Access: Secure remote access for authorized personnel
- Intrusion Detection: Real-time monitoring and automated response
Cloud Security (AWS Australia)
Compute Security
- • EC2 instances with latest AMIs
- • Security groups with minimal exposure
- • Instance metadata service v2
- • Systems Manager for patch management
Data Security
- • RDS encryption with KMS
- • S3 bucket encryption and versioning
- • CloudTrail for API logging
- • GuardDuty threat detection
Application Security
- Secure Development Lifecycle: Security integrated throughout development
- Static Code Analysis: Automated vulnerability scanning pre-deployment
- Dynamic Testing: Runtime security testing and monitoring
- Dependency Scanning: Third-party component vulnerability management
- Container Security: Secure containerization with minimal attack surface
4. Data Protection Measures
Data Classification
| Classification | Examples | Protection Level | Access Control |
|---|---|---|---|
| Critical | Health data, medical results | Maximum encryption + auditing | Role-based + MFA required |
| Sensitive | Personal information, payment data | Strong encryption + monitoring | Need-to-know basis |
| Restricted | Usage analytics, system logs | Standard encryption | Authorized personnel |
Backup & Recovery
- Automated Backups: Multiple daily snapshots with encryption
- Geographic Redundancy: Cross-region backup within Australia
- Point-in-Time Recovery: Restore to any point within 35-day window
- Backup Testing: Monthly restore tests to verify integrity
- Disaster Recovery: RTO of 4 hours, RPO of 15 minutes
Data Lifecycle Management
- Data Minimization: Collect only necessary information
- Automated Retention: Automatic deletion per retention policies
- Secure Disposal: Cryptographic wiping of deleted data
- Right to Erasure: User-initiated data deletion capabilities
5. Security Monitoring & Incident Response
24/7 Security Operations
Threat Detection
- SIEM Integration: Security Information and Event Management
- Behavioral Analytics: Machine learning-based anomaly detection
- Threat Intelligence: Real-time threat feed integration
- Vulnerability Scanning: Automated weekly security assessments
- Penetration Testing: Quarterly third-party security testing
Incident Response Process
-
Detection (0-5 minutes):
Automated monitoring alerts security team
-
Assessment (5-15 minutes):
Threat classification and impact analysis
-
Containment (15-30 minutes):
Immediate threat containment and isolation
-
Investigation (30 minutes - 4 hours):
Forensic analysis and root cause identification
-
Recovery (4-24 hours):
System restoration and monitoring
-
Lessons Learned (24-72 hours):
Post-incident review and improvement
6. Compliance & Auditing
Regular Security Audits
Internal Audits
- • Monthly security control assessments
- • Quarterly access control reviews
- • Bi-annual policy compliance checks
- • Annual security program review
External Audits
- • Annual ISO 27001 compliance audit
- • Quarterly penetration testing
- • Annual privacy impact assessments
- • Third-party security certifications
Compliance Reporting
- Security Dashboard: Real-time security metrics and KPIs
- Incident Reports: Detailed analysis of all security events
- Compliance Status: Regular updates on regulatory compliance
- Risk Assessments: Ongoing evaluation of security risks
7. Your Role in Security
Best Practices for Users
Account Security
- • Use a strong, unique password for your account
- • Enable two-factor authentication immediately
- • Log out from shared or public computers
- • Review account activity regularly
- • Report suspicious activity immediately
Data Upload Security
- Only upload your own pathology reports
- Verify SSL connection (look for the lock icon)
- Use secure networks (avoid public WiFi for uploads)
- Delete files from downloads folder after upload
How to Report Security Concerns
Security Team: [email protected]
Emergency Security Hotline: 1300 XXX XXX
Response Time: Within 4 hours for security issues
Bug Bounty: Responsible disclosure program available
This Security Overview was last updated on January 1, 2024. We continuously improve our security practices and update this document quarterly to reflect current implementations.