Security Processes

General Security 

Phew operates to the ISO27001:2015 (information security management) and ISO9001:2018 (quality management) standards, along with Cyber Essentials Plus.

A strict disaster recovery process is in place: should a critical incident occur, backup collection and full restoration can be actioned in under four hours.

Monthly maintenance tasks are in place to ensure that data can be recovered and restored from backups.

Phew’s entire application and its associated database are backed up every night to an offsite location. The backup is rolling over 30 days, which means the application can be recovered as it was at any point in the last 30 days.

Learning Management System

  • Registration and login forms are further protected by Google reCAPTCHA.
  • User access logging is in place for all login attempts, and the logs are reviewed in our monthly maintenance checks.
  • The Phew LMS undergoes annual penetration testing to CREST-certified standards, and there are ongoing vulnerability checks as part of our monthly maintenance and with a third party (App.Check).
  • All web pages within the application are served over SSL/TLS using a certificate signed with SHA-256.
  • Counter cross-site scripting (XSS) measures are in place, as well as Cross-Site Request Forgery (CSRF) tokens to ensure the validity of the user and to prevent phishing attacks.
  • Data is handled server side by the application exclusively and then stored securely in a database. Securely in this context means that access is limited to the application and restricted to users via temporary IP address whitelisting.
  • All user password data is stored as a one-way hash, as per industry standards.
  • Brute force protections are in place on sensitive forms such as logins.

Audit System

  • User access logging is in place for all login attempts, and the logs are reviewed in our monthly maintenance checks.
  • Optional two-factor authentication via SMS is available as a further login authentication step for the system.
  • Audit response data (including submitted files) can optionally be encrypted at rest using AES-256.
  • All high-privilege user actions are logged for 12 months.
  • The Phew Audit System undergoes annual penetration testing to CREST-certified standards, and there are ongoing vulnerability checks as part of our monthly maintenance and with a third party (App.Check).
  • All web pages within the application are served over SSL/TLS using a certificate signed with SHA-256.
  • Counter cross-site scripting (XSS) measures are in place, as well as Cross-Site Request Forgery (CSRF) tokens to ensure the validity of the user and to prevent phishing attacks.
  • Data is handled server side by the application exclusively and then stored securely in a database. Securely in this context means that access is limited to the application and restricted to users via temporary IP address whitelisting.
  • All user password data is stored as a one-way hash, as per industry standards.
  • Brute force protections are in place on sensitive forms such as logins.

Patient Discharge Management System

  • Two-factor authentication via SMS is in place as a further login authentication step for the system.
  • All sensitive patient information is encrypted at rest using AES-256.
  • The Phew Patient Discharge Management System undergoes annual penetration testing to CREST-certified standards, and there are ongoing vulnerability checks as part of our monthly maintenance and with a third party (App.Check).
  • All web pages within the application are served over SSL/TLS using a certificate signed with SHA-256.
  • Counter cross-site scripting (XSS) measures are in place, as well as Cross-Site Request Forgery (CSRF) tokens to ensure the validity of the user and to prevent phishing attacks.
  • Data is handled server side by the application exclusively and then stored securely in a database. Securely in this context means that access is limited to the application and restricted to users via temporary IP address whitelisting.
  • All user password data is stored as a one-way hash, as per industry standards.
  • Brute force protections are in place on sensitive forms such as logins.

Websites

  • Firewall and brute force protections are in place via a series of security plugins.
  • All user login screens are hidden.
  • Two-factor authentication can be implemented at client request.
  • Optional enterprise firewalls can be installed (Cloudflare, Sucuri) on request.