What is Metadvice?
Metadvice is a suite of precision medicine applications that facilitates comprehensive and precise diagnostic and therapeutic evaluations. Metadvice uses artificial intelligence to transform big data into actionable insights for both doctors and patients.
With the rapid advance of healthcare technologies – such as mobile medical apps and cloud computing – and their increasing integration with social media, personal data protection has become of paramount importance.
The European Union has adopted a new regulation concerning data protection, Regulation (EU) 2016/679, known as the General Data Protection Regulation ("GDPR"). As a company with EU users, Metadvice has taken certain actions and has adopted policies and procedures in order to implement the GDPR and enhance the protection of the personal data of its EU users.
The first required safeguard in the HIPAA Security Rule is a risk analysis. As part of its risk management process, Metadvice performs an annual risk analysis of its products, covering software and data security. The Security Rule details specific requirements for security safeguards. Items marked (R) are required; items marked (A) are "addressable" and must be implemented, or an equivalent alternative documented, according to the results of the risk analysis.
To reduce risks to EPHI (electronic protected health information), covered entities and their business associates such as Metadvice must implement the technical safeguards appropriate to their business situation; this is the raison d'être of risk analysis. The most effective safeguard is to store as little EPHI as possible. To this end:
Metadvice has performed a threat analysis of the Metadvice mobile app and services. The threat analysis considered attack scenarios against the availability of the service and the confidentiality, integrity and availability of EPHI, as well as attacks on code and service configurations. The results of the threat analysis guide Metadvice in its implementation of Security Rule safeguards.
Person or Entity authentication (R)
This safeguard requires a covered entity and its business associates to "Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed."
Authentication in Metadvice ensures that a person is in fact who he or she claims to be before being allowed access to certain features in Metadvice. This is accomplished by providing satisfactory proof of identity, attesting that a new user is a healthcare professional or a patient of one. After completing the in-app registration, a new user is vetted by Metadvice before being allowed to use the app. User authentication is based on an email address as the username and a strong password with a minimum of 8 characters.
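The page states only that authentication uses an email username and a password of at least 8 characters. The following is an added example, not Metadvice's code, of how a server enforces such a policy and then verifies "the one claimed" without ever storing the password: a salted scrypt hash is stored, verification re-derives it and compares in constant time, and unknown accounts are verified against a dummy hash so that login timing does not reveal which emails exist. The common-password denylist and the "no email username in the password" rule are assumptions about what "strong" should mean; the user store is an in-memory dict constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional

MIN_PASSWORD_LENGTH = 8  # the minimum the page states

# Hypothetical denylist of passwords that satisfy the length rule but are
# known-weak; a real deployment would check a breached-password corpus.
COMMON_PASSWORDS = {"password", "password1", "12345678", "qwertyui", "letmein1"}


def password_policy_errors(password: str, email: str) -> List[str]:
    """Return the policy rules a candidate password violates (empty list = acceptable).

    Only the 8-character minimum comes from the page; the denylist and the
    email-username rule are assumptions for this example."""
    errors = []
    if len(password) < MIN_PASSWORD_LENGTH:
        errors.append(f"shorter than {MIN_PASSWORD_LENGTH} characters")
    if password.lower() in COMMON_PASSWORDS:
        errors.append("appears on the common-password denylist")
    local_part = email.split("@", 1)[0].lower()
    if local_part and local_part in password.lower():
        errors.append("contains the account's email username")
    return errors


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Derive a salted scrypt hash; the plaintext password is never stored."""
    salt = salt if salt is not None else os.urandom(16)
    n, r, p = 2 ** 14, 8, 1  # ~16 MiB memory cost per derivation
    dk = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=n, r=r, p=p, dklen=32)
    return f"scrypt${n}${r}${p}${salt.hex()}${dk.hex()}"


def verify_password(stored: str, candidate: str) -> bool:
    """Re-derive the hash with the stored parameters and compare in constant time."""
    try:
        algo, n, r, p, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False  # malformed record: refuse rather than crash
    if algo != "scrypt":
        return False
    dk = hashlib.scrypt(candidate.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                        n=int(n), r=int(r), p=int(p), dklen=len(dk_hex) // 2)
    return hmac.compare_digest(dk.hex(), dk_hex)


# Constructed in-memory user store for the example, keyed by normalized email.
USERS: Dict[str, str] = {}

# Verified against when the email is unknown, so that probing for non-existent
# accounts costs the same time as a failed login for a real one.
_DUMMY_HASH = hash_password("not-a-real-password")


def register(email: str, password: str) -> List[str]:
    """Create an account if the password passes policy; returns the policy errors."""
    email = email.strip().lower()
    errors = password_policy_errors(password, email)
    if errors:
        return errors
    if email in USERS:
        return ["account already exists"]
    USERS[email] = hash_password(password)
    return []


def authenticate(email: str, password: str) -> bool:
    """The 45 CFR 164.312(d) check: is the caller the account they claim to be?"""
    stored = USERS.get(email.strip().lower())
    if stored is None:
        verify_password(_DUMMY_HASH, password)  # burn the same time, then refuse
        return False
    return verify_password(stored, password)
```

The scrypt parameters are embedded in the stored string so they can be raised later without invalidating existing accounts; old records simply re-hash on the next successful login.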
The Security Rule defines access as “the ability or the means necessary to read, write, modify, or communicate data/information or otherwise use any system resource”.
Metadvice has implemented access control in the Metadvice system as follows:
Mobile device policy
In addition to Security Rule requirements for access control, Metadvice recognizes that innovative mobile apps such as Metadvice are part of a diverse mobile IT environment that introduces new threats and requires appropriate security countermeasures. If a mobile device is lost or stolen, the user can have the device de-authenticated remotely by contacting Metadvice support.
Users of Metadvice are encouraged to use device-level security features, such as requiring a password or PIN to unlock the screen, to provide an additional layer of protection.
The Audit Controls safeguard requires a covered entity to "Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information." Metadvice maintains comprehensive audit logs on its cloud servers:
Transmission security safeguards require a covered entity to: “Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.” These include:
Metadvice encrypts the connection between the applications and the cloud services using TLS (Transport Layer Security), the successor to SSL. The server authenticates itself with a certificate issued by Let's Encrypt for a 2048-bit RSA key; the session traffic itself is encrypted with the symmetric cipher suite negotiated during the handshake. An independent assessment can be obtained from SSL Labs under this link.
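As an added example (not Metadvice's code), the following shows what a client-side check of the transmission security described above looks like in practice: a context that refuses anything older than TLS 1.2 and always verifies the peer, plus an assessment of the server certificate that confirms the Let's Encrypt issuer, the validity window (with an early warning before the 90-day certificates lapse) and the hostname. The certificate dict is a constructed sample in the layout Python's `getpeercert()` returns; the host name, the 14-day renewal threshold and the `probe` helper are assumptions. The RSA key size is not exposed in that dict form, so that remains a matter for an external assessment such as SSL Labs.

```python
import socket
import ssl
import time
from typing import Dict, List

EXPECTED_ISSUER_ORG = "Let's Encrypt"  # the issuer named on the page
RENEWAL_WARNING_DAYS = 14              # assumed operational threshold


def hardened_client_context() -> ssl.SSLContext:
    """Client context that refuses SSLv3/TLS 1.0/1.1 and always verifies the peer."""
    ctx = ssl.create_default_context()  # system CA store, hostname checking enabled
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def describe_context(ctx: ssl.SSLContext) -> Dict[str, object]:
    """Summarize the settings that matter for an audit of the client configuration."""
    return {
        "minimum_version": ctx.minimum_version.name,
        "check_hostname": ctx.check_hostname,
        "verify_mode": ctx.verify_mode.name,
    }


def assess_peer_cert(cert: dict, hostname: str, now: int) -> List[str]:
    """Findings for a certificate in the dict form returned by SSLSocket.getpeercert().

    `now` is Unix time in seconds. Returns an empty list when the issuer matches,
    the certificate is within its validity window and not close to expiry, and
    `hostname` appears verbatim among the DNS subject alternative names."""
    findings = []
    issuer = {name: value for rdn in cert.get("issuer", ()) for name, value in rdn}
    if issuer.get("organizationName") != EXPECTED_ISSUER_ORG:
        findings.append("issuer-mismatch")
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if now < not_before:
        findings.append("not-yet-valid")
    elif now > not_after:
        findings.append("expired")
    elif not_after - now < RENEWAL_WARNING_DAYS * 86400:
        findings.append("expires-soon")  # renewal automation should have fired by now
    dns_names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if hostname.lower() not in (n.lower() for n in dns_names):  # exact match only, no wildcards
        findings.append("hostname-mismatch")
    return findings


# Constructed sample in getpeercert() layout; not a real certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "api.example.org"),),),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Let's Encrypt"),),
               (("commonName", "R3"),)),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Mar 31 23:59:59 2024 GMT",
    "subjectAltName": (("DNS", "api.example.org"),),
}


def probe(host: str, port: int = 443) -> Dict[str, object]:
    """Connect with the hardened context and assess the live certificate (needs network)."""
    ctx = hardened_client_context()
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return {
                "version": tls.version(),        # e.g. "TLSv1.3"
                "cipher": tls.cipher(),          # (name, protocol, key bits)
                "findings": assess_peer_cert(tls.getpeercert(), host, int(time.time())),
            }


if __name__ == "__main__":
    print(describe_context(hardened_client_context()))
    print(assess_peer_cert(SAMPLE_CERT, "api.example.org", int(time.time())))
```

Running `probe("api.example.org")` against a live host additionally reports the negotiated protocol version and cipher, which is the same information SSL Labs summarizes; a handshake failure with the hardened context is itself a finding, since it means the server offered nothing at TLS 1.2 or better.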
Metadvice is a unique and innovative search and reference application for precision medicine, powered by artificial intelligence. Metadvice has implemented the appropriate Security Rule safeguards as part of a corporate commitment to protecting personal data through a strong security and compliance management program.