Security and compliance overview
As an enterprise-level medical device and software provider, MobileODT understands that the security of the patient data collected and stored by our customers is nothing less than critical.
MobileODT customers include some of the world’s leading medical institutions for whom maintaining secure user data is a topmost priority. To deliver the peace of mind that our customers deserve, we believe in transparency regarding MobileODT security standards and practices.
As an accreditation for these practices, MobileODT is ISO 13485 certified, ensuring the highest international standards and best practices in medical devices.
Application level security
By design, we separate Protected Health Information (PHI) from non-PHI. We make great efforts to ensure the security of data processed by the EVA System on behalf of our users.
Users can access the information stored on the cloud through the EVA portal. The portal is accessed through an internet browser in a secure HTTPS session.
Information can be exported in multiple formats: images as JPEG or PDF files, or images together with patient information as a PDF. Custom integration into the organization’s Electronic Health Records (EHR) system is possible through an open API.
Data anonymization and research
Anonymized images may be used by MobileODT for research in medicine, public health studies, and the improvement of our products and technology. We perform data anonymization by removing personal and health identifiers from images. Once this data is stripped of personally identifying elements, those elements can never be re-associated with the data or the underlying individual. This data is kept in separate storage to ensure that only medical data is used for research.
The EVA System can be used at the point of care without an internet connection. PHI is securely stored on the cellular device and transferred over an HTTPS-encrypted channel to online storage once a connection is established; alternatively, data can be transferred directly to an electronic data management system or to a computer.
We implement multiple and varied infrastructure security measures to protect customer information from unauthorized access, loss, alteration, viruses, Trojans, and other similar harmful code.
Administrative access to our production environment is limited to a restricted number of individuals. Access for additional individuals is granted only in extreme circumstances, for a specific purpose, and for a limited duration, and only after the explicit approval of the customer.
As part of our HIPAA compliance, we have implemented an advanced security information and event management (SIEM) solution to audit, monitor, aggregate, and correlate security alerts, ensuring swift discovery of and response to potential security incidents.
Cloud Storage and HIPAA
As a company, we make constant efforts to instill good data security and privacy practices among our employees. These efforts stem from an ongoing security awareness framework that mandates and audits the implementation of all security procedures within the company and helps ensure that security principles are communicated throughout the organization.
We chose Amazon Web Services (AWS) as our strategic HIPAA-compliant data facility and have a Business Associate Agreement in place. All our client-recorded data is stored on secure servers located in the United States. Amazon’s infrastructure has the highest level of availability, redundancy and incident response mechanisms that provide us with the infrastructure to deploy a resilient IT architecture.
MobileODT has made every effort to be GDPR-compliant across all our applications. We understand that meeting the GDPR requirements is an ongoing process and effort. As your partner, we want to help make your process as seamless as possible so that you don’t have to worry about compliance and can focus on running your business.
We are ISO 13485 certified. We view this certification as independent assurance to our customers of our commitment to the quality of our internal processes and of the medical devices and services we provide, so that they consistently meet customers’ and applicable regulatory requirements and controls.
These controls are systematically evaluated and updated by internal parties and by external auditors, to ensure that we continually meet both our own internal needs and those of our customers.