Data Security

Introduction

At AMaT, we are trusted with the governance data of over forty NHS Trusts, Health Boards, and private healthcare organisations.

We are signed up to the NHS's Cyber Security Charter, and believe that it's essential we can demonstrate to both new clients and our existing base that we take data security very seriously.

This page briefly details the various accreditations and certifications that we hold and that we renew annually. The majority of these are externally audited / assessed annually.

Our development arm, Meantime IT, is also ISO 27001 and Cyber Essentials certified.

ISO 27001

We consider ISO 27001 to be the jewel in the information security crown. It is the leading international standard for data security.

Our scope of applicability is as follows:

“The scope of Meantime AMaT’s Information Security Policy and ISMS is: information security management of sales, marketing, design, specification, testing, and management of the cloud-based AMaT solution, as well as training and support for clients, in accordance with the company’s latest Statement of Applicability”.

This covers every aspect of our work.

We are certified by ISOQAR and our certification number is 20228. Our current ISO 27001 certificate can be viewed here (opens external PDF document).

As mentioned above, our development arm, Meantime IT, is also ISO 27001 certified, with a statement of applicability that covers all aspects of the design, development, deployment, maintenance, and managed hosting of our software. Its certification number is 13607.

Cyber Essentials Plus

Although much of what is included in Cyber Essentials is covered by ISO 27001, there are a number of aspects that are of a more practical nature, which is why we also have this certification. It is also often required by organisations that don’t specify ISO 27001.

Although companies are permitted to self-certify for Cyber Essentials, the ‘Plus’ part means that we are externally assessed.

Our current Cyber Essentials Plus certificate can be viewed here (opens in a new window).

NCSC daily pen tests

The National Cyber Security Centre runs a ‘light’ pen test against AMaT every day. Crucially, this test includes the OWASP Top Ten, which are the top ten web application security risks.

AMaT clients have access to the NCSC’s dashboard, which shows them how AMaT is performing in mitigating those threats.

External pen tests (full)

Although the NCSC’s daily pen tests provide an excellent indication of AMaT’s resilience, many organisations like to see that a full external pen test has been carried out within the last twelve months.

Consequently, we carry out a full pen test at least annually, making the results available to organisations on request.

NHS Digital Data Security and Protection Toolkit

The Data Security and Protection Toolkit is an online self-assessment tool that allows organisations to measure their performance against the National Data Guardian’s 10 data security standards.

All organisations that have access to NHS patient data and systems must use this toolkit to provide assurance that they are practising good data security and that personal information is handled correctly.

AMaT is scored as ‘standards exceeded’, the highest rating. Our current Data Security and Protection Toolkit certificate can be viewed here (opens external PDF document).

NCSC Software Security Code of Practice

The National Cyber Security Centre is moving to an assurance-based set of software development principles and outcomes that, if met, allow the vendor to state that their software has achieved a baseline of software security and resilience.

All of the specified Assurance Principles and Claims (APCs) are covered by our other accreditations and certifications, but we self-certify against their code of practice for completeness.

There is an option to be externally assessed, but the bodies that carry out such assessments only re-assess when the code of practice is significantly amended by the NCSC. We prefer all assessments to be on a continuous basis and carried out at least annually, which is why we have opted to self-certify in this case.

Cloudflare

Cloudflare is a web application firewall, which protects our software and our clients’ data against a wealth of real-time attack methods.

We consider Cloudflare to be ‘best of breed’, an opinion that is shared by much larger organisations than ours, including household names such as Netflix.

Password security

We recommend that organisations use Single Sign-On (SSO) to access AMaT. However, as this is still not possible for some NHS Trusts, we also provide an option to activate Multi Factor Authentication (MFA), in line with the NHS's recommendation.

We follow OWASP’s guidance that passwords are hashed using Argon2 and we utilise the Argon2id variant. The hashing process is protected using the quantum resistant SHA-384 Keccak Sponge algorithm. Finally, the passwords are stored in our database, which is AES 256 encrypted. All passwords must be changed every three months.

In addition to the above, we also complete the following assessments for NHS organisations:

Digital Technology Assessment Criteria (DTAC)

DTAC is an assessment tool owned by NHS England.

It aims to bring together legislation and best practice in the areas of clinical safety, data protection, technical security, interoperability, and usability and accessibility standards.

A standard version of the current DTAC form is available online, although we have found that some Trusts use their own amended version. We can provide a set of responses to the questions for which we are responsible on the standard form, and, of course, we will answer any additional questions that Trusts might have.

Data Protection Impact Assessment (DPIA)

Organisations are required by the General Data Protection Regulation (GDPR) to complete a Data Protection Impact Assessment (DPIA) where its processing of personal data is considered to be a risk to the rights and freedoms of individuals.

As with the DTAC, a standard version is available, and we have a set of responses to those questions for which we are responsible. Naturally, we will answer any additional questions an organisation might have.

DCB0129

This standard provides a set of requirements to promote and ensure the effective application of clinical risk management by organisations that are responsible for the development and maintenance of Health IT Systems for use within the health and care environment.

However, the standard only applies to applications that affect the real-time or near-real-time care of patients. AMaT has been externally assessed (by Safehand Consulting), and it has been deemed to fall outside of the remit of DCB0129. The applicability assessment is available on request.