Skip to main content
QMSQMS
QMS
  • Welcome to your QMS
  • Quality Manual
  • Procedures
    • GP-001 Control of documents
    • GP-002 Quality planning
    • GP-003 Audits
    • GP-004 Vigilance system
    • GP-005 Human Resources and Training
    • GP-006 Non-conformity, Corrective and Preventive actions
    • GP-007 Post-market surveillance
    • GP-009 Sales
    • GP-010 Purchases and suppliers evaluation
    • GP-011 Provision of service
    • GP-012 Design, redesign and development
    • GP-013 Risk management
    • GP-014 Feedback and complaints
    • GP-015 Clinical evaluation
    • GP-016 Traceability and identification
    • GP-017 Technical assistance service
    • GP-018 Infrastructure and facilities
    • GP-019 Non-product software validation
    • GP-020 QMS Data analysis
    • GP-021 Communications
    • GP-022 Document translation
    • GP-023 Change control management
    • GP-024 Predetermined Change Control Plan
    • GP-025 Usability and Human Factors Engineering
    • GP-026 Market-specific product requirements
    • GP-027 Corporate Governance
    • GP-028 AI Development
    • GP-029 Software Delivery and Commissioning
    • GP-030 Cyber Security Management
    • GP-031 Training Data Governance
    • GP-050 Data Protection
    • GP-051 Security violations
    • GP-052 Data Privacy Impact Assessment (DPIA)
    • GP-100 Business Continuity (BCP) and Disaster Recovery plans (DRP)
    • GP-101 Information security
    • GP-110 Esquema Nacional de Seguridad
    • GP-200 Remote Data Acquisition in Clinical Investigations
    • GP-600 Equality Planning
  • Records
  • Legit.Health Plus Version 1.1.0.0
  • Legit.Health Plus Version 1.1.0.1
  • Legit.Health Utilities
  • Licenses and accreditations
  • Applicable Standards and Regulations
  • BSI Non-Conformities
  • Pricing
  • Public tenders
  • Procedures
  • GP-101 Information security

GP-101 Information security

Purpose​

To describe how we carry out the management of information security, access and data recovery of information systems under the scope of the Information Security Management System (hereinafter ISMS).

Scope​

This procedure concerns the management operations of the resources linked to the information systems under the scope of the Quality Management System: the design and development of medical software.

Definitions​

  • Access control: Means to ensure that access to assets is authorized and restricted based on business and security requirements.
  • Confidentiality: Property that information is not made available or disclosed to unauthorized persons, entities or processes.
  • Information security: Preservation of confidentiality, integrity and availability of information.
  • ISMS: Information Security Management System

Responsibilities​

JD-007​

  • To apply all necessary measures to ensure information security and the maintenance and updating of the information security systems are implemented.
  • To propose the necessary measures and activities in the event of detecting any type of incident related to information security.

JD-004​

  • To ensure the correct maintenance and filing of all documentation generated, including procedures and records, as well as to verify that such records comply with established procedures.

Inputs​

  • New media requirements
  • Sensitive information
  • New hirings

Outputs​

Development​

General​

We have developed this procedure following the guidelines established by the ISO/IEC 27001 international standard to manage the information security and to ensure the confidentiality, integrity and availability of the information that our stakeholders deposit and that we store in our information systems.

Information security is defined as the protection of information and also refers to the eradication of a wide range of threats to ensure business continuity, minimize business risks and maximize return on investment and business opportunities.

In order to properly manage such security, we establish, implement, review and improve an information security policy, where required, to ensure that the company's specific security and business objectives are met.

The review of this policy will be performed when significant changes occur in the ISMS or, alternatively, annually, to ensure that all aspects developed continue to be met.

The security measures associated with the management of access and management of media that may contain, where appropriate, personal data of medium or high level, is performed according to the criteria established in the current legislation on the subject, which we specifies, where appropriate, within our security documents.

Information security management system objectives​

  • Protection of information assets, so that all types of system resources are secured.
  • Authentication of all users and employees in the access to the different information sources. Protection against the risk of identity theft.
  • Authorization: Establishment of different levels of permissions and authorization to the information and periodic review of the same.
  • Integrity of information: Ensuring that information is kept intact in all operations carried out, as well as in the communication processes.
  • Auditing of security activities: Periodic monitoring and recording of possible incidents and suspicious activities in order to prevent undesired events.

Information security policy communication​

We communicate the Information Security policy to both employees and interested parties.

In the case of employees, the policy is communicated at the beginning of their activity with us or when relevant changes occur in it.

In the case of stakeholders, the policy will be communicated at the start of the activity or when a change that may affect them is included. In addition, the company's integrated quality policy, which includes the embedded values relating to the ISMS, is publicly available.

Information security management​

Once the information assets have been identified (T-018-001 Infrastructure list and control plan), we identify the security requirements based on three sources:

  • Risk assessment of the organization, taking into account the overall business objectives and strategy of the organization. Through risk assessment, asset threats are identified, their probability of occurrence is evaluated and their potential impact is estimated.
  • The set of legal, statutory and contractual requirements that must be met by the organization, its business partners, contractors, service providers and its socio-cultural environment.
  • Principles, objectives and business requirements that are part of the information process that the organization has developed to support its operations. Following the identification of security requirements, we select and implement appropriate controls to ensure that risks are reduced to an acceptable level.

Based on the above, we define and approve an analysis and treatment of the exposed risks (see GP-013 Risk management) on an annual basis.

Data protection​

We have designed the GP-050 Data protection manual in collaboration with our trusted legal firm, to find out what measures in particular we should take in order to improve compliance with data protection regulations, especially in relation to the General Data Protection Regulation or GDPR.

Data Privacy Impact Assessment (DPIA)​

We have also evaluated the impact of the data processing that we conduct following the template T-052-001 DPIA. In particular, we have evaluated the activity DA-005 PR API of our Record of Processing activities (ROPA), that corresponds to the management of medical data provided via API integration by the customers that use our service, and it is recorded at the T-052-001 DPIA for DA-005 PR API.

Information confidenciality​

Every user with access to the information systems must sign a "Master agreement".

It is forbidden to send confidential information to the outside, by means of material supports, or through any means of communication, including simple visualization or access, without the authorization of Management.

No collaborator must possess, for uses outside their own responsibility, any material or information owned by the Entity both now and in the future.

Users must keep for an indefinite period of time confidentiality in the aspects they know, data, files, access, passwords, documents, contracts, programs and other information , not disclosing its content to third parties either directly or indirectly. The obligation extends even after the termination of the employment or collaboration contract.

If for work reasons the employee accesses confidential information, access, and possession of the information is temporary, without granting the right to possession or copy, having to return all the material at the end of the work to be performed or at the end of the employment relationship.

Failure to comply with this obligation may constitute a crime of disclosure of secrets, foreseen in the Penal Code and entitles us to demand financial compensation from the user.

In cases where there is a change in responsibility or termination of responsibilities, ongoing and continuing confidentiality commitments and legal responsibilities will remain in effect for a defined period after the termination of the employee, contractor and third party user contract.

Information resources authorization​

For the addition or deletion of information processing resources we have implemented the following guidelines:

  • New information processing media require the approval of the JD-001, JD-003 or JD-007,authorizing its purpose and ensuring that it complies or can comply with all corresponding security policies and requirements, as well as the compatibility of the same in the system under the scope of the system. Once approved, the new resource is assessed for incorporation (if applicable) into the T-018-001 Infrastructure list and control plan .
  • Resource retirements are authorized and reviewed by Management, so that it can evaluate the consequences of such a retirement, as well as ensure that the retirement is carried out under controlled conditions. In the event that a reallocation of licenses is required for any of the information assets, it will be the JD-003 or JD-007 responsibility to obtain the corresponding uninstallation code and agree on the allocation of the same. Once the de-assignment is approved, the resource is removed from the Inventory of which it was a part, as indicated above.
  • In addition to the compatibility of the resource, JD-003 or JD-007 evaluate the possible introduction of new vulnerabilities in the system and review their effect on the entire management system and on the risk assessment, communicating the possible consequences as input information for the system review processes by Management.
  • Specifically, all those programs, utilities or services that may be installed or executed on an asset registered by the system must be previously authorized by JD-003 or JD-007.

Return of media​

The user, in the event of the need to discard, destroy or delete to reuse any support with personal data, will have the obligation to contact the person in charge to discard these supports, guarantee their correct deletion and, where appropriate, the impossibility of recovery.

Access management​

As it is described at the GP-018 Infrastructure and facilities, the access to all company's resources has been defined under a minimum access policy that restricts a user to only the least amount of access to privileged resources and permissions that are needed to perform an authorized and assigned activity or activities. The process to grant and control the remote access to the resources is explained at the SP-018-001 Remote infrastructure control access policy.

Additionally, multi-factor authentication (MFA) mechanisms are used.

Use of cryptographic controls​

Sensitive information is stored encrypted in databases using the strongest algorithm supported by the server (AWS S3).

Communications between the different systems that make up the application are sent encrypted using HTTPS. In the case of this application, an SSL certificate is used for this encryption, so that the communication is encrypted and authenticated by means of TLS1.2, ECDHE_RSA with X25519 and CHACHA20_POLY1305.

Password management policy​

This procedure is described at the SP-050-002 Manual of functions and obligations of the staff and communicated to the employees when they join the company through the Master agreement we provide.

We have in place the Passbolt password manager to manage all the individual and shared passwords in a secure manner. We host the manager in a secure private server with backups and strict security measures.

Physical, environmental and equipment safety.​

As we have recorded at the R-002-007 Validation card 2023_005, our work is performed remotely.

The physical protection of portable devices is the responsibility of those who are initially assigned to them (see asset owners in T-018-001 Infrastructure list and control plan). Users follow the rules stipulated for this type of equipment to ensure the security of the device and the information it contains. In this regard, it has been made mandatory not to store information subject to the scope of the ISMS on the hard disks of such portable equipment, but working on the cloud.

Devices security and maintenance​

This procedure is described at the GP-018 Infrastructure and facilities and GP-051 Security violations.

Operations security​

Back ups​

QMS and DHF documentation backup procedure is explained at the GP-001 Control of documents.

For our manufacturing process we use the Atlassian suite of applications, that provides its own procedure for the data backups and integrity measures.

Furthemore, the APIdata is meticulously updated at regular intervals to ensure optimal performance and up-to-date information. With a precise update frequency of 12 hours, our robust system guarantees that the most current data is consistently available to users.

In order to safeguard the integrity of our data, we have implemented a comprehensive backup strategy. Our carefully devised plan utilizes an incremental backup approach, which efficiently captures and stores any modifications made to the data since the last backup. This method not only reduces storage requirements but also minimizes the time and resources needed for the backup process.

By employing this best-in-class data update and backup system, we maintain a high standard of reliability, efficiency, and security, providing our clients with the utmost confidence in the quality and accuracy of the information provided by our API.

Systems and applications security​

  • Systems monitor: we use Cloudwatch to monitor our main systems and generate alerts when consumption thresholds and system crashes are exceeded.
  • We perform the security functionalities testing using portal.intruder, including:
    • Robustness testing.
    • Penetration testing.
    • SQL injection.
    • Cross-site scripting.
    • Buffer overloading.
  • portal.indruder is also used to ensure the vulnerabilities control.
  • We develop software applications in accordance with industry best practices (OWASP Guide): The development of the applications is based on the following methodologies: -The software life cycle is based on Scrum and biweekly sprints. Bimonthly retrospectives are performed to iterate on the model and improve metrics and estimates. -Version control is performed under a gitflow methodology with different branches for the development of new features, bug fixes and environments.
    • Finally, the software is developed under DDD / TDD methodology to ensure a high percentage of code coverage.
    • Additionally we follow the guidelines established in ISO 62304:2007/A1:2016 Medical device software. Software life cycle processes.
  • Network access
    • Resources such as databases and servers are protected by a firewall that only allows access to specified IPs.
    • The databases, where all confidential data is stored, are implemented in RDS behind a firewall that only allows connections from internal servers of the same closed system. SSH connections to our instances through port 22 are only allowed from known IPs that must be manually approved and added. All static assets stored in S3 are not publicly accessible; instead, the system requires a signed URL for access.
  • Routing controls
    • Critical services such as databases or static file repositories are not publicly accessible, i.e. they are only accessible from within the private network configured on AWS. Services such as servers from which we serve our applications only expose the necessary ports to the outside and their access for maintenance tasks is protected by a firewall system + private key access.
    • SSH connections to our instances through port 22 are only allowed from known IPs that must be manually approved and added.
  • Systems monitorization
    • We are using Cloudfront and load balancer to monitor traffic and alert for possible malicious access.

New media requirements​

New media requirements are established at the GP-018 Infrastructure and facilities.

Job abandonment​

All employees must ensure the security and confidentiality of the information they process and use in the course of their work. To this end, the employees shall keep in a safe place and with secure access to computer screens, scanners, printers, photocopiers and any device that allows viewing, reproducing, storing, copying and processing personal data.

  • When leaving the workstation momentarily, i.e., for no more than five minutes (consulting another co-worker, photocopying, etc.), the user must minimize any application in use on the screen, leaving only the PC desktop in view, or turning off the monitor or blocking the session.
  • When this abandonment, supposes a period superior to 30 minutes, then it will have to proceed to the closing or blocking of its session (it is possible to be used the direct command Windows+L) or to the shutdown of its PC by longer times. As a security measure against forgetfulness, the computers will lock themselves after 5 minutes of inactivity, requiring the user's password again to reactivate his session.
  • The employee shall also ensure that any printed or photocopied document, received by fax or by means of any peripheral device, is collected and protected to prevent its loss or access by unauthorized persons.
  • The employee shall prevent unauthorized persons from accessing the data, preventing third parties from accessing the equipment, programs, applications, supports and other elements that allow access to the data.
  • The portable equipment, hardware, software, applications, data, files and other elements of the computer provided shall be used exclusively for the purposes that have been authorized.

Email​

The e-mail systems (Google suite) have incoming and outgoing e-mail scanning mechanisms as well as anti-malware protection mechanisms.

End of the employment relationship​

The Top Management is responsible for managing the process of employee discharge and termination and for reporting on decisions taken on information security. They disable access to information and information processing resources. At the end of the work relationship, the employee must return all the organization's assets in his possession. Likewise, all passwords to which the user may have had access during his stay in the company must be modified.

Reference documents​

  • GP-001 Control of documents
  • GP-013 Risk management
  • GP-018 Infrastructure and facilities
  • GP-050 Data protection
  • GP-051 Security violations
  • R-002-007 Validation card 2023_005
  • SP-018-001 Remote infrastructure control access policy
  • SP-050-002 Manual of functions and obligations of the staff
  • T-018-001 Infrastructure list and control plan
  • T-052-001 DPIA for DA-005 PR API

Signature meaning

The signatures for the approval process of this document can be found in the verified commits at the repository for the QMS. As a reference, the team members who are expected to participate in this document and their roles in the approval process, as defined in Annex I Responsibility Matrix of the GP-001, are:

  • Author: Team members involved
  • Reviewer: JD-003 Design & Development Manager, JD-004 Quality Manager & PRRC
  • Approver: JD-001 General Manager
ㅤ

Previous
GP-100 Business Continuity (BCP) and Disaster Recovery plans (DRP)
Next
GP-110 Esquema Nacional de Seguridad
  • Purpose
  • Scope
  • Definitions
  • Responsibilities
    • JD-007
    • JD-004
  • Inputs
  • Outputs
  • Development
    • General
    • Information security management system objectives
    • Information security policy communication
    • Information security management
    • Data protection
    • Data Privacy Impact Assessment (DPIA)
    • Information confidenciality
    • Information resources authorization
    • Return of media
    • Access management
    • Use of cryptographic controls
    • Password management policy
    • Physical, environmental and equipment safety.
    • Devices security and maintenance
    • Operations security
      • Back ups
      • Systems and applications security
    • New media requirements
    • Job abandonment
    • Email
    • End of the employment relationship
  • Reference documents
All the information contained in this QMS is confidential. The recipient agrees not to transmit or reproduce the information, neither by himself nor by third parties, through whichever means, without obtaining the prior written permission of Legit.Health (AI Labs Group S.L.)