AWS NACL and Security Groups - Every single database request on MedMe’s platform must pass through these 2 firewalls to access the data. MedMe defines a set of IP addresses that are allowed to access our applications and database in these firewalls, as described here.

AES 256 - All EC2 instances and databases are encrypted with AES 256 at rest and in transit. The secrets are maintained by AWS Key Management Service and are cycled periodically by AWS.

AWS Certificate Manager - All requests and responses are sent over https(443) - the internet communication protocol that protects the integrity and confidentiality of data between the user's computer and the site adopted by most sites. Automatic redirect of http to https is enabled, and the SSL certificate is managed by AWS Certificate Manager.

Individual PI and PHI cannot be accessed and viewed by MedMe and its constituents (including its developers, 3rd-party software providers, contractors, and any other parties involved with MedMe's product and services), except for 2 members of our team (see Select Users below). In order to troubleshoot errors in software, our pharmacy clients must give explicit permission for MedMe to access the specific instance of the platform, and by extension, any related PHI

MedMe does not share and sell any PI and PHI to its customers, including: private organizations, academia, government bodies, and non-profit organizations.

MedMe will not directly engage with any patients or promote other services unless it is a part of the MedMe platform as confirmed by the pharmacy (i.e. consultation confirmation, reminders, post-consultation notes, etc.)

Select User Access - Only 2 MedMe team members (engineers) have access to the production databases, and therefore by extension, PHI: Purya Sarmadi (CEO and Privacy Officer) and Kalai Selvan (Lead Back End Engineer). Both members hold a Masters in Health Informatics, are fully aware of responsibilities pertaining to this degree of access, and have surrendered the following information available upon request: copy of passport, copy of government ID, and criminal record check.

Privacy Officer - Purya Sarmadi is MedMe's single point-of-contact for all privacy and security-related questions/concerns (anonymous). Purya is in charge of providing documents and presentations on ongoing compliance related topics (upon government requirements updates) to the team as well as all new hires

Select Laptops - Laptops used by Select Users (see above) are company property and fully controlled by MedMe via software with mandatory login credential requirements (i.e. new password every 6 months). All traffic can be monitored by MedMe, and all data on the laptops can be remotely wiped in case of theft. Select users must also use "Security Screens" in office (the content of the screen cannot be viewed from a side angle).

Segregated Networks - MedMe's production network is completely segregated from regular internal networks and can only be accessed by Select Users (see above) through Select Laptops (see above) differentiated by serial number. Select Users must use a secured VPN when accessing the production network outside of the office network.

Changes to Production Environment - all change requests to the production environments (i.e. databases, servers, microservices, codebase, etc.) require sign-offs from the Privacy Officer and the CTO

Accidental PHI leaks by clients - When clients accidentally share PHI to any MedMe team member through email, text, or by any other means, a specific procedure is followed to destroy all PHI that was leaked and educate the client to prevent repeating the same mistake.

AWS CloudTrail - Monitors and logs all activity that takes place in MedMe's AWS account (i.e. authenticate users with AWS Cognito, read or upload files from Amazon S3 servers)

AWS Config - Monitors all the configurations in place and notifies MedMe if there are any changes in the configurations (i.e. new IP addresses added to the firewalls)

Amazon CloudWatch - Monitors all the resources and application logs and triggers an alarm if there is any unusual activity (i.e. it triggers an alarm if the application is down or any data is deleted from the database). It maintains all the application logs and can be used in audits by regulatory bodies

VPC Flow Logs - Records all the traffic going to and from our virtual private cloud

Amazon GuardDuty - A threat detection service that continuously monitors for malicious activity and unauthorized behaviour in our databases and workloads

Installing patches to resolve viruses and technology flaws to prevent additional servers from becoming exposed

Resetting passwords for user accounts that may have been compromised and advising users to change other accounts on which they use the same password.

Disabling network access for computers known to be infected by viruses or other malware so they can be quarantined, and blocking the accounts of users that may have been involved in the data breach

Recalling/deleting information such as recalling emails, asking unintended recipients to destroy copies, and/or disabling erroneous links

System shutdown, as a last resort, to completely eliminate any possibility for a further data breaches in cases where we are unable to immediately identify the impact and extent of the breach

Evidence gathering - MedMe identifies all the information that has been compromised and traces the data breach to help with auditing procedures and feed into the Incident Post-mortem.

Eradication - MedMe eliminates all components of the incident, such as deleting malware and disabling breached user accounts, as well as identifying and mitigating all vulnerabilities that were exploited

Incident Post-mortem - MedMe conducts a full post-mortem analysis to summarize lessons learned from the breach, replicate the breach, identify the root causes of the breach, and implement measures/changes to the platform to prevent further similar breaches