Last updated: December 20, 2021

KangarooHealth is committed to create a certified environment enabling health professionals to gain actionable insights about their patient populations from multiple platforms following a unified and secure protocol. If there are any questions about the KangarooHealth security approaches and practices, please contact security@kangaroohealth.com.

CONTRACTS & PROJECT SAFEGUARDSTo factor data privacy into our products and services, we strive for the highest standards of health data protection.

‍Security Insurance Plan

‍Detailed in the sections below, the KangarooHealth Security Insurance Plan describes the methods, organization, and quality assurance and quality control activities specific to applications hosted by the KangarooHealth Medical Cloud in order to:

● constitute a common reference for all collaborators to standardize working methods.
● guarantee the quality of products and services by defining measurable criteria.
● define the procedures to be followed, the tools to use, the standards to be respected, the methodology and the controls to be planned for each activity and referenced in the Information Security Management System (ISMS - Information Security Information System).

‍Subcontractors management

‍KangarooHealth uses one or more subcontractors to provide remote patient monitoring services for patient populations referred by collaborating providers.
Subcontractors are selected by following the subcontractor management procedure, including background checks and annual security/HIPAA training.

‍Services & applications security

‍For services hosted on KangarooHealth Medical Cloud, we deliver, maintain, and manage data protection in our applications and services across all stages of their lifecycle and within differing regulatory environments.SECURED DEVELOPMENT

‍Training on secured code

‍At least once a year, developers participate in secure code training covering the top 10 OWASP or equivalent security risks, common attack vectors, and KangarooHealth security controls.

‍Framework security controls

‍KangarooHealth relies on modern techniques with security controls to limit exposure to the top 10 OWASP security risks. These inherent controls reduce our exposure to SQL Injection (SQLi), Cross Site Scripting (XSS), and Cross Site Request Forgery (CSRF), among others.

‍Agile organization, code review and testing

‍All development activities are organized in AGILE method with the establishment of sprints and prioritization of tasks with the Product Manager team. All sprints are historized. Developers must perform unit tests, functional integration tests, and security tests. Code and tests are reviewed and evaluated through peer reviews before deployment.

‍Software Quality Assurance

‍The Software Quality Assurance department tests the services and applications before going into production (manual or automatic tests).

‍Environments separations and test data

‍The development and test environments are logically separated from the production environment. No personal production data is used in our development or test environments.VULNERABILITIES MANAGEMENTCode auditKangarooHealth uses third party security tools to analyze all code prior to production against major security risks. Vulnerabilities that may cause security breaches are mandatorily corrected and/or planned in a continuous improvement cycle.

‍Automatic code testing

‍The code is automatically tested with predefined test scenarios to ensure that changes do not result in any loss or degradation of security. Tests are performed on virtual machines with a limited lifespan and completely separate from production.

‍Third-Party Penetration Testing

‍In addition to vulnerabilities management including analysis and testing, KangarooHealth employs third party security experts to perform penetration testing on various applications in our product range.

AUTHENTICATION SECURITY

‍Password policy

‍KangarooHealth requires the use of a strong password and complies with international recommendations in terms of robustness. This policy applies to all users of the KangarooHealth solution.

‍Two-factor authentication

‍KangarooHealth is starting to impose the use of two-factor authentication for users of the KangarooHealth solutions in phases.

‍Authentication data storage
‍KangarooHealth never displays plaintext authentication data in its applications or services.

‍API - partner application authentication
‍KangarooHealth API uses the OAuth 2.0 method to authenticate partner applications. Each application has a unique and robust client id and secret.

‍API - collection of individual consent and authentication
‍KangarooHealth API uses the OAuth 2.0 method to collect end user consent. The connection data is then secured with expiring tokens that the client must regenerate from KangarooHealth.ROLE-BASED ACCESS CONTROLSThe majority of KangarooHealth applications and services are subject to access controls based on roles with predefined privileges allowing controlled use and access to data.SECURING DATA IN TRANSITAll communications over the public network are encrypted with HTTPS/TLS industry standards (TLS 1.2 or higher).CHANGE MANAGEMENT

‍Categorization of changes
‍KangarooHealth has defined change categories allowing a follow-up adapted to the typology of the change in order to keep a strong reactivity while ensuring that the implications are properly assessed.

‍Change procedure
‍KangarooHealth has defined a change management procedure depending on its category, which may include: a change request, appointment of a change committee, security risk analysis, planning, implementation of the change, or modification of the continuity or recovery plan.MEDICAL CLOUD & INFRASTRUCTURE PROTECTIONBecause how we protect data is part of how we build value for our health partners, we call upon the best firewall, connection, encryption, and backup solutions within high-security facilities to protect KangarooHealth Medical Cloud.PHYSICAL DATA CENTER SECURITY

‍Physical facilities
‍KangarooHealth hosts its medical infrastructure on the Amazon AWS in data centers in the United States. All data centers are certified ISO 27001, ISO 27017, ISO 27018, PCI DSS, SOC I/II/III.
To ensure 24/7 operation and constant availability of services, Amazon's data centers are equipped with redundant power systems and are subject to environmental controls. Every critical component has a main power source as well as an alternating power source of equal power.On site securityAmazon's data centers are designed with a multi-layered security model that includes custom-designed electronic access cards, alarms, vehicle access control barriers, security fencing, metal detectors, and biometric technologies. Each data center is also equipped with a laser beam intrusion detection system. The data centers are monitored 24 hours a day, 7 days a week using high-resolution indoor and outdoor cameras that can detect and track intruders.Location of data hostingUpon request, the client may request to regionalize the processing of its data to an available location of services. KangarooHealth respects the client's choice and informs clients if one or more services are not regionalizable.NETWORKS SECURITY

‍Protection
‍KangarooHealth network is protected by the use of security services (DMZ, Access Control List (ACL) firewall, anti-malware, securing data in transit via TLS, IPSec VPN...).

‍Architecture
‍Our network security architecture consists of multiple layers of security, each replicated in multiple availability zones. DMZs are used for areas exposed to the public network. Each layer is protected via firewalls.

‍Infrastructure Vulnerability Analysis
‍The analysis of infrastructure security via automated scans provides in-depth information for the rapid identification of non-compliant or potentially vulnerable systems.

‍Third party penetration tests
‍In addition to vulnerabilities management including analysis and testing, KangarooHealth employs third party security experts to perform penetration testing on its medical infrastructure.

‍Logistical access
‍Access to the production platform is limited to system administrators. All accesses are controlled and recorded in protected logs and automatically analyzed and audited by a security engineer independent of system administrators. System administrators accessing the production platform must use several personal and robust authentication factors.

‍Backups
‍KangarooHealth has implemented a backup policy for all production systems and environments, including databases, GIT directories, virtual machine disks, and document sharing servers. Backups are regularly executed and tested according to their level of criticality. Backups are then encrypted before encrypted transfer to secure storage. Only system administrators have access to backups.

‍Events logging
‍KangarooHealth has set up an event logging policy including system administration logs that cannot be disabled. Activities on all KangarooHealth systems and applications are also logged. The logs are then analyzed by automatic algorithms in order to detect any suspicious or malicious activities.

‍Security incidents management
‍A continuous alert system allows continuous monitoring of security incidents and their resolution by system administrators in the shortest possible time (between 24 hours and 96 hours). Employees are trained on security incident response processes, including the management of communication channels and escalation paths.

ENCRYPTION

‍Encryption of stored data
‍KangarooHealth uses low-level disk encryption. The encryption must have a robustness of at least AES-256 or equivalent.
‍
‍Encryption of databases
‍Information in databases is encrypted according to its classification in the data registry.

‍SSH connections
‍KangarooHealth guarantees SSH connections using only SSH v2 and industry recognized Encryption Ciphers.

‍VPN connection
‍KangarooHealth guarantees VPN connections using only industry-recognized and robust Encryption Ciphers.

‍Backups
‍All backups are encrypted, at least once, before being transmitted to a remote storage area. Where possible, they are also encrypted by the storage solution itself.

AVAILABILITY PLAN & CONTINUITY
‍
‍Information on the availability
‍KangarooHealth provides a publicly accessible system status web page that includes system availability details, planned maintenance, service incident history and relevant security events.

‍Redundancy
‍The entire physical and cloud infrastructure is redundant in order to minimize the risk of downtime and data loss. In particular, the databases are configured with near-instantaneous replication to ensure that, under normal operating conditions, the complete loss of the main node receiving the writings does not result in data loss of more than a few seconds.

‍Recovery point objective
‍KangarooHealth IT backup policy ensures a daily backup of production databases. KangarooHealth therefore ensures that the recovery point objective (RPO) will not exceed one day in the event that KangarooHealth activity is maintained.

‍Disaster recovery plan
‍KangarooHealth disaster recovery plan ensures that the production platform can be fully recreated in the event of a total malfunction of the production environment. All code, configurations, and databases are stored in secure locations and are independent of the production environment. Restoration of the complete platform is automatically regularly. KangarooHealth therefore commits to ensure that the maximum tolerable period of disruption (MTPD) is no longer than one week for the resumption of a degraded service, or even operational in the majority of disasters, in the event that KangarooHealth activity is maintained.

HR SECURITY
The limited staff that handles data in the KangarooHealth Medical Cloud is subject to regular vetting and continuous training on how to mitigate the risks involved in processing personal data.

EMPLOYEES MANAGEMENT

‍Background and competency checks
‍KangarooHealth conducts background checks on all new employees in accordance with local laws. These checks are also performed for contractors. Background checks may include technical and general skills, previous employment, and criminal record checks if required.

‍Confidentiality agreement
‍All employees must sign non-disclosure and confidentiality agreements. This confidentiality agreement remains valid after the end of the employment contract.

‍Role and responsibilities definition
‍KangarooHealth ensures that all roles and responsibilities involved in its ISMS are well defined and assigned to and understood by individuals.

‍Disciplinary procedure
‍KangarooHealth has put in place disciplinary procedures in the event of a breach of entrusted responsibilities based on a scale of sanctions defined in the internal regulations.

SECURITY AWARENESS
‍
‍Background and competency checks
‍KangarooHealth conducts background checks on all new employees in accordance with local laws. These checks are also performed for contractors. Background checks may include technical and general skills, previous employment, and criminal record checks if required.

‍Security policies
‍KangarooHealth has developed a comprehensive set of security policies covering a wide range of topics. These policies are shared and made available to all employees and subcontractors with access to KangarooHealth' information systems.

‍Information security awareness
‍All employees undergo security awareness training that is included in the hiring procedure and reviewed annually thereafter. The basic rules and good practices are also recalled on the KangarooHealth premises.

‍Security training
‍All developers are made aware of the top 10 OWASP security risks through training and best practice guides. Training sessions with external experts are also organized to ensure a deep knowledge and dissemination of the secure code. The security team also provides additional security awareness updates via email, blog posts, and presentations at internal events.

CONTINUOUS IMPROVEMENT

As an innovative healthcare technology company, we make sure that we are always one step ahead of current data protection standards. This is enabled by a regular internal and external audit plan.

INTERNAL AUDITS

‍Internal audit plan
‍All WSIS processes are audited by internal audit teams or by external service providers.

‍Management review
‍Management reviews ensure that Management systematically reviews ISMS, assesses opportunities for improvement, and decides on the measures necessary to ensure the relevance, adequacy, and effectiveness of ISMS.

‍Security committee
‍The Security Committee also ensures the security watch carried out by the security engineer, the review of security incidents and action plans. The Security Committee also reviews the technical indicators set up to assess the effectiveness of the ISMS, and prepares the report for the Executive Committee.

EXTERNAL AUDITS

‍Technical audits
‍In addition to vulnerability management including analysis and testing, KangarooHealth employs third party security experts to perform detailed penetration testing on various applications in our product line. External technical audits are integrated into KangarooHealth annual Quality Plan.

‍Conformity assessment audit
‍KangarooHealth may use independent conformity assessment audits to ensure the compliance of its ISMS with standards such as HIPAA.

‍Compliance certification audit
‍KangarooHealth has embarked on a certification process by an accredited body to ensure that its ISMS complies with international standards recognized by the industry. The proper functioning of the ISMS is therefore assessed annually by an independent trusted third party. All the certifications, as well as the audit reports, are available upon request of the client.

‍Conformity assessment audit
‍KangarooHealth provides certificates of conformity to its clients upon request as well as the audit reports of the certification body. KangarooHealth accedes to any request from its client to audit the personal data protection measures. If KangarooHealth justifies objective reasons that the audit does not guarantee sufficient conditions of independence and impartiality, KangarooHealth will have the right to refuse the audit. In all cases, the audit will only concern the respect of KangarooHealth contractual commitments in terms of protection of personal data.