Introduction

We use WoundReference to keep our team organized and connected. Ensuring our platform remains secure is vital to protecting our own data, and protecting your information is our highest priority.

Our security strategy covers all aspects of our business, including:

  • WoundReference corporate security policies
  • Physical and environmental security
  • Operational security processes
  • Scalability & reliability of our system architecture
  • Data model access control in WoundReference
  • Systems development and maintenance
  • Service development and maintenance
  • Regularly working with third-party security experts

WoundReference Corporate Security Policies & Procedures

Every WoundReference employee is expected to respect the terms of our data confidentiality policies, available at WoundReference.com/terms and woundreference.com/privacy. Access rights are based on each employee’s role.

Security in our Software Development Lifecycle

WoundReference uses the Visual Studio Team Services revision control system. Changes to WoundReference’s code base go through a suite of automated tests and are then manually reviewed. When code changes pass the automated testing system, they are first pushed to a staging server, where WoundReference employees can test them before an eventual push to production servers. WoundReference engineers can also "cherry pick" critical updates and push them immediately to production servers.

We also work with third-party security professionals to test our web application security.

WoundReference Architecture & Scalability

Scalability/Reliability of Architecture

WoundReference uses Microsoft Azure Web Services (SQL) to manage user data. The database is replicated synchronously so that we can quickly recover from a database failure. As an extra precaution, we take regular snapshots of the database and securely move them to a separate data center so that we can restore them elsewhere as needed, even in the event of a regional Microsoft Azure failure.

We currently host data in secure SSAE 16 audited data centers via Microsoft Azure.

Encrypted Transactions and Data

Web connections to the WoundReference service are via TLS 1.2 and above. All data is encrypted at rest using performance-optimized symmetric encryption.

Information Security

Security Consulting and Application Review

We work with external security advisors, and have a responsible disclosure policy that allows security researchers to report vulnerabilities in our application.

Data Center Security

Microsoft Azure

Azure employs a robust physical security program with multiple certifications, including an SSAE 16 certification. For more information on Azure’s physical security processes, please visit azure security.

HIPAA Compliance

WoundReference and its parent company Wound Reference Inc. have gone through a comprehensive review to achieve HIPAA compliance. WoundReference does not collect any information that can be tied back to a specific patient. We also do not transmit or store any images from the mobile device.

Product Features

Administrator Management Features

Authentication – If passwords are stored directly with WoundReference, we secure them using bcrypt.

User Management – Administrators can see last login, user status, and deprovision users from a central administration interface.

User Features

Privacy, Visibility, & Sharing Settings – Customers determine who can access and edit pathways. You can assign users to groups for department-level management.

Privacy

Privacy Policy

WoundReference’s privacy policy, which describes how we handle data input into WoundReference, can be found at WoundReference.com/privacy.

Availability

We are committed to making WoundReference consistently available to you and your teams. Our systems have built-in redundancy to withstand failures and are constantly monitored to keep your work uninterrupted.

Want to report a security concern?

Email us at security@woundreference.com.


