Security and Trust at Carelane

At Carelane, we hold the protection of data at the core of our mission. We have implemented rigorous security measures to meet the highest standards of privacy and security.

Encryption

At Carelane, safeguarding data integrity and confidentiality stands at the core of our commitment to security. To uphold this pledge, we have implemented a comprehensive encryption strategy designed to secure data both in transit and at rest, ensuring that sensitive information remains inaccessible to unauthorized parties and that Protected Health Information (PHI) is handled to the highest possible standards. Our encryption methodology is twofold, providing robust protection tailored to the specific nature of the data:

  • General Data Encryption: All non-PHI data within our databases and collections undergo encryption, restricting access strictly to authorized users, systems within Carelane, and Carelane itself. This layer ensures the confidentiality and integrity of operational and administrative data. Carelane's security infrastructure aligns with the highest industry standards, incorporating encryption protocols that have undergone rigorous evaluations and certifications. Our infrastructure has been certified according to ISO 27001, ISO 27017, and ISO 27018, as well as SOC 1, SOC 2, and SOC 3 evaluations.
  • PHI Data Encryption: We adopt a unique approach for PHI, employing separate encryption for each piece of data with distinct keys allocated for every study and each site within those studies. This method, combined with our site management design, ensures that neither Carelane nor sponsors can access these keys, with exclusivity granted solely to members of the respective study site, controlled by role-based access controls. Adhering to FIPS 140-2 standards, this encryption safeguards the most sensitive health information, enabling secure and compliant data handling.

Role-Based Access Controls (RBAC)

Our primary method for managing access to data across our platform is through Role-Based Access Controls (RBAC). This system assigns access rights and permissions based on the roles of individual users within the organization and studies. By categorizing users into roles based on their job functions and determining access permissions accordingly, RBAC enables us to enforce the principle of least privilege—ensuring that users have access only to the data necessary for their specific tasks.

RBAC serves as the cornerstone of our access control strategy, ensuring that:

  • Access to PHI is provided on a need-to-know basis, minimizing the risk of unauthorized disclosure.
  • The allocation of permissions is both clear and manageable, facilitating ease of administration and oversight.
  • System security is enhanced by limiting access to sensitive information to those roles explicitly authorized.

Continuous Auditing

To maintain and enhance the effectiveness of our access control measures, we engage in continuous auditing of roles and permissions. This proactive approach allows accountable staff to:

  • Regularly review and refine access controls to adapt to evolving security requirements and potential vulnerabilities.
  • Ensure that changes in personnel or job functions are promptly reflected in access rights, maintaining alignment with the principle of least privilege.
  • Identify and rectify any discrepancies or anomalies in access patterns, reinforcing the integrity of access control measures.

Data Isolation

At Carelane, we employ advanced data isolation techniques to safeguard user data from unauthorized access, breaches, and other security threats.

Segregated Data Collections

Our platform utilizes a data segregation strategy that extends beyond client differentiation. Each client, study, and site within those studies is assigned its own unique data collection. This granular approach to data isolation provides several key benefits:

  • Enhanced Security: By segregating data at multiple levels, we significantly reduce the risk of unauthorized access.
  • Tailored Access Controls: Segregated collections allow for more precise control over who can access specific data sets, enabling us to apply the principle of least privilege more effectively.

Secure Key Management

Central to our data isolation strategy is the secure management of encryption keys. Keys used for encrypting and decrypting PHI are stored in a dedicated key management store, separate from the data itself. This separation ensures:

  • Enhanced Security: By storing keys in a specialized key management system, we add an additional layer of security. The keys never leave this secure environment, thereby minimizing the risk of interception or unauthorized use.
  • Secure Data Processing: Data requiring encryption or decryption is sent directly to the key management store. This process ensures that the actual data is processed in a secure environment, further safeguarding sensitive information.

Monitoring and Logging

Real-time Monitoring

Our system is equipped with advanced real-time monitoring capabilities designed to detect and respond to suspicious activities promptly. This proactive approach allows us to:

  • Identify potential security threats before they can cause harm.
  • Take immediate corrective action to mitigate risks.
  • Ensure the ongoing protection of user data against unauthorized access or breaches.

Detailed Access and Change Logging

To further enhance our security measures, we maintain detailed logs of all access to and changes made to PHI. This rigorous logging practice enables accountable persons to:

  • Track who accessed PHI, when, and for what purpose.
  • Monitor and audit all modifications to PHI, ensuring accountability and traceability.
  • Quickly identify and investigate any unauthorized or anomalous activities.

Contact

If you have any questions or concerns regarding our security measures, please don't hesitate to reach out to us at data.privacy@carelane.io. We are committed to ensuring your data's safety and are available 24/7 to assist you. Should you require a more detailed discussion, we are also happy to schedule meetings to take a deep dive into our security practices. Your trust and security are our top priorities, and we're here to support you every step of the way.