Supplementary Security Measures

Last update : Jan 27, 2026
  1. STANDARDS AND CERTIFICATIONS

To guarantee a high standard of security in data management, CURE51 complies with the following data protection standards:

  • ISO/IEC 27001:2022;

  • Hébergeurs de Données de Santé (HDS, the French health data hosting certification), referential v2.0, April 2024.

  2. SCOPE OF CURE51

CURE51 provides managed hosting services. CURE51's management system covers all systems, people, and processes involved in the design, development, operation, validation, and support of applications, namely the following hosting activities (numbered as in the HDS referential):

  • 3° The provision and maintenance of the virtual infrastructure of the information system used for processing health data;

  • 4° Providing and maintaining the operational condition of the information system's application hosting platform;

  • 5° The administration and operation of the information system containing health data.

  3. OUTSOURCING OF HOSTING TO AWS BY CURE51

CURE51 subcontracts the following hosting activities to AWS, whose certifications are available on request:

  • 1. The provision and maintenance of physical sites to host the hardware infrastructure of the information system used for processing health data;

  • 2. The provision and maintenance of the hardware infrastructure of the information system.

  4. ADDITIONAL SECURITY MEASURES

  Service and application security

CURE51 ensures, maintains, and manages the protection of personal health data in its applications at all stages of their lifecycle.

  Secure development

Agile organization, code review, and testing. All development activities are organized using the Agile method, with sprints and task prioritization carried out together with the Product Manager team. All sprints are archived. Developers perform unit tests, functional integration tests, and end-to-end tests. Code is peer-reviewed before deployment.

Vulnerability management. Automated vulnerability scanning of the third-party libraries in use runs during continuous integration, and the pipeline can block the build when a high-severity vulnerability is detected.
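One way to implement such a CI gate, as an added example that is not CURE51's code: the finding format, the package names, the placeholder advisory identifiers (EXAMPLE-000x, not real CVEs) and the waiver mechanism are all constructed for illustration. A real pipeline would map its scanner's JSON output onto the Finding type before calling evaluate(). The example goes slightly beyond the paragraph in two ways a practitioner usually wants: a finding with no usable severity is treated as blocking rather than silently passing, and exceptions are documented, scoped to one advisory on one package, and expire.

```python
"""Dependency-vulnerability gate for a CI pipeline (added example, not CURE51's code).

The Finding shape below is constructed and tool-neutral; map your scanner's
JSON (pip-audit, npm audit, Trivy, ...) onto it before calling evaluate().
"""
from dataclasses import dataclass
from datetime import date
from typing import Iterable, Optional, Tuple

# CVSS v3.x qualitative severity scale, with a rank used for threshold comparison.
SEVERITY_RANK = {"none": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}
UNKNOWN_RANK = 5  # missing or unparseable severity ranks above critical: fail closed


@dataclass(frozen=True)
class Finding:
    package: str
    version: str
    vuln_id: str                  # advisory identifier as reported by the scanner
    severity: Optional[str] = None
    cvss: Optional[float] = None  # CVSS v3.x base score, when the scanner provides one
    fixed_in: Optional[str] = None


@dataclass(frozen=True)
class Waiver:
    """A documented, time-limited exception for one advisory on one package."""
    package: str
    vuln_id: str
    expires: date
    reason: str


@dataclass(frozen=True)
class GateResult:
    blocking: Tuple[Finding, ...]
    waived: Tuple[Finding, ...]
    below_threshold: Tuple[Finding, ...]

    @property
    def passed(self) -> bool:
        return not self.blocking


def severity_from_cvss(score: float) -> str:
    """Map a CVSS v3.x base score to its qualitative rating."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    if score > 0.0:
        return "low"
    return "none"


def normalize_severity(f: Finding) -> str:
    """Prefer the scanner's label, fall back to the CVSS score, else 'unknown'."""
    if f.severity and f.severity.lower() in SEVERITY_RANK:
        return f.severity.lower()
    if f.cvss is not None:
        return severity_from_cvss(f.cvss)
    return "unknown"


def evaluate(findings: Iterable[Finding], waivers: Iterable[Waiver],
             threshold: str = "high", today: Optional[date] = None) -> GateResult:
    """Block when any finding at or above `threshold` has no valid waiver.

    Unknown severities always block, and expired waivers do not count.
    """
    today = today or date.today()
    active = {(w.package, w.vuln_id) for w in waivers if w.expires >= today}
    blocking, waived, below = [], [], []
    for f in findings:
        rank = SEVERITY_RANK.get(normalize_severity(f), UNKNOWN_RANK)
        if rank < SEVERITY_RANK[threshold]:
            below.append(f)
        elif (f.package, f.vuln_id) in active:
            waived.append(f)
        else:
            blocking.append(f)
    return GateResult(tuple(blocking), tuple(waived), tuple(below))


# Constructed sample scan output; package names and advisory IDs are placeholders.
SAMPLE_FINDINGS = [
    Finding("libalpha", "2.25.0", "EXAMPLE-0001", severity="HIGH", fixed_in="2.31.0"),
    Finding("libbeta", "1.26.4", "EXAMPLE-0002", cvss=5.3),       # no label: derived as medium
    Finding("libgamma", "5.3.1", "EXAMPLE-0003", severity="critical", fixed_in="5.4"),
    Finding("libdelta", "2.11.3", "EXAMPLE-0004"),                 # no label, no score: unknown
]
SAMPLE_WAIVERS = [
    Waiver("libgamma", "EXAMPLE-0003", date(2026, 3, 1),
           "vulnerable loader is never called; upgrade scheduled for the next sprint"),
]


def run_sample(today_iso: str = "2026-02-01") -> GateResult:
    """Run the gate over the constructed sample as of a given date."""
    return evaluate(SAMPLE_FINDINGS, SAMPLE_WAIVERS, today=date.fromisoformat(today_iso))


if __name__ == "__main__":
    import sys
    result = run_sample()
    for f in result.blocking:
        print(f"BLOCK  {f.package} {f.version} {f.vuln_id} ({normalize_severity(f)})")
    for f in result.waived:
        print(f"WAIVED {f.package} {f.version} {f.vuln_id}")
    sys.exit(0 if result.passed else 1)  # non-zero exit fails the CI job
```

With the sample data and a run date of 2026-02-01, EXAMPLE-0001 (high) and EXAMPLE-0004 (no severity at all) block the build, EXAMPLE-0003 is waived until its expiry, and EXAMPLE-0002 falls below the threshold. Re-running after 2026-03-01 makes EXAMPLE-0003 block again, which is the point of an expiring waiver: an accepted risk has to be re-accepted explicitly rather than forgotten in a config file.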

Software quality assurance. Quality Assurance tests all applications before they go into production (manual and automated tests).

Separation of test environments and data. Development and test environments are logically separated from the production environment. No personal health data is used in our development or test environments.

Automated code testing. Code is automatically tested against predefined test scenarios to ensure that changes do not result in any loss or degradation of security.

Independent penetration testing. In addition to vulnerability management (analysis and testing), CURE51 commissions penetration tests from third-party security experts.

  Authentication security

Password policy. CURE51 requires strong passwords that follow international recommendations on password robustness.

Two-factor authentication. CURE51 requires two-factor authentication on user accounts for applications that process personal health data (DSCP, données de santé à caractère personnel).

Role-based access controls. CURE51 applications are subject to role-based access controls with predefined privileges, allowing control over the use of and access to personal health data.

  Securing data in transit

All communications over the public network are encrypted with HTTPS/TLS (TLS 1.2 or higher), in accordance with industry standards.

  Change management

CURE51 has defined a change management procedure that includes:

  • Description of the change;

  • Risk analysis related to security or personal data protection;

  • Impact on the BCP/DRP;

  • Planning and implementation of the change;

  • Post-implementation review. 

  Security

Physical facilities. CURE51 uses servers provided by AWS in data centers located in Europe (France and Germany). To ensure 24/7 operation and constant service availability, AWS data centers have redundant power systems and are subject to environmental controls. AWS is HDS and ISO 27001 certified.

Network security.

  • Protection: the CURE51 network is protected by several security controls (DMZ, access control lists, firewalls, anti-malware, TLS, bastion hosts, IPsec, etc.).

  • Architecture: the network security architecture consists of several layers, each replicated across several availability zones. Demilitarized zones (DMZ) are used for the components exposed to the public network. Each layer is protected by firewalls.

  • Logical access: access to the production environment is strictly limited to system administrators. All access to DSCP is controlled and recorded in protected logs.

  Backups

CURE51 has implemented a backup policy across all production systems and environments, including databases, Git repositories, and S3 buckets. Backups are performed and tested regularly according to the criticality of the data. They are encrypted before being transferred to secure storage, and are immutable once written. Only system administrators have access to backups.

  Event logs

CURE51 has implemented an event logging policy covering system administration logs. User activity across all CURE51 applications is also logged.

  Security incident management

A continuous alerting system allows security incidents to be monitored constantly and resolved by system administrators as quickly as possible. Employees are trained in the security incident response process, including management of communication channels and escalation paths.

  Encryption

Encryption of stored data. Data at rest is protected by low-level (volume) disk encryption using AES-256 or an algorithm of at least equivalent strength.

Encryption of communications. On public networks, all communications with CURE51 user interfaces and APIs are encrypted using HTTPS/TLS (TLS 1.2 or higher), so that all traffic between CURE51 and its users and partners is protected in transit.

Backups. All backups are encrypted before being transmitted to a remote storage area. 

  Availability and continuity plan

Redundancy. All infrastructure is redundant in order to minimize the risk of downtime and data loss. Databases are configured with near-synchronous replication so that, under normal operating conditions, the complete loss of the primary node receiving writes results in no more than a few seconds of data loss.

Recovery point objective (RPO). CURE51's backup policy ensures a daily backup of production databases.

Disaster recovery plan. The disaster recovery plan ensures that the production platform can be completely rebuilt in the event of a total failure of the production environment. All code and configuration are stored in secure locations independent of the production environment.

  HR security

Training. Staff who process personal health data (DSCP) are subject to regular checks and ongoing training on reducing the risks associated with processing personal data.

Background and skills checks. CURE51 conducts background checks on all new employees. These checks are also carried out for contractors. Background checks may include verification of technical and general skills, as well as previous employment history.

Confidentiality agreement. All employees must sign non-disclosure and confidentiality agreements. These agreements remain in force after the end of the employment contract.

Definition of roles and responsibilities. CURE51 ensures that all roles and responsibilities are clearly defined and understood by the individuals to whom they are assigned.

Disciplinary procedure. CURE51 has established disciplinary procedures in the event of misconduct, as provided for in the internal regulations.

Security awareness.

  • All employees receive security awareness training during onboarding, refreshed annually thereafter. Basic rules and best practices are also regularly reinforced on CURE51's premises.

  • All developers are trained in development best practices.

  • The security team also provides additional updates on security awareness via email, blog posts, and presentations at internal events.

Audits. CURE51 is committed to a cycle of continuous improvement and to regularly auditing its systems:

  • Internal audit plan: all processes are audited by internal audit teams or by external service providers.

  • Management review: management systematically reviews the ISMS, evaluates opportunities for improvement, and decides on the measures needed to ensure its continued relevance, adequacy, and effectiveness.

  • Technical audits: in addition to vulnerability management (analysis and testing), CURE51 employs third-party security experts to perform detailed penetration testing. External technical audits are part of CURE51's annual audit plan.

  • Compliance certification audit: CURE51 has entered into a certification process with an accredited body to ensure that its ISMS complies with internationally recognized industry standards. The proper functioning of the ISMS is therefore assessed annually by an independent trusted third party.

Download our ISO 27001 Certification

Download our HDS Certification