Information Security Standard - ADHICS and its impact on the healthcare providers in Abu Dhabi

How Insta HMS helps healthcare providers to follow and adhere to information security standards.

• In UAE, Insta HMS is hosted on enterprise grade Microsoft Azure Cloud services which has certifications such as ISO 27001, HIPAA, FedRAMP, SOC 1, and SOC 2.
• Insta HMS follows data localization hosting compliance rules and so has Abu Dhabi and Dubai customers hosted out of Abu Dhabi and Dubai regions only.
  • Insta HMS either allocates a separate dedicated instance or a shared hardware but tenanted database to each healthcare provider who uses Insta HMS.
• Microsoft Azure Cloud services offers multiple options to comply with Data Encryption requirements.
  
  1. Data encryption at rest: includes information that resides in persistent storage on physical media, in any digital format. This can include files on magnetic or optical media, archived data, and data backups. Microsoft Azure offers a variety of data storage solutions to meet different needs, including file, disk, blob, and table storage.
  2. Azure offers many mechanisms for keeping data encrypted in motion or in transit.
  3. Transparent Data Encryption (TDE) protects data and log files, using AES and Triple Data Encryption Standard (3DES) encryption algorithms. Encryption of the database file is performed at the page level. The pages in an encrypted database are encrypted before they are written to disk and are decrypted when they’re read into memory. TDE is now enabled by default on newly created Azure SQL databases.
• Insta HMS is the only clinic and hospital management solution which is able to offer Etisalat SDWAN powered Microsoft Azure hosted cloud based solutions with Malaffi Health Information Exchange connectivity in Abu Dhabi.
• Insta HMS has extensively well defined and flexible backup policy options for point in time recovery and disaster management to choose from whether they are hosted on their own on-premises servers or Insta managed Microsoft Azure cloud. These backups are tested periodically in coordination with the providers.
  
  • Hot backup option to a local disk or NAS using database WAL shipping.
  • Streaming replication to a backup server for High Availability.
  • Backup from on prem to cloud.
• Insta has role based access controls so that only authenticated users via multi factor authentication have access to the Insta HMS application at all times.
  
  • Access controls can be defined to authorize which users have access to specific screens and actions in the application workflow.
  • Insta supports totp based authentication using apps, otp over email/sms, offline tokens which can be setup basis IP configuration rules.
• Insta stores all passwords in an 128 bit encrypted format, enforces a minimum 12 character length password, enforces first time login change password and has configurable password preferences to enforce customizable strength rules as well such as number of special characters, digits, characters, lower/uppercase letters etc.
• Insta has a wide range of administrator access to view the trail of transactions using the application audit log functionality.
• Insta HMS has written contractual agreements in place with customers not to make attempts to anonymize healthcare entity data/information, through specific instances, for the purpose of our own business benefits or needs.
• In the event that a customer wishes for any reason to transition out or discontinue use of Insta HMS services we are fully supportive of the customer during the transition and offer the following options for data extraction:
  
  • a database dump is provided to the customer before deinstallation of software from customer servers or cloud instances.
  • clinical data such as medical reports can be extracted in the form of PDF exports.
  • masters and transactional data can be exported using Insta’s extensive reporting capabilities.
• In addition, we are responsible for all data removal from our environment, disconnecting all existing integrations and knowledge handover based on a mutually agreed approach.
• In the event that a security breach occurs our operations teams are equipped to make the disclosures within one hour of observation or knowledge to soc@doh.gov.ae.