Viedoc and Information Security

Viedoc Technologies, at heart, is about confidentiality, integrity, and availability of your most valuable information assets - clinical data. We’ve always aimed to deliver a secure-by-design platform and build a cybersecurity-aware culture in all areas of our organization.

Alongside our Quality Management System that we’ve had since the start in 2003, we implemented an Information Security Management System (ISMS) in 2017. We continually added and updated existing policies, processes, and procedures until we were certification-ready. Our ISMS is now ready to be audited in December for ISO 27001 certification.

The ISMS requires continuous top management engagement in, and review of, information security concerns, and mandates continuous improvement throughout the organization. The system also establishes well over 100 controls to be implemented and monitored. These controls include, but are not limited to:

• regulatory, legal, and contractual compliance
• recruitment, onboarding, training, awareness, termination of personnel
• separation of duties, the principle of least privilege
• access control, provisioning, review, deprovisioning
• physical security, network security, information transfer security
• encryption in transit, at rest, keys management
• change management, patch management, protection from malware
• secure development, security testing, security review
• supplier selection, management, decommissioning
• business continuity, data backups, data retention, data disposal
• incident management, forensics, logging, penetration testing

In 2019 we started migrating away from owning physical hardware and rack space in data centers and moved into the Microsoft Azure IaaS/PaaS infrastructure. Microsoft annually invests more than US$ 1bn in information security, and we wanted to be a part of that. The security Microsoft offers allows us to focus on what we do best.

Another aspect of information security is the features that Viedoc provides. We understand that it is just as important Viedoc enables you to maintain information security in the areas that you are responsible for:

• data isolation is, by design, through a role-based permission system
• roles are highly configurable to enable a project following the principle of least privilege
• multi-factor-authentication can be enforced on project level but can also be enabled at-will by users
• Viedoc features encourage a delegated access management approach, which makes recognizing incorrect/outdated access authorization possible

We have incident response and business continuity procedures in place to allow rapid recovery with minimal impact on your business continuity. We test components of these procedures every day to ensure they work if ever needed. We are confident that Viedoc is as resilient to the ever-evolving cyberthreats as any system can be, while maintaining a user experience enabling clinical data collection of the highest possible quality.