Update: 28th June 2021
We wanted to let our clients know that we have recently become aware of two new businesses, “Vaultron Technology” and “Cyber-Medica”, that have published a document purporting to be a ‘Software Provider Data Trust Report’ on Power Diary. The document contains a series of statements, assertions and conclusions that range from overtly inaccurate and misleading through to gross oversimplifications and misrepresentations.
In January 2021 we were contacted by this company, claiming to be acting for an unnamed client, requesting information from us about our security and privacy processes. Several aspects of this contact gave us cause for concern as to the validity of the enquiry: statements about standards that were incorrect, references to schemes that do not exist, spelling and grammatical errors, a mobile phone number given as the contact for the general manager, a company that had been formed only a few months earlier, and an absence of any formatting in the message.
They would not name the client when we asked, citing client confidentiality. That is their right, of course; however, it is not the practice of any other person or organisation that has conducted similar research with us in the past. The entire approach was inconsistent with all the previous requests for similar information we have received.
After making some initial enquiries we ceased contact, out of concern that this was either a marketing exercise for their consulting services (our initial view), a ruse to obtain sensitive information about our operations, or possibly even an actual security test of how much information we would provide despite the obvious red flags.
We recently learned via a concerned user that they had indeed produced a report, and we received a copy of the document this weekend. The document uses unprofessional, inflammatory and alarming language to make a number of claims that we strongly dispute, and it draws many inaccurate conclusions.
We will now review the contents in detail, and explore our legal and other options. We will provide a further update over the coming days as this matter progresses.
We want to assure you that Power Diary has extremely robust security systems and processes in place. Power Diary has been providing safe and secure practice management software to the healthcare industry in Australia and around the world for over 10 years. We take data safety and privacy extremely seriously and strongly reject the false and misleading assertions made. We are particularly disappointed that this document has caused increased stress and worry to health practitioners at a time of unprecedented pressure and strain.
Among other things, the report includes the misleading statement that our “refusal to adopt independent best practice audits such as SOC 2, ISO 27001 … raise[s] profound concerns”.
We have never refused this, and to say or even imply that we have done so is grossly inaccurate and misleading.
We are well accustomed to completing security audits, and we are regularly contacted by representatives of health practices, governments and other organisations as part of their security audits and reviews. These normally take the form of a detailed questionnaire about the security standards, systems and processes we have in place. We have not had any issues with the many security reviews we have completed in the past.
Power Diary adopts a high standard and prefers suppliers that adopt similar or higher standards. For example, the cloud infrastructure provider that runs Power Diary is ISO 27001 certified.
Power Diary is one of a select set of practice management systems to have a native integration with Medicare Australia, meaning that we are accredited to connect to them directly and do not use any third parties for this processing. As part of this, the integration requires that we are regularly subject to Medicare’s rigorous testing and security evaluation process. We have always met or exceeded all the standards they set, and this benefits all of our clients, whether or not they use this integration. It is important to note that Medicare is a Government body and not a standards organisation, so it does not have a formal role as a compliance assessor; however, it does have extremely thorough requirements that must be met.
Power Diary is also an accredited Xero Partner with a fully approved and validated integration. This also required a comprehensive security review of us, with an extended survey and evaluation of our processes and of the integration. Again, Power Diary was found to meet or exceed all standards and requirements. Note that it is possible to integrate with Xero without being an accredited partner, under far lower requirements than those Power Diary has met.
Power Diary Pty Ltd has been operating since 2010. Tens of thousands of practitioners trust Power Diary as their practice management system, and we have helped practices make tens of millions of appointments. We assure you that we intend to be around for a lot longer and to work with many more practices to help them run more effectively. We would never do anything to jeopardise this long-term approach, and security is always a top priority.
We believe that data security should be a high priority for all health practice owners; however, false accusations and misleading statements are confusing and do not make anyone more secure. This is a good reminder that any advice sought and taken on security should come from organisations with a well-established reputation and demonstrated experience in the industry.