Power Diary is a leading healthcare practice management platform chosen by thousands of practitioners worldwide. Healthcare data security is a critical priority for us, and security permeates everything we do – from how our software is built and used, to the way we operate as a company.
There are many aspects to healthcare data security, and here we cover the most important approaches we take and try to address any security concerns you might have. A key thing to note about Power Diary’s security compliance is that we have operations and customers in many countries and therefore must adhere to the highest standards across all jurisdictions – and all customers benefit from this.
Power Diary is ISO 27001 Certified
The most important global security standard for practice management software is ISO 27001.
Power Diary is certified with ISO 27001, and this international standard recognises our commitment to ensuring the highest global security standards for healthcare data. Power Diary has become one of only a few Practice Management Software systems to achieve ISO 27001 certification. This certification serves as a testament to our unwavering dedication to ensuring the security of our customers’ health information. It lets customers know that Power Diary is compliant with health data security standards and also externally verified as adhering to global data security best practices – something we think is crucial when handling sensitive health data.
Security and Privacy Compliance and Certifications
Power Diary is certified and/or compliant with the following security and privacy standards:
ISO 27001 Certified (Worldwide)
ISO 27001 is an internationally acknowledged standard for information security management. Being ISO 27001 certified means that Power Diary has implemented strict security measures to prevent unauthorised access, theft, and corruption of sensitive information.
HIPAA (USA)
HIPAA is the US sectoral law that establishes the privacy and security standards for protecting medical information in the US. Power Diary is HIPAA compliant, which means that the company has implemented policies and procedures to ensure the privacy, confidentiality, integrity, and availability of protected health information.
GDPR UK and GDPR EU (UK and Europe)
The General Data Protection Regulation (GDPR) is a comprehensive data protection regulation that applies to all UK and EU citizens. Power Diary is GDPR compliant, which means that Power Diary has implemented the necessary measures to protect the privacy of the personal data of individuals in the UK and EU.
ACSC Member (Australia)
The Australian Cyber Security Centre (ACSC) is the lead agency for cybersecurity in Australia. Being a member of the ACSC means Power Diary has access to the latest cybersecurity threat intelligence and advice on protecting against cyber attacks.
The Privacy Act (Australia)
The Privacy Act 1988 is Australia’s consolidated data protection law, which aims to promote the protection of individuals’ privacy. It is interpreted and applied through the Australian Privacy Principles (‘APP’) Guidelines issued by the Office of the Australian Information Commissioner (‘OAIC’). Compliance with the APPs means that Power Diary has implemented measures to protect the privacy of the personal information of Australian citizens.
PIPEDA (Canada)
PIPEDA is a Canadian law regulating private sector organisations’ collection, use, and disclosure of personal information. Being PIPEDA compliant means that Power Diary has implemented the necessary measures to protect the privacy of the personal information of Canadian citizens.
CCPA (USA, California)
CCPA is a California state law that gives California residents the right to know what personal information is being collected about them and the right to request that it be deleted. Being CCPA compliant means that Power Diary has implemented measures to protect the privacy of the personal information of California residents.
POPIA (South Africa)
POPIA governs data protection and privacy law in South Africa and has many similarities with the European GDPR in its material scope, key definitions, data subject rights, and general approach to personal data protection. Power Diary is compliant with POPIA.
How Does ISO 27001 Certification Protect Your Patients’ Information?
When we think of data security, what usually comes to mind is encryption, password strength, and the data centre’s location. But while these are important factors, they are only the tip of the iceberg. In fact, very few data breaches are due to these factors, as security in practice is much broader and more holistic.
You might be wondering why ISO certification matters or what difference it makes for you and your clients. Here, we attempt to explain the differences between a practice management system that is ISO Certified versus one that is not ISO certified.
| Security Characteristic | Power Diary – ISO Certified (externally verified, audited annually) | Non-ISO Certified Practice Management Systems |
| --- | --- | --- |
| Information Security Policies | Power Diary has a documented and approved Information Security Policy, which includes access control, acceptable use, incident management, and data classification. | Practice management systems without ISO 27001 certification may not have a documented and approved Information Security Policy, leaving their customers’ sensitive information at risk. |
| Secure Operations | Power Diary has implemented procedures and controls for secure operations such as change management, backup and recovery, and incident management. | Practice management systems without ISO 27001 certification may not have formalised procedures for secure operations, which can lead to errors, outages, or data loss. |
| Organisation of Information Security | Power Diary has implemented an Information Security Management System (ISMS) that includes an organisational structure, roles, and responsibilities for information security. | Practice management systems without ISO 27001 certification may not have an organised approach to information security, which can lead to confusion, errors, and vulnerabilities. |
| Communications Security | Power Diary has been verified as having secure communication channels which provide protection such as encryption and digital signatures to ensure the confidentiality, integrity, and appropriate availability of sensitive information. | Practice management systems without ISO 27001 certification may not have secure communication channels, leaving sensitive information vulnerable to interception or alteration. |
| Human Resources Security | Power Diary has implemented procedures for hiring, training, and managing employees, contractors, and third-party personnel to ensure they have the necessary knowledge, skills, and integrity to protect customers’ information. | Practice management systems without ISO 27001 certification may not have strict hiring and training procedures, which can result in unqualified, unidentifiable, or malicious personnel with access to sensitive information. |
| Software Development and Maintenance | Power Diary has implemented procedures and controls for secure software development as well as for testing, system integration, and maintenance. | Practice management systems without ISO 27001 certification may not have secure software development or maintenance procedures, leaving their software vulnerable to bugs, exploits, or backdoors. |
| Asset Management | Power Diary has inventoried and classified information assets, implemented controls for their protection, and monitors their usage and disposal. | Practice management systems without ISO 27001 certification may not have an accurate inventory of their information assets, which can lead to loss, theft, or unauthorised access to sensitive information. |
| Supplier Relationships | Power Diary has implemented procedures and controls to ensure that its suppliers and partners are also protecting their customers’ sensitive information. | Practice management systems without ISO 27001 certification may not scrutinise their suppliers and partners, which may put client health data at risk. |
| Access Control | Power Diary has implemented a comprehensive access control system that includes policies, procedures, and technical measures such as authentication, authorisation, and encryption. | Practice management systems without ISO 27001 certification may not have robust access control systems, which can lead to unauthorised access to sensitive information. |
| Data Incident Management | Power Diary has implemented an incident management process that includes procedures for reporting, assessing, and resolving security incidents. | Practice management systems without proper incident management may not have a documented or tested incident management process, leading to a slower response time or inadequate handling of security incidents. |
| Cryptography | Power Diary has implemented encryption and other cryptographic controls to protect sensitive information in storage and transmission. | Practice management systems without ISO 27001 certification may not have implemented encryption or other cryptographic controls, leaving sensitive information vulnerable to interception or theft. |
| Business Continuity Plan | Power Diary has integrated information security aspects into its business continuity management process to ensure that it can recover from security incidents and minimise any impact on customers. | Practice management systems without proper incident management may not have integrated information security into their business continuity management process, which can result in long periods of downtime and greater disruption to their customers. |
| Physical and Environmental Security | Power Diary has assessed the relevant physical and environmental controls such as access control, surveillance, and backup power to protect the infrastructure and equipment that process and store sensitive information. | Practice management systems without ISO 27001 certification may not have physical and environmental controls in place, making their infrastructure and equipment vulnerable to theft, damage, or disruption. |
| Compliance | Power Diary has implemented processes to identify and comply with relevant laws, security standards, contractual obligations, and data protection agreements related to information security and privacy. All policies and procedures are formally reviewed according to a preset schedule, and evidence of this is documented. | Practice management systems without proper compliance may not have processes in place to identify and comply with relevant laws and contractual requirements, which can lead to legal and financial penalties, and loss of customer trust. |
What is ISO 27001?
ISO 27001 is an information security standard created by the International Organization for Standardization (ISO), which provides a framework and guidelines for establishing, implementing and managing an information security management system (ISMS). It was originally published in 2005 and has been updated and revised several times since then.
3 Pillars of ISO 27001
The goal of ISO 27001 and an Information Security Management System is to protect three principles of information handling:
- Confidentiality
- Integrity
- Availability
What are the Domains of ISO 27001?
The current ISO 27001 certification has four domains. Each includes numerous controls for assessing adherence to the ISO 27001 standards (there are currently a total of 96 controls).
4 Domains of ISO 27001
- Organisational controls
- Personal controls
- Physical controls
- Technological controls
The current ISO 27001 standard has four domains, which cover seven broad security areas:
7 broad security areas covered by ISO 27001
- Company security policy
- Asset management
- Physical and environmental security
- Access control
- Incident management
- Regulatory compliance
- Risk management
What’s Involved in ISO 27001 Certification?
The ISO 27001 certification process represents a significant commitment in time and resources. In Power Diary’s case, we added extra team members specifically dedicated to our focus on security, and the process took more than a year, involving all directors, senior management and ultimately impacting every team member in the company. We also implemented a governance, risk and compliance platform to ensure our ongoing compliance with security frameworks and privacy regulations.
The process of getting certified with ISO 27001 involves developing an information security management system (ISMS) which is rigorously and thoroughly evaluated as part of the ISO 27001 certification process to ensure it complies with the ISO 27001 standards. Certification currently involves an assessment against all the controls – most of which are focused on operational and technical aspects.
8 Stages of ISO 27001 Certification
The following steps are usually included in the ISO certification process:
- Gap Analysis: The first step is to conduct a gap analysis to identify areas where the organisation’s ISMS does not meet the requirements of the ISO 27001 standard.
- Risk Assessment: The next step involves a risk assessment; the goal is to identify potential security threats and vulnerabilities that could impact the organisation’s sensitive information confidentiality, integrity, and availability.
- ISMS Development: Based on the gap analysis and risk assessment results, the organisation develops and implements an ISMS to meet the requirements set forth by the ISO 27001 standard.
- Internal Audit: The organisation will conduct an internal audit of its ISMS to ensure that it is functioning effectively and meeting the requirements of the ISO 27001 standard.
- Certification Audit: The certification audit is conducted by an independent third-party certification body that assesses the organisation’s ISMS against the requirements of the ISO 27001 standard.
- Corrective Actions: If any non-conformities are identified during the certification audit, the organisation must implement corrective actions to address them.
- Certification: Once the organisation has successfully demonstrated that its ISMS meets the requirements of the ISO 27001 standard and any non-conformities have been addressed, it will be awarded the ISO 27001 certification.
- Continuous Improvement & Recertification: ISO certification is valid for three years, during which time the organisation will need to undergo regular surveillance audits to ensure that its ISMS continues to meet the requirements of the ISO 27001 standard. Power Diary has committed to this continuous process.
Understanding Healthcare Data Security
All data security is important, but security is even more pertinent when dealing with patient medical or health data. Patient data often contains highly sensitive information, which if compromised, has the potential for serious consequences.
It should be noted that the approaches to address patient data security are more than purely technological, as they need to incorporate people, operations, and technology. For Power Diary, data security is not simply a “tick-the-box” exercise; it’s something that runs to the core of everything we do and affects every single person in the company. We believe that the best way for users to determine a system’s security level is through externally validated certification. This is why Power Diary invested, and continues to invest, in meeting the requirements of all the top-tier security guidelines and certifying for the highest global standard for information security – ISO 27001.
For health practices, patient data security is a critical issue that all practice owners and managers should be concerned about. Patients trust health practices to keep their information confidential and secure, and failure to do so can result in significant reputational damage, loss of trust, fines and may have consequences for practitioners’ professional status. Furthermore, depending on the profession and jurisdiction, many health practices are also legally obligated to adhere to certain data protection regulations. Therefore, all health practices need to prioritise patient data security to safeguard patient privacy, maintain trust, and comply with their professional obligations.
The choice of practice management software is critical to patient data security, as it plays a crucial role in managing and protecting patient information. Health practices that use Power Diary as their practice management software can be sure that they are protecting the security of their patients’ data. However, many other factors, such as staff training, internal policies and processes, and access controls, all contribute to robust data security practices.
Our goal at Power Diary is for all customers to have the necessary tools and knowledge to uphold a high healthcare privacy and data security standard. When you start with Power Diary, we’ll provide you with the guidance, tips and support you need.
Our founders recently ran an information session covering the basics of healthcare data security and privacy, such as best practices for keeping patient data safe. It highlights the importance of proper user access control, password management, and two-factor authentication while also discussing how to handle employee termination scenarios and other security-related topics.
Tips to Maintain Data Security in Healthcare
Here are some healthcare privacy essentials to keep in mind.
As well as choosing a secure practice management system, there are necessary, practical steps that all practices should take to ensure their clients’ healthcare data is protected. Remember, your security is only as strong as its weakest point, so please ensure that these practices are in place in your business:
How does Power Diary’s Practice Management Software ensure Patient Data Security?
Power Diary is one of the most loved healthcare practice management tools, used by thousands of practitioners worldwide. We consider healthcare data security our highest priority.
As part of our ISO 27001 certification, we have developed robust data security policies, procedures and controls, to ensure the highest level of data protection in healthcare. Power Diary also strictly follows all applicable privacy regulations such as the US HIPAA, the UK/EU GDPR, the Australian Privacy Act, the California Consumer Privacy Act and the Canadian PIPEDA.
Here are some ways security is applied in the Power Diary system to protect sensitive health data.
✓ Secure Clinical Notes
Some of the most sensitive client information can often be clinical notes that practitioners write about their patients. Like all client data, these are encrypted during transmission to the server, and when in storage – making any information virtually impossible to access without appropriate permission. Using configurable templates, we make treatment notes extremely efficient to prepare, while ensuring that they are completely secure from both a database point of view and with the ability to apply appropriate user permissions.
✓ Two Factor Authentication
Power Diary offers users additional protection against potential patient data privacy breaches with Two-Factor Authentication (2FA).
2FA requires users to provide a second form of authentication so that users enter not only their username and password, but also a unique code sent directly to their mobile device via SMS or a separate app, before being granted access.
This extra step helps protect patient data from unauthorised access if a device is lost or stolen, or login credentials are compromised. 2FA is accepted as one of the key ways to protect sensitive data and prevent unauthorised access.
✓ Backup and Encryption
Power Diary takes the security of users’ data seriously, which is why all information stored on Power Diary’s servers is backed up hourly and encrypted using industry-standard 256-bit SSL technology. This ensures that if any data becomes corrupted or lost due to a technical issue, it can be quickly recovered with minimal disruption. Encryption also helps protect patient data as it scrambles the information into an unreadable form, making it virtually impossible for unauthorised individuals to access it.
This level of security benefits patients and healthcare providers by ensuring compliance with healthcare data privacy regulations.
✓ User Access Controls
Power Diary’s user account controls are an important security measure for protecting patient data and healthcare privacy. These controls allow practices to determine who has access to their Power Diary account and the level of access for each user. Each user has unique login credentials, which allow them to access the system while their activity is recorded in the activity log file. (Power Diary strongly discourages any sharing of user accounts, and there is no charge for extra users.)
✓ User Activity Recording
Power Diary tracks activity by recording each time a user logs in or out of the system, and what data they have viewed or changed. This helps protect patient data privacy by ensuring that any changes made to a patient’s records can always be traced back to the person who made the change, and by making it easy to identify any suspicious activity or unusual login patterns.
✓ Hosting Infrastructure and Design
Power Diary’s infrastructure and design are critical to ensuring optimum healthcare data privacy. All data is kept on secure servers provided by Amazon Web Services (AWS). By using AWS as our infrastructure provider, Power Diary exceeds the standards defined by ISO 27001 and the HIPAA Security Rule, which is typically used as the international standard for the physical and electronic safeguards required for managing Protected Health Information.
Power Diary also has an AWS Business Associate Addendum in place that ensures any data stored on the platform is protected and secure. This addendum outlines specific requirements for ensuring the security of patient data, such as encryption technology and multi-factor authentication. Power Diary also has a Service Level Agreement with AWS which guarantees a high level of uptime. Since 2007, Power Diary’s uptime has exceeded 99.9%, ensuring user data is always available and protected from potential security threats.
✓ Active System Monitoring
Power Diary has a comprehensive system for actively monitoring user activity and potential security threats. This system monitors data continuously to detect any suspicious activity that might indicate a potential security threat or data breach. By constantly monitoring user activity and system performance, Power Diary can take immediate action if any unusual activity is detected.
✓ Technology Updates
Power Diary understands the importance of staying up-to-date with the latest security technologies and continuously updates its systems with new features. This helps protect patient data privacy from potential threats by ensuring the platform is ahead of emerging security risks or vulnerabilities.
When Power Diary becomes aware of any recent developments in cyber security, we immediately take steps to update our technology and ensure that the latest security measures are employed. This may involve installing patches, applying new security protocols, or implementing additional encryption technology to protect patient data privacy.
✓ Data Transmission
When data is transmitted from Power Diary to its users, we use Secure Sockets Layer (SSL) encryption technology to ensure that all information remains confidential. This encryption technology, which is the same as that used by online banks and other large financial institutions, renders data unrecognisable so that it can only be read by the intended recipient.
Power Diary also uses a Domain Validated Security Certificate to provide extra protection against someone attempting to impersonate the site. This certificate ensures that all traffic is securely encrypted and the website is legitimate. Without this secure certificate, data transmission may be vulnerable to malicious attacks such as phishing or man-in-the-middle attacks, designed to fool users into entering their confidential information on a fake website.
Enhancing Your Healthcare Data Protection: Power Diary’s Robust Security and Compliance Program
Our Security and Compliance Program goes beyond simply adhering to industry standards. Unlike most practice management systems, Power Diary’s data security is certified against worldwide best practices to ensure the highest standards for the protection of patient information.
We understand that your data is critical to your business, and we take great care to keep it safe. We believe that trust is created through transparency, and we intend to be transparent about our commitments and what you can expect from us.
At the highest level, our security commitments when you use Power Diary’s health practice management system are:
- Your data remains yours
Power Diary is dedicated to healthcare privacy, ensuring that patient data remains confidential. Power Diary will not sell your customer data to third parties, nor give any government or other entity access unless required by law, or in order to provide the expected service.
- We’re committed to international, best-practice privacy and security standards
Although the security and privacy landscape constantly changes, Power Diary is fully committed to protecting customer data using the best methods available. Our privacy and security practices are regularly audited against international standards.
We believe in creating trust through transparency, so we have outlined below the main elements of our Security and Compliance Program.
Power Diary Security Downloadables
Here, we’ve prepared some key documents that can be downloaded for your reference.
Patient Data Privacy and Security for Practices Using Power Diary
Health practices using Power Diary as their practice management software have chosen a platform committed to world-class data security. Power Diary proudly holds ISO 27001 certification, a global standard for information security management systems.
How does this safeguard patients?
- World-Class Data Security: Power Diary’s ISO 27001 certification confirms our implementation of comprehensive security measures to safeguard your data from potential cyber threats.
- Trust in Your Provider: The certification is an assurance of your healthcare provider’s commitment to data security. By choosing Power Diary, they’ve selected one of just a few practice management systems globally that have successfully fulfilled the stringent requirements of ISO 27001.
- Continuous Security Enhancements: ISO 27001 certification requires that our software is subject to ongoing monitoring and regular audits, ensuring continuous protection against evolving threats. This commitment means data stored in Power Diary is always safeguarded by the latest, most effective security measures.
Protecting Your Privacy: Power Diary’s Commitment to Clients and Patients
In addition to ISO 27001 certification, Power Diary complies with stringent privacy regulations, including The Privacy Act (AU), HIPAA (US), GDPR (UK & EU), PIPEDA (CA), POPIA (ZA) and CCPA (US, California).
What does this mean for patients?
- Respected Privacy: Power Diary’s adherence to international privacy laws ensures that your personal data is handled with utmost care.
- Data Protection Agreements: At Power Diary, we enforce legally binding agreements that clearly delineate data protection rights and responsibilities between our company and our customers. These arrangements serve as a robust framework for data protection, ensuring every piece of personal data processed is handled with protection and security as the top priority.
- Transparency: Power Diary’s compliance with privacy laws ensures full transparency, letting you know exactly how your data is stored and managed – without being used for any other purposes.
By choosing a healthcare provider who uses Power Diary, you’re opting for a service that values data security and privacy.
Communicating Privacy and Security with Your Clients and Patients
As a healthcare provider, you understand how crucial security and privacy are to patients. Power Diary’s robust data protection is backed by ISO 27001 certification and rigorous adherence to privacy standards dictated by The Privacy Act (AU), HIPAA (US), GDPR (UK & EU), PIPEDA (CA), POPIA (ZA) and CCPA (US, California). We continuously monitor these standards to uphold the highest levels of data security and privacy and are subject to an annual audit to maintain ISO 27001 certification.
To help you communicate this to patients, you can use a brief explanation like,
“The security and privacy of your data is our top priority. We manage all patient data through Power Diary, an ISO 27001-certified practice management system. This ensures that your personal data is protected by software that meets the highest global standards for information security management and complies with all applicable privacy regulations.”
Or a slightly longer explanation could be something like,
“The security and privacy of your data is our top priority. That’s why we manage all patient data through Power Diary. Power Diary is ISO 27001-certified practice management software and strictly adheres to privacy regulations, including The Privacy Act (AU), HIPAA (US), GDPR (UK & EU), PIPEDA (CA), POPIA (ZA) and CCPA (US, California). Power Diary is externally audited on an annual basis to maintain ISO 27001 status, which we believe is essential for the protection of health data. Choosing software that meets the highest standards for information security management is part of our commitment to you. Learn more about how Power Diary protects your data here.”
FREQUENTLY ASKED QUESTIONS
How Secure Is Cloud-Based Practice Management Software?
Cloud-based practice management software like Power Diary is designed to keep all data secure and compliant with industry regulations. Data is transmitted from your device to servers over an encrypted, secure connection. All data is stored in secure servers with built-in redundancies and backup systems.
Additionally, Power Diary has security protocols in place to protect user data, such as active system monitoring, two-factor authentication, and more. Cloud-based solutions like Power Diary are considered to be more secure than on-premise software, which is more vulnerable to network breaches, data loss and device accidents, loss or theft.
Is Power Diary ISO 27001 Certified?
Yes, Power Diary is ISO 27001 certified. This standard represents the highest level of data security standards worldwide. Power Diary is one of only a few health practice management software companies in the world to obtain this certification.
Is Power Diary HIPAA Compliant?
Yes, Power Diary is HIPAA compliant. HIPAA is the US Health Insurance Portability and Accountability Act. This requires companies that deal with protected health information to have appropriate physical, network, and process security measures in place.
Is Power Diary GDPR Compliant?
Yes, Power Diary is GDPR compliant (the General Data Protection Regulation) for both GDPR UK and GDPR EU. This is widely thought to be the world’s strongest set of data protection rules, which enhance how people can access information about themselves and places limits on what organisations can do with personal data.
Is data encrypted in Power Diary?
Yes, Power Diary uses encryption and other cryptographic controls to protect sensitive information.
For data in transit, the connection between your browser and our servers is protected so that information transferred is encrypted using 256-bit SSL technology. This prevents others from intercepting and reading any information during transit. We also use a Domain Validated Security Certificate, which provides extra protection against someone attempting to impersonate our site.
For data at rest, Power Diary encrypts this data and stores and manages encryption keys. Encryption tools and products are configured using industry best practice encryption strength to protect data at rest.
Our internal Key Management and Cryptography Policy governs our encryption. This policy establishes requirements for selecting cryptographic keys, managing keys, assigning key strengths, and using and managing digital certificates.
Secure Your Healthcare Data with Power Diary
At Power Diary, we’re known for our commitment to patient data privacy and security. We understand the importance of keeping healthcare data secure and our enhanced security measures and compliance with various regulatory requirements demonstrate our continuous commitment to providing a secure platform for our customers – now and always.
With Power Diary, you can have peace of mind knowing that your healthcare data is being safeguarded by industry-leading security measures. Secure your healthcare data with Power Diary today and take advantage of our reliable and secure practice management software, loved by practitioners worldwide. If you have any questions or would like to learn more about our security processes, please contact us anytime. We’re here to help!