Power Diary is a leading healthcare practice management platform chosen by thousands of practitioners worldwide. Healthcare data security is a critical priority for us, and security permeates everything we do – from how our software is built and used, to the way we operate as a company.
There are many aspects to healthcare data security, and here, we cover the most important approaches we take and try to address any security concerns you might have. A key thing to note about Power Diary’s security compliance is that we have operations and customers in many countries and therefore, must adhere to the highest standards across all jurisdictions – and all customers benefit from this.
Power Diary is ISO 27001 Certified
The most important global security standard for practice management software is ISO 27001.
Power Diary is certified with ISO 27001, and this international standard recognises our commitment to ensuring the highest global security standards for healthcare data. Power Diary has become one of only a few Practice Management Software systems to achieve ISO 27001 certification. This certification serves as a testament to our unwavering dedication to ensuring the security of our customers’ health information. It lets customers know that Power Diary is compliant with health data security standards and also externally verified as adhering to global data security best practices – something we think is crucial when handling sensitive health data.
Quick Links
Security and Privacy Compliance and Certifications
Power Diary is certified and/or compliant with the following security and privacy standards;
ISO 27001 Certified (Worldwide)
ISO 27001 is an internationally acknowledged standard for information security management. Being ISO 27001 certified means that Power Diary has implemented strict security measures to prevent unauthorised access, theft, and corruption of sensitive information.
Health Insurance Portability and Accountability Act (HIPAA)
HIPAA is the US sectorial law that establishes the privacy and security standards for protecting medical information in the US. Power Diary is HIPAA compliant, which means that the company has implemented policies and procedures to ensure the privacy, confidentiality, integrity, and availability of protected health information.
GDPR UK and GDPR EU (UK and Europe)
The General Data Protection Regulation (GDPR) is a comprehensive data protection regulation that applies to all UK and EU citizens. Power Diary is GDPR compliant, which means that Power Diary has implemented the necessary measures to protect the privacy of the personal data of individuals in the UK and EU.
Australian Cyber Security Centre Member
The Australian Cyber Security Centre (ACSC) is the lead agency for cybersecurity in Australia. Being a member of the ACSC means Power Diary has access to the latest cybersecurity threat intelligence and advice on protecting against cyber attacks.
The Privacy Act (Australia)
The Privacy Act 1988 is Australia’s consolidated data protection law which aims to promote the protection of individuals’ privacy, interpreted and applied by the Australian Privacy Principle (‘APP’) Guidelines issued by the Australian Information Commissioner (‘OAIC’). Compliance with the APPs means that Power Diary has implemented measures to protect the privacy of the personal information of Australian citizens.
The Personal Information Protection and Electronic Documents Act (PIPEDA)
PIPEDA is a Canadian law regulating private sector organisations’ collection, use, and disclosure of personal information. Being PIPEDA compliant means that Power Diary has implemented the necessary measures to protect the privacy of the personal information of Canadian citizens.
California Consumer Privacy Act Compliant (CCPA)
CCPA is a California state law that gives California residents the right to know what personal information is being collected about them and the right to request that it be deleted. Being CCPA compliant means that Power Diary has implemented measures to protect the privacy of the personal information of California residents.
Protection of Personal Information Act (POPIA)
POPIA governs the law of data protection and privacy in South Africa and contains many similarities with the European GDPR regarding their material scope, key definitions, providing data subject rights, and in their general approaches to personal data protection. Power Diary is compliant with POPIA.
How Does ISO 27001 Certification
Protect Your Patients’ Information?
When we think of data security, what usually comes to mind is encryption, password strength, and the data centre’s location. But while these are important factors, they are only the tip of the iceberg. In fact, very few data breaches are due to these factors, as security in practice is much broader and more holistic.
You might be wondering why ISO certification matters or what difference it makes for you and your clients. Here, we attempt to explain the differences between a practice management system that is ISO Certified versus one that is not ISO certified.
| Security Characteristics | Power Diary – ISO Certified (Externally verified audited annually) | Non-ISO Certified Practice Management Systems |
|---|---|---|
| Information Security Policies | Power Diary has a documented and approved Information Security Policy, which includes access control, acceptable use, incident management, and data classification. | Practice management systems without ISO 27001 certification may not have a documented and approved Information Security Policy, leaving their customer’s sensitive information at risk. |
| Operations Security | Power Diary has implemented procedures and controls for secure operations such as change management, backup and recovery, and incident management. | Practice management systems without ISO 27001 certification may not have formalised procedures for secure operations, which can lead to errors, outages, or data loss. |
| Organisation of Information Security | Power Diary has implemented an Information Security Management System (ISMS) that includes an organisational structure, roles, and responsibilities for information security. | Practice management systems without ISO 27001 certification may not have an organised approach to information security, which can lead to confusion, errors, and vulnerabilities. |
| Communications Security | Power Diary has been verified as having secure communication channels which provide protection such as encryption and digital signatures to ensure the confidentiality, integrity, and appropriate availability of sensitive information. | Practice management systems without ISO 27001 certification may not have secure communication channels, leaving sensitive information vulnerable to interception or alteration. |
| Human Resources Security | Power Diary has implemented procedures for hiring, training, and managing employees, contractors, and third-party personnel to ensure they have the necessary knowledge, skills, and integrity to protect customers’ information. | Practice management systems without ISO 27001 certification may not have strict hiring and training procedures, which can result in unqualified, unidentifiable, or malicious personnel with access to sensitive information. |
| Software Development and Maintenance | Power Diary has implemented procedures and controls for secure software development as well as for testing, system integration, and maintenance. | Practice management systems without ISO 27001 certification may not have secure software development or maintenance procedures, leaving their software vulnerable to bugs, exploits, or backdoors. |
| Asset Management | Power Diary has inventoried and classified information assets, implemented controls for their protection, and monitor their usage and disposal. | Practice management systems without ISO 27001 certification may not have an accurate inventory of their information assets, which can lead to loss, theft, or unauthorised access to sensitive information. |
| Supplier Relationships | Power Diary has implemented procedures and controls to ensure that its suppliers and partners are also protecting their customers’ sensitive information. | Practice management systems without ISO 27001 certification may not scrutinise their suppliers and partners, which may put client health data at risk. |
| Access Control | Power Diary has implemented a comprehensive access control system that includes policies, procedures, and technical measures such as authentication, authorisation, and encryption. | Practice management systems without ISO 27001 certification may not have robust access control systems, which can lead to unauthorised access to sensitive information. |
| Data Incident Management | Power Diary has implemented an incident management process that includes procedures for reporting, assessing, and resolving security incidents. | Practice management systems without proper incident management may not have a documented or tested incident management process, leading to a slower response time or inadequate handling of security incidents. |
| Cryptography | Power Diary has implemented encryption and other cryptographic controls to protect sensitive information in storage and transmission. | Practice management systems without ISO 27001 certification may not have implemented encryption or other cryptographic controls, leaving sensitive information vulnerable to interception or theft. |
| Business Continuity Plan | Power Diary has integrated information security aspects into its business continuity management process to ensure that they can recover from security incidents and minimise any impact on customers. | Practice management systems without proper incident management may not have integrated information security into their business continuity management process, which can result in long periods of downtime and greater disruption to their customers. |
| Physical and Environmental Security | Power Diary has assessed the relevant physical and environmental controls such as access control, surveillance, and backup power to protect the infrastructure and equipment that process and store sensitive information. | Practice management systems without ISO 27001 certification may not have physical and environmental controls in place, making their infrastructure and equipment vulnerable to theft, damage, or disruption. |
| Compliance | Power Diary has implemented processes to identify and comply with relevant laws, security standards, contractual obligations, and data protection agreements related to information security and privacy. All policies and procedures are formally reviewed according to a preset schedule, and evidence of this is documented. | Practice management systems without proper compliance may not have processes in place to identify and comply with relevant laws and contractual requirements, which can lead to legal and financial penalties, and loss of customer trust. |
What is ISO 27001?
ISO 27001 is an information security standard created by the International Organization for Standardization (ISO), which provides a framework and guidelines for establishing, implementing and managing an information security management system (ISMS). It was originally published in 2005 and has been updated and revised several times since then.
3 Pillars of ISO 27001
The goal of ISO 27001 and an Information Security Management System is to protect three principles of information handling:
1.CONFIDENTIALITY
Only authorised persons have the right to access information.
2. INTEGRITY
Only authorised persons can change the information.
3. AVAILABILITY
The information must be accessible to authorised persons whenever it is needed.
Get started for free
14 Day Trial. Then pay-as-you-go. No lock-in contracts.
Pay Nothing until October 2023!*
Then receive 50% off for the first 6 months.
What are the Domains of ISO 27001?
The current ISO 27001 certification has four domains. Each includes numerous controls for assessing adherence to the ISO 27001 standards (there are currently a total of 96 controls).
4 Domains of ISO 27001
- Organisational controls
- Personal controls
- Physical controls
- Technological controls
The current ISO 27001 standard has four domains, which cover seven broad security areas:
7 broad security areas covered by ISO 27001
- Company security policy
- Asset management
- Physical and environmental security
- Access control
- Incident management
- Regulatory compliance
- Risk management
What’s Involved in
ISO 27001 Certification?
The ISO 27001 certification process represents a significant commitment in time and resources. In Power Diary’s case, we added extra team members specifically dedicated to our focus on security, and the process took more than a year, involving all directors, senior management and ultimately impacting every team member in the company. We also implemented a governance, risk and compliance platform to ensure our ongoing compliance with security frameworks and privacy regulations.
The process of getting certified with ISO 27001 involves developing an information security management system (ISMS) which is rigorously and thoroughly evaluated as part of the ISO 27001 certification process to ensure it complies with the ISO 27001 standards. Certification currently involves an assessment against all the controls – most of which are focused on operational and technical aspects.
8 Stages of ISO 27001 Certification
The following steps are usually included in the ISO certification process:
- Gap Analysis: The first step is to conduct a gap analysis to identify areas where the organisation’s ISMS does not meet the requirements of the ISO 27001 standard.
- Risk Assessment: The next step involves a risk assessment; the goal is to identify potential security threats and vulnerabilities that could impact the organisation’s sensitive information confidentiality, integrity, and availability.
- ISMS Development: Based on the gap analysis and risk assessment results, the organisation develops and implements an ISMS to meet the requirements set forth by the ISO 27001 standard.
- Internal Audit: The organisation will conduct an internal audit of its ISMS to ensure that it is functioning effectively and meeting the requirements of the ISO 27001 standard.
- Certification Audit: The certification audit is conducted by an independent third-party certification body that assesses the organisation’s ISMS against the requirements of the ISO 27001 standard.
- Corrective Actions: If any non-conformities are identified during the certification audit, the organisation must implement corrective actions to address them.
- Certification: Once the organisation has successfully demonstrated that its ISMS meets the requirements of the ISO 27001 standard and any non-conformities have been addressed, it will be awarded the ISO 27001 certification.
- Continuous Improvement & Recertification: ISO certification is valid for three years, during which time the organisation will need to undergo regular surveillance audits to ensure that its ISMS continues to meet the requirements of the ISO 27001 standard. Power Diary has committed to this continuous process.
Get started for free
14 Day Trial. Then pay-as-you-go. No lock-in contracts.
Pay Nothing until October 2023!*
Then receive 50% off for the first 6 months.
Understanding Healthcare Data Security
All data security is important, but security is even more pertinent when dealing with patient medical or health data. Patient data often contains highly sensitive information, which if compromised, has the potential for serious consequences.
It should be noted that the approaches to address patient data security are more than purely technological, as they need to incorporate; people, operations, and technology. For Power Diary, data security is not simply a “tick-the-box” exercise; it’s something that runs to the core of everything we do and affects every single person in the company. We believe that the best way for users to determine a system’s security level is through externally validated certification. This is why Power Diary invested, and continues to invest, in meeting the requirements of all the top-tier security guidelines and certifying for the highest global standard for information security – ISO 27001.
For health practices, patient data security is a critical issue that all practice owners and managers should be concerned about. Patients trust health practices to keep their information confidential and secure, and failure to do so can result in significant reputational damage, loss of trust, fines and may have consequences for practitioners’ professional status. Furthermore, depending on the profession and jurisdiction, many health practices are also legally obligated to adhere to certain data protection regulations. Therefore, all health practices need to prioritise patient data security to safeguard patient privacy, maintain trust, and comply with their professional obligations.
The choice of practice management software is critical to patient data security, as it plays a crucial role in managing and protecting patient information. Health practices that use Power Diary as their practice management software can be sure that they are protecting the security of their patients’ data. However, many other factors, such as staff training, internal policies and processes, and access controls, all contribute to robust data security practices.
Our goal at Power Diary is for all customers to have the necessary tools and knowledge to uphold a high healthcare privacy and data security standard. When you start with Power Diary, we’ll provide you with the guidance, tips and support you need.
Our founders recently ran an information session covering the basics of healthcare data security and privacy, such as best practices for keeping patient data safe. It highlights the importance of proper user access control, password management, and two-factor authentication while also discussing how to handle employee termination scenarios and other security-related topics.
Tips to Maintain Data Security in Healthcare
Here are some healthcare privacy essentials to keep in mind.
As well as choosing a secure practice management system, there are necessary, practical steps that all practices should take to ensure their clients’ healthcare data is protected. Remember, your security is only as strong as its weakest point, so please ensure that these practices are in place in your business;
User Accounts Passwords 2-Factor Authentication User Permissions User Activities Privacy Mode Screensavers Anti-Virus Firewalls Software Updates Paper Records Security Policies
Every user should have their own account.
Users should never share their Power Diary account with anyone else and should only access patient data from their own accounts.
Use strong passwords.
Passwords should be at least 8 characters long and contain a mix of upper and lowercase letters, numbers, and special characters. They should never be shared and should be changed frequently. It’s also preferable to use a password manager to manage passwords.
Use two-factor authentication.
Two-factor authentication adds an extra layer of security to the user login process by requiring an additional means of authentication.
Set up strict user permissions.
Restrict access to patient data so that employees can only view the data they need to perform their duties.
Monitor user activities.
Use logs to monitor user activity and identify any suspicious behaviour.
Use Privacy Mode.
Whenever there is the possibility of others seeing a screen containing client data, enable private mode to prevent identifying information from being displayed.
Use a password-protected screensaver.
Set up an automated password-protected screensaver to prevent access to your computer when you’re away (inactive for more than a couple of minutes).
Install anti-virus.
Protect your computer and network with anti-virus software that updates regularly.
Enable firewalls.
Firewalls act like digital barricades and can help to protect your data from malicious attacks.
Keep all software updated.
Ensure all software is up-to-date, including web browsers, and regularly patch any security vulnerabilities.
Eliminate paper records.
Physical copies of healthcare records represent a security risk for your clients and your operations. Migrate all relevant records into your practice management software or secure online file storage and securely destroy everything else.
Establish security policies.
Create and document security policies in your Practice Operations Manual (included with Power Diary) and ensure all team members comply with these.
How does Power Diary’s Practice Management Software ensure Patient Data Security?
Power Diary is one of the most loved healthcare practice management tools, used by thousands of practitioners worldwide. We consider healthcare data security our highest priority.
As part of our ISO 27001 certification, we have developed robust data security policies, procedures and controls, to ensure the highest level of data protection in healthcare. Power Diary also strictly follows all applicable privacy regulations such as the US HIPAA, the UK/EU GDPR, the Australian Privacy Act, the California Consumer Privacy Act and the Canadian PIPEDA.
Power Diary will never sell patient data or use, disclose, or manage it for any other purpose or in a way not stated in our Privacy Policy.
Here are some ways security is applied in the Power Diary system to protect sensitive health data.
✓ Secure Clinical Notes
Some of the most sensitive client information can often be clinical notes that practitioners write about their patients. Like all client data, these are encrypted during transmission to the server, and when in storage – making any information virtually impossible to access without appropriate permission. Using configurable templates, we make treatment notes extremely efficient to prepare, while ensuring that they are completely secure from both a database point of view and with the ability to apply appropriate user permissions.
✓ Two Factor Authentication
Power Diary offers users additional protection against potential patient data privacy breaches with Two-Factor Authentication (2FA).
2FA requires users to provide a second form of authentication so that users enter not only their username and password, but also a unique code sent directly to their mobile device via SMS or a separate app, before being granted access.
This extra step helps protect patient data from unauthorised access if a device is lost or stolen, or login credentials are compromised. 2FA is accepted as one of the key ways to protect sensitive data and prevent unauthorised access.
✓ Backup and Encryption
Power Diary takes the security of users’ data seriously, which is why all information stored on Power Diary’s servers is backed up hourly and encrypted using industry-standard 256-bit SSL technology. This ensures that if any data becomes corrupted or lost due to a technical issue, it can be quickly recovered with minimal disruption. Encryption also helps protect patient data as it scrambles the information into an unreadable form, making it virtually impossible for unauthorised individuals to access it.
This level of security benefits patients and healthcare providers by ensuring compliance with healthcare data privacy regulations.
✓ User Access Controls
Power Diary’s user account controls are an important security measure for protecting patient data and healthcare privacy. These controls allow practices to determine who has access to their Power Diary account and the level of access for each user. Each user has unique login credentials, which allow them to access the system while their activity is recorded in the activity log file. (Power Diary strongly discourages any sharing of user accounts, and there is no charge for extra users.)
✓ User Activity Recording
Power Diary tracks activity by recording each time a user logs in or out of the system, and what data they have viewed or changed. This helps protect patient data privacy by ensuring that any changes made to a patient’s records can always be traced back to the person who made the change, and by making it easy to identify any suspicious activity or unusual login patterns.
✓ Hosting Infrastructure and Design
Power Diary’s infrastructure and design are critical to ensuring optimum healthcare data privacy. All data is kept on secure servers provided by Amazon Web Services (AWS). By using AWS as our infrastructure provider, Power Diary exceeds the standards defined by ISO 27001 and the HIPAA Security Rule, which is typically used as the international standard for the physical and electronic safeguards required for managing Protected Health Information.
Power Diary also has an AWS Business Associate Addendum in place that ensures any data stored on the platform is protected and secure. This addendum outlines specific requirements for ensuring the security of patient data, such as encryption technology and multi-factor authentication. Power Diary also has a Service Level Agreement with AWS which guarantees a high level of uptime. Since 2007, Power Diary’s uptime has exceeded 99.9%, ensuring user data is always available and protected from potential security threats.
✓ Active System Monitoring
Power Diary has a comprehensive system for actively monitoring user activity and potential security threats. This system monitors data continuously to detect any suspicious activity that might indicate a potential security threat or data breach. By constantly monitoring user activity and system performance, Power Diary can take immediate action if any unusual activity is detected.
✓ Technology Updates
Power Diary understands the importance of staying up-to-date with the latest security technologies and continuously updates its systems with new features. This helps protect patient data privacy from potential threats by ensuring the platform is ahead of emerging security risks or vulnerabilities.
When Power Diary becomes aware of any recent developments in cyber security, we immediately take steps to update our technology and ensure that the latest security measures are employed. This may involve installing patches, applying new security protocols, or implementing additional encryption technology to protect patient data privacy.
✓ Data Transmission
When data is transmitted from Power Diary to its users, we use secure socket layer (SSL) encryption technology to ensure that all information remains confidential. This encryption technology, which is the same as that used by online banks and other large financial institutions, renders data unrecognisable so that it can only be read by the intended recipient.
Power Diary also uses a Domain Validated Security Certificate to provide extra protection against someone attempting to impersonate the site. This certificate ensures that all traffic is securely encrypted and the website is legitimate. Without this secure certificate, data transmission may be vulnerable to malicious attacks such as phishing or man-in-the-middle attacks, designed to fool users into entering their confidential information on a fake website.
Exclusive End of Summer Offer
Then receive 50% off for the first 6 months.
Enhancing Your Healthcare Data Protection: Power Diary’s Robust Security and Compliance Program
Our Security and Compliance Program goes beyond simply adhering to industry standards. Unlike most practice management systems, Power Diary’s data security is certified against worldwide best practices to ensure the highest standards for the protection of patient information.
We understand that your data is critical to your business, and we take great care to keep it safe. We believe that trust is created through transparency, and we intend to be transparent about our commitments and what you can expect from us.
At the highest level, our security commitments when you use Power Diary’s health practice management system are:
- Your data remains yours
Power Diary is dedicated to healthcare privacy, ensuring that patient data remains confidential. Power Diary will not sell your customer data to third parties, nor give any government or other entity access unless required by law, or in order to provide the expected service. - We’re committed to international, best-practice privacy and security standards
Although the security and privacy landscape constantly changes, Power Diary is fully committed to protecting customer data using the best methods available. Our privacy and security practices are regularly audited against international standards.
We believe in creating trust through transparency, so we have outlined below the main elements of our Security and Compliance Program.
People
Security at Power Diary starts at the top and reaches every member of our workforce.
Our team members are responsible for understanding and adhering to the guidance contained in our security policies and standards. Security policies and standards are reviewed and approved by management at least annually and are made available to the Power Diary workforce for their reference.
- Team Member Background Checks
We carry out background checks, verify previous employment, and also carry out reference checks as necessary. Depending on the role or position, we may also conduct criminal, credit, immigration, and security checks. - Privacy and Security Awareness Training
During onboarding, new hires must complete applicable privacy and security awareness training, which includes information about protecting confidential information and company assets, and our commitment to the privacy and integrity of customer personal data. - Password Controls
Power Diary’s Access Management Policy is aligned with the ISO 27001 guidelines. Access to Power Diary information assets are controlled using strong password authentication or the federated authentication method. All password accounts are changed periodically, multi-factor authentication (MFA) is required where possible, and accounts are locked out after three invalid login attempts. - Team Member Access to Data
At Power Diary, we follow the principle of least privilege. This means that users and systems have the minimum level of access necessary to perform their defined function, and unnecessary levels of access are restricted. In addition, access levels are audited quarterly, and inappropriate access is revoked. - Employee Confidentiality
Our key team members are bound by confidentiality and non-disclosure agreements that comply with all relevant laws and regulations in the markets where we operate. We periodically review these agreements to ensure that any changes affecting these requirements are taken into account.
Product Design
We’ve previously outlined how Power Diary’s practice management software ensures data security, but the way we develop our software also increases security;
- Secure Software Development Life Cycle
Power Diary’s Software Development Life Cycle (SDLC) policy states the requirements for developing or implementing software and systems. It ensures that all development work aligns with the strategic goals of the company, and considers any relevant risks and all pertinent regulatory, statutory, and contractual guidelines. In addition, this policy establishes guidelines for projecting and developing software in a manner that ensures its maintainability, accessibility, security and protection against cyber-attacks. - Change Management
Changes to information resources are managed and executed according to a formal change control process. The change control process ensures that proposed changes are reviewed, authorised, tested, implemented and released in a controlled manner, and the status of each proposed change is monitored.
Data Management
How we handle customer data is a key part of our data security policy. Our core principles include;
- Ownership of Data
All data, including patient health data, is owned and managed by the Power Diary user, who acts as its custodian. Permissions are tightly controlled, and users can only access, view, and transfer their own data. Power Diary ensures that only those with appropriate access rights can access data. - Patient Data Privacy
We do not sell any individual patient’s information or use it for commercial purposes. Other companies may collect, store, and sell patient data to third parties for marketing purposes, but Power Diary refrains from any such practices, and we explicitly state this commitment in our Privacy Policy. - Data Removal
If, for any reason, you decide to terminate your account with Power Diary, you can export your data and request for your data to be completely removed from our systems. This ensures that no trace of the information remains in our databases. Data removal is completed within seven days of the request. - Data Classification
We classify data based on importance, business need, and operational risk. Our data classification policy and procedures cover all information assets and any information we may have access to directly or indirectly. - Data Assets
The executive managers are ultimately responsible for their department or division’s data and information being collected and maintained. The responsibilities of the data owners include guiding the compliance team in defining data retention and destruction requirements and ensuring they are enforced. - Data Encryption
Power Diary uses TLS 1.2 to encrypt data in transit between the customer application and Power Diary servers. Databases with sensitive customer data are encrypted at rest. - Data Access
We follow the principle of least privilege through a team-based access control model when provisioning system access. Personnel access to customer data is restricted based on business needs, role and appropriate approvals.
Power Diary team members adhere to specific data handling guidelines in conformance with the commitments in Power Diary data processing cross-border agreements. There is a limited set of circumstances in which a team member may directly interact with customer data, including as necessary for legal holds, law enforcement requests, fraud investigations, troubleshooting or providing support.
To access the production environment, an authorised user must have a unique username and password, multi-factor authentication, and be connected to the Power Diary Virtual Private Network (VPN). - Credit Card Processing and PCI
Power Diary ensures that all credit card payments are processed through a secure payment gateway, compliant with the Payment Card Industry Data Security Standard (PCI DSS). This standard provides an extensive framework of security measures to protect cardholder data and ensures its secure storage, transmission, and processing.
Internal Environment
The internal operations at Power Diary are another crucial part of providing a secure practice management system that clients can rely on. Our policies include;
- Asset Management
All Power Diary assets are inventoried and documented to determine necessary security measures. Assets are reviewed regularly to ensure they meet privacy and security standards. - Infrastructure
The Power Diary production infrastructure is primarily housed in Amazon Web Services (AWS) data centres. AWS data centres are geographically diverse, with independent power grids and redundant power, HVAC and fire suppression systems. They also use state-of-the-art practices for fault tolerance at each system infrastructure level, including Internet connectivity, power and cooling. - Network Logging Monitoring
AWS Web Application Firewall manages and secures traffic while an intrusion detection system (IDS) monitors access events, security-related events, and API authentication. Alerts are sent to security team members when anomalous events are detected. Security logs are collected within a log aggregation platform. Logs are retained based on applicable regulatory requirements.
Threat Response Measures
While our main security goals are to reduce the chance of security threats, these can never be entirely eliminated. Our threat response measures provide clarity on the handling of security threats, including;
- Security Risk Management
The Power Diary Risk Assessment Policy establishes a risk management framework aligned with business objectives that provides governance on how to identify risks, assign risk ownership, assess how the risks impact the confidentiality, integrity, availability and privacy of the information, and determine the method of treatment for identified risks. - Penetration Testing
The Power Diary system is regularly tested by independent third parties to conduct application-level penetration tests to meet compliance obligations. After identifying and documenting any vulnerabilities, we establish a process for timely correction based on the risk assessment. - Incident Response
Responding to security incidents is critical to maintaining and managing the security infrastructure and compliance with laws and contractual obligations. Therefore, we maintain a security incident management program and policies aligned with the ISO 270001 requirements to manage security incidents effectively.
Power Diary’s Incident Management Team (IMT) assesses the threat of all relevant vulnerabilities or security incidents and establishes remediation and mitigation actions. - Customer Incident Notification
The Power Diary Personal Data Breach Notification Policy defines conditions under which security incidents are responded to and reported, including levels of severity and risk for various types of vulnerabilities. Power Diary notifies customers of any incident by emailing an account’s specified contact. See the Power Diary Data Protection Addendum DPA for additional details. - DDoS Prevention
In the case of a Distributed Denial-Of-Service (DDoS) attack, Power Diary has predefined incident alerts set throughout the platform, and testing is performed during annual penetration tests. Our infrastructure incorporates multiple DDoS mitigation techniques and maintains multiple backbone connections. - Workforce Education
Power Diary’s Privacy and Security Awareness training is compulsory for all team members. This includes education on identifying possible threats, identifying high-risk behaviour, and sharing and escalating concerns.
Operational Resilience
Technical and non-technical solutions are needed to ensure the continued operations of Power Diary and the provision of the Power Diary platform. Here are some of the measures we have in place;
- Business Continuity Plans
Power Diary ensures the continued delivery of our products and services by performing an annual business impact analysis (BIA) to understand business requirements, set recovery objectives, and identify gaps and areas of vulnerability.
The requirements and objectives set during the BIA inform the strategy analysis and Business Continuity Plans (BCPs), which are tested annually. - Disaster Recovery
The Power Diary Disaster Recovery Plan (DRP) provides step-by-step processes for recovering and reinstating the business operations to a pre-disaster state, including assessing the damage, estimating recovery costs, working with insurance companies when required, monitoring the progress of the recovery process, and transitioning the management of the business operations from the recovery team back to the regular managers. - Backups
We perform backups hourly into separate storage devices, and an additional separate daily backup is made to AWS S3 storage.
Backups are encrypted in transit and at rest, using strong encryption and stored redundantly across multiple availability zones and regions in AWS S3 buckets (cloud). Backup data is kept for two years. - Redundancy
Our AWS infrastructure is split into three separate availability zones. Each zone is backed by one or more physically separate data centres, with the largest backed by five.
Most of our systems automatically tolerate failures in availability zones with zero disruption or downtime. In the event of a complete failure of all the existing AWS availability zones, we estimate it would require one day to establish a new environment and restore the data. We use Terraform scripts to set up new, regularly tested environments. - Physical Security
Power Diary’s production infrastructure is housed in Amazon Web Services (AWS) data centres, secured by professional security staff with multiple physical controls at the perimeter and building access points.
AWS data centres are geographically diverse, with independent power grids and redundant power, HVAC and fire suppression systems. The AWS data centres also use state-of-the-art practices for fault tolerance at each system infrastructure level, including Internet connectivity, power and cooling.
Third-Party Management
We understand that our partners also play a significant role in our ability to provide data security for our customers, and we have processes to ensure we only work with trustworthy parties
- Vendor Risk Assessment and Management
Before engaging with any third party or vendor, or allowing third-party access to the organisation’s information or systems, the risks involved are identified, documented and vetted by Power Diary’s management.
Executive management reviews identified risks along with mitigation strategies and determines whether the risks are acceptable before engaging with vendors.
Compliance and Certifications
Data security is a complex field, and we are not so arrogant to profess to knowing everything. That’s why we believe in externally validated certifications and security standards recognised as worldwide best practices.
In 2023, Power Diary earned the coveted ISO 27001 Certification for its healthcare data security. ISO/IEC 27001 is the globally-recognised, standards-based approach to security that outlines requirements for an organisation’s information security management system (ISMS). In obtaining this certification, Power Diary has demonstrated adherence to the requirements of the ISO security framework, which an external audit has validated. Power Diary has also committed to the ongoing recertification process, which involves continuous improvement of security standards.
In addition to being ISO 27001 certified, Power Diary is fully compliant with all applicable healthcare data privacy and security laws and frameworks in the markets we serve. This includes;
- HIPAA – America’s Health Insurance Portability and Accountability Act
- GDPR – the General Data Protection Regulation (GDPR) in the UK and Europe
- The Australian Privacy Act and its principles
- PIPEDA – Canada’s Personal Information Protection and Electronic Documents Act
- POPIA – South Africa’s data protection and privacy law
- CCPA – the California Consumer Privacy Act for residents of California
These standards provide the necessary safeguards to ensure that users’ personal data is private and secure, and that the appropriate security measures are in place for processing such information. We are committed to abiding by contractual terms with our customers and service providers, and to complying with the security and privacy standards outlined above. See more about our Security and Privacy Certifications and Compliance.
Power Diary Security Downloadables
Here, we’ve prepared some key documents that can be downloaded for your reference.
ISO 27001 Certified
Download certificate
Penetration Test
Download certificate
Executive Commitment Declaration
Download policy
Patient Data Privacy and Security for
Practices Using Power Diary
Health practices using Power Diary as their practice management software have chosen a platform committed to world-class data security. Power Diary proudly holds ISO 27001 certification, a global standard for information security management systems.
How does this safeguard patients?
- World-Class Data Security: Power Diary’s ISO 27001 certification confirms our implementation of comprehensive security measures to safeguard your data from potential cyber threats.
- Trust in Your Provider: The certification is an assurance of your healthcare provider’s commitment to data security. By choosing Power Diary, they’ve selected one of just a few practice management systems globally that have successfully fulfilled the stringent requirements of ISO 27001.
- Continuous Security Enhancements: ISO 27001 certification requires that our software is subject to ongoing monitoring and regular audits, ensuring continuous protection against evolving threats. This commitment means data stored in Power Diary is always safeguarded by the latest, most effective security measures.
Protecting Your Privacy: Power Diary’s Commitment to
Clients and Patients
In addition to ISO 27001 certification, Power Diary complies with stringent privacy regulations, including The Privacy Act (AU), HIPAA (US), GDPR (UK & EU), PIPEDA (CA), POPIA (ZA) and CCPA (US, California).
What does this mean for patients?
- Respected Privacy: Power Diary’s adherence to international privacy laws ensures that your personal data is handled with utmost care.
- Data Protection Agreements: At Power Diary, we enforce legally binding agreements that clearly delineate data protection rights and responsibilities between our company and our customers. These arrangements serve as a robust framework for data protection, ensuring every piece of personal data processed is handled with protection and security as the top priority.
- Transparency: Power Diary’s compliance with privacy laws ensures full transparency, letting you know exactly how your data is stored and managed – without being used for any other purposes.
By choosing a healthcare provider who uses Power Diary, you’re opting for a service that values data security and privacy.
Increase Client Trust: Showcase Your Connection with Power Diary Using Our Embeddable Logos!
Download and Embedding Instructions
Select embed code
Select embed code
Select embed code
Select embed code
Select embed code
Select embed code
Communicating Privacy and Security with
Your Clients and Patients
As a healthcare provider, you understand how crucial security and privacy are to patients. Power Diary’s robust data protection is backed by ISO 27001 certification and rigorous adherence to privacy standards dictated by The Privacy Act (AU), HIPAA (US), GDPR (UK & EU), PIPEDA (CA), POPIA (ZA) and CCPA (US, California). We continuously monitor these standards to uphold the highest levels of data security and privacy and are subject to an annual audit to maintain ISO 27001 certification.
To help you communicate this to patients, you can use a brief explanation like,
“The security and privacy of your data is our top priority. We manage all patient data through Power Diary, an ISO 27001-certified practice management system. This ensures that your personal data is protected by software that meets the highest global standards for information security management and complies with all applicable privacy regulations.”
Or a slightly longer explanation could be something like,
“The security and privacy of your data is our top priority. That’s why we manage all patient data through Power Diary. Power Diary is ISO 27001-certified practice management software and strictly adheres to privacy regulations, including The Privacy Act (AU), HIPAA (US), GDPR (UK & EU), PIPEDA (CA), POPIA (ZA) and CCPA (US, California). Power Diary is externally audited on an annual basis to maintain ISO 27001 status, which we believe is essential for the protection of health data. Choosing software that meets the highest standards for information security management is part of our commitment to you. Learn more about how Power Diary protects your data here.
FREQUENTLY ASKED QUESTIONS
How Secure Is Cloud-Based Practice Management Software?
Cloud-based practice management software like Power Diary is designed to keep all data secure and compliant with industry regulations. Data is transmitted from your device to servers over an encrypted, secure connection. All data is stored in secure servers with built-in redundancies and backup systems.
Additionally, Power Diary has security protocols in place to protect user data, such as active system monitoring, two-factor authentication, and more. Cloud-based solutions like Power Diary are considered to be more secure than on-premise software, which is more vulnerable to network breaches, data loss and device accidents, loss or theft.
Is Power Diary ISO 27001 Certified?
Yes, Power Diary is ISO 27001 certified. This standard represents the highest level of data security standards worldwide. Power Diary is one of only a few health practice management software companies in the world to obtain this certification.
Is Power Diary HIPAA Compliant?
Yes, Power Diary is HIPAA compliant. HIPAA is the US Health Insurance Portability and Accountability Act. This requires companies that deal with protected health information to have appropriate physical, network, and process security measures in place.
Is Power Diary GDPR Compliant?
Yes, Power Diary is GDPR compliant (the General Data Protection Regulation) for both GDPR UK and GDPR EU. This is widely thought to be the world’s strongest set of data protection rules, which enhance how people can access information about themselves and places limits on what organisations can do with personal data.
Is data encrypted in Power Diary?
Yes, Power Diary uses encryption and other cryptographic controls to protect sensitive information.
For data in transit, the connection between your browser and our servers is protected so that information transferred is encrypted using 256-bit SSL technology. This prevents others from intercepting and reading any information during transit. We also use a Domain Validated Security Certificate, which provides extra protection against someone attempting to impersonate our site.
For data at rest, Power Diary encrypts this data and stores and manages encryption keys. Encryption tools and products are configured using industry best practice encryption strength to protect data at rest.
Our internal Key Management and Cryptography Policy govern our encryption. This policy establishes requirements for selecting cryptographic keys, managing keys, assigning key strengths and using and managing digital certificates.
Secure Your Healthcare Data with Power Diary
At Power Diary, we’re known for our commitment to patient data privacy and security. We understand the importance of keeping healthcare data secure and our enhanced security measures and compliance with various regulatory requirements demonstrate our continuous commitment to providing a secure platform for our customers – now and always.
With Power Diary, you can have peace of mind knowing that your healthcare data is being safeguarded by industry-leading security measures. Secure your healthcare data with Power Diary today and take advantage of our reliable and secure practice management software, loved by practitioners worldwide.If you have any questions or would like to learn more about our security processes, please contact us anytime. We’re here to help!
Awards and Recognition
