One of our greatest responsibilities at Medipass is ensuring the information that we manage is secure and confidential. We make this responsibility a priority and are committed to remaining an industry leader in this space.

What we do to protect information

In order to deliver a service that meets our high expectations for information security, we employ a range of policies and processes specifically designed to ensure a high level of security, and to keep it there.

1. We are ISO 27001 Certified
   ISO 27001 is the leading international standard for Information Security. You can view our independent certification here.
2. Data is stored in Australia
   Sensitive, private and confidential health information is processed and stored exclusively in Australia. Further, all Medipass staff are physically located in Australia.
3. Data is tokenised and encrypted end to end
   We encrypt data in transit and data at rest using strong, modern ciphers. Further, payment card details and health account information is protected through an advanced tokenisation system, similar to that employed by leading banks and payment processors.
4. We only store what is needed
   We only store information necessary for providing our services and only for the period required to meet operational or regulatory responsibilities.
5. Our partners meet our high expectations
   Our hosting partners abide by best practice security frameworks including: ISO27001, Australian InfoSec Registered Assessors Program (IRAP), SOC 1, SOC 2 and PCI DSS.
6. Regular audits and testing
   We undergo regular independent auditing and testing, and employ subject matter experts across our security framework to identify potential issues and to enhance control effectiveness. 

You can read more about how we collect, store, use and disclose personal information at our Privacy Policy.

Medipass is committed to optimising our information security performance consistent with our risk appetite. In providing services to our clients, Medipass Solutions has access to their information and we expect that all staff and contractors have a clear understanding of their information security obligations. Medipass also has our own information much of which needs to be secured to enable the business to operate effectively.  

As a medical insurance claims software developer for our clients, Medipass is committed to industry standards for the development lifecycle and the incorporation of information security into each phase of this lifecycle. We will ensure that information security is a key element of this and our ongoing client servicing.

To assist us in assuring our information security performance, Medipass is committed to the implementation, maintenance and continual improvement of our Information Security Management System. Medipass will assure the ISMS through seeking compliance with and certification to ISO 27001. The purpose of this ISMS and this policy is to achieve the following objectives:

• Confidentiality – ensuring that information is not made available or disclosed to unauthorised individuals, entities or processes; 
• Integrity - maintaining the consistency, accuracy, and trustworthiness of information over its entire life cycle; 
• Availability – ensuring that information is both accessible and usable upon demand by an authorised party. 

Medipass is committed to ensuring that our ISMS is capable of meeting owners, clients and legal requirements for information security.  To achieve this end, Medipass is fully committed to the recruiting and skilling of its staff to deliver information security outcomes that are consistent with our risk appetite.

If you’ve discovered a security vulnerability in our platform or service, please email us at security@medipass.com.au. We will respond promptly. To help us resolve the issue quickly, we request that you:

• provide Medipass with full details of the discovered issue;
• in the best interests our users and their data, please do not publicly disclose the issue until it has been addressed by Medipass;
• never purposely disrupt services for other users;
• never attempt to access or modify data from other users; and
• to keep everyone safe, please act in good faith towards our users’ privacy and data during your disclosure.

We won’t take legal against you or administrative action against your account if you act accordingly.

Although we do not have a security “bounty program”, we’ll make best endeavours to recognise your goodwill.