Information Security Policy
Medipass Solutions is committed to optimising its information security performance consistent with our risk appetite. In providing services to our clients, Medipass Solutions has access to their information and we expect that all staff and contractors have a clear understanding of their information security obligations. Medipass Solutions also has its own information much of which needs to be secured to enable the business to operate effectively.
As a medical insurance claims software developer for our clients, Medipass Solutions is committed to industry standards for the development lifecycle and the incorporation of information security into each phase of this lifecycle. We will ensure that information security is a key element of this lifecycle and of our ongoing client servicing.
To assist us in assuring our information security performance, Medipass Solutions is committed to the implementation, maintenance and continual improvement of our Information Security Management System. Medipass Solutions is compliant and certified to ISO 27001.
The purpose of this ISMS and this policy is to achieve the following objectives:
- Confidentiality – ensuring that information is not made available or disclosed to unauthorised individuals, entities or processes;
- Integrity – maintaining the consistency, accuracy and trustworthiness of information over its entire life cycle;
- Availability – ensuring that information is both accessible and usable upon demand by an authorised party.
Medipass Solutions is committed to ensuring that its ISMS is capable of meeting owners’, clients’ and legal requirements for information security. To achieve this end, Medipass Solutions is fully committed to the recruiting and skilling of its staff to deliver information security outcomes that are consistent with our risk appetite.
Health and payments information is sensitive and our users have an expectation of privacy and confidentiality over the data we process. We believe that our platform should be safe, secure and provide a high integrity of service. To fulfil this, we treat security, privacy and processing integrity as our top priority.
- We only store information necessary for providing our services and only for the period required to meet operational or regulatory responsibilities.
- Sensitive, private and confidential health information is processed and stored exclusively in Australia.
- Payment card details are encrypted and hosted on an audited, PCI compliant, system.
- Health account information is protected through an advanced tokenisation system, similar to that employed by leading banks and payment processors.
- Data is encrypted end to end through strong TLS ciphers which provide protection beyond SSL.
- Our hosting partners abide by best practice security frameworks including: ISO27001, Australian InfoSec Registered Assessors Program (IRAP), SOC 1, SOC 2 and PCI DSS.
- We are internally guided by leading risk, security and privacy control guidance including ISO27001, OWASP secure coding guidelines, AS4360 and the Royal Australian College of General Practitioners standard on management of health information and privacy.
- We undergo regular independent auditing and employ subject matter experts across our security framework to identify potential issues and to enhance control effectiveness.
Have questions about security or privacy? Contact us at firstname.lastname@example.org.
Have an issue to report or want to send an encrypted message? Find our encryption key below.
Responsible disclosure of security vulnerabilities
If you’ve discovered a security vulnerability in our platform or service, please email us at email@example.com. We will respond promptly, usually within 24 hours. To help us resolve the issue quickly, please follow these guidelines when reporting:
- provide Medipass with full details of the discovered issue;
- in the best interests of our users and their data, please do not publicly disclose the issue until it has been addressed by Medipass;
- never purposely disrupt services for other users;
- never attempt to access or modify data from other users; and
- to keep everyone safe, please act in good faith towards our users’ privacy and data during your disclosure.
We won’t take legal action against you or administrative action against your account if you act accordingly.
Although we do not have a security “bounty program”, we’ll make best endeavours to recognise your goodwill. You’ll also gain our praise and #madrespect.
Our GPG / PGP key is as follows. You may use this key to encrypt your communications with Medipass.
Key identifier: E519747D
Key type: RSA
Key size: 4096
Public keyservers: hkps://hkps.pool.sks-keyservers.net
-----BEGIN PGP PUBLIC KEY BLOCK-----
-----END PGP PUBLIC KEY BLOCK-----