Medipass Security

Security responsibilities

Health and payments information is sensitive, and our users have an expectation of privacy and confidentiality over the data we process. We believe that our platform should be safe, secure and provide a high integrity of service. To fulfil this, we treat security, privacy and processing integrity as our top priority.

Control framework

  • We only store information necessary for providing our services and only for the period required to meet operational or regulatory responsibilities.
  • Payment card details are encrypted and hosted on an audited, PCI compliant, system.
  • Health account information is protected through an advanced tokenisation system, similar to that employed by leading banks and payment processors.
  • Sensitive information is encrypted end to end through TLS ciphers which provide protection beyond SSL.
  • Our hosting partners abide by best practice security frameworks including: ISO27001, Australian InfoSec Registered Assessors Program (IRAP), SOC 1, SOC 2 and PCI DSS.
  • We are internally guided by leading risk, security and privacy control guidance including ISO27001, OWASP secure coding guidelines, AS4360 and the Royal Australian College of General Practitioners standard on management of health information and privacy.

Have questions about security or privacy? Contact us at security@medipass.com.au.

Have an issue to report or want to send an encrypted message? Find our encryption key below.

Responsible disclosure of security vulnerabilities

If you’ve discovered a security vulnerability in our platform or service, please email us at security@medipass.com.au. We will respond promptly, usually within 24 hours. To help us resolve the issue quickly, please follow these guidelines when reporting:

  • provide medipass with full details of the discovered issue;
  • in the best interests of our users and their data, please do not publicly disclose the issue until it has been addressed by medipass;
  • never purposely disrupt services for other users;
  • never attempt to access or modify data from other users; and
  • to keep everyone safe, please act in good faith towards our users’ privacy and data during your disclosure.

We won’t take legal action against you or administrative action against your account if you act accordingly.

Although we do not yet have a security “bounty program”, we’ll make best endeavours to recognise your goodwill. You’ll also gain our praise and #madrespect.

Encryption

Our GPG / PGP key is as follows. You may use this key to encrypt your communications with medipass.

Account: security@medipass.com.au

Key identifier: 21223548

Key type: RSA

Key size: 4096

Public keyservers: hkps://hkps.pool.sks-keyservers.net, https://pgp.mit.edu


Thanks to the team at Lookout, Inc. for providing the above reference on security disclosures.