Learn all about our setups

Information Governance Policy

The purpose of Information Governance is to ensure that the confidentiality of patient information and compliance to information governance is built into the design of the 3DnetMedical service provided to healthcare professionals. Information governance and security underpins 3DnetMedical and, as an organisation, Biotronics3D strives to achieve excellence in the services we provide.

Policy

Information Governance is an umbrella term for the following key components central to their existing arrangements, in summary:

  • Security Effectiveness
  • Security Audit
  • Incidents and Complaints
  • User/Patient Involvement
  • Risk management
  • Patient Information

The existing arrangements for Information Governance within Biotronics3D are:

  1. Individual responsibilities for Information Governance:
    • Biotronics3D’s Chief Executive has overall accountability for all governance, both information and corporate arrangements within Biotronics3D.
    • The Operations Manager is responsible for ensuring the implementation and monitoring of a clear and robust information governance framework.
    • The Director of Operations is responsible for providing leadership and supporting developers and individuals with information governance.
  2. Board responsibilities for Information Governance:
    • Biotronics3D Board: Has the overall responsibility for ensuring that Biotronics3D has robust information governance arrangements in place.
    • Integrated Governance Committee: A sub-committee of the Biotronics3D Group Board, the Integrated Governance Committee (including the Director of Operations) must provide assurance that there are robust information governance arrangements being implemented across the company.
    • The Director of Operations is responsible for providing leadership and supporting developers and individuals with information governance.
  3. A programme of quality improvement activities:
    • Full information security policy audit
  4. Procedures in place to identify and remedy poor performance:
    • Monitoring of service uptime and security alerts.
    • Systems in place to identify, manage and reduce where possible risks to information security, compliant with ISO 14971 standards.
    • Incident reporting (including accidents/ concerns/ near misses) to identify adverse events.
    • Effective complaints procedures in place.

Biotronics3D achieves the Information Governance Agenda by:

  • Bi-monthly management reviews, and quarterly (Group) Board Reviews.
  • Achievement of compliance with external accreditation bodies such as the BSi Group.
  • The User’s experience is monitored through direct customer relations. Issues that arise are addressed via the Bi-Monthly Management Review.
  • When required, review investigation and analysis of information governance and security related incidents as identified by:
    • IG and corporate risk assessments.
    • Reporting of incidents.
    • Customer complaints.
  • Support of information governance and security innovation.
  • The Information Governance and Security Audit programme.
  • Effective Complaints System.

Quality Management System

Biotronics3D operates under ISO 13485:2003 (quality management system); audited by BSi and an external auditor annually. Biotronics3D complies with ISO 62304 (medical software development) and incorporates ISO 14971 (risk analysis) into product developments.

All Biotronics3D products and operations conform to industry standards including CE Annex II of directive 93/42/EEC, DICOM, HL7 and IHE.

3DnetMedical aims to deliver a fast, secure and reliable way to share information between disparate locations. Usually, healthcare providers can extend the imaging network’s resources by adding VPN; connecting consultants from remote locations to the imaging network securely and reliably.

Today faster and more reliable services are available at lower costs than VPN – technologies that use standard internet communications ports without sacrificing performance and security. The 3Dnet Gateway transmits case data to a regional data centre; so that information is available to users securely through any internet browser.

Secure data centers

Our public cloud service is collocated in dedicated spaces at top-tier data centers. These facilities provide carrier-level support, including:

Access control and physical security

  • 24-hour manned security, including foot patrols and perimeter inspections.
  • Dedicated concrete-walled Data Center rooms.
  • Computing equipment in access-controlled steel cages.
  • Video surveillance throughout facility and perimeter
  • Building engineered for local seismic, storm, and flood risks.
  • Tracking of asset removal.

Environmental controls

  • Humidity and temperature control.
  • Redundant (N+1) cooling system.

Power

  • Underground utility power feed.
  • Redundant (N+1) CPS/UPS systems.
  • Redundant power distribution units (PDUs).
  • Redundant (N+1) diesel generators with on-site diesel fuel storage.

Network

  • Concrete vaults for fiber entry.
  • Redundant internal networks.
  • Network neutral; connects to all major carriers and located near major Internet hubs.
  • High bandwidth capacity.

Fire detection and suppression

  • VESDA (very early smoke detection apparatus).
  • Dual-alarmed, dual-interlock, multi-zone, pre-action dry pipe water-based fire suppression.

Network protection

  • Perimeter firewalls and edge routers block unused protocols.
  • Internal firewalls segregate traffic between the application and database tiers.
  • Intrusion detection sensors throughout the internal network report events to a security event management system for logging, alerts, and reports.
  • A third-party service provider continuously scans the network externally and alerts changes in baseline configuration.

Disaster Recovery

  • The 3DnetMedical service performs real-time replication to disk at each data center, and near real-time data replication (usually performed after hours) between the production data center and the disaster recovery repository.

Security Monitoring

  • Our Information Security department monitors notification from various sources and alerts from internal systems to identify and manage threats.

Key Principles, Standards and Purposes of Sharing Information

This section of the document sets out the top level commitment by Biotronics3D that covers the sharing of personal information via the 3DnetMedical platform and Biotronics3D’s adherence to the principles, standards and directions defined within it. 3DnetMedical aims to facilitate a consistent, reliable approach to sharing of accurate information in a timely manner that will benefit stakeholders and their services whilst protecting the privacy of the persons the information is about. Biotronics3D will constantly review internally as industry principles and underlying technologies continue to evolve, when there is a change in governing legislation, or at the request of any organisation using the document if there is a concern over the document’s fitness for purpose.

Purpose and Benefits of Sharing Information

3DnetMedical makes use of industry leading technologies to make sensitive data easily accessible to authenticated users for diagnostic review whilst removing all dependence on software and hardware. Biotronics3D sees this as a key enabler for the provision of effective services, particularly where a co-ordinated approach across a distributed network is required to make decisions in a timely manner. The 3DnetMedical service, Biotronics3D and their select data centre partners are focussed on managing information sharing services to the highest industry standards and to maintain a secure environment in which to review sensitive patient information. By constant revision and development of systems, operations and policies, we strive to address the evolving privacy concerns of all stakeholders while limiting any potential loss of data or confidentiality breach.

Overview of Sharing via 3DnetMedical

Biotronics3D has taken a number of measures to ensure the protection of sensitive patient information, ensuring all information acquisition and releases are securely controlled:

  • Access is granted only to authenticated named users with a username and password.
  • Authentication uses the highest industry standards – VeriSign 256-bit SSL extended validation.
  • While images and associated reports are viewed, no data is downloaded locally / to the client.
  • All users and events are fully audited while using the system.
  • Data is stored on a redundant architecture and is encrypted at rest.
  • 3Dnet Gateway’s transmission protocol, between the cloud and institution, uses 2048-bit encryption.
  • 3Dnet Gateway manages an intelligent connection that detects and recovers from faults in the line ensuring data in transit is moved losslessly and data quality remains fully diagnostic.
  • The 3Dnet Gateway only moves a copy of data; with a copy of data still residing on-site.

The Terms and Conditions, Acceptable Use Policy & Privacy Policy can be found on the footer of the 3Dnet Medical login page website (www.3dnetmedical.com) and at the end of this document. Terms and Conditions Acceptable Use Policy Privacy Policy.

Patient Confidentiality and Disclosure Control

Biotronics3D provides a trusted and independently authenticated service and maintaining patient confidentiality is a fundamental principle of Biotronics3D. We comply with the highest industry standards and are internationally accredited. Biotronics3D also takes further steps to avoid disclosure (when confidential information about a person/body is released, either directly or indirectly, in breach of public trust or legal obligations) through the novel mechanisms encompassed by the 3DnetMedical service. As a data controller, 3DnetMedical will accept and display DICOM images that are sent to it from a particular site and makes it available to relevant physicians. It will also accept HL7 messages and other information associated with a particular case. The level of detail presented to the user is entirely up to the hospital. Various permissions can be set at a user level in order to manage what a specific user accesses. Biotronics3D and its data centre partners are both compliant with ISO27000 and ensure robust, up-to-date security arrangements are in place. The 3Dnet Gateway ensures that data is encrypted to the highest industry standards during collection and transit. Data stored in the cloud is also encrypted at rest. Typically a new case is cached for 30 days although shorter terms can also be defined and long term archiving is an available service. Timely access to this information is critical to authenticated users and Biotronics3D balance this with high levels of security to ensure prompt diagnosis. At no point does data move out of the cloud, and no residual data remains with the client following disconnection. While Biotronics3D has taken the necessary steps to ensure the highest levels of security and full compliance with industry standards for data residing with Biotronics3D at its data centre partners, the responsibility of log in details lies with the user, as set out in the Terms & Conditions. Data that is moved out of the secure environment provided by Biotronics3D explicitly by the user (to PACS for example) is no longer the responsibility of Biotronics3D who cannot be held accountable for it (as set out in the company liability insurance that covers Biotronics3D from such risks and requirements). It remains the user's responsibility to ensure that use of the 3DnetMedical service complies with local clinical governance policy.

Key principles of Sharing Clearly Identifiable Data

Key principle - inclusion of any data that might identify an individual must be justified and agreed as both necessary and proportionate to achieve the purpose(s).

  1. Diagnostic cases are shared in the vital interest of the individual and only with the physician responsible for their care.
  2. Cases are shared with implied consent, as it would not be feasible to get the consent of the individual in the majority of cases, particularly stroke, where gaining consent might delay a clinical decision.
  3. Biotronics3D works within the rigid framework and legislation regarding the duty to share, related to the purposes covered by the specific protocol which makes consent unnecessary. Terms and Conditions Acceptable Use Policy Privacy Policy.

Anonymous Data Used by Biotronics3D

Biotronics3D regularly monitors the usage and user statistics of 3DnetMedical. The data does not in any way identify individuals or patient identifiable information, just the collated usage information (number of users per organisation, number of cases per month, breakdown of cases by modality, etc.).

Legislation, Standards and Guidance

Data Protection Act 1998

3DnetMedical shares personal/sensitive individual information in a fair and lawful way, sharing only necessary data. The legal basis for sharing is set out in the Data Protection Act (1998), common law duty of confidentiality and the Human Rights Act (1998). Lawful sharing usually requires consent from the individual, unless there is a legal power to share information where sharing without consent can be justified by a robust public interest, or in the vital interests of an individual. Vital interests are related to conditions in the Data Protection Act (1998) and are recognised practice in the common law of confidentiality. In addition sharing must be ‘fair’ by ensuring the subject is aware of what is being shared and for what purpose. Schedule 3 of the Data Protection Act, “Conditions relevant for purposes processing of sensitive personal data”, section 8, “the processing is necessary for medical purposes by a person who in the circumstances owes a duty of confidentiality which is equivalent to that which would arise if that person were a health professional”, justifies the disclosure of patient information to the privy physician, facilitated by the 3DnetMedical platform.

Justifications and related purposes for sharing

Overall purpose(s): Initial justification (DPA based) Initial level of identity
Delivering routine care and treatment across agencies Consent of the individual. Between healthcare providers this can be implicit Identifiable data generally required
Delivering care and treatment across agencies where the failure to do so effectively carries significant risk of avoidable substantial harm to individual(s). If gaining consent would delay or put individuals at increased risk, can be shared on the basis of ‘vital interests’ of the individual(s). Identifiable data generally required
Monitoring and improving 3DnetMedical services Based on legitimate management of healthcare services, Biotronics3D actively monitors its systems and operations to ensure uptime and service levels are maintained. Identifiable data generally required

Data Protection Compliance & ‘Caldicott’

Biotronics3D has endeavoured to address the responsibilities set out to assure compliance to the stringent framework and principles.

Justification of the purpose

3DnetMedical allows the creation of a virtual site that is essentially an extension of the Trust. Unlike VPN or CITRIX clients, 3DnetMedical delivers images in full diagnostic quality, reducing the chance of missed ROIs. The data transfer mechanism is as secure, if not more, delivered by establishing an encrypted, SFTP connection between your Trust and the virtual site. Data is encrypted at rest. When being viewed, data is encrypted with the highest Verisign levels available. Upon viewing, no data is downloaded to the client – the data is never moved out of the data centre. If the connection is severed, no data remains with the client. These mechanisms allow the physician to connect with sensitive patient information to which they are privy, in a secure, timely manner; aiding accurate, timely decision making

Don’t use patient-identifiable information unless it is absolutely necessary

Biotronics3D is simply an enabler and data controller, and staff have limited access to identifiable patient information. Those that do will only access this level with explicit consent. No patient identifiable information other than the DICOM header information is shared. However, each Trust can set the level of individual user access to patient-identifiable information for each of its virtual sites, and it is up to the Trust to define a level that reflects its internal policies.

Use the minimum necessary patient-identifiable information

Biotronics3D only manages the minimum required patient information provided by DICOM header data. No data is collected / held with Biotronics3D. DICOM data is read by the system through automated rules defined by the user, to 1) automate the workflow in accordance with user needs – e.g. a user may set up hanging protocol rules to display case types in a specific way, for instance “for all MR” + “display series 1 on left” + “display series 2 on right”. 2) So that patient information is returned to the Trust after being read and/or reported, and is properly archived.

Access to patient-identifiable information should be on a strict need to know basis

All user accounts are individually authenticated before their account details are registered and associated to a particular virtual site. Users will only have access to the site they are associated with. Virtual sites can represent an individual user, or organisation. In addition, user permission can be set individually as recommended by the Trust (Stop Access, Can Upload, Can Download, Can Delete, Transfer Study, View Patient Info). An admin can thereby set individual user permissions as to whether or not they are able to view patient information, in line with the Trust’s policies.

Everyone should be aware of their responsibilities

3DnetMedical acts as a secure broker of the information, enabling diagnosis by connecting sensitive patient information with the clinical skill in a timely, secure manner. We have taken every precaution to protect patient privacy. We will follow the organisation objectives and provide an administrative account for each Trust to view (and amend) user permissions as appropriate.

Understand and comply with the law

The 3DnetMedical system has been fully accredited and compliant to both US and European laws and standards of patient information management. Terms and Conditions Acceptable Use Policy Privacy Policy.

Justifications and related purposes for sharing

Caldicott Principle Biotronics3D Adherence
Organisations must actively inform individuals of how their information may be used and to whom it may be disclosed by provision of literature and through contact with staff. It must highlight their rights to access, withhold and correct information and provide details of the process for individuals to access their records. Biotronics3D acts as the data processor with no identifiable patient information accessed by the company. Biotronics3D, through 3DnetMedical, aims to provide a method of connecting the clinical professional with meaningful patient information pertinent to them. 3DnetMedical acts as a short term repository of images for reading and reporting, hence the rights to access, withhold and correct information lies with the user of the system.
Organisations must complete and maintain a Data Protection notification detailing all sources, subjects, purposes and disclosures relevant to their business and partnerships under any agreement. Biotronics3D audits all user actions and data movements in the 3DnetMedical system, and can provide these records to hospital staff.
Organisations must maintain the accuracy and clarity of data they supply to aid usefulness and consistent interpretation. Where necessary, partner organisations will be informed of any changes to the data they have received and also notify the source of any error they discover. All data entering the 3DnetMedical database is maintained to the highest levels of accuracy. Biotronics3D endeavours to provide an environment where the information is delivered in a useful, consistent and clear manner that is quickly interpretable.
Organisations must ensure that collection and sharing of information is necessary and proportionate to the purpose(s), and neither excessive or inadequate. As a data controller, 3DnetMedical will accept and display DICOM images that are sent to it from a particular site and makes it available to relevant physicians. It will also accept HL7 messages and other information associated with a particular case. The level of detail presented to the user is therefore entirely up to the hospital. Various permissions can be set at a user level in order to manage what a specific user accesses.
Organisations must maintain the confidentiality of data in any form, during collection, transmission and storing with appropriate security arrangements, improving to general compliance with ISO27000. Biotronics3D and its data centre partners are both compliant with ISO27000 and ensure robust, up-to-date security arrangements are in place. The 3Dnet Gateway ensures that data is encrypted to the highest industry standards during collection and transit. Data stored in the cloud is also encrypted at rest.
Organisations will apply relevant regulations to the retention & disposal of records, only keeping information for as long as is necessary in relation to the original purpose(s) for which it was collected. 3DnetMedical typically acts as a short-term repository for diagnostic cases and will purge a study after 30 days of being imported (longer term archiving is available). Each specific imaging department can easily define the length of time a case may stay in the cloud, down to 24 hours.
Organisations will ensure all staff are educated to manage information appropriately in line with these principles and organisational policy on the collection and uses of information, supported by terms of employment. Information should only be accessed and shared where there is a ‘need to know’, justified either by consent or another legal basis for sharing the information The 3DnetMedical system is completely self contained and Biotronics3D staff will not access information from any site unless explicitly asked to do so, or if a problem arises and such information is required to find a solution. In the latter case, only Biotronics3D engineers who have consent and are educated to manage the information properly will do so.
Organisations will ensure that any 3rd parties providing a service to them agree and abide by these principles by inclusion in contracts/agreements Biotronics3D seeks out trusted data centre partners to host the 3DnetMedical solution. Biotronics3D has stringent processing in place to ensure that any 3rd party services providers are compliant with the necessary laws and accredited.
Organisations will have processes/systems for recording wishes/restrictions on information expressed by individuals. 3DnetMedical has a unique user interface which allows the user sharing information to restrict what details are seen by another party. Because the information is static and the system manages access to cases, rather than sending cases to the client, this can be done very well and very securely.

Data Controller / Processor

Biotronics3D is registered as a data controller by the Information Commissioner. Biotronics3D abides by the principles which govern the care and use made of personal data. Biotronics3D registration can be found using registration number z2816970.

International Accreditation

Biotronics3D security systems are FDA Approved and support the IHE ATNA profile for secure exchange of healthcare information and auditing of events. Systems comply with UK DoH and HIPAA standards and HITECH Act security and privacy requirements. Biotronics3D works with carefully selected data centre partners accredited to provide system, operational and physical security of data. In addition, their data centre partners provide skilled 24x7x365 technical support, service level monitoring and practice at the highest level of security, environmental control, power and cooling with identification access, physical guarding, integrated digital surveillance & CCTV, intruder detection with perimeter fencing, fire detection and suppression systems to LFCDA approval, UPS and backup generators at all sites. They are accredited with the following ISO Standards:

ISO 27001 for Information Security Management

ISO 27001 is the internationally recognised security standard that comprehensively defines the requirements for establishing, implementing and documenting an effective information security management system. ISO 17799 is now established as the de facto standard for information security. Along with the BS7799 information security management standard, the ISO 17799 and accompanying series’ will fall under the banner of ISO 27001.

ISO 9001 for Quality Management

ISO 9001 provides a set of standardised requirements for a quality management system. Although certification is not a compulsory requirement of the standard, it provides a tried and tested framework for taking a systematic approach to managing organisational processes to consistently meet customer expectations.

ISO 14001 for Environment Management Systems

ISO 14001 applies to environmental aspects over which the organization has control and influence and is the cornerstone of the ISO 14000 series (implementing, maintaining and improving an environmental management system; assure conformance with stated environmental policy; and ensure compliance with environmental laws and regulations). Terms and Conditions Acceptable Use Policy Privacy Policy

3DnetMedical.com has privacy and security-conscious policies that apply to all of our information handling practices.

  • Contractual Privacy Protection for Customers
    • Biotronics3D's contracts include confidentiality provisions that prohibit us from disclosing customer confidential information, including customer data, except under certain narrowly defined circumstances, such as when required by law.
    • Biotronics3D agrees not to access customer's accounts, including customer data, except to maintain the service, prevent or respond to technical or service problems, at a customer's request in connection with a customer support issue, or where required by law.
  • Code of Conduct, Confidentiality Agreements, and Information Security Policies
      Every Biotronics3D employee and contractor must follow the Biotronics3D code of conduct, sign confidentiality agreements, and follow the Biotronics3D information security policies.
  • Privacy Statement
    • For information collected on 3DnetMedical.com's Web site, Biotronics3D provides assurances around the types of information collected, how that information may be used, and how that information may be shared.
    • Biotronics3D offers individuals the opportunity to update or change the information they provide.

Practices

Biotronics3D comprehensive privacy and security program includes communicating with personnel and customers about current issues and best practices.

  • Internal Training and Communications for Biotronics3D Personnel. Biotronics3D regularly communicates with our personnel about our obligation to safeguard confidential information, including customer data and personal information.
    • Biotronics3D provides training around confidentiality, privacy, and information security for all new employees during its monthly new hire orientation.
    • All Biotronics3D personnel are required to complete an annual privacy and security training and are tested on the materials presented.
    • Biotronics3D communicates with all personnel about privacy and information security awareness through monthly newsletters.
  • Customer End User Awareness

    Biotronics3D strongly encourages all of our customers and users to adopt industry-standard solutions to secure and protect their authentication credentials, networks, servers, and computers from security attacks.

    • We communicate with our customers about current issues and trends through our Trust web site.
    • We email end users about specific security issues when warranted.

Default Privacy and Security Features

  • Application features that protect customer data:
    • Connection to the 3DnetMedical.com service is via secure socket layer/transport layer security (SSL/TLS), ensuring that our customers have a secure connection to their data. Individual user sessions are uniquely identified and re-verified with each transaction.
    • Customers passwords are not accessible by Biotronics3D personnel.
    • Application audit logs record the creator, last updater, timestamps, and originating IP address for every record and transaction completed.
  • Logical separation of customer data:
    • Hardware and software configurations are designed to provide secure logical separations of customer data that permit each customer to view only its related information.
    • Multitenant security controls include unique, non-predictable session tokens, configurable session timeout values, password policies, sharing rules, and user profiles.
  • Network security measures:
    • Multiple layers of external firewalls
    • Intrusion-detection sensors
    • Security event management system
    • Continuous external vulnerability scanning
  • Redundancy and Scalability

    The 3DnetMedical.com service is highly scalable and redundant, allowing for fluctuation in demand and expansion of users while greatly reducing the threat of long-term outages. Load-balanced networks, pools of application servers, and clustered databases are features of our design.

  • Disaster Recovery

    All customer data is stored in secure data centers and is replicated over secure links to a disaster recovery data center. This design provides the ability to rapidly restore the salesforce.com service in the case of a catastrophic loss.

  • Customer-Controlled Privacy and Security Settings
    • Customers may determine which of their respective designees can access different categories of data.
    • Customers may define log-off times for inactivity.

3dnet has comprehensive privacy and security assessments and certifications performed by multiple third parties.

  1. FDA
  2. CE CLASS IIa
  3. ISO 13485:2003
  4. HIPPAA
  5. Data Protection Act (1998)
  6. UK Caldicott Principle
  7. ISO 2007 (Compliance)
  8. ISO 62304 (Compliance)
  9. ISO 14971 (Compliance)