| R1 | Misconfigured access / API exposure. | Unauthorized party gains access to PHI | Privacy breach, fines | - Penetration Testing: Undergoes regular third-party penetration testing to validate security controls.
- Data Encryption: Encrypts data both at rest and in transit.
- Authentication Protocols: Supports secure authentication protocols for secure access.
- RBAC: Provides fine-grained role-based access control (RBAC).
|
| R2 | Platform outage or network failure | User unable to retrieve or input critical data | Delay in diagnosis or treatment | Extra Horizon has implemented a set of controls to avoid outages and ensure quick recovery when distasters do take place. - High-Availability Architecture: Ensures robust system reliability.
- Disaster Recovery Testing: Regular tests for guaranteed business continuity.
- 24/7 Monitoring and Support: Continuous oversight and on-call engineering support.
- ISO 27001 Certification: Adherence to certified security management standards.
- Service Level Agreement (SLA): Clear, transparent commitments to meet client needs.
|
| R3 | Sync bug or corrupted database | Inconsistent or incorrect patient data | Misdiagnosis, incorrect treatment | In order to ensure data integrity and seamless operations, it is crucial to implement comprehensive disaster recovery strategies. These strategies should encompass several key components: - Platform Logging: Accurate and consistent logging to monitor system performance and identify issues promptly.
- Well-defined RTO & RPO Objectives: Clearly established Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) to guide recovery efforts and minimize downtime.
- Disaster Recovery Plans: Detailed plans that outline specific procedures during a disaster to ensure business continuity.
- Primary & Secondary Backup Locations: Designation of multiple geographic locations for data backups to safeguard against local failures.
- Backup Management Procedures: Systematic processes for managing backups, including regular testing and validation to guarantee data can be restored quickly.
|
| R4 | Vendor updates API or backend silently | Dependent system fails or behaves unexpectedly | Unreliable performance, clinical interruption | Extra Horizon has the following controls in place to assure correct change management: - Versioning: Strict semantic version included in the SLA
- Development Lifecycle: IEC62304 compliant software development & verification methodology
- Source Code Management: Code reviews & branch protection rules
|
| R5 | Platform lacks detailed or timestamped logs | Inability to trace user actions | Regulatory non-compliance, inability to investigate | The following controls are in place to ensure auditability and traceability towards user and administrative interactions: - API Interactions: All interactions with the Extra Horizon platform occurs trough our REST API and is logged.
- Audit Trails: Audit trails are enabled and coded into the infrastructure to ensure traceability of actions and changes in each dedicated cluster.
|
| R6 | Vendor ceases operation or deprecates services | Service unavailable permanently | Permanent data loss or app breakdown | The Contract with the OTS Cloud supplier contains the following controls: - Continuity License: Commercial continuity clause in case of insolvency
- EOL clauses and general support: Clear end of support and end of life process with a large window to provide the client to adjust or modify services as required.
- Transitioning clauses: Transition services & transition planning
- Data Access Tooling: API access for data exports
|
| R8 | Platform backend is a black box | Cannot fully verify safety or performance | Unidentified faults in clinical use | Extra Horizon has proper procedures and processes in place to safely operate and manage the provide cluster to it's customers: - Compliant Management System: Extra Horizon is audited by third parties and can prove compliance with it's ISO13485, ISO27001 and IOS27701 certificates.
- Software Verification & Validation: Provide compliant documentation and test reports;
|
| R9 | Vendor slow to respond to incidents | Long MTTR impacts clinical decisions | Delayed recovery and system unavailability | Extra Horizon has a compliant business continuity management procedure in place to ensure uptime: - Incident Management: Incident management procedure
- Business continuity: Frequent disaster recovery planning & testing
- 24/7 Monitoring and Support: Continuous oversight and on-call engineering support.
- Well-defined RTO & RPO Objectives: Clearly established Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) to guide recovery efforts and minimize downtime.
|