Security
Halo Connect replaces the model of one client per integrator per practice with a single, reliable integration. Through this, we aim to drive innovation in digital health by lowering the barrier to entry for solutions to integrate with Best Practice Software on-premise databases and reduce the burden on medical practice infrastructure.
The security and privacy of medical practice data is at the core of everything we do. The following outlines Halo Connect’s security practices and the shared responsibilities of Halo Connect, medical practice staff, and integrators using Halo Connect with regards to the security of patient data. It also details how customers can request more information and how to report a vulnerability.
Privacy Policy
To review Halo Connect’s privacy commitment, please see the Halo Connect Privacy Policy.
Security overview
- We do not inspect your queries or retain the data transferred -- Halo Connect is strictly a courier.
- All data stays in Australia, as Halo Connect's cloud APIs are hosted on Australian-based Microsoft Azure servers.
- Halo Link requires .NET Framework 4.8 in order to use TLS 1.3, and auto-updates to ensure you always have the most secure version.
- Every practice and integrator who uses Halo Connect is identified by an ID and key pair, to allow Halo Connect to control access, monitor connections, and identify the source of errors.
- Access to patient data is controlled by the PMS Vendors, ensuring unverified integrations or applications cannot access data via Halo Connect.
- All employees are employed in Australia and must pass criminal background checks
- We regularly undertake third-party security reviews.
- In the event of a detected breach of data, Halo Connect will notify government bodies and affected clients as per Australian Privacy Principles.
Shared Responsibility Model
While Halo Connect is responsible for securing the aspects of the Halo Connect platform and its services that are under our control, integrators and practices also have responsibilities to ensure data remains secure.
Halo Connect
Responsible for: Access, architecture, data security during transmission, and secure credential storage.
Examples:
- Ensuring the legitimacy of practices and integrators that can connect to the Halo Connect platform.
- Ensuring data transmission follows the relevant best practices and standards.
- Ensuring integrators' Halo Connect and PMS credentials are stored securely.
Integrators
Responsible for: Data security before and after transmission between practices and integrators.
Examples:
- Encryption of data before it is passed to Halo Connect to be transmitted.
- Security of Best Practice Partner Credentials that have been provided by Best Practice to the integrator.
- Security of any data retrieved from a practice using Halo Connect and stored by the integrator.
- Security of Halo Connect integrator credentials given to the integrator and used with Halo Connect.
Practices
Responsible for: Practice data security and integrator access to their practice data.
Examples:
- Security of the server the practice data is stored on.
- Security of the Halo Cloud Subscription Key used by the Halo Link Service.
- Enabling and disabling integrator access.
Requesting more information
Upon request, Halo Connect can supply current and potential customers with our Security Overview document, results of previous third-party security reviews, and other security-related information.
Reporting vulnerabilities
Suspected vulnerabilities should be reported to security@haloconnect.io.
The security inbox is actively monitored for reports. Upon receiving a report, Halo Connect will endeavour to quickly acknowledge receipt of the report, and provide a timeline for triage and confirmation. We ask the reporter to please ensure Halo Connect are able to contact them in case of questions or clarifications.
Please include clear steps for replicating the vulnerability. Screenshots, screen recordings, code snippets, copies of stack traces or console logs, operating system versions, or any other supporting evidence that would help with replicating the issue would be much appreciated.