Information Security White Paper

Information security and data protection are of great importance to us at OneLab. Our clients trust us to manage their employees’ health data, which means we are responsible for protecting their information and privacy. We take comprehensive measures to ensure our systems’ security and protect our clients’ data.

This white paper will give you and your organization an overview of our information security and data protection program.


Introduction

OneLab is a medical clinic based in Stockholm, Sweden. The company is registered at the National Board of Health and Welfare (Sw. Socialstyrelsen) and governed by the Health and Social Care Inspectorate (Sw. Inspektionen för vård och omsorg).

All information that OneLab receives in connection with providing the services is stored and processed electronically in accordance with the General Data Protection Regulation (Sw. dataskyddsförordningen) and the Swedish Data Protection Act (Sw. dataskyddslagen) (SFS 2018:218). Requirements for secure database handling and storage are met in line with the expectations placed on the services. Health data is also stored in compliance with the Patient Data Act (Sw. patientdatalagen) (SFS 2008:355) and the Patient Security Act (Sw. patientsäkerhetslagen) (SFS 2010:659).

OneLab’s employee health platform is a CE-certified medical device, meaning it complies with strict quality management standards.

Compliance & Assurance

To achieve a structured and strategic approach to information security, we continuously evaluate our work and strive to work according to the standards and best practices in compliance with ISO 27001. Nevertheless, the ISO certification has not yet been obtained. We intend to begin preparations to obtain the certification in 2025.

This means that we do the following:

  • Systematically examine the organization’s information security risks, taking account of
    the threats, vulnerabilities, and impacts.
  • Design and implement a coherent and comprehensive suite of information security
    controls and other forms of risk treatment (such as risk avoidance or risk transfer) to
    address those risks that are deemed unacceptable.
  • Adopt an overarching management process to ensure that the information security
    controls continue to meet the organization’s information security needs on an ongoing
    basis.

Information Security Governance

Information Classification

OneLab applies information classification to all information used in the organization. All IT systems and services used within the organization are classified according to the CIA model (Confidentiality, Integrity, and Availability).

Information Security Risk Management

Information is one of OneLab’s most important assets. As sensitive information is processed by us, we are responsible for ensuring that such information is provided with the appropriate level of protection. Therefore, information security risk management is a continuous process at OneLab. Information security means a combination of technical and administrative controls to safeguard against threats to OneLab’s information assets and provide confidentiality, integrity, and availability of information. Therefore, OneLab has implemented policies and routines governing information security, which are reviewed annually. To evaluate risks to our IT environments and services, we perform risk assessments and plan our information security work annually. Risk management is necessary to identify and manage potential risks and further strengthen our information security. Risks that could potentially impact information security are analyzed and categorized by assessing possible consequences and the likelihood of the identified risk. The following is a brief overview of our approach to risk management, which includes:

  • Enterprise information security risk management – This is the process of identifying and understanding risks that threaten or affect information security, such as significant changes to the organization, business processes, or information processing facilities. Such threats are controlled through a risk management process.
  • Product development information security risk management – Information security risk management is applied to, and is an essential part of, our product development. The risk assessment for product development is made to identify relevant risk areas, potential risk scenarios, consequences, and the likelihood of such risks.
  • IT service, system, and supplier risk management – Information security requirements and risks associated with new and existing IT services, systems, and suppliers are controlled by a risk management process. IT services, systems, and suppliers, and their integration with our systems, are subject to our IT and security teams’ approval.
  • Data Protection Impact Assessment (DPIA) – We process personal data in our daily business operations. When such processing is likely to result in a high risk to the rights and freedoms of natural persons, a data protection impact assessment (DPIA) is performed to ensure the appropriate protection of such personal data. If we engage a sub-processor to process personal data, we will always enter into a data processing agreement with the sub-processor. In addition, we will use all appropriate endeavours to ensure that the relevant technical and organisational measures are implemented.
  • Vulnerability assessment – We continuously test and evaluate our information security to determine and improve the security of our information. We use external partners to provide information security assessments and vulnerability scans.

Incidents

All security and data protection incidents are managed according to established policies and procedures.

Supplier Assessments

To ensure compliance with information security policies and data protection legislation, OneLab has processes and policies in place to review and assess all new IT systems and services that are introduced in our organisation.

Employee Vetting

All our employees are covered by information security agreements and non-disclosure agreements. Medical staff are also covered by professional secrecy and confidentiality. OneLab performs background checks on all new employees and temporary staff. The background check includes education, employment verification, references, and, for certain positions, criminal records.

Updates and Developments

For OneLab to uphold an adequate level of information security and maintain a structured and strategic approach, we use a two-step verification process when updating our platform. Development and updates of our platform are performed following best-practice routines. The two-step verification process is initiated during the development phase, in which at least two engineers participate. OneLab’s CTO must approve all significant updates to our platform.

Roles and Responsibilities

As part of our work to ensure an adequate level of information security, we have appointed the following:

  • Chief Executive Officer (CEO) – Represents executive management and is ultimately responsible for information security and approving the information security policy.
  • Chief Operating Officer (COO) – Is responsible for initiating information security work and for ensuring that the responsibilities and authorities for roles relevant to information security are assigned and communicated. The COO is further responsible for analyzing, planning and managing information security and data protection activities and incidents according to strategies, policies, action plans, and the information security management system.
  • Chief Technology Officer (CTO) – Is responsible for implementing IT security controls according to information security policies and procedures.
  • Data Protection Officer (DPO) – Is responsible for overseeing data protection strategy and implementation to ensure compliance with data protection legislation with a focus on the General Data Protection Regulation (GDPR).
  • System and Product Owners – Are responsible for information security activities within their system and for ensuring that the system and our products meet information security requirements, laws, and regulations.
  • Managers – Shall advocate and promote an exceptional security culture within their teams and ensure that the teams’ projects and activities follow information security policies and procedures.
  • Employees – Shall work actively for an exceptional security culture by reporting incidents and following information security policies and procedures.

Application Security

Access Control

Access control is role-based and limited to a need-to-know basis. Each of our users is assigned a unique user ID to provide accountability. The unique user ID applies to all employees including system administrators and operators.

OneLab has procedures to change or revoke access rights immediately following an employee’s employment status or position change. In addition to this, annual access control reviews are undertaken. Access control reviews include both role permission reviews and assignment reviews.

Multi-Factor Authentication

Strong multi-factor authentication is enforced for all OneLab’s administrators, and access is only granted when authenticated with YubiKey 5 NFC. Multi-factor authentication is also used for customer administrators and end-users. For our Swedish customers, authentication can be done using BankID.

Passwords

End-users have individual user accounts and must be authenticated with at least a valid email, password, and SMS code. OneLab has a baseline password policy to enforce strong passwords. Password reset is done by request and is sent to the user’s pre-registered email address.

Protection of Authentication Information

All stored passwords are hashed and salted. Essential authentication details, including passwords and encryption keys, are stored securely with restricted access.

External Security Reviews

Independent security companies have conducted vulnerability scans to ensure our compliance with standards, best-practice frameworks, legislation, and regulations. We continuously evaluate how we can improve our future information security work and implement any relevant software and processes to improve our information security. If any vulnerabilities in our applications are identified, they are mitigated and resolved following our internal policies and procedures and the instructions given by the company or software providing the vulnerability scan.

User Inactivity

All users are automatically logged off if inactive.

Separation of Customer Data

All customer data is logically separated for each customer to ensure confidentiality and integrity between customers. Every customer has a unique company identifier used to separate data. Every row in the database is tagged with a unique company identifier.

Sensitive Data

All customers’ health and personal data is, according to OneLab’s information classification policy, classified as Strictly confidential.

Access to sensitive information is only allocated according to the principle of least privilege.

Access to sensitive information is a part of annual role permission review.

Event Logs

All activities in the application are logged. Our logs include information about the user, the time and date, the user activity, and critical security events.

To protect our logs against tampering, the logs are protected by an integrity check mechanism and access rights are strictly limited.

Encryption

All data is encrypted in transit and at rest. In transit, all connections are encrypted with enterprise-grade SSL certificates. Unencrypted connections are not possible. At rest, all sensitive data is encrypted with AES-128 in CBC mode using a unique key and SHA512 HMAC authentication.

Web Application Vulnerability Scans

Independent security companies regularly conduct web application vulnerability scans against the OneLab application. All vulnerabilities are classified and mitigated according to internal policies and procedures.

IT Operations Security

Access Control

Privileged access to IT infrastructure assets, such as servers, monitoring, etc., is protected by multi-factor authentication.

Backup

Backups of production data are undertaken daily and are monitored. Daily backups are stored for at least a week. Weekly backups are stored for at least a month, and monthly backups are stored for at least a year. Backup data is stored encrypted and physically separated from production data.

Disaster Recovery

OneLab has a disaster recovery plan which is tested annually to verify OneLab’s capacity to recover and protect the business IT infrastructure in the event of a disaster.

Physical Security

Workplace Security

OneLab’s office is protected by access controls, security alarms, and fire alarms. Security at OneLab’s physical locations is managed according to OneLab’s Physical security policy and Workplace security policy.

Privacy

GDPR

The purpose of the EU General Data Protection Regulation (GDPR) is to reinforce the rights of individuals by protecting how their personal data may be processed. In addition to the GDPR, OneLab, as a healthcare provider, is also subject to other data protection legislation, such as the Swedish Patient Data Act and Patient Security Act.

To meet the requirements in the applicable data protection legislation, OneLab has implemented processes and IT infrastructure to ensure secure IT systems and the adequate protection of individual personal data. These information security measures and data protection processes are further described in this document.

Processing of Personal Data and Privacy Policy

OneLab processes personal data provided by its customers regarding customers’ employees to invite such employees to use OneLab’s services. Once an employee has registered an account with OneLab, such an employee becomes a user of OneLab’s services. OneLab will process personal data about the users that the users have provided to OneLab or otherwise is generated through using OneLab’s services, such as names, personal ID numbers, contact details, and health data concerning the user’s physical and mental health. The purpose of OneLab’s processing is to provide healthcare and related services. Furthermore, OneLab may process personal data to perform legal obligations outlined in statutes, court judgments, or decisions by public authorities, as applicable. OneLab may also process the users’ personal data to develop and improve the functionality of OneLab’s health platform as well as healthcare services.

More information about OneLab’s processing of personal data can be found in our Privacy Policy.

Subcontractors

OneLab’s subcontractors, such as operating, support, and hosting providers, who process personal data on behalf of and according to instructions from OneLab, may process personal data in certain cases. However, OneLab is responsible for the personal data processed by its subcontractors and will use all reasonable efforts to ensure that the subcontractors process personal data in accordance with the data protection legislation applicable from time to time. No health data will be disclosed to the user’s employer.

Storage Location

All personal data is stored on servers that OneLab fully controls. Our servers are located at Amazon Web Services in Sweden, in the Europe (Stockholm) region (eu-north-1).

Personal Data Retention

To ensure that personal data processing is limited to what is necessary, OneLab has adopted an internal personal data retention policy setting out OneLab’s data retention routines. The purpose of this policy is to adapt the OneLab application to the GDPR requirement of data protection by design and by default and the principles of data minimisation and storage limitation.

The policy is based on the following scenarios:

  • Erasure due to termination of agreement.
  • Erasure due to termination of employment.
  • Individual’s right to erasure and restrict processing.

In summary, users’ personal data is stored for as long as necessary to (1) provide good healthcare, (2) offer and provide OneLab’s services, and (3) fulfil OneLab’s legal obligations. A user’s personal data is erased or anonymised at the latest three (3) months from the time the user account is closed, provided it is not necessary to store personal data due to legal obligations. All other personal data no longer necessary for the performance and development of the services will be either erased automatically or anonymised.

Data Integrity Engine

OneLab’s statistics platform is designed to provide employers with anonymised and aggregated health and work environment data, while preventing the identification of any individual. The platform’s data integrity engine employs sophisticated algorithms to introduce noise and prevent the displaying of data in group sizes below the permitted threshold, while maintaining a high-quality data output.
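As an added illustration of the two controls described above (example code, not OneLab's data integrity engine), the Go code below aggregates constructed survey responses per group, suppresses every group smaller than a threshold, and adds Laplace noise to each surviving mean. The threshold value, the noise distribution and its scale are assumptions; the white paper states only that a permitted threshold exists and that noise is introduced.

```go
package main

import (
	"math"
	"math/rand"
	"sort"
)

// minGroupSize is an assumed value: the white paper names a "permitted threshold"
// for group sizes but does not state it.
const minGroupSize = 5

// Response is one constructed survey answer. Only the group label and the score
// are needed; the respondent's identity never reaches the aggregation step.
type Response struct {
	Group string
	Score float64 // 1..10 wellbeing score
}

// GroupStat is the only shape an employer sees: group size and a noised mean.
type GroupStat struct {
	Group string
	Count int
	Mean  float64
}

// Laplace(0, scale) noise, sampled as the difference of two unit exponentials.
func Laplace(r *rand.Rand, scale float64) float64 {
	return scale * (r.ExpFloat64() - r.ExpFloat64())
}

// Aggregate computes per-group means, drops every group below minGroupSize (such a
// group is not listed at all, not even its size) and adds noise() to each surviving mean.
func Aggregate(rs []Response, noise func() float64) []GroupStat {
	sum, n := map[string]float64{}, map[string]int{}
	for _, r := range rs {
		sum[r.Group] += r.Score
		n[r.Group]++
	}
	var out []GroupStat
	for g, c := range n {
		if c < minGroupSize {
			continue
		}
		m := math.Min(10, math.Max(1, sum[g]/float64(c)+noise())) // stay on the score scale
		out = append(out, GroupStat{g, c, math.Round(m*10) / 10})
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Group < out[j].Group })
	return out
}
```

For production use call Aggregate with `func() float64 { return Laplace(r, scale) }`; passing a function that returns 0 disables the noise, which is useful for checking the suppression logic on its own.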