Maintaining the security of customer data is our priority
As a clinical management systems provider, we are responsible for storing and maintaining access to highly sensitive personal data.
That's why we treat cyber security with the utmost importance.
Servers and Data Hosting
AutumnCare utilises third-party providers Sitehost and Servers Australia for the server hosting requirements of our cloud-based customers. The databases and systems software are managed by AutumnCare. All servers are physically located in Australia in accordance with the Privacy Act 1988 and the Australian Privacy Principles.
Both Sitehost and Servers Australia employ 24/7 site surveillance as well as controlled access to external buildings and server rooms.
Remote access to servers is restricted to an allow-list of IP addresses, and RDP logins are protected by multi-factor authentication.
Database backups are performed regularly, both to the server that hosts them and to a separate backup server for redundancy.
AutumnCare makes use of dedicated cyber security contractors to continuously scan our servers for issues, risks and vulnerabilities.
Windows Defender and an Active Threat Detection service are installed on all AutumnCare servers. These scan both internally and externally against a database of over 140,000 known vulnerabilities, and servers are rescanned automatically as new threats emerge.
Identified vulnerabilities are triaged by severity. Patches for them are applied to all devices and servers as a priority once a patch becomes available.
Where AutumnCare needs to store security-sensitive information such as client configurations, credentials and setup details, it is kept in secure storage with role-restricted access protected by multi-factor authentication.
Regular patching is scheduled every two months, and customers are notified a week in advance of each maintenance outage.
Patches may also be applied outside of this schedule to address identified threats and vulnerabilities as appropriate.
AutumnCare encrypts all data stored locally and all data transferred between the client and the server using AES-256 encryption.
This is in addition to the HTTPS (TLS) encryption used by all of our web services.
AutumnCare passwords are salted and hashed using SHA-256. AutumnCare passwords are never stored or transmitted as plain text.
To enable logging in while offline, the hashed passwords are downloaded to the client and stored on disk compressed and encrypted with AES-256.
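The following Go program is an added illustration of the two mechanisms just described, not AutumnCare's own code: a per-user random salt with SHA-256 for password storage and verification, and an offline cache of those hashed records that is gzip-compressed and then encrypted with AES-256 in GCM mode. The record layout, the 16-byte salt, the JSON serialisation and the "nonce || ciphertext || tag" cache format are assumptions made for the example; the page does not specify them.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/json"
	"errors"
	"fmt"
	"io"
)

// PasswordRecord is the only thing ever stored for a password, on the server
// and in the offline cache: a random per-user salt and SHA-256(salt || password).
// (Field layout is an assumption for this example.)
type PasswordRecord struct {
	Salt []byte `json:"salt"`
	Hash []byte `json:"hash"`
}

func saltedHash(salt []byte, password string) []byte {
	h := sha256.New()
	h.Write(salt)
	h.Write([]byte(password))
	return h.Sum(nil)
}

// NewPasswordRecord draws a fresh 16-byte salt so that two users with the same
// password get different hashes and a precomputed table is useless.
func NewPasswordRecord(password string) (PasswordRecord, error) {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return PasswordRecord{}, err
	}
	return PasswordRecord{Salt: salt, Hash: saltedHash(salt, password)}, nil
}

// Verify recomputes the salted hash and compares it in constant time.
func (r PasswordRecord) Verify(password string) bool {
	return subtle.ConstantTimeCompare(r.Hash, saltedHash(r.Salt, password)) == 1
}

// SealOfflineCache serialises the records, gzip-compresses them and encrypts the
// result with AES-256-GCM. Output layout (assumed): 12-byte nonce || ciphertext || tag.
func SealOfflineCache(key []byte, records map[string]PasswordRecord) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 requires a 32-byte key")
	}
	plain, err := json.Marshal(records)
	if err != nil {
		return nil, err
	}
	var buf bytes.Buffer
	zw := gzip.NewWriter(&buf)
	if _, err := zw.Write(plain); err != nil {
		return nil, err
	}
	if err := zw.Close(); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// GCM authenticates the ciphertext, so a modified cache file is rejected on open.
	return gcm.Seal(nonce, nonce, buf.Bytes(), nil), nil
}

// OpenOfflineCache reverses SealOfflineCache. A wrong key or any tampering
// fails the GCM tag check before any plaintext is returned.
func OpenOfflineCache(key, sealed []byte) (map[string]PasswordRecord, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(sealed) < ns {
		return nil, errors.New("offline cache too short")
	}
	plain, err := gcm.Open(nil, sealed[:ns], sealed[ns:], nil)
	if err != nil {
		return nil, fmt.Errorf("offline cache rejected: %w", err)
	}
	zr, err := gzip.NewReader(bytes.NewReader(plain))
	if err != nil {
		return nil, err
	}
	raw, err := io.ReadAll(zr)
	if err != nil {
		return nil, err
	}
	var records map[string]PasswordRecord
	if err := json.Unmarshal(raw, &records); err != nil {
		return nil, err
	}
	return records, nil
}

func main() {
	// Constructed demo data: one user and a fixed cache key (a real key comes from a key store).
	rec, _ := NewPasswordRecord("correct horse")
	key := make([]byte, 32)
	rand.Read(key)
	sealed, _ := SealOfflineCache(key, map[string]PasswordRecord{"nurse1": rec})
	cache, _ := OpenOfflineCache(key, sealed)
	fmt.Println("offline login ok:", cache["nurse1"].Verify("correct horse"))
	fmt.Println("wrong password ok:", cache["nurse1"].Verify("wrong"))
}
```

Two points a practitioner would check in a scheme like this: the cache key must not live beside the cache file (otherwise the AES layer adds nothing), and a single SHA-256 pass is fast enough that an attacker who obtains the records can still try many candidate passwords per second, which is why iterated or memory-hard password hashes (PBKDF2, bcrypt, scrypt, Argon2) are the usual recommendation on top of salting; the page does not state an iteration count.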
AutumnCare's in-house cyber security panel meets fortnightly to monitor, review and address:
- Security system continuous monitoring reports
- Threat responses
- Breaches and vulnerabilities
- Improvements and best practice recommendations for the future
- Changes to the cyber security policies of any third-party systems we use
AutumnCare has not experienced a breach incident to date.
However, in the event of a breach, AutumnCare will comply with the Notifiable Data Breaches scheme under the Australian Privacy Act 1988.