We've built Jane with security and privacy as our main focus. It's what drives our culture, training, and hiring processes, and it shapes how we use technology to protect and secure data.
This white paper outlines Jane's approach to security and how we ensure that securing Jane data is, and always will be, our top priority.
Data Hosting
Amazon Web Services | Jane's physical infrastructure is hosted and managed within Amazon Web Services' secure data centers. We utilize their built-in security, privacy, and redundancy features, including AWS's ability to perform regular backups. Amazon Web Services complies with leading security policies and frameworks, including ISO 27001, SOC 1 and SOC 2. |
Resiliency | Hosting on AWS allows Jane to remain available even if one location goes down. Each AWS region spans multiple data centres (called availability zones), so Jane servers remain resilient in the event of a failure, including natural disasters or system failures. |
Defense In Depth | We've enabled AWS security features such as an intrusion protection system and a Web Application Firewall. |
Encrypting Data | Data that passes through Jane is encrypted both in transit and at rest. We encrypt all volumes where customer data is stored, and we individually encrypt all backups. Data in transit is encrypted using TLS 1.2 with ECDHE_RSA (P-256) key exchange and AES_128_GCM; data at rest is encrypted using AES-256. |
Datacenter Security | AWS follows industry best practices and has strict physical access policies for the data centre building. For more information see Amazon's documentation on their physical access controls: AWS Data Layer |
Data Storage | All Jane accounts are individually stored within their own database schema. |
Continuous Monitoring | Jane runs continuous, automated monitoring and vulnerability scanning on the AWS infrastructure so that we can proactively identify potential vulnerabilities, incidents, and threats. |
Customer Backups | We back up the primary customer database daily, weekly, monthly, and yearly across multiple availability zones. All backups are encrypted in transit and at rest, and we regularly test the recovery of these backups. We also store an encrypted copy of the backups in a separate data centre environment on a weekly basis. |
Data Deletion | When deleting data, we follow NIST 800-88 guidelines to destroy it in a way that does not allow for reconstruction. |
Application Security
Account Ownership | As per our terms of use, all Jane data is owned by the Account Owner. In addition, the Account Owner controls and configures all staff permissions and access levels. View our staff access level feature here: Staff Access Levels |
Account Security | Jane secures your credentials by using leading industry standards to salt and hash them before they are stored. We also have additional documentation on our security features here: Security Features |
Activity Log Feature | The Account Owner has access to the Activity Log that gives them a detailed breakdown of all Staff activity. This can be filtered by date range, staff member, and the type of data that they access. |
Data Protection | Jane will continue to secure and protect your data so long as you have a Jane account and unless instructed otherwise by the Account Owner. If the Account Owner decides to close their Jane account, we can export your data, free of charge, or we can place the account on hold at a lesser fee. |
Development Lifecycle | Jane developers follow a strict policy to ensure that Jane features and updates are secure by design, during development, and after deployment. Jane releases weekly (or sometimes more frequent) updates that are thoroughly tested by our QA Team before deployment. Updates do not require downtime. |
Third-Party Integration | Jane's optional third-party services are assessed thoroughly before implementation to ensure that they meet our security requirements. No medical data or patient health information is sent to our third-party services. View our optional third-party integrations here: Jane's Integrations |
Security Compliance
Regulatory Compliance | Jane complies with applicable legal and regulatory requirements as well as best practices. This includes Jane's compliance with all Canadian Privacy laws, GDPR, HIPAA, and Standard Codes of Practice across multiple health professions. |
PCI compliant | Jane never stores or processes credit card information. Card processing is handled by an optional integration with Stripe or Payfirma, both of which are PCI compliant. Additional information can be found here: Is Jane PCI-Compliant? |
Dedicated Team | We have a dedicated Security and Privacy Team that regularly reviews our policies, updates training, and ensures that Jane remains one of the top EMR companies for securing data. |
Security Culture | At Jane, we provide regular security training. The training is developed by our own Security and Privacy Team and covers our information security policies, security best practices, and privacy principles. |
Confidentiality | Jane employees sign a confidentiality agreement upon hire. We also have a strict policy that we only access your account when you request assistance from us. Furthermore, chart access is restricted to our senior managers. In either case, all access is logged. |
Background Check | All Jane employees complete a strict background check prior to employment. |
Recovery Plan | Jane maintains a Disaster Recovery Plan, which is regularly reviewed and updated by our Security and Privacy Team. |
Incident Response Program | Jane maintains an incident response program that defines the conditions and procedures we have in place to assess any relevant vulnerabilities or security incidents and establishes remediation and mitigation actions for all events. |
Privacy Breach Policy | We follow the BC Privacy Commissioner's 4 Step Privacy Breach Response Protocol. The documentation can be found here: Privacy Breach Policy |
Experimental Features
Jane sometimes offers new and experimental features that are completely optional for customers. (Access to these features may be managed within the Account Owner's Settings page.) If you choose to opt into an experimental feature, we follow strict privacy and security standards that meet HIPAA and PIPEDA requirements. You can read more about this below.
Smart Preview (Beta) | Jane currently has an invite-only experimental feature that allows clinics to optionally create a natural-sounding, easy-to-read chart summary, so you can catch up on a patient's progress at a glance without having to open each of their charts. This AI feature is currently powered by a private version of OpenAI's technology. It's hosted on a Microsoft Azure server that meets our strict privacy and security standards and that only Jane has access to. We do not train this model on customer data, nor is any customer data used to train any other AI models. The Microsoft Azure server is located in the same geography as your main Jane data centre (for example, if your data is hosted in Canada, the Microsoft Azure server generating the Smart Preview will also be located in Canada). |
Resources
Here are additional resources that you might find helpful:
If you have any questions for our team, please contact us at [email protected].