Security, Privacy and Compliance

SECURITY & PRIVACY AT HOTDOC

Security

We recognise that your data is very sensitive. We combine extensive security features with comprehensive audits of our platform to ensure your data is secure.

Privacy

HotDoc has comprehensive policies and procedures that detail how we handle personal information.

The term ‘personal information’ encompasses a broad range of information that HotDoc handles and includes ‘sensitive information’ as well as ‘health information’ in accordance with the Privacy Act 1988. HotDoc will always err on the side of caution by treating your data as personal information, and handle it in accordance with the Australian Privacy Principles (APPs). Your personal information never leaves Australia.

To ensure the privacy of your information, all data is transferred between user devices and HotDoc servers using 256 bit encrypted connections via TLS 1.2 and world-class certificate management. HotDoc also employs encryption at rest (AES-256) to protect the secrecy of all data persisted by us.

HotDoc employees will only ever access personal information if it’s required for customer support. All access to personal information is tracked and audited, with access determined based on principles of least privilege and strict access control lists. Your personal information is protected through the use of native system security and add-on software products that identify, authenticate and validate access requests against authorised roles in access control lists.

Certifications and Compliance

HotDoc is committed to maintaining best practices for ensuring security, availability and confidentiality.

HotDoc was accredited for SOC 2 Type I in 2021, which verified our application of the Trust Service Principles. Despite being an Australian company and having no regulatory obligations to do this, by holding ourselves accountable to a third party, we wish to demonstrate transparency to our customers and support our ongoing efforts to provide a secure and reliable environment for our customers’ data.

Infrastructure Security

HotDoc runs all of its services from the cloud in Australia and is deployed across multiple availability zones within the region. HotDoc maintains failover capabilities in the event of physical hardware or logical software failures, with infrastructure hosted in high availability data centres. HotDoc uses modern infrastructure-as-code and security tooling to make sure our infrastructure runs reliably and securely.

Application Security

HotDoc has built application security into its culture, with a dedicated team to help mentor and coach best practices within the product. All code is peer reviewed with an extensive set of automated testing as part of our build pipeline. HotDoc keeps up to date with software patching and vulnerability management with automated tooling. HotDoc uses layered defence to maintain separation between production and development environments and ensure the principles of least privilege are maintained as it relates to customer data.

Vulnerability Disclosure

HotDoc makes it a priority to resolve any security vulnerabilities in our products within the timeframes identified in our security policies. HotDoc follows coordinated vulnerability disclosure and kindly asks that anyone reporting a vulnerability to us does the same in the interests of our customers.

If you are a customer, please submit a ticket to our support team.

If you are a security researcher, please join our bug bounty program, or email our security team.

Bug Bounty Program

HotDoc invites you to test and help secure our primary publicly facing assets – focusing on our web, and mobile applications. We appreciate your efforts and hard work in making the internet (and HotDoc) more secure, and look forward to working with the researcher community to create a meaningful and successful bug bounty program. Good luck and happy hunting!

FAQs

Why is data security so important to HotDoc?

HotDoc makes a promise to our customers to apply the same standard of ethics for confidentiality that they give to their customers. Since we were founded with that promise, HotDoc has built privacy and security into the way we engineer our product from when we first built it. We’re proud that security is part of the core of our product instead of retrofitting security onto our product when legislation has come out.

Our security team is our first line of defence, but to make sure that there are no holes in our internal processes, in 2021 we were accredited in an independent third-party security framework called System and Organization Controls (SOC) 2 Type 1. This is a very stringent international standard for Security that demonstrates how we achieve key compliance controls and objectives.

On top of that, as far as we know, we’re the only Australian HealthTech provider that runs a Bug Bounty Program, which means that we pay external security researchers (hackers but with honour) to try and compromise our system and verify its security.

We’re also committed to not using data we sync from practices for anything other than the services the practice engages us to deliver in our privacy policy.

HotDoc will never sell or use patient data we collect from you for commercial purposes. We will only use patient data we collect from you to provide the services that you engage us to provide.

Who looks after HotDoc’s security, and what do they do?

HotDoc has a dedicated security and reliability team inside our Platform team, who are committed to defending the data you store on our platform against increasing security threats.

The team works with our developers and other staff to ensure that our systems, platforms and processes are secure. We check our systems for vulnerabilities and make sure they’re resolved, and they work with different staff across HotDoc to implement our SOC2 controls, including checking the security of our suppliers, staff (via checks, access control and training), systems (including our platform and our internal systems) and everything we do.

The team has made sure the platform is available 99.5% of the time, and they continuously work to improve the reliability of our platform.

What has the HotDoc team done recently to bolster its data security?

HotDoc’s dedicated security team has been working on reviewing our internal maturity and control effectiveness to make sure that as we grow and build new products, we still provide excellent security processes.

Has HotDoc had any cyber-attacks?

HotDoc is frequently attacked by people on the internet trying to hack our systems and sending us spam, like any business that is connected to the internet. We have strong protections in place to prevent these attacks from leading to exploitation or unauthorised access.

What does HotDoc do to prevent cyber-attacks?

No business can prevent cyber-attacks, but HotDoc takes steps to prevent them from being successful by denying malicious actors access to data and access to our environment. This includes protections to prevent malicious actors from being able to install malware on our staff laptops, limiting the access that our staff have to customer data or our environments, and making sure our environment is resilient to attacks and free of exploitable vulnerabilities.

We also monitor our environment to detect if a cyber attack might be progressing so we can manage and actively defend our system.

Does HotDoc have access to patient information?

HotDoc collects Patient information from patients directly when they create accounts with us and book appointments. Practices can also give us appointment information so we can support appointments and provide our services to the practice or patients. All the data that HotDoc accesses can be found in our privacy policy.

The data is securely saved in our platform, hosted in Australia on Amazon Web Services (AWS) and is encrypted.

What does HotDoc do with stored payment details?

HotDoc never has access to your card details: your card information will be sent directly to a secure payment provider. HotDoc does not collect or store your card details and only has access to an anonymised token that allows you to use your card for future payments if you choose to save your card. For more information click here.

How does HotDoc transfer data securely?

We encrypt the data using industry-standard HTTPS/TLS encryption to prevent any malicious actors from intercepting the data while we transfer it to you, and we enable practices to authenticate using MFA to ensure we’re transferring the data to an authorised user in our staff or at your practice.

Does HotDoc have to comply with certain medical privacy regulations?

HotDoc complies with the Australian Privacy Act. HotDoc does not store medical records, and if we do collect them, we delete them after we transfer them to your Practice Software (PMS). As we do not store medical records (that’s your PMS), we don’t have to comply with the retention requirements under Medical Records laws.

What would HotDoc recommend practices to do and don’t do?

Practices should follow the RACGP guidelines for data security.

When using our product, practices are recommended to:

Authenticate to our platform strongly: make sure that each user has their own HotDoc account and that they’re not shared. Turn on Multi-factor authentication via email or App for every Practice user
Patch the Software on their practice computers and servers, including the HotDoc connector and the HotDoc sidebar, your operating system, practice management software and your browser
Make sure you connect to the HotDoc dashboard using HTTPS in your browser (look for the :lock: at the start of the URL)

Contact Security

HotDoc has a dedicated security team that handles everything from application security through to infrastructure security and anything in between. Have any questions? Feel free to contact the team directly.