New SDK Release: Build secure medical apps faster with our tools for EHRs, devices, and patient-doctor solutions. Explore CardinalSDK

Hoofdmenu
Producten
Cardinal Backend & SDK Cardinal Data Exchange Module Cardinal Free Health Connector Gebruikscases
Nieuws
Neem contact op
Back to blog

November 27, 2023

Introduction to End-to-End Encryption for Medical Data

post illustration

Why Protecting Medical Data is Vital

Imagine medical data as a rich tapestry woven with the most personal and sensitive threads of information. It’s a detailed portrait of our health, capturing everything from our past medical issues to DNA secrets.

This information is crucial in modern healthcare, like a lifeblood that must be fiercely protected.

Why? Because it’s not just about keeping data safe — it’s about honoring the trust patients place in healthcare systems when they share their most intimate health secrets. This trust is fundamental, and any breach in data security can shatter it, potentially leading to patients withholding crucial information or avoiding care altogether.

The stakes are high.

Unauthorized access to medical data can lead to identity theft, insurance fraud, or worse — exploitation of sensitive health information for harmful purposes. This isn’t just a problem for individuals, it strikes at the heart of the healthcare system. Trust in healthcare is critical for effective care, and once it’s damaged, the whole system feels the impact.

In our digital world, where medical records zip through networks and systems, reinforcing data security is more crucial than ever. It requires strong cybersecurity measures, strict access controls, and vigilant monitoring to keep medical data confidential, intact, and secure.

End-to-End Encryption: The Digital Guardian

Enter End-to-End Encryption (E2EE) — a sophisticated technology protecting data as it travels from one system to another. It ciphers medical data at the source, which only the intended recipient can decode — like sending a locked safe through the mail, where only the receiver has the key.

E2E encryption is more than a security feature. It ensures that whether data is zooming over networks, sitting on servers, or being shared among doctors, patients, insurance companies, and other industry participants, it remains invisible to unauthorized eyes. This technology is a shield against data breaches and cyberattacks, offering peace of mind to both patients and healthcare professionals.

post illustration

In an era where medical data faces constant cyber threats, adopting E2E encryption means upholding the highest privacy and data protection standards, reinforcing the trust between healthcare providers and patients. By integrating E2E encryption into its security arsenal, the healthcare industry protects its data and honors the trust patients place in it.

Understanding End-to-End Encryption

Basic Principles of E2E Encryption

  • Data Encryption: The heart of E2E encryption lies in its ability to transform readable data (plaintext) into a coded form (ciphertext). This process is akin to translating a message into a secret language.

The ciphertext is “gibberish” to anyone who doesn’t have the special decoder — the decryption key. This ensures that even if the data is intercepted, it remains undecipherable and secure.

  • Key Management: The real power of E2E encryption is in how it handles keys — the tools used to lock (encrypt) and unlock (decrypt) data. These keys are created and exchanged in a manner that keeps them secret from everyone except the intended communicators. Proper key management is crucial; if keys are compromised, the whole encryption process can be rendered useless.

Types of Encryption Algorithms

  • Symmetric Encryption: This method is like having a single key that both locks and unlocks a door. In symmetric encryption, the same key is used to both encrypt and decrypt the data. It’s efficient and fast, making it suitable for encrypting large volumes of data.

However, the challenge lies in securely exchanging this key between parties, as anyone who possesses the key can decrypt the data.

  • Asymmetric Encryption: Imagine a mailbox where anyone can drop a letter in (public key), but only you have the key to open it (private key). This is asymmetric encryption. It uses two different keys: a public key for encryption and a private key for decryption.

The public key is shared openly, allowing anyone to encrypt data, but the receiver keeps the private key secret, ensuring only they can decrypt the information. This method is more secure regarding key distribution but is generally slower and requires more computational power, making it less practical for encrypting large amounts of data.

  • Hybrid Systems: Often, E2E encryption uses a combination of both symmetric and asymmetric methods. For example, a symmetric key could be used to encrypt the data because of its efficiency, and then the symmetric key itself is encrypted using asymmetric encryption for secure transmission. This hybrid approach leverages the strengths of both methods — efficiency and secure key distribution.

Challenges and Considerations

  • Key Recovery: One of the challenges of E2E encryption is the risk of losing access to data if the decryption key is lost. Effective key recovery mechanisms are essential to prevent permanent data loss while maintaining security.
  • Regulatory Compliance: E2E encryption must be balanced with legal and regulatory requirements. Some jurisdictions may require access to encrypted data for law enforcement purposes, which poses challenges in designing encryption systems that both protect privacy and comply with legal obligations.
  • User Experience: Implementing E2E encryption must also consider the user experience. It should be seamless and transparent so that users are not burdened with the complexities of the encryption process.

Let’s move to the fundamentals of E2EE in medical data exchange now.

E2E Encryption in Medical Data Exchange

In an era where the exchange of medical information has transcended traditional boundaries, End-to-End Encryption emerges as a crucial safeguard for the healthcare industry. Let’s delve deeper into its applications and how it ensures compliance with essential regulations.

Application in Healthcare

  • Electronic Health Records (EHRs): Imagine EHRs as the life story of a patient’s health journey, filled with personal health narratives and medical episodes.

E2EE acts like an invisible shield around these stories during their “digital voyage” from one healthcare provider to another. This ensures that sensitive details like medical history, diagnoses, and treatment plans are securely cloaked from unwanted eyes during transit.

  • Telemedicine: Telemedicine is connecting patients and doctors across digital landscapes.

Here, E2E encryption strengthens this connection, ensuring that conversations, whether they’re video calls or message exchanges, remain private and protected. This is especially crucial when discussing sensitive health issues, ensuring patient-doctor confidentiality is preserved, regardless of physical distance.

  • Wearable Health Devices: Wearable devices have now become our personal health assistants, constantly collecting health data. E2EE wraps this data in a secure blanket as it travels from the device to healthcare providers. This means that personal health metrics like heart rates, sleep patterns, and exercise data remain confidential, only accessible to authorized individuals.
  • HIPAA (Health Insurance Portability and Accountability Act): In the United States, HIPAA is the gold standard for patient information security. E2E encryption helps play by these rules, ensuring that the data adheres to HIPAA’s stringent standards when it is shared or transmitted.

This includes safeguarding against unauthorized access and ensuring confidentiality, which is pivotal in maintaining patient trust and legal compliance.

  • GDPR (General Data Protection Regulation): For European patients, GDPR sets the standard for data protection. It’s a rigorous framework ensuring that personal health data is handled with the highest care.

E2E encryption steps up to this challenge by ensuring that data exchange involving European patients meets GDPR’s strict privacy guidelines. This includes not just securing the data, but also ensuring patients have control over who accesses their information.

  • Beyond Borders: The application of E2E encryption isn’t confined to just HIPAA or GDPR. With healthcare data increasingly crossing international borders, encryption ensures that global data exchange adheres to a diverse array of international laws and regulations, each with its own set of requirements and standards for data privacy and security.
  • Audit Trails and Accountability: Part of meeting regulatory standards involves keeping detailed records of data access and transmission. E2E encryption systems can be designed to provide comprehensive audit trails, ensuring transparency and accountability in how patient data is accessed and used.
  • Adapting to Evolving Standards: The world of data security is ever-evolving, as are the laws that govern it. Implementing E2E encryption in healthcare means continuously adapting to new technological challenges and changing legal landscapes. This adaptability ensures that patient data remains secure, not just today, but also in the future as new threats and regulations emerge.

This way, E2E encryption is not just a technical tool in healthcare — it’s a critical component in the ecosystem of patient care and trust.

By encrypting medical data, healthcare providers not only protect sensitive information but also build a foundation of trust and compliance that is essential in the digital age of medicine. This encryption acts as a guardian, ensuring that as healthcare continues to embrace digital innovation, it does so with the utmost respect for the privacy and security of patient information.

The High-Stakes Game of Key Management

  • Managing Encryption Keys: Think of encryption keys in E2E encryption as the most precious keys in a kingdom. They are crucial for keeping data safe. If these keys get into the wrong hands or are lost, it’s like the kingdom’s defenses are down, and the data is exposed. The safety of patient data relies heavily on keeping these keys secure.
  • Dealing with Lost Keys: Imagine losing the key to a treasure chest. Losing an encryption key can be just as problematic in the world of encryption.

Accessing data that’s been locked away by encryption becomes extremely difficult if the key is lost or forgotten. Creating a reliable way to recover these keys without weakening security is a delicate balance. Having a backup plan for key recovery is important, but this plan needs to be as secure as the original method of protecting the keys.

The Intricate Dance of Integration

  • Blending New Beats into an Old Song: Integrating E2E encryption into existing healthcare systems is like blending a new, complex rhythm into an old, familiar song.

The goal is to enhance the melody (security) without disrupting the ongoing rhythm (healthcare services). It’s a delicate dance, requiring precision and careful coordination to ensure that introducing encryption enhances data security without causing discord in the existing system’s functionality.

  • The Jigsaw Puzzle of Compatibility: Each healthcare system is a unique jigsaw puzzle of software and processes. Fitting E2E encryption into this puzzle without forcing the pieces can be challenging. It involves ensuring compatibility, seamless data flow, and maintaining system efficiency, all while elevating the security level.

Striking a Balance Between Fortress and Gateway

  • Building a Fortress with a Gateway: The ultimate goal of E2E encryption in healthcare is to create a fortress around patient data, but this fortress also needs a gateway. This means while the data needs to be impenetrable to unauthorized access, it should remain readily accessible to authorized healthcare providers, particularly in critical, time-sensitive situations like emergencies.
  • The Art of Accessible Security: Imagine a secure vault that can be opened instantly when needed by the right person. Achieving this level of accessible security in healthcare data requires sophisticated encryption protocols that allow swift and secure access to data for authorized personnel. It’s about finding the perfect balance where security measures do not impede the swift flow of essential medical information.
  • Emergency Protocols: In emergencies, time is of the essence. Encryption systems must be designed with fail-safes and rapid access protocols for such situations. It’s about ensuring that authorized individuals can navigate security layers swiftly and safely when every second counts.

Implementing E2E encryption in healthcare is a journey fraught with intricate challenges and critical considerations. As the healthcare sector continues to evolve in the digital age, navigating these complexities is not just a MedTech endeavor but a fundamental component of providing safe and effective patient care.

Implementing E2E Encryption in Healthcare: Strategies and Future Directions

Best Practices for Robust Encryption

  • Regular Audits and Compliance Checks: Just like a health check-up, regular audits are essential in ensuring that E2E encryption practices are up-to-date and compliant with current laws and standards. These checks act as preventive care, helping identify and address any potential security issues before they become problems.
  • Robust Key Management Systems: Think of this as the high-security vault where the keys to patient data are stored. It involves not just safekeeping the keys but also routinely updating them to stay ahead of potential threats. Secure storage solutions ensure these keys are accessible only to authorized individuals, much like a controlled-access pharmacy in a hospital.
  • Training and Awareness for Healthcare Staff: Educating healthcare workers about encrypted systems is akin to training them in first aid—it’s essential for the safety of everyone involved. This involves teaching them the importance of encryption and using these systems effectively, ensuring that every staff member is a competent guardian of patient data.
  • Blockchain Technology in Healthcare: Imagine a future where patient data is stored securely, transparently, and immutably. Blockchain technology offers this by creating a decentralized ledger for medical data. This means each piece of data can be traced back to its origin, ensuring authenticity and security, much like a digital chain of custody in medicine.
  • Artificial Intelligence and Machine Learning Enhancing E2E Encryption: AI and ML are set to revolutionize how encryption systems operate.

They can predict and counteract security threats, automate key management processes, and optimize the efficiency of encrypted systems. Imagine AI as a smart assistant that protects patient data AND anticipates and neutralizes threats before they manifest.

  • Customized Solutions for Specialized Healthcare Needs: As healthcare technology evolves, there’s a growing need for encryption systems tailored to specific areas like telemedicine, genetic data, or wearable health devices. This means developing unique encryption strategies for each area, ensuring the highest level of security and functionality for different types of sensitive data.
  • Interoperability Challenges and Solutions: As healthcare systems become more interconnected, the need for encrypted data to be shared across different platforms while maintaining security is paramount. Innovations in interoperability and secure data exchange protocols are crucial for seamless, safe healthcare operations in the digital age.

Implementing E2E encryption in healthcare requires technological solutions, organizational commitment, staff training, and adherence to legal standards.

Looking forward, the integration of advanced technologies like blockchain and AI presents exciting possibilities for enhancing the security and efficiency of E2E encrypted systems, paving the way for a safer, more secure healthcare landscape.

Conclusion

End-to-end encryption is essential in protecting medical data. It keeps sensitive health information private and secure, helping patients trust the healthcare system. This encryption also ensures that healthcare providers follow all necessary regulations and laws.

Yet, as technology changes, so do the methods to protect medical data.

It’s important for healthcare data professionals to keep learning and adapting to new ways of securing the information.

In the future, new technologies will mean that we need to evolve to meet these new challenges, but for now, E2E Encryption is key to maintaining a safe, trustworthy healthcare system in our digital world.

Back

Terms of use

www.iCure.com

1. RECITALS

ICure SA is incorporated in Geneva, Switzerland, with a registered office at Rue de la Fontaine 7, 1211 Geneva, Switzerland registered in the commercial registry under CHE-270.492.477 (“iCure”).

These Terms of Use constitute a legally binding agreement made between you, whether personally or on behalf of an entity (“you”) and iCure SA (“we,” “us” or “our”), concerning your access to and use of the https://www.icure.com website as well as any other media form, media channel, mobile website or mobile application related, linked, or otherwise connected thereto (collectively, the “Website”).

When you accept, these Terms form a legally binding agreement between you and iCure. If you are entering into these Terms on behalf of an entity, such as your employer or the company you work for, you represent that you have the legal authority to bind that entity.

PLEASE READ THESE TERMS CAREFULLY. BY REGISTERING FOR, ACCESSING, BROWSING, AND/OR OTHERWISE USING THE iCURE, YOU ACKNOWLEDGE THAT YOU HAVE READ, UNDERSTOOD, AND AGREE TO BE BOUND BY THESE TERMS. IF YOU DO NOT AGREE TO BE BOUND BY THESE TERMS, DO NOT ACCESS, BROWSE, OR OTHERWISE USE THE ICURE WEBSITE.

iCure may, in its sole discretion, elect to suspend or terminate access to, or use of the iCure to anyone who violates these Terms.

All users who are minors in the jurisdiction in which they reside (generally under the age of 18) must have the permission of, and be directly supervised by, their parent or guardian to use the Website. If you are a minor, you must have your parent or guardian read and agree to these Terms of Use prior to you using the Website.

The original language of these Terms and Use is English. In case of other translations provided by iCure, the English version shall prevail.

2. INTELLECTUAL PROPERTY RIGHTS

The Content of the documentation stated on this Website is ours. All Marks, Content that concern iCure cannot be copied, reproduced, aggregated, republished, uploaded, posted, publicly displayed, encoded, translated, transmitted, distributed, sold, licensed, or otherwise exploited for any commercial purpose whatsoever, without our express prior written permission.

Provided that you are eligible to use the Website, you are granted a limited license to access and use the Website and to download or print a copy of any portion of the Content to which you have properly gained access solely for your personal, non-commercial use. We reserve all rights not expressly granted to you in and to the Website, the Content, and the Marks.

3. USER REPRESENTATIONS

By using the Website, you represent and warrant that:

  1. All registration information you submit will be true, accurate, current, and complete; you will maintain the accuracy of such information and promptly update such registration information as necessary.
  2. You have the legal capacity, and you agree to comply with these Terms of Use.
  3. You are not under the age of 13.
  4. Not a minor in the jurisdiction in which you reside, or if a minor, you have received parental permission to use the Website.
  5. You will not access the Website through automated or non-human means, whether through a bot, script, or otherwise.
  6. You will not use the Website for any illegal or unauthorized purpose.
  7. Your use of the Website will not violate any applicable law or regulation.

4. PROHIBITED ACTIVITIES

You may not access or use the Website for any purpose other than that for which we make the Website available. The Website may not be used in connection with any commercial endeavors except those that are specifically endorsed or approved between you and iCure.

As a user of the Website, you agree not to:

  1. Publishing any Website material in any other media.
  2. Selling, sublicensing, and or otherwise commercializing any Website material.
  3. Publicly performing and or showing any Website material.
  4. Using this Website in any way that is or may be damaging to this Website.
  5. Using this Website in any way that impacts user access to this Website.
  6. Using this Website contrary to applicable laws and regulations, or in any way may cause harm to the Website, or to any person or business entity.
  7. Engaging in any data mining, data harvesting, data extracting, or any other similar activity in relation to this Website.
  8. Using this Website to engage in any advertising or marketing.

5. NO WARRANTIES

This Website is provided “as is,” with all faults, and iCure expresses no representations or warranties, of any kind related to this Website or the materials contained on this Website. Also, nothing contained on this Website shall be interpreted as advising you.

6. LIMITATION OF LIABILITY

In no event shall iCure, nor any of its officers, directors, and employees shall be held liable for anything arising out of or in any way connected with your use of this Website whether such liability is under this agreement. iCure, including its officers, directors, and employees shall not be held liable for any indirect, consequential, or special liability arising out of or in any way related to your use of this Website.

7. INDEMNIFICATION

You hereby fully indemnify iCure from and against any and/or all liabilities, costs, demands, causes of action, damages, and expenses arising in any way related to your breach of any of the provisions of these Terms.

8. SEVERABILITY

If any provision of these Terms is found to be invalid under any applicable law, such provisions shall be deleted without affecting the remaining provisions herein.

9. VARIATION OF TERMS

iCure is permitted to revise these Terms at any time as it sees fit, and by using this Website you are expected to review these Terms on a regular basis.

10. ASSIGNMENT

iCure is allowed to assign, transfer, and subcontract its rights and/or obligations under these Terms without any notification. However, you are not allowed to assign, transfer, or subcontract any of your rights and/or obligations under these Terms.

11. ENTIRE AGREEMENT

These Terms constitute the entire agreement between iCure and you in relation to your use of this Website and supersede all prior agreements and understandings.

12. GOVERNING LAW & JURISDICTION

These Terms shall be governed by and construed in accordance with the laws of Switzerland, without regard to its conflict of law provisions.

The parties shall attempt to solve the matter amicably in mutual negotiations. In case of a non-amicable settlement that has been found between the parties, the Court of Geneva will be competent.

13. PRIVACY

Please refer to our Privacy Policy and Cookie Notice for the Data that we collected from the contact form and the Matomo cookie.

IMAGE ATTRIBUTION

In the development of our website, we have incorporated various icons to enhance visual appeal and convey information effectively. We extend our sincere appreciation to the talented designers and contributors who have generously shared their work with the community. Below is an acknowledgment of the resources we have utilized:

SVG Repo: A repository SVG icons. We integrated their icons into our website. Specifically:

  1. Work by author vmware, Key Badged SVG Vector under MIT License
  2. Work by author Twitter, Cloud SVG Vector under MIT License
  3. Work by author Garuda Technology, Node Js SVG Vector and React SVG Vector under MIT License

Thanks to the authors who contributed to the: SVGRepo, Unsplash, Maxipanels community.

iCure features logos from various products, libraries, technologies, and frameworks that our project interacts with. It is important to note that iCure does not hold any proprietary rights to these logos or the products they represent.

iCure SA

Contact: contact@icure.com

Last update: February 20th, 2024.

Information Security Policy

www.iCure.com

1. Introduction

The iCure universe is built on trust. Guaranteeing the confidentiality of the data that are entrusted to us is our highest priority.

The Information Security Policy of iCure abstracts the security concept that permeates every activity and abides by the ISO 27001:2013 requirements for Information Security, so that we ensure the security of the data that iCure and its clients manage.

Every employee, contractor, consultant, supplier and client of iCure is bound by our Information Security Policy.

2. Our Policy

iCure is committed to protecting the confidentiality, integrity and availability of the service it provides and the data it manages. iCure also considers protecting the privacy of its employees, partners, suppliers, clients and their customers as a fundamental security aspect.

iCure complies with all applicable laws and regulations regarding the protection of information assets and voluntarily commits itself to the provisions of the ISO 27001:2013.

3. Information Security Definitions

Confidentiality refers to iCure’s ability to protect information against disclosure. Attacks, such as network reconnaissance, database breaches or electronic eavesdropping or inadvertent information revealing through poor practices.

Integrity is about ensuring that information is not tampered with during or after submission. Data integrity can be compromised by accident or on purpose, by evading intrusion detection or changing file configurations to allow unwanted access.

Availability requires organizations to have up-and-running systems, networks, and applications to guarantee authorized users’ access to information without any interruption or waiting. The nature of data entrusted to us requires a higher-than-average availability.

Privacy is the right of individuals to control the collection, use, and disclosure of their personal information. Our privacy policies are based on the GDPR(https://gdpr-info.eu/) and can be augmented by added requirements of specific clients or law areas.

4. Risk Assessment

The main threats iCure is facing as a company are:

  1. Data Theft;
  2. Data Deletion;
  3. Denial of Service attacks;
  4. Malware;
  5. Blackmail and Extortion.

As providers of a solution used by developers active in Healthcare, we also have to anticipate the risks of:

  1. Attacks on our clients’ data, which could lead to major social damages and a loss of trust in our solution;
  2. Abuse of our solution by ill-intentioned clients, that could impact the quality of the service provided to the rest of our clients.

The motivation of the attackers in the latter cases can range from financial gain to political or ideological motivations.

A last risk is linked to the nature of the healthcare data we handle. We must ensure, that the data we handle are not used for purposes other than those for which they were collected:

A piece of data collected from a patient for the purpose of a medical consultation should not be available to third parties, not even a government agency.

5. Risk Management

The main principles we apply to manage the risks we face are:

  1. Confidentiality by design: All sensitive data is encrypted end-to-end before being stored in our databases. We do not have any access to the data we store. Our client’s customers are the only ones who can decrypt the data we store.
  2. Anonymization by design: Healthcare information that has to be stored unencrypted is always anonymized using end-to-end encryption scheme. This means that the link between the healthcare and administrative information must be encrypted.

Those two principles allow us to minimize the risks of data theft, blackmail, extortion, and coercion by government agency.

  1. Multiple real-time replicas, with automatic failover: We use a distributed database architecture to ensure that our data is available at all times. We use a master-master architecture, each data is replicated at least 3 times. Snapshots are taken every day to ensure that we can restore the data in case of a malevolent deletion event.
  2. Automatic password rotations: no single password can be used for more than 48 hours. Passwords are automatically rotated every 24 hours. In case of a password leak, we can limit the window of opportunity for an attack.

Those two principles allow us to minimise the risks of data deletion, denial of service attacks, and malware.

  1. Minimization of the attack surface: we deploy our systems in the most minimal way. We only expose the network services that are strictly necessary.
  2. Strict dependency management: we only use open-source software that is regularly updated and audited by the community. We favor dependency management software and providers that minimize the risk of supply chain poisoning.

Those two principles allow iCure to minimise the risks of intrusion by vulnerability exploit or supply chain attacks, two risks that could lead to data theft or data deletion.

6. Further Information

This policy is valid as of November 10th, 2022. For futher information please connect with us at privacy@icure.com

Impressum

iCure SA

Place de la Bourse-aux-Fleurs 2, Case postale 45, 1022 Chavannes-près-Renens, Switzerland

CHE-270.492.477

Website: https://icure.com/

Contact email: client@icure.com

Privacy request: privacy@icure.com

cookie

Deze website gebruikt cookies

We gebruiken slechts één cookie-applicatie voor intern onderzoek naar hoe we onze service voor alle gebruikers kunnen verbeteren. Het heet Matomo en slaat de informatie geanonimiseerd en voor beperkte tijd op in Europa. Voor meer details verwijzen we u naar onze Privacybeleid en .

Cookie Notice

www.iCure.com

1. Cookies basic information

Cookies are text files placed on your computer to collect standard Internet log information and visitor behavior information. When you visit our websites, we may collect information from you automatically through cookies or similar technology (for further information, visit allaboutcookies.org.)

You can set your browser not to accept cookies, and the above website tells you how to remove cookies from your browser. However, in a few cases, some of our website features may not function as a result.

2. Types of cookies

Types of cookies depending on the organisation managing them:

Own cookies: these cookies are sent to the user’s terminal from a computer or domain managed by the owner of the website from which the service requested by the user is provided.

Third-party cookies: these cookies are sent to the user’s terminal from a computer or domain not managed by the owner of the website from which the service requested by the user is provided, but by another organisation that processes the data obtained through the cookies. In addition, if the cookies are installed from a computer or domain managed by the Website owner but the information collected by them is managed by a third party, they will also be considered third-party cookies.

Types of cookies according to the length of time they remain active:

Session cookies: these cookies are designed to collect and store data when the user accesses a website. They are generally used to store information that only needs to be kept for the provision of the service requested by the user on a single occasion (for example, a list of products bought) and disappear when the user logs off or ends the session.

Persistent cookies: with these cookies, the data continue to be stored in the terminal and may be accessed and processed for a period defined by the person/entity responsible for the cookie, which may range from a few minutes to several years.

3. How and what cookies do we use

Strictly necessary/ functional cookies (these cookies are Mandatory): are essential to help you move around a website and use its features. They don’t collect information that identifies a visitor.

Analytical cookies (with your consent): collect information about how visitors use a website and help website owners improve site performance. They don’t collect information that identifies a visitor.

4. Cookies used on our website

Our web analytics open-source program, Matomo, uses two types of cookies for analyzing page usage: a session cookie ("MATOMO_SESSID") that lasts for 30 minutes and a persistent cookie ("_pk_id.xxx") that remains beyond the browsing session, allowing anonymous tracking of website usage for up to 13 months (without collecting personal information). Matomo temporarily stores user data, including IP addresses, on our server in anonymized form for evaluation before deletion. This data is solely used for our personnal analysis, with no sharing with third parties.

  • Host: Matomo
  • Cookie name: MATOMO_SESSID
  • Expiration: Session 30 min

  • Host: Matomo
  • Cookie name: _pk_id.xxx
  • Expiration: 13 months

For the purposes of analyzing website usage and to optimize its services. The legal basis for the use of Matomo is Article 6, 1 (a) of the GDPR (consent).

5. Users preference

The user can, at any time, allow, block or delete the cookies installed on his/her device by changing the settings on the browser installed on his/her computer:

  • Chrome Chrome Settings -> Advanced -> Privacy -> Content settings. For more information, consult Google support or your browser Help.
  • Explorer or Edge: Tools -> Internet options -> Privacy -> Settings. For more information, consult Microsoft support or your browser Help.
  • Firefox Firefox: Tools – > Options -> Privacy -> History -> Customised Settings. For more information, consult Mozilla support or your browser Help
  • Safari Safari Preferences -> Security. For more information, consult Apple support or your browser Help.
  • You will not access the Website through automated or non-human means, whether through a bot, script, or otherwise.
  • You will not use the Website for any illegal or unauthorized purpose.
  • Your use of the Website will not violate any applicable law or regulation.

6. Withdrawing consent

The user may withdraw his/her consent relating to the Cookies Policy at any time, and may delete the cookies stored on his/her device by adjusting his/her internet browser settings, as described above.

7. Cookie settings

This Cookies Policy may be modified when required by the legislation in force at any time or when there is a change in the type of cookies used on the website. For this reason, we recommend that you review this policy every time you access our website so that you are appropriately informed of how and why we use cookies.

8. Contact

Please contact us with any questions or comments about this Policy, your Personal Data, and our use and disclosure practices by email at privacy@icure.com

iCure SA

Contact: contact@icure.com

Last update: September 13th, 2023

Quality Policy

www.iCure.com

At iCure SA, we are committed to excellence in all aspects of our work. Our quality policy is designed to provide a framework for measuring and improving our performance within the QMS.

1. Purpose of the Organization

The purpose of the QMS is to ensure consistent quality in the design, development, production, installation, and delivery of Data processing, security, archival, technical support and protection solutions for medical device software, while ensuring we meet customer and regulatory requirements. The document applies to all documentation and activities within the QMS. Users of this document are members of the iCure Management Team involved in the processes covered by the scope.

2. Compliance and Effectiveness

We are committed to complying with all applicable regulatory and statutory requirements, including ISO 13485: 2016 and ISO 27001:2013. We strive to maintain and continually improve the effectiveness of our quality management system.

3. Quality Objectives

Our quality objectives are set within the framework of this policy and as defined by our Software Development Lifecycle and are reviewed regularly to ensure they align with our business goals. These objectives serve as benchmarks for measuring our performance and guide our decision-making processes.

4. Communication

We ensure that our quality policy is communicated and understood at all levels of the organization. We encourage every member of our team to uphold these standards in their daily work whether they are employees, contractors, consultants, suppliers, clients or any other person involved in building our medical data management software.

5. Continuing Suitability

We regularly review our quality policy to ensure it remains suitable for our organization. This includes considering new regulatory requirements, feedback from customers, and changes in our business environment. By adhering to this policy, we aim to enhance customer satisfaction, improve our performance, and contribute to the advancement of medical technology

iCure SA

Contact: contact@icure.com

Last update: April 17th, 2024