Cupris Data security

Cupris takes information governance and the security of patient data extremely seriously. 
It is at the heart of everything that we do. 

Security Standards

Cupris is compliant with all relevant information governance and data protection standards:

UK-based N3 approved servers

  • We use UK-based data servers
  • Supplied by a company that is approved to provide N3-connected services
Write here...
 

End to end encryption

  • AES 256 encryption is a standard required by NHS Digital

  • All data is AES 256 encrypted on a user’s phone and on our UK-based servers

  • SSL 2048 bit encryption is used on data transit so that no one can carry out a ‘man in the middle’ attack

  • Messages can only be decrypted by the intended recipient and is also AES 256 encrypted on their phone

  • Uses origin tracking technology – a unique token is issued each time a user communicates with our servers that logs their IP address and phone ID, even if someone intercepts this token they will be blocked as their IP address and phone ID will not match

Triple-layer user authentication

  • In addition to a user’s PIN protection on their phone, users must sign in to Cupris with a secure username and password as well as setting a separate PIN to unlock the Cupris app
  • Even if the user loses their phone or someone else picks it up, they will not be able to access data stored on the Cupris app
authentication2.png
time out2.png

Time-out

Mimicking banking security protocols, a user needs to re-enter their PIN if the app isn’t used for a set period of time or after they leave the app

Data not stored in native phone gallery

  • No data is stored on the phone’s native gallery or any public area of the file storage system

  • This means that you will not find confidential patient information appearing amongst your personal images / videos

phone gallery storage2.png
audit2.png

Management audit and oversight

  • Management can have oversight of who is using Cupris and how they are using it

  • A full audit history is securely stored

  • Invaluable for any freedom of information acts that might arise

Full audit trail

  • Know when a message has been sent, delivered and read

  • This audit trail can be exported and added to the patient record if required

Notification

Hidden notifications


To prevent someone inadvertently seeing confidential patient data appearing on a user notification, the notifications don’t contain these details. Users will see “you have received a message” and will have to enter the pin to open the message.

Already used in the NHS

  • Cupris is used in Medway NHS Foundation Trust and multiple other NHS organisations

EMR integration

  • Cupris is integrated with EMIS and is integrating with other widely used EMRs

CQC-registered

Cupris is CQC-registered to provide the following regulated activities: 

  • Diagnostic and screening procedures

  • Transport services, triage and medical advice provided remotely

  • Treatment of disease, disorder or injury

Sounds Good, but why not just use whatsapp?

Using WhatsApp to share patient-identifiable information is insecure.  A data-breach because of its use in a healthcare setting is inevitable.

The legal framework detailed in the NHS Act 2006, the Health and Social Care Act 2012, the Data Protection Act, and the Human Rights Act, works to preserve the confidentiality of patient data.  Using WhatsApp to share patient information does not comply with these laws for the following reasons:

  • Data is not stored on UK-based, N3 approved servers
  • WhatsApp data is not encrypted on the user’s phone
  • No PIN / login required to open WhatsApp so anyone with access to the phone can access your WhatsApp data
  • By default, all media shared on WhatsApp is saved to your native phone gallery, mixing patient images with a user’s personal photos. Family and friends could inadvertently access confidential patient information if sharing is enabled (a common situation)
  • Users who automatically back up their photos will then be storing patient information on non-compliant cloud storage services like Dropbox
  • Even if you switch off WhatsApp backing up photos on your phone, you have no way of knowing whether the person you’re sharing data with has done the same. This data could be accessed by unauthorised third parties or backed up to unauthorised cloud services
  • WhatsApp enables the automatic back-up of unencrypted conversations to the cloud
  • No management oversight or ability to carry out audits. Cannot extract usage data for freedom of information requests.