Is the CuresDev platform secure and compliant?
Answers to common questions from IRBs / Ethics committees on use of Prevalence Dashboard
Here is a series of FAQs on the privacy and compliance of CuresDev Platform specifically for the purposes of using the Prevalence Counting dashboard. Please comment if you have other questions or clarifications you want me to include here:
TL;DR CuresDev is *not* a data bank / repository. You are providing tokenized de-identified data, under a contract, for us to process your data and display patient counts in the dashboard. We don’t have the rights to share or sell your tokenized data. CuresDev only has rights to the aggregated data and statistics.
How does the CuresDev Prevalence Dashboard work?
What data is used by CuresDev platform?
CuresDev operates on de-identified information about patients from your databases. We have built an open source de-identification process called Tokenization that converts Name, Date-of-Birth, Gender and many other identifiers into irreversible and encrypted tokens. As a data owner, you will de-identify patient information into tokens using our software and transmit only the tokens to CuresDev.
Are we sending Personal Information (PII) with CuresDev?
NO. CuresDev never transmits, handles or stores raw Personally Identifiable Information (PII). You will convert the PII data into tokens and only transmit the tokens to CuresDev. You can use CuresDev’s web application to generate the tokens by uploading a CSV/Excel file.
Are the tokens secure?
Tokens generated by CuresDev are irreversible, de-identified and encrypted. We use algorithms such as Hashing and Differential Privacy to ensure the tokens cannot be reversed back to the personal information. We also encrypt your tokens so they are always safe with us.
Who owns the tokens stored by CuresDev?
You own your tokenized data, always. We will sign a contract with your institution formalizing this expectation.
Can we delete our tokens from CuresDev platform?
Yes. At any point, you can ask us to delete your tokenized data or terminate the contract. We will also automatically delete your tokenized data at the end of the contract term, if not renewed.
Will CuresDev sell our tokenized data?
No. CuresDev does not have the rights to sell your tokenized data.
Will CuresDev share our tokenized data with anyone else?
NO. Your tokenized data is yours.
As a customer of CuresDev, will I have access to tokens that others have shared?
NO. Each customer will have access to only the tokenized data they had provided. Everyone will have access to the aggregated prevalence counts displayed on the dashboard.
How does CuresDev make money?
Our goal is to make money when data silos are broken. We don’t yet have a clear path to monetization as outlined in our Roadmap to CuresDev 1.0. We are currently funded through Grants and are exploring several potential business models.
Will our consent language allow me to use the CuresDev platform?
It depends, but usually, yes. If your consent has the ability to share de-identified data, you should be able to use the CuresDev platform.
Do we need to re-consent patients to use CuresDev platform?
It depends on the consent language originally used. Typically, if your consent allows you to share de-identified data, you should be able to use the CuresDev platform. Data owners following the GDPR privacy policies might have to re-consent patients depending on how the original privacy policies and consent languages are drafted. Consult your IRB / Ethics committee / Data Privacy Officers for final evaluation.
Should we be storing any information in our databases?
No. To use the Prevalence Dashboard, you don’t have to store any information in your database.
Should we be installing CuresDev software?
No. You will simply log-onto CuresDev website on a web browser and upload a CSV containing patient information. CuresDev website will tokenize your data on your web browser without patient information ever leaving your computer. Only the tokens will be uploaded to CuresDev to power the Prevalence Dashboard.
Can CuresDev platform be used globally?
Yes. We built the platform ground-up to comply with privacy laws of most countries including HIPAA and GDPR.
Can CuresDev accommodate country-specific data residency requirements?
Yes. The main CuresDev platform is hosted in the United States. Because of the tokenization technology, your raw personally identifiable information never leaves your country. If you want us to store the tokens within the country of your choice, we can also accommodate that. Please contact us to talk more.
What security practices are used by CuresDev?
CuresDev utilizes the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) to develop and benchmark our cybersecurity program. The controls, process, and policies we implement will align to NIST 800-171 and thus, several organization chosen regulatory and compliance frameworks including SOC 2, ISO27001, HIPAA, GDPR, and the California Consumer Privacy Act (CCPA). Some of the controls include, but not limited to:
Access Control: We manage access with the use of unique credentials with strong authentication that uses multiple factors (MFA).
Encryption: We protect sensitive data by enforcing encryption for all data in transit and at rest (backups included). Keys will rotated on a regular basis
Availability: We protect the availability of our code, data, and configurations with frequent backups to support business continuity and ransomware protection
Endpoint Security: We protect our devices and systems with a combination of endpoint security, firewalls, change control procedures
Vulnerability Management: We protect against exploited vulnerabilities by enforcing OS updates on a regular basis. Devices, infrastructure, and code are scanned to detect unresolved vulnerabilities
Training: We annually perform training based for CuresDev staff that’s specific to their roles. Securing training for developers and phishing simulations for all