
Security & Compliance

Spread the good news: UpHill is now ISO 27001 certified by BSI

UpHill is built on a culture of security that meets the demands of the healthcare industry. Today we are delighted to share news that reaffirms our commitment to the highest standards of security and trust in our products and services: UpHill is now certified against ISO/IEC 27001:2022 by the British Standards Institution (BSI).

Duarte Sequeira

September 11, 2023 · 3 min read

In the digital age, where healthcare information is stored electronically and medical devices become smarter by the day, ensuring the security and privacy of patient data is paramount. Cyber threats have been rising relentlessly, and the numbers show the scale of the problem. According to a Norton report [1]:
  • Global cybercrime costs are expected to reach $10.5 trillion annually by 2025;
  • In 2020, the FBI received more than 2,000 internet crime complaints per day;
  • The healthcare industry is expected to spend $125 billion on cybersecurity between 2020 and 2025.
The healthcare industry has become a prime target for cybercriminals. These attacks are motivated both by the value of medical data on the black market and by the leverage that comes from disrupting critical healthcare services:
  • "HCA Healthcare says hackers stole data on 11 million patients" [2]
  • "Madeira Health Service: cyberattack leaves users without appointments and exams" [3]
  • "Hospital Clínic suffered a 'sophisticated' external cyberattack and is unable to use the IT system" [4]
  • "Hospitals: France faces a cyber storm" [5]
  • "More than a million NHS patients' details compromised after cyberattack" [6]
This is only a sample of the attacks that have made the news this year. The phenomenon knows no borders: not even the most developed health systems have escaped unharmed, and it calls for increasingly robust security requirements on every supplier that handles patient data.
Today we are proud to announce a significant step in our journey to establishing security as a core value. We are now certified against ISO/IEC 27001:2022, reinforcing our commitment to protecting healthcare information with the utmost care and diligence.

Back to basics: what is ISO 27001 certification?

ISO/IEC 27001 is an internationally recognized standard for Information Security Management Systems (ISMS). Rather than prescribing a fixed set of technologies, it requires an organization to identify its information assets, assess the risks to their confidentiality, integrity, and availability, select and operate controls that treat those risks, and keep the whole system under review. The controls in its Annex A, detailed in the companion guidance standard ISO/IEC 27002, address organizational, people, physical and technological aspects of security.
UpHill continuously monitors its overall security posture: more than 200 distinct technical checks run against our assets, each mapped to the requirements of ISO/IEC 27001 and to the controls of ISO/IEC 27002, so that a failing check can be traced back to the control and the risk it covers.

What does it mean to be certified under the 27001:2022 version of the standard?

One of the aspects that sets UpHill's certification apart is that it was achieved against the latest edition of the standard, ISO/IEC 27001:2022, published in October 2022. This is a major revision: the previous edition dates from 2013 (the 2017 European adoption only incorporated two technical corrigenda and made no substantive change). Organizations certified against the 2013 edition must transition to the 2022 edition by 31 October 2025, after which 2013 certificates are no longer valid.
ISO/IEC 27001:2022 aligns its Annex A with ISO/IEC 27002:2022, which reorganizes the 114 controls of the 2013 edition into 93 controls grouped into four themes (organizational, people, physical and technological) and adds 11 controls that reflect the current threat landscape: threat intelligence, information security for the use of cloud services, ICT readiness for business continuity, physical security monitoring, configuration management, information deletion, data masking, data leakage prevention, monitoring activities, web filtering, and secure coding. Being certified against the 2022 edition means these controls, several of which address the very attack paths seen in the incidents listed above, were in scope of the audit from the outset rather than deferred to a later transition.

Who audited and certified UpHill?

Over the past months, UpHill underwent a meticulous and structured external audit covering, among other areas, information systems, data protection, security software, authentication and access control, risk assessment and treatment, security policies, and software development practices. The successful completion of this audit underscores our dedication to the highest international standards of information security.
The audit was conducted by the British Standards Institution (BSI), the body that published BS 7799, the British standard from which ISO/IEC 27001 was developed. BSI Group supports 84,000 clients in 193 countries worldwide and is the certification body of choice for many renowned companies.

Benefits of choosing UpHill as a tech partner

Being ISO 27001 certified is independent evidence that UpHill prioritizes and manages data security. Concretely, it means:
  • Your patients' data is protected by controls that have been audited by an accredited third party against an international standard;
  • We identify, assess and treat risks and vulnerabilities through a documented risk-management process, with routine internal and external audits and regular updates of our security policies and procedures;
  • Operating a certified ISMS raises our compliance maturity with other regulations, such as the GDPR in Europe, whose Article 32 requires appropriate technical and organisational measures proportionate to the risk;
  • We have an internal culture of security: our team is educated about the importance of cybersecurity and trained to recognize and respond to potential threats.
Finally, a message of commitment and appreciation to all healthcare institutions – from hospitals to primary care units – and health professionals that have trusted us and continue to grow with us. We will keep working relentlessly so you all can be at your best.

References

  1. Stouffer, C. (2022, September 1). 115 cybersecurity statistics + trends to know in 2023. Norton. Retrieved September 11, 2023, from https://us.norton.com/blog/emerging-threats/cybersecurity-statistics
  2. Ivanova, I. (2023, July 11). HCA Healthcare says hackers stole data on 11 million patients. CBS News. Retrieved September 11, 2023, from https://www.cbsnews.com/news/hca-healthcare-data-breach-hack-11-million-patients-affected/
  3. Caires, M. (2023, August 7). Serviço de Saúde da Madeira: Ataque informático deixa utentes sem consultas e sem exames [Madeira Health Service: Cyberattack leaves users without appointments and exams]. Expresso. Retrieved September 11, 2023, from https://expresso.pt/sociedade/2023-08-07-Servico-de-Saude-da-Madeira-ataque-informatico-deixa-utentes-sem-consultas-e-sem-exames-e0cee143
  4. Tovar, A. L. (2023, March 6). El hospital Clínic sufrió un ciberataque exterior "sofisticado" y no puede usar el sistema informático [Hospital Clínic suffered a "sophisticated" external cyberattack and cannot use its IT system]. La Vanguardia. Retrieved September 11, 2023, from https://www.lavanguardia.com/vida/20230306/8803304/hospital-clinic-ciberataque-barcelona.html
  5. Lebon, P., Durand, A., & Laurent, B. (2023, January 9). Hôpitaux : La France traverse une véritable tempête cyber [Hospitals: France is going through a veritable cyber storm]. La Tribune. Retrieved September 11, 2023, from https://www.latribune.fr/opinions/tribunes/hopitaux-la-france-traverse-une-veritable-tempete-cyber-947101.html
  6. Thomas, R. (2023, June 29). More than a million NHS patients' details compromised after cyberattack. The Independent. Retrieved September 11, 2023, from https://www.independent.co.uk/news/health/nhs-patient-data-attack-b2364202.html

Duarte Sequeira

COO & Co-founder

Duarte holds an integrated Master's degree in Medicine; his dissertation covered medical informatics and management and gave rise to the first pilot version of the UpHill Simulate software. He also holds a postgraduate degree in Information Management and Business Intelligence in Healthcare. His professional career has focused on digital health, managing several Health IT projects with a focus on interoperability and business intelligence, including a multi-year collaboration with the Shared Services of the Ministry of Health, EPE. He is an invited assistant at the University of Beira Interior and is currently a PhD student in Information Science and Technology.
