Cloud Security White Paper

Securing Jane data has always been one of our top priorities, and so our cloud security white paper outlines Jane's approach to security and the organizational and technical controls we have in place to protect your data.

We've broken down our cloud security white paper into three different safeguards:

  • Administrative: Controls we have in place to secure Jane on a human-level.
  • Technical: Technologies implemented to help secure Jane data.
  • Physical: How Jane protects the physical devices that our team uses.

Administrative Safeguards

Regulatory Compliance

Jane complies with applicable legal and regulatory requirements as well as best practices. This includes Jane's compliance with all Canadian privacy laws, GDPR, HIPAA, and Standard Codes of Practice across multiple health professions.

PCI compliant

Jane never stores or processes credit card information. Card payments are handled through an optional integration with Stripe or Payfirma, both of which are PCI compliant. Additional information can be found here: Is Jane PCI-Compliant?

Security Culture

At Jane, we implement regular security training. The training that we provide is developed by our very own Security and Privacy Team, which covers our information security policies, security best practices, and privacy principles.

Dedicated Team

We have a dedicated Security and Privacy Team that regularly reviews our policies, updates training, and ensures that Jane is one of the top EMR companies to secure data.

Confidentiality

Jane employees sign a confidentiality agreement upon hire. We also have a strict policy that we only access your account when you request assistance from us. Furthermore, chart access is only visible to our senior managers. In either case, all access is logged.

Background Check

All Jane employees complete a strict background check prior to employment.

Recovery Plan

Jane maintains a Disaster Recovery Plan, which is regularly reviewed and updated by our Security and Privacy Team.

Incident Response Program

Jane maintains an incident response program that defines the conditions and procedures we have in place to assess any relevant vulnerabilities or security incidents and establishes remediation and mitigation actions for all events.

Privacy Breach Policy

We follow the BC Privacy Commissioner's 4 Step Privacy Breach Response Protocol. The documentation can be found here: Privacy Breach Policy

Technical Safeguards

Data Security

Data Backups

We use redundant database servers for high availability, and we perform database snapshots daily, supplemented by transaction logs to enable point-in-time recovery to within 10 minutes. In addition, we perform nightly backups, and the backup files are stored using AWS redundancy across multiple availability zones to enable offsite backups. All backups are encrypted in transit and at rest.

Data Defense

Our servers are equipped with intrusion detection and prevention systems, and our application sits behind a web application firewall. We also block IP addresses that exhibit excessive suspicious behavior.

Data Deletion

When it comes to deleting data, we do so in a way that does not allow for reconstruction by using NIST 800-88 guidelines to destroy data.

Database Storage

All Jane accounts are individually stored within their own database schema so that each account's data is properly isolated.

Encryption at Rest

We encrypt all volumes where customer data is stored, including backups. Data is encrypted using our own AES-256 encryption keys.

Encryption in Transit

All data in transit, that is, data travelling between Jane's servers and your browser, or between Jane's servers and any service providers, is encrypted. The default level of encryption and authentication to Jane's servers is TLS 1.2, ECDHE_RSA with P-256, and AES_128_GCM.

Server Monitoring

Jane has continuous and automated monitoring to alert us to any unusual activity. We also scan our application and infrastructure so that we have complete awareness of any potential vulnerabilities, incidents, and threats.

Application Security

Account Ownership

As per terms of use, all Jane data is owned by the Account Owner. In addition, the Account Owner controls and configures all staff permissions and access levels. View our staff access level feature here: Staff Access Levels

Account Security

Jane secures your credentials by using leading industry standards to salt and hash them before they are stored. We also have additional documentation on our security features found here: Security Features

Activity Log Feature

The Account Owner has access to the Activity Log that gives them a detailed breakdown of all Staff activity. This can be filtered by date range, staff member, and the type of data that they access.

Data Protection

Jane will continue to secure and protect your data so long as you have a Jane account and unless instructed otherwise by the Account Owner. If the Account Owner decides to close their Jane account, we can export your data, free of charge, or we can place the account on hold at a lesser fee.

Development Lifecycle

Jane developers follow a strict policy to ensure that Jane features and updates are secure by design, in development, and after deployment. Jane releases weekly (or sometimes more frequent) updates that are heavily tested by our QA Team before deployment. All updates are completed without downtime.

Email Encryption

While the normal email protocol doesn't allow for encrypting emails, some email vendors support encrypted emails between Jane's email provider and their email servers. Jane's emails are therefore encrypted whenever that is supported (this is called opportunistic encryption). Support messages sent from within the application are also encrypted.

Telehealth Encryption

Our Telehealth feature, called Online Appointments, is built directly into Jane (we don't use a third party) and it uses end-to-end encryption for all our 1-on-1 virtual appointments. We also do not allow for recordings or data storage of the session, so this ensures complete security of these calls.

Third-Party Integration

Jane's optional third-party services are assessed thoroughly before implementation to ensure that they meet our security requirements. No medical data or patient health information is sent to our third-party services. View our optional third-party integrations here: Jane's Integrations

Physical Safeguards

Infrastructure Security

Jane's physical infrastructure is hosted and managed within Amazon's secure data centers. Amazon Web Services complies with leading security policies and frameworks, including ISO 27001, SOC 1 and SOC 2. Jane uses AWS regions based in Canada (Montreal), USA (Oregon), UK (London), and Australia (Sydney). Accounts are automatically created in the matching country's AWS region, with all EU data stored in the UK region. If there is no matching region, the account will be created in the Canadian region.

Infrastructure Resiliency

AWS's infrastructure gives Jane access to multi-site resiliency; each AWS region is comprised of multiple "Availability Zones", which are essentially standalone (and geographically separated) data centers. If there is an incident at a single data center, Jane will nearly instantly switch to using a different data center within that region.

Workstation Security

All devices that are provided to Jane Team Members are encrypted, configured, and managed by Jane to ensure that all devices are secure and operating systems are up to date.

Workstation Use

All Jane-issued devices also have anti-malware installed automatically, and we disable all USB connections to prevent malicious attacks.