Health data security matters. It matters to you. And it matters to us.

New UK standards of digital security can give you confidence that your health information is being handled properly at Mumo. Here is our latest white paper on security.

Mumo’s approach to security

Introduction

Mumo’s mission is to simplify people’s communications around their health: to put people’s relevant health information, tracking tools and communications in their pockets, so they can access the information they care about and share it with whom they choose. We want chronic health management to be easier – for people managing their health and for their loved ones who support them.

To do that we have to start with transparent security and governance policies that protect your data and ensure our security practices and how we handle and store your data are compliant. We have been working according to UK guidelines and review processes with the National Information Board, NHS England, NHS Digital, Guy’s and St. Thomas’ Foundation Trust in London, UK and Digital Health London.

Each user’s health data belongs to them. We are working to put users at the centre of their health management.

How we structure our organisation for security

Mumo is leading with the best standards to secure your health data and communications and to give you confidence in how we manage your data. Our security programme is compliant with the NHS Digital Security and Protection Assessment Toolkit so that users can attach NHS or other health numbers to patient and clinician user information and correspondence and be confident that it will be handled securely.

Personnel security

Our personnel practices apply to all members of the Mumo team.This includes both regular employees and independent contractors. Everyone in the Mumo team is required to understand and follow internal policies and standards.

All workers must agree to confidentiality terms, pass a background screening, and attend security training before gaining access to Mumoactive systems. Training covers privacy and security topics, including device security, acceptable use, preventing malware, physical security, data privacy, account management, and incident reporting.

All access to systems is removed immediately upon termination of work at Mumo.

Security and privacy training

All team members are required to complete an annual refresh of privacy and security training – they are required to acknowledge annually that they’ve read and will follow Mumo’s information security policies. Some engineers, operators and support personnel with extra access to systems or data, will receive additional job-specific training on privacy and security. Team members are required to report security and privacy issues to appropriate internal contacts. They are informed that failure to comply with acknowledged policies may result in consequences, up to and including termination.

Dedicated security roles

Mumo has defined roles and responsibilities for operating the various aspects of our Information Security Management System (ISMS). The responsibilities of each role are detailed in Mumo’s security documents.

The team executes responsibility for Mumo’s security program as follows:

●  Product Security

○  Establish secure development practices and standards
○  Ensure project-level security risk assessments
○  Provide design review and code review security services for detection and removal of common security flaws

○  Train developers on secure coding practices

●  Security Operations

• Build and operate security-critical infrastructure including Mumo’s public key
  infrastructure, event monitoring, and authentication services
• Maintain a secure archive of security-relevant logs
• Consult with operations personnel to ensure the secure configuration and
  maintenance of Mumoactive’s production environment
• Respond to alerts related to security events on Mumo systems
• Manage security incidents
  

● Risk and Compliance

○  Coordinate penetration testing
○  Manage vulnerability scanning and remediation
○  Coordinate regular risk assessments, and define and track risk treatment
○  Manage the security awareness program
○  Coordinate audit and maintain security certifications
○  Respond to customer inquiries
○  Review and qualify vendor security posture

Mumo’s Security Team has been active in the larger information security community to improve the overall state of the art of information security and to maintain their own expertise.

Policies and standards

Mumo maintains policies, standards, procedures and guidelines (“security documents”) that provide the Mumo team clear rules for operating the Mumo ISMS. Our security documents help ensure that Mumo users can rely on our team to behave ethically and for our service to operate securely.

Security documents include, but are not limited to:

• Fair, ethical, and legal standards of business conduct
• Acceptable uses of information systems
• Classification, labelling, and handling rules for all types of information assets
• Practices for worker identification, authentication, and authorisation for access to system data
• Secure development, acquisition, configuration, and maintenance
  of systems
• Workforce requirements for transitions, training, and compliance with ISMS policies
• Use of encryption
• Description, schedule, and requirements for retention of security records
• Planning for business continuity and disaster recovery
• Classification and management of security incidents
• Control of changes
• Regular use of security assessments such as risk assessments, audits,
  and penetration tests
• Use of service organisations
  

These policies are living documents: they are reviewed regularly and updated as needed. They are made available to all team members to whom they apply.

Compliance and data requests

The Mumo team has extensive expertise in data privacy and security. The team reviews products and features for compliance with applicable legal and regulatory requirements. Mumo’s business code of conduct makes legal, ethical and socially responsible choices and actions fundamental to our values.

The key applicable regulatory requirements are outlined by the NHS Digital Information Governance Toolkit and the National Information Board. Mumo is compliant to NHS Digital DSP Business Partner classification. Mumoactive has been added to the NHS app library and produced data sharing agreements and other supporting documents for Guy’s and St. Thomas’ Foundation Trust. The baseline for patient security on the patient pathway requires that any patient identifiable data in the UK NHS must have an NHS number attached to it. To attach NHS numbers requires DSP Business Partner Status. Mumo’s DSP Business Partner Compliance can be found here.

In addition to UK national security approvals, the Mumo team has worked with the Information Governance Team at Guy’s and St. Thomas’ Foundation Trust in London. We have a System Level Security Policy and Data Sharing Policy in place with GSTT. Supporting documents for compliance include the following:

• Access control policy
• Audit trail
• ISO 27001 certification of Mumo’s hosting service
• Backup and recovery policy
• Backup plan
• Business continuity policy
• Business continuity risk assessment and plan
• Disaster recovery plan
• End user access controls
• Incident policy
• Network security configuration
• Physical security policy
• Remote access policy

The Data Protection Act 1998 gives you the right to ask us for a copy of all the information we hold about you. You can find our Privacy Policy here.

Protecting user data

Mumo’s security program is designed to prevent unauthorised access to user data. We take exhaustive steps to identify and mitigate risk, implement best practices, and constantly evaluate ways to improve.

Data encryption in transit and at rest

Mumo transmits data over public networks using strong encryption. This includes data transmitted between Mumo clients and the Mumo service. Mumo supports the latest recommended secure cipher suites to encrypt all traffic in transit. Transit from device to database: over TLS 1.2 using RSA 2048-bit key defaulting to minimum AES-256. Transit from web client and mobile clients to database: over TLS 1.2 using RSA 2048-bit key defaulting to minimum AES-256. TLS certificates are supplied by reputable certificate providers. Mumo monitors the changing cryptographic landscape and upgrades the cipher suite choices as the landscape changes, while also balancing the need for compatibility with older clients.

All data stored in Mumo application databases are encrypted to at least AES-256. This applies to all types of data at rest within Mumo systems—relational databases, file stores, database backups, etc.

The Mumo service is hosted in data centres maintained by industry-leading service providers. Data centre providers offer state-of-the-art physical protection for the servers and related infrastructure that comprise the operating environment for the Mumo service. These service providers are responsible for restricting physical access to authorised personnel to Mumo’s systems.

All data is hosted on Mumo’s servers, which are based in England. Security arrangements are detailed in the Mumo Cryptography Policy and the Network Security Configuration document.

Mumo uses a combination of storage technologies to ensure customer data is protected from hardware failures and returns quickly when requested.

Network security

Mumo divides its systems into separate networks to better protect more sensitive data. Systems supporting testing and development activities are hosted in a separate network from systems supporting Mumo’s production systems. Customer data submitted into the Mumo services is only permitted to exist in Mumo’s production network, its most tightly controlled network. Administrative access to systems within the production network is limited to those engineers with a specific business need.

Network access to Mumo’s production environment from open, public networks (the internet) is restricted. Only a small number of production servers are accessible from the internet. Only those network protocols essential for delivery of Mumo’s service to its users are open at Mumo’s perimeter. Mumo deploys mitigations against distributed denial of service (DDoS) attacks at its network perimeter. Changes to Mumo’s production network configuration are restricted to authorised personnel.

Classifying and inventorying data

To better protect the data in our care, Mumo classifies data into different levels and specifies the labelling and handling requirements for each of those classes. Mumo’s ISMS considers data classifications in its encryption standards, its access control and authorisation procedures, and incident response standards, among other security documents. User data – and in particular, patient identifiable data like health or insurance numbers, or clinic host identifiable data – is classified at the highest level.

Data classifications are maintained as part of the asset management process. Mumo inventories hardware, software and data assets annually to maintain correct data classification levels. Mumo restricts the flow of data to ensure that only appropriately classified systems may contain user data.

Authorising access

To minimise the risk of data exposure, Mumo adheres to the principle of least privilege—team members are only authorised to access data that they reasonably must handle in order to fulfil their current job responsibilities. To ensure that team members are so restricted, Mumo employs the following measures:

• All systems used at Mumo require users to be approved by the Information Security Officer
• Each user’s access is reviewed at least quarterly to ensure the access granted is still appropriate for the user’s current job responsibilities
  

Team members may be granted access to a small number of internal systems, such as the corporate Mumo instance, by default upon hire. Requests for additional access follow a documented process and are approved by the ISO.

System monitoring, logging, and alerting

Mumo monitors servers to retain and analyse a comprehensive view of the security state of its corporate and production infrastructure. Administrative access, use of privileged commands, and system calls on all servers in Mumo’s production network are logged.

Mumo’s Security Team collects and stores production logs for analysis. Logs are stored in a separate network. Access to this network is restricted to members of the Security Team. Logs are protected from modification. Analysis of logs is automated to the extent practical to detect potential issues and alert responsible personnel. Alerts are examined and resolved based on documented priorities.

Endpoint monitoring

Mumo workstations run a variety of monitoring tools that may detect suspicious code or unsafe configurations or user behaviour. Mumo’s Security Team monitors workstation alerts and ensures significant issues are resolved in a timely fashion.

Responding to security incidents

Mumo has established policies and procedures (also known as runbooks) for responding to potential security incidents. All incidents are managed by Mumo’s Computer Security Incident Response Team. Mumo defines the types of events that must be managed via the incident response process. Incidents are classified by severity. Incident response procedures are tested and updated at least annually.

Data and media disposal

Mumo defines policies and standards requiring media be properly sanitised once it is no longer in use. Mumo’s hosting provider is responsible for ensuring removal of data from disks allocated to Mumo’s use before they are repurposed.

Protecting secrets

Mumo has implemented best-practice safeguards to protect the creation, storage, retrieval, and destruction of secrets such as encryption keys and service account credentials.

Workstation security

All workstations issued to workers are configured by Mumoactive to comply with our standards for security. These standards require all workstations to be properly configured, kept updated, run monitoring software, and be tracked by Mumo’s endpoint management solution. Mumo’s default configuration sets up workstations to encrypt data, have strong passwords, and lock when idle. Workstations run up-to-date monitoring software to report potential malware and unauthorised software and mobile storage devices.

Controlling system operations and continuous deployment

We take a variety of steps to combat the introduction of malicious or erroneous code to our operating environment and protect against unauthorised access.

Controlling change

To minimise the risk of data exposure, Mumo controls changes, especially changes to production systems, very carefully. Mumo applies change control requirements to systems that store data at higher levels of sensitivity. These requirements are designed to ensure that changes potentially impacting Customer Data are documented, tested, and approved before deployment.

Prevention and detection of malicious code

In addition to general change control procedures that apply to our systems, Mumo’s production network is subject to additional safeguards against malware.

Server hardening

New servers deployed to production are hardened by disabling unneeded and potentially insecure services, removing default passwords, and applying Mumo’s custom configuration settings to each server before use.

3rd party suppliers

Mumo relies on industry-leading third-party organisations for data hosting. Where those organisations may impact Mumo’s environment security, Mumo takes appropriate steps to maintain its security posture. Mumo establishes agreements requiring that service organisations adhere to confidentiality commitments Mumo has made to its users. Mumo reviews these agreements annually.

Conclusion

Security and governance standards are the foundation for any effective digital ecosystem in health. Rendering those standards transparent and implementing them in the Mumo environment is crucial for giving users confidence about the way in which their data is handled and used. Safeguarding this data is a critical responsibility we have to our users and we are helping push national standards for security and governance to establish a transparent set of safeguarding rules that can be applied across any digital ecosystem in health.