Balancing convenience and security
Medit’s main goal is to help healthcare professionals discover the best medical content quickly and to tap into the experience of their peers. To do this we must focus on making our users working life simpler and more productive. There are core pieces of data we need in order to deliver our service:
- We are a platform for healthcare professionals only so we ask our users to register and provide details on their profession, work email, etc.
- To filter the medical web for our users, curating content that matches their needs and interests, we ask our users what topics interest them
- To remove content you’ve already read, provide CME summaries, and to continuously personalise the experience to our users – providing content recommendations based on their activity within Medit and the activity of like minded peers – we track what you are reading
- We want to ensure that a user can access Medit on more than one device if they wish to – for example their smartphone and their tablet. As such, we need to have secure login processes and data exchange between devices.
Protecting your data
We have implemented appropriate technical security measures to protect the personal information that we have under our control from unauthorised access, use and disclosure and accidental loss. We only allow those who absolutely should and must have access to production servers, configurations, and details. We use key-based access to prevent brute-force attacks against our servers. We also use IP filters to prevent access to our servers from unknown locations.
Your personal data is never shared with any third party. In the cases that Medit provides trend reports to Medical Associations or other groups, these always consist of anonymised aggregated data. This is without exception.
Medit’s users’ passwords are always encrypted using secure password hashing algorithms such as bcrypt.
bcrypt is a password hashing function designed by Niels Provos and David Mazières, based on the Blowfish cipher, and presented at USENIX in 1999. Besides incorporating a salt to protect against rainbow table attacks, bcrypt is an adaptive function: over time, the iteration count can be increased to make it slower, so it remains resistant to brute-force search attacks even with increasing computation power.
Content is only delivered to users who have the proper rights/access i.e. Each request to the Medit API validates the user access permissions to ensure to ensure private content stays private.
Public, Private and Unlisted Content
With Medit, you’re in control of what you share with other Medit users and the wider community. You can:
- Make your profile private or public (visible to other Medit users)
- Allow Collections or Lists you create to be public (discoverable by others), private (only you can see them) or unlisted (only people who have a link to the content can view it)
Transparency is a cornerstone of the Medit experience. In such instances that content (articles, videos, event overviews, etc.) are sponsored/paid for by partners (Medical Associations, Schools, event organisers, Life Sciences firms, etc.), this is always transparently disclosed. You will see that the content is clearly labelled ‘sponsored by’ or ‘promoted by’. The positioning of this text and clarity of the language has been validated by healthcare professionals.
Medit Groups (private messaging ) & encryption
Groups are private and accessible only by Group administrators (including Medit staff as-needed) and Group members. People are invited to join a Group via unique, secure link to the Group. Group administrators have the ability to remove, or request the removal of any member from a Group.
We use encryption that is as strong as possible for all data transmitted between Medit users and the Medit service. The data is sent via a TLS (Transport Layer Security)-encrypted connection, using certificates and keys that are regenerated every 90 days.
Not only is all the content for Groups sent over TLS, but comments are encrypted for storage. Every single comment has its own salt (used to safeguard passwords in storage) too, preventing reverse engineering of the encryption key based on any individual messages.
Technical product security information
All of Medit’s code is reviewed with a Code Review(CR)/Pull Request(PR) process to help reduce the number of bugs introduced into production as well as help prevent nefarious code being introduced intentionally or by accident. We have an automated build and deployment pipeline to reduce/remove the need for potentially harmful manual changes to our environments.
All of our business logic code is stored in private repositories to prevent unauthorised access and any accidental leaking of sensitive code or configurations.
If you have general questions about the security of your account or data being used, you can contact [email protected]