SECURITY & PRIVACY

The privacy and security of your personal information and of your patients’ personal information is our highest priority. The following security page describes the features we have in our product as well as the organizational policies Brainlab has in place to ensure the confidentiality of your personal information as well as all Protected Health Information (PHI) of your patients.
Quentry receives Grade A rating from Intel® McAfee security assessment
Sensitive patient data should remain secure and not fall into the wrong hands. That is why we have gone to great lengths to ensure a high level of security is built into Quentry, to minimize the threat from outside risks. A recent security assessment conducted by Intel® McAfee evaluated exposure to known security vulnerabilities to determine the extent to which these services are susceptible to an attack or penetration from the Internet. The test concluded that Quentry is subject to a low risk of attack and received a Grade A (highly secure) rating!

See Affirmation Letter from Intel for more details.

EuroPriSe Seal

Quentry received the EuroPriSe Data Privacy Seal on April 6, 2016, being the first cloud-based medical service in Europe to obtain this certification. With the increasing number of worldwide data security breaches, it is vital to protect patient and user data in Quentry. The seal certifies that Quentry is compliant with EU data protection directives.

A Short Public report that describes the results of the evaluation is available on the EuroPriSe website.

EuroPriSe Certification

EuroPriSe certification process addressed regulations on privacy and data security for all European states. Quentry underwent this robust audit, which improved upon and validated the platform’s technical and organizational measures and multilayered encryption technology embedded in the architecture.

A thorough technical and organizational review by EuroPriSe concluded the following:
  • Sensitive data is safeguarded through advanced encryption and access control technologies
  • Data uploaded and stored in Quentry can only be accessed and viewed by authorized individuals
  • Users are obliged to confirm identity of other users before sensitive patient data is shared
  • User data is collected and processed for registration and authorization purposes only

HIPAA Compliance

Brainlab is committed to comply with applicable rules and regulations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), as amended by the Health Information Technology for Economic and Clinical Health Act (HITECH) through the implementation of stringent privacy and security policies and procedures. Brainlab has defined the following roles and responsibilities and has measures in place to meet or exceed HIPAA compliance.

HIPAA Roles and Responsibilities

Brainlab employs a HIPAA/Chief Privacy Officer who is responsible for compliance with HIPAA/HITECH rules as well as Federal, and State laws relevant to privacy and compliance.

Brainlab also has dedicated HIPAA responsible personnel for individual products. It’s their responsibility to coordinate compliance with the HIPAA Security Rule, to fully understand how it applies to their product, to oversee the enforcement of patient privacy rights for the complete product lifecycle, and to receive and respond to complaints of alleged non-compliance with HIPAA.

Brainlab trains all employees on HIPAA and Data Privacy Protection as well as dictates guidelines for handling personal data as per HIPAA.

Data Protection and Privacy

Quentry, a Brainlab cloud-based service for image sharing and collaboration, is designed to protect all its data from security breaches and malicious attacks. The sophisticated security measures and architecture implemented for Quentry when working with PHI under HIPAA are carefully and responsibly in accordance with the provisions of HIPAA and are designed in accordance with European Union Data Protection Directives.
  • User access to patient data in Quentry is audited. Audit logs are accessible to the data owner.
  • Patient data for US customers is processed and stored only on servers located within the US.
  • Patient data for European customers is processed and stored only on servers located within the EU.

User access rights

Images, attached documents and comments are only viewable by the individual user and those contacts which have been granted access to the specific patient folder. Quentry users are able to define specific data handling permissions for each contact with whom they share patient data. Users define permissions for tasks including viewing, downloading and uploading additional medical data.

Password Security

Quentry user passwords must be a minimum of 8 alphanumeric characters, contain a mix of upper-case and lower-case letters, at least one numeral, and are case sensitive.

Encryption

SSL
Quentry encrypts patient data during upload and download, as well as throughout the entire storage period. Quentry employs the SSL/TLS data transmission protocol. The supported protocol versions and signature algorithms are frequently monitored and tested. Client handshakes with insecure or deprecated protocol versions are blocked by the Quentry platform. All files stored within Quentry are encrypted using the AES symmetric-key encryption standard with a 256-bit key. The underlying Quentry.com certificate is issued by GlobalSign.

Session and Data Transfer Security

Users access data stored in Quentry through the quentry.com web portal or Quentry-connected applications using a combination of encoded session keys and SSL/TLS encryption protocols.
  • All Quentry web pages and web services, and all components communicating with the Quentry secured cloud platform must connect over an HTTPS encrypted connection and must have a valid session token.
  • Upon logging in, a user session is created. User sessions remain active until the user logs out, but are also subject to a timeout period.

De-identified Patient Data

Quentry offers the option to upload and share de-identified patient information by choosing an "Anonymization" option when uploading data. When this option is selected, users are reminded to remove visible patient information from the DICOM dataset before uploading.

Individual and Group Privacy Settings

Quentry is a password-protected platform, which prohibits profile and group information to appear on Internet search engines. Users and groups may choose to prevent their contact information from being visible to other Quentry users.

Secure Data Centers

Quentry stores all user-generated data on servers that are located in secured facilities with 24/7/365 surveillance. Quentry utilizes data centers which are ISO 27001, SOC 1/SSAE 16/ISAE 3402 (formerly SAS70), and FISMA certified and accredited.

Data Storage

Quentry file data is stored within Amazon Web Services AWS (S3), a robust storage service designed for 99.999999999% durability.
  • Quentry user credentials, account data, and patient data are stored separately for increased security.
  • Advanced key management and access control systems ensure that Quentry patient data is accessible only to users who own the data or have been explicitly granted access rights by the data owner.
  • All patient data for registered users in the United States are stored only on servers located within the US, and all patient data for registered users in Europe are stored only on servers located within the EU.