Security
PASS has been evaluated to assess the extent to which it is helping social care providers to demonstrate and deliver safe, efficient, high quality care, and accountability.
What is PASS?
PASS is a digital care planning, monitoring and inclusion solution that has been developed by everyLIFE. It is available for care providers to purchase to manage their care business. When a care business partners with PASS, they maintain all care records on the system instead of paper records.
Security
At everyLIFE, we take the security of personal information very seriously and have taken technical and organisational measures to ensure the security of the information that we hold. We are registered with the Information Commissioner’s Office (ICO) and adhere to their information governance standards as demonstrated through self-assessment and submission of the IG Toolkit. All our employees have received the NHS Digital Data Security Awareness Training which meets the minimum mandatory requirement set out by the ICO. We are ISO 27001 certified / accredited, having achieved compliance for the last two consecutive years. ISO 27001 is the international standard which is recognised globally for managing the risks to the information that you hold. This includes, inter alia, having in place policies and procedures for establishing, implementing and monitoring an information security management system. In addition, we take the following measures to protect the information contained within PASS. These include:
- Access control for care workers that is differentiated from that afforded to care managers
- We have regular (at least yearly) independent penetration tests of our system performed by approved testers such as Portcullis and Cobalt
- The database is not public facing and access is secure due to its location behind two highly protected gateways
- We take a backup 5 times per 24-hour period and store one of these in a geographically separate data centre
- We have Highly-Available (HA) clustered infrastructure which means that if our application or database were to ‘break’, another would kick in within a matter of seconds seamlessly
- This infrastructure is hosted by Amazon Web Services (AWS), who provide significant physical security layers to their data centres.
All customer data is stored at data centres in the UK, with a back-up of this data stored separately in Ireland.
Confidentiality
Data confidentiality means that it must not be possible for any unauthorised users to view your data. To achieve this, all data must be encrypted in transit and at rest.
- ‘In transit’ refers to when data is transmitted between server and database, or over a network between our servers and a care worker’s mobile application, for example.
- ‘At rest’ refers to data that is stored on our servers or databases.
Security & Confidentiality – Data in Transit
All data transmitted to and from the web and mobile applications is encrypted using industry-standard secure HTTPS connections. We use SSL certificates to verify the identity of the server the data is sent to. This is the same type of encryption used to secure internet banking details and is proven to be secure.
Security & Confidentiality – Data at Rest
Particularly sensitive data at rest on our servers is also hashed. Hashing is different from encryption, as encrypted data can be decrypted with the encryption key. Hashed data can never be reversed to reveal the original input data. We hash all passwords in addition to our transport encryption, so not even authorised users with access to the database could ever discover a user’s password.
everyLIFE are responsible for securing access to your data in our cloud infrastructure. Security of the cloud infrastructure itself is provided by Amazon, who are the market leaders in cloud web services. For more information on the security provided for our services by Amazon, see https://aws.amazon.com/security/. Amazon are also audited by an independent third party to verify they are providing the services they state with specific regard to security, availability and confidentiality. See https://aws.amazon.com/compliance/soc-faqs/ for more details.
Integrity
Data integrity means verifying that no-one can edit or manipulate data they should not have access to. This requires effective access management. At everyLIFE, we have a process for managing access to information within PASS, ensuring that only those individuals whose job role requires them to have access to information can do so.
Availability
We architect PASS for high availability. This means that we expect hardware failures to occur and build our platform with this in mind. Many elements of our service span data centres called Availability Zones and PASS can continue to run in the event of a hardware failure or even the sudden loss of an entire Availability Zone. All customer data is backed up regularly and stored on highly durable storage in a separate physical location from the source of the backup.
The IG Toolkit is an online system which allows organisations to assess themselves or be assessed against information governance policies and standards and sets out what health and care organisations must do to look after information properly. It also allows members of the public to view participating organisations’ IG Toolkit assessments.
Inspection Ready Checklist
If you are considering an audit, we can help you make sure that you have made the right preparations. Audits not only ensure compliance with the CQC and other regulators, such as Care Inspectorate Wales and Care Inspectorate Scotland, but also make sure that your company is being run as effectively as possible. A successful audit can maintain or improve your reputation in the community, help increase confidence in management, and can be used as a “due diligence” review for current or potential investors.
Evidence is the key to passing any inspection. This provides proof that you are following the correct policies and procedures and that you are fully compliant. Digital systems ensure continuous evidence.
You can pursue a self-audit or use specialist consultants but in both cases you need to make sure you meet the standards for your next inspection. The questions and information below will help you to achieve a smooth and successful audit. Feel free to talk to us for further advice. Just call us on 03300 940 121. We are happy to help.
Are the following up to date?
- Staff and service user surveys
- Supervision and spot checks
- Annual staff appraisals
- Service user quality monitoring checks
- Service user diary notes
If you have answered “No” to any of these questions and would like further advice call us on 03300 940 121. We are happy to help.
Are the following up to date?
- Care and support plans are up to date and signed by the service users and registered manager
- All risk assessments are up to date
- There is a “One Page Profile” on file
- Review due dates are recorded on your IT management system
- Care and support plan matches purchase order/ private contract
- Are “hoist” services up to date and diarised on your IT management system, where applicable
If you have answered “No” to any of these questions and would like further advice call us on 03300 940 121. We are happy to help.
Are the following up to date?
- Signed private contracts, or copies of local authority purchase orders on file
- Consent from service user and staff re the use of private data
- All recruitment checks
- Right to work in the UK
- Two references – validated (from current or previous employer)
- Enhanced DBS check
- Full work history – with gaps in employment validated
- Copies of supervision and spot checks on file
- Staff training records
If you have answered “No” to any of these questions and would like further advice call us on 03300 940 121. We are happy to help.
Are the following up to date?
- Are all health & safety risk assessments up to date – including moving and handling risk assessments (where applicable)
If you have answered “No” to any of these questions and would like further advice call us on 03300 940 121. We are happy to help.
Are the following up to date?
- All staff training is up to date
- All training and updates due are diarised on your IT management system
- Copies of all staff training and qualifications are on file, including annual staff appraisals
- Are copies of staff personal development plans on file
If you have answered “No” to any of these questions and would like further advice call us on 03300 940 121. We are happy to help.
Are the following up to date?
- All complaints and associated documentation are in a “Complaints folder” with a complaints log
- All complaints are fully up to date
If you have answered “No” to any of these questions and would like further advice call us on 03300 940 121. We are happy to help.
Are the following up to date?
- All staff safeguarding training is up to date
- All safeguarding concerns and subsequent investigation documentation are in a “Safeguarding folder” with a safeguarding log
- All safeguarding concerns are fully up to date
- Local authority and relevant inspectorate have been informed (where applicable)
If you have answered “No” to any of these questions and would like further advice call us on 03300 940 121. We are happy to help.
Are the following up to date?
- All MAR are on file and up to date
- All errors have been investigated and subsequent actions have been recorded
If you have answered “No” to any of these questions and would like further advice call us on 03300 940 121. We are happy to help.
- Evidence is of the utmost importance for passing any inspection.
- Evidence provides proof that you are following the correct policies and procedures and that you are fully compliant.
- Digitisation is encouraged to provide continuous evidence.
- This checklist has been prepared to help you complete your DSPT:
Download checklist