How we work
MRDM is a Trusted Partner in Medical Data. Therefore, privacy and security are core elements in all our activities.
MRDM is NEN7510 and ISO27001 certified and complies with EU regulations. MRDM mainly acts as a data processor for healthcare institutions.
Before MRDM can deliver its services, the required legal documentation, such as a Data Processor Agreement, needs to be put in place. These documents detail the scope and purpose of the data handling services and allow MRDM to work with medical data on behalf of the data controller, which is usually the healthcare institution.
Local legislation dictates how MRDM manages data. In many cases, explicit consent from patients is required to process patients’ healthcare data.
MRDM collects, anonymizes, aggregates and encrypts data. Data is encrypted at all times during transport (encrypted in transit) and storage (encrypted at rest). The encryption of data and traffic is designed in accordance with the best practices as identified by the Dutch National Cyber Security Center and international institutes (ENISA/NIST).
Access to the various parts of the infrastructure depends on the user’s authorization level. Authorization and authentication are linked to personal accounts protected by two-factor authentication. We specifically put effort into verifying the user’s identity and his or her affiliation with an organisation.
We proactively manage incidents, perform penetration tests and continuously monitor the security of our data. For example, unauthorized access attempts are registered and analysed.
Data is stored redundantly and separately from the production environment. The key goal of backups is disaster recovery: losing a minimal amount of data in the event of a disaster while making sure systems are quickly back up and running.
Data is only shared with agreed-upon parties and in accordance with existing contracts.
Our privacy and information security office designs, implements and oversees secure work processes. Its staff are trained in accordance with industry standards (CIPP/E, CIPM and CIPT). Through training and both formal and informal sessions within the company, all staff are kept up to date with current privacy and security rules and regulations. Furthermore, staff are asked to submit certificates of conduct and are bound to secrecy.
MRDM deploys security and privacy by design, which means that both aspects are integrated into the design of a product or service. All steps in the data handling process are taken into account.
To further ensure our full compliance with all relevant legislation regarding privacy, data security and related matters, we cooperate closely with law firms specializing in Dutch, European and international privacy regulations, with a specific focus on the healthcare sector.
Third parties and suppliers are screened at all times and questioned on a fixed set of subjects. This guarantees a level of security and privacy that is at least comparable to MRDM’s own standards. Suppliers and third parties are explicitly asked to demonstrably mitigate specific risks, and they are regularly monitored against our requirements for collaboration.