How we work

MRDM is a Trusted Partner in Medical Data. Therefore, privacy and security are core elements in all our activities.

MRDM is NEN 7510 and ISO 27001 certified and complies with EU data-protection regulations (GDPR). MRDM mainly acts as a data processor for healthcare institutions.

We facilitate required legal documentation

Before MRDM can deliver its services, the required legal documentation, such as a data processing agreement, needs to be put in place. These documents detail the scope and purpose of the data handling services and allow MRDM to work with medical data on behalf of the data controller, which is usually the healthcare institution.

We respect patient consent

Local legislation dictates how MRDM manages data. In many cases, explicit consent from patients is required before their healthcare data can be processed.

We encrypt

MRDM collects, anonymizes, aggregates and encrypts data. Data is encrypted at all times, both during transport between systems (encrypted in transit) and in storage (encrypted at rest). The encryption of data and traffic is designed in accordance with the best practices identified by the Dutch National Cyber Security Centre (NCSC) and international institutes (ENISA, NIST).

We manage access to data

Access to each part of the infrastructure depends on the user’s authorization level. Authentication and authorization are tied to personal, individual accounts protected by two-factor authentication. We specifically put effort into verifying that each user’s identity is tied to his or her organisation.

We manage security

We proactively manage incidents, perform penetration tests and continuously monitor the security of our data. For example, unauthorized access attempts are logged and analysed.

We back-up

Back-ups are stored redundantly and separately from the production environment. Their key goal is disaster recovery: losing as little data as possible in the event of a disaster (a short recovery point objective) while getting systems back up and running quickly (a short recovery time objective).

You are in control of data distribution

Data is shared only with agreed-upon parties, and only in accordance with existing contracts.

Our staff has extensive knowledge

Our privacy and information security office designs, implements and oversees secure work processes. Its staff are trained in accordance with industry standards (the IAPP certifications CIPP/E, CIPM and CIPT). Through training and both formal and informal sessions within the company, all staff are kept up to date with current privacy and security rules and regulations. Furthermore, staff are asked to submit a certificate of conduct and are bound by a confidentiality obligation.

MRDM applies security and privacy by design, which means that both are integrated into the design of a product or service from the start, and every step in the data handling process is taken into account.

We have access to additional legal advice

To further ensure full compliance with all relevant legislation on privacy, data security and related matters, we work closely with law firms specializing in Dutch, European and international privacy regulation, with a specific focus on the healthcare sector.

Other parties in the data supply chain

Third parties and suppliers are always screened and questioned on a fixed set of subjects. This ensures a level of security and privacy that is at least comparable to MRDM’s own standards. Suppliers and third parties are explicitly asked to demonstrably mitigate specific risks, and they are regularly monitored against our requirements for collaboration.