For IT Security & Compliance Experts
Novarad places organizational resilience and security first and foremost.
Novarad knows that you entrust your patients' sensitive data to us. We have created the following compendium of certifications, documentation, and FAQs for use in Organizational Resilience and Compliance questionnaires. This page is for clients or potential clients seeking specific answers about Novarad's IT infrastructure and security processes.
Operational Resiliency Program Governance
Organizational Resilience Program Overview
- Does Novarad have an Organizational Resilience program that includes business continuity, technology disaster recovery, or crisis response/incident management?
- Yes
- Which elements are included in Novarad's Organizational Resilience program?
- Business Continuity (BC)
- Technology Disaster Recovery (DR)
- Crisis Response/Incident Management
Policy and Compliance
- Is Novarad's company policy reviewed and approved on an annual basis?
- Yes
- List the date of the last review and approval for Novarad's company policy.
- 27 March, 2024
Management and Evaluation
- Is executive or senior management at Novarad (either an individual or group) responsible for organizational resilience program oversight, support, and guidance?
- Yes
- Has an independent external third party evaluated Novarad's Organizational Resilience Program within the past 36 months?
- Yes
- List the date of the last evaluation of Novarad's Organizational Resilience Program.
- 01 Nov 2024
Standards and Documentation
- Is Novarad's program aligned to current industry standards, such as HITRUST, SOC2, BS65000 standard, NFPA 1600, ISO 22301, or others?
- Yes
- List the standards Novarad's program is aligned to.
- ISO 27001, SOC2
- Please provide Novarad's organizational resiliency policy documentation.
Operational Resiliency Business Impact Assessment
Impact Assessment
- Novarad has conducted and maintains a thorough risk assessment to determine the organization's risk level regarding interruptions to business processes, accounting for both human-caused and natural events. This essential practice ensures that Novarad is well-prepared to identify potential risks and put in place effective mitigation strategies. Additionally, Novarad's Business Impact Analysis (BIA) is designed to quantify the impact of disruptions on service delivery, thoroughly assess the risk to service delivery, and establish clear recovery time objectives (RTO). The company's proactive approach in these assessments underscores its commitment to maintaining operational resilience and ensuring continuous service delivery to its clients.
Operational Resiliency Plans
Documentation and Guidelines
- Does Novarad have documented business continuity plans, manuals, playbooks, or other written guidance for restoring and resuming business processes during disruptions?
- Yes
- Does Novarad have documented plans specific to pandemic/health emergencies?
- Yes
- Does Novarad have documented incident or crisis management plans, with a defined leadership structure, escalation, communication, and coordination protocols?
- Yes
- Documented incident management responsibilities and procedures have been established to ensure a quick, effective, and orderly response to security incidents per ISO 27001.
Strategic Continuity and Impact Planning
- Which events are covered by Novarad's continuity strategy?
- Loss of Facility
- Loss of Technology
- Loss of People
- Loss of Critical Vendor
Recovery Planning and Objectives
- Do Novarad's plans identify critical business functions, processes, and RTOs?
- Yes
- What is Novarad's actual RTO for provided processes/services?
- 5.8 hours
Plan Review and Maintenance
- Are Novarad's business continuity plans reviewed and updated at least annually?
- Yes
- Are Novarad's crisis management plans updated at least annually?
- Yes
Employee Training and Awareness
- Does Novarad provide employee training for the following: Business Continuity, Technology Disaster Recovery, Crisis Management, Site Emergency?
- Yes
InfoSec
Comprehensive Security and Deployment
- Novarad uses the Novarad Central Command (NCC) to deploy our software products, updates, and upgrades efficiently and securely. Our Install Manager connects remotely to NCC for installation and maintenance, providing proactive maintenance and error monitoring without requiring access to customer networks or servers, and upholding the highest standards of security and privacy.
- Describe at a high-level the information technology resources used for providing applications, services, and data specific to customers, or for accessing customer-provided resources or systems.
- Novarad uses the Novarad Central Command (NCC) to deploy our products, along with updates and upgrades. This system, through the Install Manager, allows secure remote connections to the NCC for installing servers and NOVARIS and for maintaining licenses, ensuring proactive maintenance and error monitoring without needing direct access to customer networks or servers.
Robust Application and Data Management
- At Novarad, security is embedded in every stage of our Software Development Lifecycle (SDLC), with rigorous controls, processes, and training. We enforce policies that prohibit simultaneous logins from multiple workstations using the same user ID and offer configurable timeout settings for enhanced security. Our applications support modern web browsers like Microsoft Edge and Google Chrome, deliberately excluding online tracking technologies to protect user privacy. Furthermore, Novarad implements stringent controls to ensure data accuracy and secure deletion, emphasizing our in-house management of all technical operations and support to prevent outsourcing risks.
Advanced Access and Encryption Protocols
- Novarad empowers customers with self-managed account provisioning, supporting Single Sign-On (SSO) and Active Directory (AD) integration for seamless access management. We apply the principle of least privilege through role-based access controls, ensuring users have appropriate access levels. Additionally, Novarad prioritizes data security by encrypting data at rest and employing TLS 1.2 or later for data in transit, demonstrating our unwavering commitment to protecting sensitive information against unauthorized access and threats.
- Do you implement controls to ensure data accuracy, such as integrity checks or other controls (for example, input and/or data validation)?
- Yes
- Do you support secure deletion (e.g., degaussing/cryptographic wiping) of archived and backed-up data?
- Yes
- Do you outsource any aspect of your product's technical operations or support?
- No
- Who is accountable for provisioning customer accounts in the application? Is Single Sign-On (SSO) available? Is Active Directory (AD) integration available? Does your system/service support role-based access controls/rights that may be applied to customer accounts?
- Our customers self-manage account provisioning. Yes, Single Sign-On (SSO) and Active Directory (AD) integration are available. Our system supports role-based access controls/rights for customer accounts, ensuring secure and efficient user access management.
- Does your product/service encrypt data at rest? Do you use TLS 1.2 or later?
- Yes, our product/service encrypts data at rest and uses TLS 1.2 or later for securing data in transit, upholding the highest standards of data protection.
Incident Response and Regulatory Compliance
- Novarad has established a robust incident response framework, including monthly reviews of security event logs for on-premises solutions, to proactively monitor and respond to potential security incidents. Our remote support model prefers trusted solutions such as BeyondTrust and BOMGAR, in line with our proactive approach to incident management. For regulatory compliance, Novarad's on-premises software products keep Protected Health Information (PHI) within customer data centers and follow a documented change management process, ensuring compliance with ISO 9001 and other relevant standards.
Unified Threat and Vulnerability Oversight
- Novarad takes a proactive stance in threat and vulnerability management, regularly providing software updates, patches, and security fixes to address potential risks and ensure system integrity. Our approach includes a rigorous process for identifying and remediating critical flaws, with immediate communication and deployment of patches to affected customers. Through these practices, Novarad underscores its commitment to maintaining a secure, reliable, and compliant operational environment for all our healthcare software products and services.
Technology Recovery (Disaster Recovery)
Technology Recovery at Novarad
- At Novarad, technology recovery, an essential facet of our business continuity planning, ensures IT infrastructure protection and rapid recovery following any disruptive event. Recognizing the potential for various threats, from cyber-attacks to natural disasters, Novarad is committed to minimizing operational impacts, protecting data integrity, and maintaining our reputation. Our approach is meticulously tailored to align with industry best practices while addressing unique organizational needs and client dependencies.
Planning and Preparation
- Our planning and preparation process is anchored in a detailed risk assessment, pinpointing potential vulnerabilities within our IT product offerings. Novarad's comprehensive disaster recovery plan delineates explicit procedures and responsibilities, ensuring clarity and efficiency in times of crisis. This proactive stance empowers us to uphold service continuity, safeguarding client trust and operational integrity.
Data Backup and Storage Solutions
- Central to Novarad’s resilience is our data backup and storage strategy. Regular, encrypted backups safeguard patient data and critical company information, reflecting our dedication to security and confidentiality. We ensure comprehensive data availability and integrity by leveraging cloud technology and maintaining offsite backups. This multifaceted approach guarantees that, in any event, Novarad can restore vital services swiftly and securely, adhering to our stringent recovery objectives.
Recovery Strategies and Solutions
- Well-designed recovery strategies at Novarad prioritize essential services, ensuring minimal downtime and operational disruption. We efficiently align our technological solutions and organizational priorities by defining precise recovery time and point objectives. Our investment in redundant systems and cloud-based failover mechanisms exemplifies our commitment to uninterrupted service. Collaborations with leading service providers further augment our capabilities, offering scalability and expertise crucial in crisis scenarios.
Continuous Improvement
- At Novarad, the technology recovery plan is never static; regular drills and reviews foster an environment of continuous improvement. Adapting to new technological advancements, evolving threats, and changing business requirements ensures that our strategy remains robust and relevant. Ingrained in our corporate ethos, this iterative process solidifies Novarad's standing as a resilient, forward-thinking partner in healthcare technology solutions.
International Locations
Canada
- Novarad's Medical Device Licence (Canada)
Indonesia
- Government of the Republic of Indonesia: Business License for Supporting Business Activities - Import Health Equipment License
- Government of the Republic of Indonesia: Business License for Supporting Business Activities - VisAR Import Health Equipment License
- Government of the Republic of Indonesia: Business License for Supporting Business Activities - NovaPACS Import Health Equipment License
Philippines
- Certificate of Medical Device Notification - Republic of the Philippines, Department of Health
European Union
- NovaPACS - EU Quality Management System according to Regulation (EU) 2017/745, Annex IX Chapter I and III, Certificate Number: MDR 720744
- OpenSight - EU Quality Management System according to Regulation (EU) 2017/745, Annex IX Chapter I and III, Certificate Number: MDR 72074
United Kingdom
- NovaPACS – UKCA Certificate Number: UKCA 759126