The assessment was carried out using the list of data security and data protection requirements for social welfare and health care procurement and the response material provided by Tamro Oy and JDM Group9.
Minor deficiencies
Based on the response material, the service meets the most essential requirements of data security and data protection, but during the assessment we noticed a deficiency in the service’s password management practices.
Risk management and data security testing
The service provider has processes for managing and preventing data security risks as well as an action plan for security incidents. The manufacturer has included data security as part of the software development. Based on the response material, the cloud service has undergone a penetration test, the third-party software in use has been manually audited and the hardening of the hardware has been verified by an external audit.
User management
The service does not support two-step authentication or federation of user data to an external service. Support for two-step authentication is under development, according to the response material.
The service supports the management and restriction of user rights. It is mandatory to specify separate user rights in the service. A tracing log of user activity and data viewing is available.
During the assessment, we detected a deficiency in the password management practices of the service. The technology used for password management was not up-to-date according to generally accepted practices during the assessment, but the company had an action plan to address the deficiency. The deficiency was not seen as preventing implementation, but the client organisation should be aware of the risks associated with outdated password management practices.
Equipment
The Smila medication dispenser automatically performs software updates according to a predefined schedule. Any updates will be notified to the client organisations in advance. The updates are digitally signed and their authenticity and right will be ensured as part of the update process. The device manufacturer can manage and update devices over a network connection.
The device uses Bluetooth 4.0, GSM, and WiFi connections. When using a WiFi network, it is the responsibility of the client organisation to set it up in a secure manner.
The devices have been hardened against physical tampering.
Data protection
Tamro Oy acts together with the equipment supplier as a data processor. The client organisation acts as a data controller. As a result, the client organisation owns the registry data and the data protection impact assessment required by GDPR is the responsibility of the client organisation.
The data stored in the Service shall be stored as confidential within the European Economic area. The information stored on the devices is encrypted at rest. Different parts of the Service store as little personal data as possible in accordance with the principle of minimising data collection.
Other considerations
The Service only works as a SaaS (Software as a Service) service model.
The assessment only includes an assessment of the information security and data protection of the Smila medication dispenser unit and the cloud service. Any attachments, additional services or integrations of the device are not covered by this assessment and must be assessed separately if they are introduced by the client organisation.
In addition, we recommend that health care districts utilise the European Union Agency for Cybersecurity (ENISA) data security manual for purchases.10