Security Policy
Our Security Protocols Overview
Independent Med Management specialises in providing expert medication reviews for work cover claims, helping insurers improve patient outcomes through evidence-based recommendations. Our platform runs on AWS infrastructure that is ISO 27001 and SOC 2 compliant and is designed for continuous availability and fault tolerance, so that stakeholders can rely on it for critical medication review operations.
All data is stored and processed exclusively within Australia, and claim data is logically isolated within the system. This principle underpins our entire security framework. Our platform operates under strict protocols, ensuring claim data is accessed only with explicit permission and through documented procedures. Clients retain comprehensive control over their information, including the ability to export data and to have it removed.
Infrastructure Security
Data Centres
We host the platform in AWS's Australian data centres, building on AWS's proven track record in delivering performance, reliability and security. AWS maintains an extensive portfolio of compliance certifications and assessments, including ISO 27001, SOC 1, SOC 2, SOC 3, PCI DSS, IRAP, ISO 9001, CSA, ISO 27017 and ISO 27018.
Network Security
Our security architecture implements multiple protective layers through advanced monitoring and threat detection systems. Customised firewall configurations actively block unauthorised access attempts and defend against malicious traffic patterns. We maintain complete network separation between development environments and production systems. Our security protocols enforce strict control over active users, protocols, and ports, while automated monitoring tools continuously scan for and flag suspicious activities.
Network Redundancy
Our platform leverages cloud architecture designed for dynamic scaling and system redundancy. When infrastructure challenges arise, automated failover mechanisms maintain service continuity, ensuring users experience uninterrupted access to critical medication review functions.
Intrusion Detection and Prevention
We deploy sophisticated monitoring tools across network and host systems to identify and block potential security threats. Our defence strategy minimises attack surfaces through intelligent entry point controls and automated incident response systems. Security monitoring combines signature-based detection with algorithmic behaviour analysis to identify malicious activities. At the application layer, we implement a web application firewall (WAF) utilising both allowlist and blocklist rules. A formalised process is used to document, track, and resolve vulnerabilities promptly, with regular monitoring and reporting. This approach, aligned with industry standards like ISO 27001 and SOC 2, helps us provide a secure and reliable environment for handling sensitive work cover claim data.
Data Security
Application Development
Our strict change control processes oversee all code modifications before production deployment. Engineers follow comprehensive security guidelines and use specialised tools for automated security testing and performance analysis. Drawing on OWASP guidance, we implement protections against SQL injection, cross-site scripting (XSS) and denial of service (DoS) attacks. Version control tracks every code change, enabling swift rollback when needed. Our quality assurance process evaluates all modifications before release.
Data Isolation
We maintain separate database instances for each environment, ensuring complete data segregation. Each work cover claim maintains its isolation within the system, preventing any unintended data exposure between different cases or insurers.
Encryption
All data in transit is protected with Transport Layer Security (TLS 1.2 or 1.3). We strengthen web security through HTTP Strict Transport Security (HSTS) headers, which instruct browsers to connect only over HTTPS, and through secure cookie attributes (such as Secure and HttpOnly) on session cookies.
Data Retention and Disposal
Claim data remains active throughout our service period. Following service termination, we initiate systematic data removal from production databases and file storage within 14 days. Encrypted backups containing historical data automatically expire after the 30-day retention window, following our established data lifecycle policies.
Data can be exported in standard formats including CSV and Excel.
Media Sanitisation
AWS classifies storage devices containing claim data as critical assets and manages them under strict security protocols. Its decommissioning process follows the NIST SP 800-88 media sanitisation guidelines, ensuring secure device disposal. Hardware remains under AWS control until decommissioning is complete.
Test Data
We strictly prohibit production data usage in development and testing. Our test environments utilise carefully curated synthetic data sets that exclude personally identifiable information.
Web Content Security
We protect application integrity through comprehensive input validation and output encoding mechanisms. These measures guard against code injection, SQL injection, and cross-site scripting (XSS) vulnerabilities. Enhanced Content Security Policies (CSP) provide additional protection against web-based attacks.
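The following is an added illustration of the browser-facing controls named in the Encryption and Web Content Security sections (HSTS, secure cookie attributes and a Content Security Policy). It is example code written for this page, not the platform's own configuration: the header values, including the weak set it is compared against, are constructed, and the "hardened" values are the editor's assumptions about a strong baseline rather than anything the policy states.

```python
import re

# Constructed header sets used only to exercise the checks below. The
# hardened values are assumptions about what a strong configuration looks
# like, not the platform's real headers.
HARDENED_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "Content-Security-Policy": (
        "default-src 'self'; object-src 'none'; base-uri 'self'; "
        "frame-ancestors 'none'"
    ),
    "Set-Cookie": "session=opaque-token; Secure; HttpOnly; SameSite=Strict; Path=/",
}
WEAK_HEADERS = {
    "Strict-Transport-Security": "max-age=300",
    "Content-Security-Policy": "default-src * 'unsafe-inline'",
    "Set-Cookie": "session=opaque-token; Path=/",
}

ONE_YEAR = 31536000  # HSTS max-age commonly required for preload-list eligibility


def check_hsts(value, min_age=ONE_YEAR):
    """Return findings for a Strict-Transport-Security header value."""
    if value is None:
        return ["HSTS header missing"]
    findings = []
    match = re.search(r"max-age=(\d+)", value)
    if not match:
        findings.append("HSTS max-age missing")
    elif int(match.group(1)) < min_age:
        findings.append(f"HSTS max-age {match.group(1)} below {min_age}")
    if "includesubdomains" not in value.lower():
        findings.append("HSTS lacks includeSubDomains")
    return findings


def check_cookie(value):
    """Return findings for a Set-Cookie header: a session cookie should carry
    Secure, HttpOnly and SameSite."""
    attrs = {part.strip().split("=", 1)[0].lower() for part in value.split(";")[1:]}
    return [f"cookie lacks {a}" for a in ("secure", "httponly", "samesite") if a not in attrs]


def parse_csp(value):
    """Parse a CSP string into {directive: [sources]}."""
    directives = {}
    for directive in value.split(";"):
        tokens = directive.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def check_csp(value):
    """Return findings for a Content-Security-Policy header value."""
    if value is None:
        return ["CSP header missing"]
    directives = parse_csp(value)
    findings = []
    default = directives.get("default-src", [])
    if "default-src" not in directives:
        findings.append("CSP lacks default-src fallback")
    scripts = directives.get("script-src", default)  # script-src falls back to default-src
    for risky in ("*", "'unsafe-inline'", "'unsafe-eval'", "data:"):
        if risky in scripts:
            findings.append(f"script sources allow {risky}")
    if "object-src" not in directives and "'none'" not in default:
        findings.append("object-src not restricted (plugin content allowed)")
    if "frame-ancestors" not in directives:
        findings.append("frame-ancestors missing (page can be framed)")
    return findings


def audit(headers):
    """Audit a response header mapping; an empty list means no findings."""
    return (
        check_hsts(headers.get("Strict-Transport-Security"))
        + check_cookie(headers.get("Set-Cookie", ""))
        + check_csp(headers.get("Content-Security-Policy"))
    )


if __name__ == "__main__":
    for name, headers in (("hardened", HARDENED_HEADERS), ("weak", WEAK_HEADERS)):
        print(name, audit(headers) or "no findings")
```

Running the audit against the weak set surfaces nine findings (a short HSTS max-age without includeSubDomains, a session cookie missing all three protective attributes, and a CSP that permits inline and wildcard scripts, plugin content and framing), while the hardened set produces none.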
Regular Security Audits and Penetration Testing
Independent Med Management conducts penetration testing every two years, or more frequently if needed, to proactively assess and reinforce data security measures. This practice aligns with our commitment to continuous risk assessment and ensures that our security protocols effectively defend against potential threats.
Identity and Access Control
Passwords
Our system enforces robust password requirements: minimum eight characters, incorporating uppercase, lowercase, numbers, and special characters. Account lockouts trigger after multiple failed login attempts. We block common passwords and previously compromised credentials, while advising against password reuse across services.
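As an added illustration of the password rules above (not the platform's own code), the following Python enforces the stated composition requirements, screens candidates against a common-password blocklist and a set of known-compromised credential hashes, and locks an account after repeated failures. The policy gives no lockout threshold or duration, so the values of 5 attempts and 15 minutes are assumptions, and the blocklist and breach set are small constructed stand-ins for real corpora.

```python
import hashlib
import re
import time

MIN_LENGTH = 8              # from the policy text
LOCKOUT_THRESHOLD = 5       # assumption: the policy says "multiple" without a number
LOCKOUT_SECONDS = 15 * 60   # assumption

# Constructed stand-in for a common-password blocklist.
COMMON_PASSWORDS = {"password", "password1!", "qwerty123", "welcome1", "letmein"}

# Constructed stand-in for a compromised-credential corpus. Only SHA-1 digests
# are kept, the same shape as the Pwned Passwords data set, so the plaintext
# never has to be stored alongside the application.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest().upper() for p in ("Summer2024!", "P@ssw0rd")
}

CHARACTER_CLASSES = {
    "uppercase": r"[A-Z]",
    "lowercase": r"[a-z]",
    "digit": r"[0-9]",
    "special": r"[^A-Za-z0-9]",
}


def check_password(password):
    """Return a list of policy violations; an empty list means the password is acceptable."""
    errors = []
    if len(password) < MIN_LENGTH:
        errors.append(f"shorter than {MIN_LENGTH} characters")
    for name, pattern in CHARACTER_CLASSES.items():
        if not re.search(pattern, password):
            errors.append(f"missing {name} character")
    if password.lower() in COMMON_PASSWORDS:
        errors.append("common password")
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    # Against a remote corpus you would send only digest[:5] (a k-anonymity
    # range query) and compare the returned suffixes locally; here the set is local.
    if digest in BREACHED_SHA1:
        errors.append("appears in known breach data")
    return errors


class LoginThrottle:
    """Tracks failed logins per account and locks the account after a threshold.

    The clock is injectable so the lockout window can be tested deterministically.
    """

    def __init__(self, threshold=LOCKOUT_THRESHOLD, lockout_seconds=LOCKOUT_SECONDS,
                 clock=time.monotonic):
        self.threshold = threshold
        self.lockout_seconds = lockout_seconds
        self.clock = clock
        self._state = {}  # account -> {"failures": int, "locked_until": float | None}

    def _entry(self, account):
        return self._state.setdefault(account, {"failures": 0, "locked_until": None})

    def is_locked(self, account):
        entry = self._entry(account)
        until = entry["locked_until"]
        if until is None:
            return False
        if self.clock() < until:
            return True
        # Lockout expired: clear the counter so the account gets a fresh budget.
        entry["failures"], entry["locked_until"] = 0, None
        return False

    def record_failure(self, account):
        """Count a failed attempt; returns True if the account is now locked."""
        if self.is_locked(account):
            return True
        entry = self._entry(account)
        entry["failures"] += 1
        if entry["failures"] >= self.threshold:
            entry["locked_until"] = self.clock() + self.lockout_seconds
            return True
        return False

    def record_success(self, account):
        """A successful login resets the failure budget."""
        self._state.pop(account, None)
```

Note that the check order matters in practice: a password that satisfies every composition rule can still be rejected because it appears in breach data, which is why the compromised-credential screen is applied regardless of the other results rather than as a fallback.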
Session Timeout
Applications implement carefully calibrated session timeouts to protect users from unauthorised access through lost or compromised devices.
User Management
Each staff member receives unique login credentials with customised access permissions. Our Role-Based Access Control (RBAC) system enables precise permission management based on organisational responsibilities.
Platform Data Access
We classify all data at the highest sensitivity level. Technical controls and internal policies prevent unauthorised data access. Staff interactions with claim data require explicit authorisation and follow documented procedures. Our least-privilege approach minimises potential exposure while maintaining comprehensive audit trails.
Operational Security
Logging and Monitoring
Our centralised logging infrastructure captures detailed records from applications, systems, and infrastructure components. We preserve logs according to compliance requirements to support security investigations. Applications provide comprehensive audit trails of user activities, including administrative operations. Automated monitoring alerts technical staff when security thresholds are exceeded.
Vulnerability Management
We employ continuous security scanning across our application environments. Our tracking system manages all identified vulnerabilities through resolution, following security best practices and internal protocols.
Malware and Spam Protection
Email security incorporates DMARC, which builds on SPF and DKIM alignment, for message authentication and spoofing prevention. Our detection systems actively identify potential service abuse, including phishing and spam campaigns, with immediate response procedures for security alerts.
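To show what DMARC actually decides for a message, here is an added example (not the platform's own code or DNS records) that parses a DMARC TXT record, applies the identifier alignment rules, and returns the disposition a receiver would apply. The two records, the domains and the mailto address are constructed placeholders; the organisational-domain function is a deliberate simplification (real validators use the Public Suffix List).

```python
# Constructed records and message details for illustration; example.com and
# attacker.invalid are placeholders, not real infrastructure.
MONITOR_ONLY_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"
ENFORCING_RECORD = "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc-reports@example.com"

# Defaults applied when a tag is absent (RFC 7489): relaxed alignment, 100% sampling.
DEFAULTS = {"adkim": "r", "aspf": "r", "pct": "100", "sp": None}


def parse_dmarc(record):
    """Parse a DMARC TXT record into a tag dict, applying defaults."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("record does not start with v=DMARC1")
    if tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("missing or invalid p= tag")
    for key, default in DEFAULTS.items():
        tags.setdefault(key, default)
    tags["sp"] = tags["sp"] or tags["p"]  # subdomain policy inherits p= when absent
    return tags


def organizational_domain(domain):
    """Approximate the organisational domain as the last two labels.
    Simplification: real implementations consult the Public Suffix List."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_aligned(authenticated_domain, from_domain, mode):
    """DMARC identifier alignment: strict ('s') needs an exact match, relaxed
    ('r') needs the same organisational domain."""
    if not authenticated_domain:
        return False
    auth, frm = authenticated_domain.lower(), from_domain.lower()
    if mode == "s":
        return auth == frm
    return organizational_domain(auth) == organizational_domain(frm)


def evaluate(record, from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """Return 'pass' if at least one aligned SPF or DKIM pass exists, otherwise
    the published policy action for the message ('none', 'quarantine' or 'reject')."""
    tags = parse_dmarc(record)
    spf_ok = spf_result == "pass" and is_aligned(spf_domain, from_domain, tags["aspf"])
    dkim_ok = dkim_result == "pass" and is_aligned(dkim_domain, from_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return "pass"
    return tags["p"]


if __name__ == "__main__":
    # A spoofed message: the attacker's own envelope domain passes SPF, but it
    # is not aligned with the visible From domain and there is no DKIM signature.
    for label, record in (("monitor-only", MONITOR_ONLY_RECORD), ("enforcing", ENFORCING_RECORD)):
        print(label, evaluate(record, "example.com", "pass", "attacker.invalid", "none", ""))
```

The point the example makes is that a p=none record only generates reports: the spoofed message is still delivered, and spoofing prevention only begins once the policy is quarantine or reject. Strict alignment additionally rejects signatures from a subdomain that relaxed alignment would accept, so it should be enabled only after every legitimate sending source signs with the exact From domain.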
Backup
Our backup strategy aligns with business continuity requirements. Daily automated RDS snapshots, retained for 30 days and combined with RDS's continuous transaction log backups, support point-in-time recovery. All backup data is encrypted with AES-256 and stored across multiple Australian data centres. We verify backup integrity through quarterly recovery testing.
Patch Management
Security updates follow a systematic, risk-based approach prioritising critical vulnerabilities. Each patch undergoes thorough testing in isolated environments before production deployment, ensuring system stability.
Business Continuity and Disaster Recovery
Our infrastructure design emphasises high availability and fault tolerance, incorporating comprehensive backup systems and disaster recovery procedures. We maintain documented continuity plans, reviewed annually, detailing response strategies for various scenarios.
Multi-availability zone replication and point-in-time backup capabilities support our Recovery Point Objective (RPO) of 5 minutes and Recovery Time Objective (RTO) of 30 minutes.
Security Awareness
Our robust security policies guide development practices and operational decisions. New team members receive security training during onboarding, with ongoing education covering privacy, compliance, and incident response.
Endpoint Security
We enforce strict policies preventing claim data processing outside production environments, including restrictions on the use of personal (bring-your-own) devices for data administration.
Incident Management
Our incident response framework details procedures for addressing security events and data breaches, emphasising:
- Proactive incident preparation and response strategies
- Swift containment and recovery measures
- Ongoing improvement of security capabilities
- Protection of sensitive claim data as highest priority
- Clear stakeholder communication
We notify affected parties immediately upon confirming security incidents, including impact assessment and remediation steps. Notifications occur through direct communication channels including phone and email.
Change Management
Our change management framework integrates security considerations throughout the development lifecycle. This process encompasses:
- Detailed impact analysis
- Technical peer review
- Release timing evaluation
- Functional testing protocols
- Rollback procedures
- Complete change documentation
Major system modifications require advance notification, enabling proper evaluation and integration with existing workflows.
Risk Management
Our risk management strategy addresses all aspects of operations, stakeholder relationships, and technology infrastructure. This comprehensive approach emphasises data privacy and cyber security, reflecting our commitment to protecting sensitive work cover claim information and maintaining operational excellence.
Shared Responsibility
Platform security requires collaboration between all stakeholders. We recommend these essential security practices:
- Strong password implementation
- Regular software updates and security patches
- Careful data sharing practices
- Vigilance against phishing attempts and suspicious communications
Privacy Policy
Our commitment to privacy shapes every aspect of our service delivery. By maintaining all operations within Australia, we ensure complete data sovereignty. We develop our privacy frameworks in accordance with Australian Privacy Principles and Privacy Act requirements.
Contact Information
If you have any questions or concerns about this Security Policy, please contact us at:
Phone: 1800 466 669 or 02 4036 5333
Email: admin@imedmanagement.com.au
Address: PO Box 2390, Dangar NSW 2309
ABN 642 286 333
Last updated: November 2024