In an ever-connected digitalized world, healthcare institutions are becoming the target of hacking and extortion attacks. Just in the US alone, more than 500 hospitals and health centers have become victims in 2020. As very sensitive and personal information is involved, healthcare data security has never been more critical.
For Sleepiz, protection and privacy of our customers have always been of upmost importance. We are excited to announce our two latest certifications from the International Organization of Standardization in information security (ISO 27001) and privacy information (ISO 27701). We are proud to be one of the first healthcare start-ups in Switzerland to receive ISO 27701 certification.
Today we are talking to our Vice President of Software Engineering, Ankit Anand, who led the team through the certification process.
What is ISO 27001 and ISO 27701?
The International Organization for Standardization (ISO) is an international standard-setting body composed of representatives from various national standards organizations. The organization develops and publishes worldwide technical, industrial, and commercial standards. ISO 27001 is the standard for information security, while ISO 27701 is for data protection. Achieving certifications in these areas means your organizational practices are at par with the standard as certified by the notified body during an independent audit.
Why are these certifications needed in the healthcare sector?
Such certifications are not only needed in the healthcare sector but all sectors. Considering the current age where data is regarded as the new oil, there is a rat race milking this cow. Users are constantly losing their rights over their personal information and data security. Cyberattacks on healthcare organizations are on the rise. Being in the healthcare sector, we need to provide our patients and stakeholders confidence that their data is safe and will not be misused. This is what we stand for in Sleepiz.
What value do these certifications bring to Sleepiz and its customers?
The certifications ensure that we put a framework that will make our processes follow the highest standards. Having these processes in place gives confidence to our customers that their personal data is safe. Sleep especially is a private matter as it contains a lot of insights into your health status and lifestyle. Would you want to share that with Google or Alexa? At Sleepiz, we make sure that we keep it private. We use our customer data as per their consent and ensure any health condition cannot be traced to a patient’s personal identity, which means this cannot be misused for other purposes. We are also constantly working upon keeping our messaging simple so that our customers do not have to go through a several-page small font privacy policy to understand it.
What was the process of the audit and certification?
Considering the current situation, the audit was conducted virtually, so auditors enjoyed our secure remote working experience. The audit was divided into two phases. During the first phase, all the processes we have defined in our documents were audited. In the next phase, the auditors interviewed several employees across the company to ensure these processes are followed. They collected evidence through what we have logged over the years and were given virtual tours of our offices. I was personally grilled for several days, because I am the one who should know all the processes and their implementation as the Information Security Officer. Overall, it was as a very professional but also fun experience, full of learnings.
Did you come across any challenges? What did you learn through the process?
It was a year-long journey to implement it all. So indeed there were several challenges. The first thing is realigning the working and organizational culture. As a start-up, none of us are a fan of processes and we are generally scrappy. Therefore, implementing a new process is a challenge. However, all our team members soon started to understand the long-term implications and adapted accordingly. Our consultants also helped us significantly in drafting the processes and conducting the training.
We also learned several points which were not so evident in the beginning. For example, a common misconception is that data protection is only a 21st Century problem, and if we are not connected to the internet, we are automatically protecting all our data. Even if you store your customer details in a physical file that gets accessed without authorization, it is a data breach. It is obvious but not clearly understood. The internet and digitalization facilitates easy access to data remotely, so it brings more risks, but going off the grid does not make us immune. This is a common conception in the healthcare sector where major actors resist moving to the cloud. However, the pandemic taught us that is not a sustainable way either. We do not have to stop innovation but we should use technology responsibly.
How is data protection and information privacy practiced daily at Sleepiz internally and externally?
We are building a culture and creating an awareness around it to our external collaborators. For example, policies as simple as clear-desk makes a huge difference. Obviously, one should not write their password on a sticky note, but if you walk across several offices, it will be common to see that. These aspects are embedded in our company culture and our products. We could have followed the path of other health-tech companies and collect patients‘ personal information to open a new revenue channel, but we decided to stick to our core offering. Such that we do not need a sneaky way to make money. We do not need to know the name and the address of a patient to diagnose or monitor them so why should we collect this data from them? This is one of the principles followed in the standard (called data minimization).
In addition, we have made a significant investment to ensure that data is kept safe to the highest standards. We have our internal hackers who constantly try to hack our own system to find security loopholes in our system and mitigate them in time.
Any future plans for further certifications?
Oh yes! But I am not sure if I can make those statements publicly. All I can say is we are one of the few health-tech start-ups in Switzerland, respecting all the compliances along our way and even going beyond our way, and we will continue doing so. Of course, we do that without losing our speed and agility, and an enjoyable and exciting work culture. We do not need to wear a tie in the office to be compliant with a global standard. We rather need the mindset and the commitment for quality and towards the vision of a safe and bright future.
About Us
Sleepiz AG (Ltd.) is a Zürich based startup with a mission to provide patient-centric disease management through seamless integration of contactless monitoring into people’s homes. Sleepiz leverages the power of sleep insights with a device that is simply placed on the bedside table. The device operates in a non-contact fashion and measures movements originating from heart contractions and breathing patterns, as well as body motions with medical grade accuracy.
While currently focusing on respiratory illnesses, Sleepiz aims to improve people’s lives by creating the future of healthcare. By making use of wireless millimeter wave technology, sensor fusion and artificial intelligence, in the future Sleepiz will not only be able to diagnose sleep disorders but also perform long-term monitoring. Thereby, the progression of chronic diseases will be monitored to allow faster intervention and better treatment.
Sleepiz is touching lives without touching.
Contact for Press Enquiries
Ema Bojevaite
Business Development & Marketing Assistant
ema.bojevaite@sleepiz.com
