
Your secure and confidential interactive record that lets you keep all your health information organized, accurate and in one place.

       

Security:

My Personal Health Record ("myPHR") security is as secure as, if not more secure than, that of most banks!


SECURITY COMPARISON TO MOST BANKS:

Feature | BANKS | myPHR.ca | Notes
Physical security | | |
Firewall | | | all data sent to and from site is encrypted - see below
SSL Technology | | | 1024 bit Industry Standard SSL Certificate
128-bit encryption | | | myPHR.ca has 256 bit encryption for some browsers
Certificate Authority trusted | | | myPHR.ca has $250,000 for SSL certification warranty
Battery Backup | | |
Antivirus system | ? | |
Intrusion detection system | ? | |
All actions tracked (log access) | ? | | compliant with recent privacy laws
No Microsoft software | ? | | (most attacks and viruses are directed to Microsoft software)
Notification when someone views your reports | | |
TrustLogo | | | TrustLogo has $10,000 identity assurance warranty
Certified Hackerproof Website | | | (Certified Hackerproof Website - tested daily for vulnerability)

All personally identifiable data (such as your name, address, SSN, etc.) is encrypted in our database using the official AES algorithm with a 128-bit key length. Our staff cannot even view your data to determine your identity. Data viewed without the matching key and decryption shows up as hashed, meaningless data.

All passwords are encrypted and can't be seen or decrypted by anyone (even myPHR staff). If you lose your password, a new secure random password will be issued to the email for the account.

About this Web Site:
There is no Microsoft software on the server (most viruses are geared towards Microsoft software).

We use the newest operating software and protection software available

Firewall - router

SSL - 128 bit encryption (see below) (256 bit encryption for some browsers)

All data sent to and from myPHR.ca is encrypted

Server is in a secure private and alarmed location (no public access)

myPHR.ca restricts the number of individuals who have access to the server (only two people have access)

All employees and agents must sign confidentiality and nondisclosure clauses

Every user is assigned a unique login and password and all their actions are tracked

All actions are tracked and any member can ask at any time for a record of who has looked at their information (this feature is required by the Privacy act)

Responders and Health Professionals are advised to only look at the minimal information that is required

No credit card information is stored on the myPHR.ca server. We use PayPal for all transactions.

All actions to see a member's files are followed up with a confirmation to make sure that an emergency did occur and that there was no malicious activity.

No report pages are stored in a computer's or PDA's cache memory (so that they cannot be retrieved later)

Web pages have a time limit and expire (time out) after a few minutes of inactivity

No usernames or passwords are stored on the user's computer or device by the program. (Users can still use client-side password management programs, which are beyond the control of the program. On the web pages we advise users not to store passwords and to close their browsers after logging out of the program.)

For virus detection: "we are not running any programs which are usually affected by viruses, and we have limited ports opened for viruses outside to get in." We also have virus scanning and intrusion detection software installed on the system.
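The two browser-side claims above (report pages are not kept in cache, and pages time out after inactivity) can be checked from a response's headers and a session's last-activity time. The following is an added example, not myPHR.ca's code; the sample headers are constructed, and the 5-minute idle limit is an assumption standing in for "a few minutes".

```python
from datetime import datetime, timedelta

def parse_cache_control(value):
    """Split a Cache-Control header into {directive: argument-or-None}."""
    directives = {}
    for part in value.split(","):
        name, _, arg = part.strip().partition("=")
        if name:
            directives[name.lower()] = arg.strip('"') or None
    return directives

def may_be_cached(headers):
    """True if a browser is allowed to keep a copy of this response.

    Only `no-store` forbids storage. `no-cache`, `private` and `max-age=0`
    still permit a stored copy that could later be recovered from disk.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    return "no-store" not in parse_cache_control(lowered.get("cache-control", ""))

def session_expired(last_activity, now, idle_limit=timedelta(minutes=5)):
    """Server-side idle timeout; the 5-minute default is an assumed value."""
    return now - last_activity >= idle_limit

# Constructed sample responses for a report page (not captured from any site).
SAMPLES = {
    "no headers": {},
    "no-cache only": {"Cache-Control": "no-cache, must-revalidate",
                      "Pragma": "no-cache"},
    "private, max-age=0": {"cache-control": "private, max-age=0"},
    "no-store": {"Cache-Control": "no-store, private"},
}

def audit(samples=SAMPLES):
    """Map each sample name to whether the browser may store the page."""
    return {name: may_be_cached(h) for name, h in samples.items()}

if __name__ == "__main__":
    for name, stored in audit().items():
        print(f"{name:20} {'MAY BE STORED' if stored else 'not stored'}")
    start = datetime(2007, 1, 1, 12, 0)  # constructed timestamp
    for idle in (4, 6):
        expired = session_expired(start, start + timedelta(minutes=idle))
        print(f"idle {idle} min -> expired: {expired}")
```

Only the `no-store` sample keeps a report page out of the browser cache; the other three leave a recoverable copy on the device.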

The myPHR.ca web site uses or may in the future use technology features such as log-in registration, cookies, or click through tracking software.

The site also logs information such as Web site IP addresses and browser types. This information is used for analysis purposes and to provide better service for users.

1. Use of Cookies:
A "cookie" is a block of text the site places in a file on your computer's hard drive to track your activity. While a code in the cookie file enables the site to label you as a particular user, it doesn't identify you by name or address unless you've provided the site with such information or set up preferences in your browser to do so automatically. Newer versions of browser software let you decide whether you want to receive cookie files, and some programs notify you when a web site is about to deposit a cookie on your hard drive. You can check for cookies on your computer. If you have a PC, look for a file on your hard drive called "cookies.txt" or for a file labeled "magic cookies" if you have a Macintosh. You can delete these files from your hard drive. There are also utility software programs (called "cookie cutters" or "anonymizers") that allow you to edit cookie files selectively within Web browsers.

2. External Links:
This site contains links to other sites. myPHR.ca is not responsible for the privacy practices or the content of external Web sites.

3. Web Site Security:
The myPHR.ca Web site uses the latest 128 bit SSL encryption technology to protect your on-line privacy and all transactions which you may conduct. The site is secure when the "padlock" icon is in the closed position, or when the URL address begins with https://.

4. SSL offers the following security benefits:
Privacy: Data is encrypted to and from clients, so privacy is ensured during transactions.
Message validation: An encoded message digest accompanies data to detect any message tampering.
Server authentication: The server certificate accompanies messages to assure the client that the server identity is authentic.
Client authentication: The client certificate accompanies messages to assure the server that the client identity is authentic. Client authentication is optional, and may not be a requirement for your organization.

5. About SSL certificates and Certification Authorities
SSL security is based on certificates used by both the client and server. Our web-server uses 128 bit certificates, which is currently the most widely-recognized certificate format. This allows servers and clients with certificates created by the web-server certificate applications to exchange certificates easily between our server and other applications.

Certificates contain a public key, a name, an expiration date, and a digital signature. Client certificates are stored in browsers and server certificates are stored in files called key ring files. A key ring file is a binary file that is protected by a password and stores one or more certificates on the server hard drives. Public and private keys are a unique pair of mathematically-related keys that are used to initiate SSL-encrypted transactions.

The link that allows a server and client to communicate is a Certification Authority (CA). Like a mutual friend, a CA vouches for the identity of a server and client by issuing certificates stamped with the CA's digital signature and including the CA's trusted root certificate in the key ring file. The digital signature assures the client and server that both the client certificate and the server certificate can be trusted. If the client and server can identify the digital signature on the certificate, then a secure SSL session can be established. Otherwise, the client and server cannot authenticate each other, and the session cannot be established. Clients and servers identify digital signatures by comparing them against the trusted root certificate in their key ring files.

A CA can be an external, commercial certifier, such as VeriSign, or an internal certifier that you establish at your organization. External and internal CAs create both server and client certificates.

6. Contacting myPHR.ca 
If you have any questions about the practices of this site, or for general inquiries about myPHR.ca, to update/change your contact information, or to be removed from any mailing lists, please contact us.


In the minutes that decide life or death, will your doctors have all your vital medical information?

Take control of your health records today!


© Copyright 2007. My Personal Health Record. All Rights Reserved