Leyr Security
At Leyr, we prioritise the protection of patient data privacy. To ensure the confidentiality of the data entrusted to us, we have implemented robust security measures at the core of our services.
In summary:
- Leyr does not store any patient data. It only facilitates the passing of data through our services. This means that if Leyr's systems were to be attacked, it would not lead to unauthorised access to patient data.
- Data transmission is secure and encrypted following industry best practices. Even if data were to be intercepted, it would be incomprehensible in its encrypted form.
- Double encryption is used when setting up developer applications. This involves creating a key on your side and another key on Leyr's side. Without access to both keys, no requests can be made towards an Electronic Health Record (EHR). We employ machine-to-machine credentials to ensure that requests come from authorised accounts.
- A strong password is required for a developer portal account, and we regularly back up developer apps to mitigate any potential harm caused by an account being breached. Again, no patient data is available from the developer portal.
As a Leyr customer, you can confidently utilise our API to read and write EHR data from your applications. However, it is important to note that if a breach occurs on your side and an intruder sends requests through your systems, it may appear to us as legitimate requests.
Therefore, it is crucial for your organisation to have sound cybersecurity measures in place for systems that interact with Leyr. You are dealing with patient data, after all.
Data at Rest
Leyr does not store any data, except our customerβs authorization details and credentials to EHR systems. No patient data, practitioners data, or clinical data that can be related to a person is ever stored at Leyr.
When handling credentials to EHRs, Leyr has built double encryption mechanism, where:
- credentials are stored in Leyrβs DB only in encrypted format, where two different keys are used for encryption simultaneously
- one key is provided by Leyr
- another key is provided by Leyrβs customer through developer portal, when connecting new EHR. Leyr never stores nor logs that key.
Leyr follows best industry standards for encryption and data protection. When data (including backups) is at rest, it is encrypted using AES-256 encryption algorithm. Storage encryption is always on and cannot be disabled.
Data in Transit
Leyr uses industry standard security practices across all operations, when it comes to data in transit, like:
- all the inbound and outbound traffic is happening via HTTPS, encrypted using TLS, where certificates are renewed regularly
- TLS/SSL is enforced on Leyr database server by default, ensuring that all data is encrypted in transit