Customers: SberHealth (formerly DocDoc), Moscow; Pharmaceuticals, Medicine, Healthcare
Contractors: National Certification Centre (NAC)
Product: External IT and Security Audit Projects (PCI DSS and SIS)
Project date: 2021/04 - 2021/05
2021: Comprehensive IT audit of online medical service infrastructure
The National Certification Center (NAC), which is part of the Informzashchita group of companies, performed a comprehensive audit of the IT infrastructure of the online medical service SberHealth (formerly DocDoc). This was reported on June 8, 2021 by Informzashchita. The main purpose of the certification is to determine the overall security level of the system, simulate potential threats and develop recommendations for improving the level of security.
Regular monitoring of the cybersecurity of information systems allows you to be ready for new challenges and threats from potential attackers. Organizations often underestimate the level of modern cyberthreats. Different attacks can cause many problems. One example is denial of service: in this case, the company will not be able to provide medical services until the normal operation of the system is restored. Attacks can also lead to theft of information that constitutes medical secrecy (doctors' opinions, medical histories), which will entail fines from regulators and lawsuits from the patients whose personal data was leaked.
"Business should be interested in the safety of its customers," said Director of NAC Dmitry Poigin. "Certification is not just a formality. Confidence in your own security is also a manifestation of concern for the user who leaves his data in the system. The organization's certification for information security is credible on the part of potential customers, who now more consciously approach the protection of their own personal data."
In order to verify and prevent potential threats, including those related to the security of personal data, the management of the SberHealth service decided on the need for certification. As part of the project, Informzashchita experts conducted a comprehensive survey of the IT infrastructure of the service, modeled possible attack vectors and developed recommendations for improving the level of information security.
The SberHealth service provides a wide range of medical services. The main ones are telemedicine consultations with doctors, booking appointments with specialists and for diagnostics, visits to doctors under VHI and much more. The service has more than 13 million clients. Its database includes over 360 thousand practicing specialists from 4 thousand clinics. Preventing the loss of personal data is a priority for critical health information infrastructure.
Following the results of certification tests, SberHealth confirmed compliance with the requirements for information protection in state information systems of the second security class (K2) and information systems of personal data of the second security level (UZ-2).
The resulting certificate makes it possible for the SberHealth service to provide secure interaction with EGISZ, which allows expanding the range of services for users.