Regulation and certification process

  • Posts: 9
3 years 4 months ago #6906 by Ann-Marie Westgate
Good afternoon, each province and territory will have its own certification process.

Many jurisdictions recognize and require vendors to have an Information Security Management program that aligns with known standards, such as ISO/IEC 27001 or NIST. You may need to obtain third-party validation of your security program. As a service provider, providing an independent SOC2 report can give additional assurances.

For cloud services, many jurisdictions will reference the Cloud Security Alliance (cloudsecurityalliance.org/) and you may be asked to complete documentation of your controls against the CSA framework. Data residency will be a consideration, so as a cloud vendor it is important to know in which regions the data is stored, including temporary storage.

Additionally, you may wish to reference the following document, which covers Privacy and Security Requirements and Considerations for Digital Health Solutions, including cloud-based services.

It is available in English:
www.infoway-inforoute.ca/en/component/edocman/resources/technical-documents/architecture/2154-privacy-and-security-requirements-and-considerations-for-digital-health-solutions

And in French:
www.infoway-inforoute.ca/fr/component/edocman/ressources/documents-techniques/architecture/2155-enjeux-et-exigences-de-securite-et-de-protection-des-renseignements-personnels-des-solutions-de-sante-numeriques?Itemid=189


  • Posts: 1
3 years 5 months ago #6838 by Julia Alcaz
Good day dear Community.

I am looking for general information on the certification process and requirements for digital health software.

Our company created a platform (dashboard) that integrates with a hospital's existing EHR and core IT systems to provide retrospective, prospective and predictive analytics – at both the management and frontline staff levels.

As we are moving it to the cloud, the Quebec regulatory body is asking us to obtain their certification to ensure that Personally Identifiable Information (PII) and PHI are well respected.

At first glance, the requirements are very similar to ISO 27001.

While the certification and regulation procedures in the province of Quebec are pretty clear, I am looking for more information on other provinces' certification requirements.

I hope somebody can guide me to find the right source of information and the regulatory body that is governing this process in your province.

Thanks
