Initial Certification: 04/2016

Brainlab AG provides the cloud-based service Quentry, which facilitates the collaboration of medical professionals. Quentry enables medical professionals to share medical images, to display medical images in a web-based viewer and to add comments such as medical opinionsCustomers of Brainlab are provided with meaninful information on how to make use of the service in compliance with EU data protection law. Particularly, they are advised that the legitimate use of the service requires the collection of patients' consent and release from medical confidentiality and that they must verify the identity of other customers prior to sharing medical information with them. Quentry comes with a functionality which allows the de-identification of meta data about patients prior to data being uploaded to the service. Customers who adhere to Brainlab's privacy advice can be sure that processing of sensitive health data by means of Quentry is in line with the high requirements of EU data protection law.

https://www.quentry.com

Press Release Image 

Image

European Privacy Seal for Brainlab AG

Product/Version

Bild

Quentry® service as provided to EU customers

Function as provided in March 2016

Qualification: IT-based service

View the Quentry Certificate 

Cert. No.

EP-S-QCYQ9S

Validity

06/04/2016 - 30/04/2018

Monitoring

12/2016 (O.K.) 

08/2017 (O.K.)

Public report

Quentry Short Public Report Image   

Manufacturer/Provider

Brainlab AG

Olof-Palme-Straße 9
81829 München
Germany

BEST

Brainlab AG implemented a sophisticated multi-layered encryption solution which provides a high level of confidentiality regarding sensitive patient data that is processed within Quentry. Brainlab went to great lengths to implement a solution that approximates the level of a true end-to-end encryption to the greatest extent possible. Note: End-to-end encryption is impossible in the Quentry context since the service involves processing of patient data in the cloud.

In detail, confidentiality of personal data within Quentry is secured by means of an interplay of the following encryption methods:

  • All communication between the user (client) and the Quentry-server is secured over TLS.
  • User data and patient data are encrypted during transmission to the Quentry-server by TLS communication.
  • User login process (External Authentication Service) is encrypted and secured by TLS-Webserver-Authentication and TLS-Web-Client-Authentication.
  • During processing, patient data is encrypted in the CPU/RAM of the Quentry-server through a multi-layered encryption process.
  • Only after the patient data is encrypted, the data is stored in a secured environment.  

ATTENTION

Regarding the processing of patient data, it must be highlighted that users of Quentry qualify as controllers whereas Brainlab acts as processor on behalf of the customers. Brainlab provides customers with meaningful information on how to make use of the service in compliance with EU data protection law. Particularly, customers are advised that the legitimate use of the service requires the collection of patients' consent and release from medical confidentiality. The customer must verify the identity of other customers prior to sharing medical information with them. More detailed information on this topic is available under"Details" as well as in the Short Public Report.

Brainlab uses Salesforce as a cloud service provider for the authentication of users (customers). For the time being, Brainlab relies on standard contractual clauses (SCC) for the transfer of minimum authentication data to the U.S. In this context, it must be stressed that Brainlab will adhere to future guidance of the Article 29 Working Party regarding the impact of the so-called "Schrems judgment" of the European Court of Justice on the eligibility of SCC to legitimize international data transfers and make changes to the authentication solution (if necessary).

SUMMARY

Brainlab provides the cloud-based service Quentry that can be accessed via https://www.quentry.com. Quentry enables medical professionals to share medical images, to display medical images in a web-based viewer and to add comments such as medical opinionsThe service relies on Amazon Web Services as cloud provider (sub-processor). Since medical data is processed in the cloud, Quentry is not able to provide for true end-to-end encryption. However, Brainlab implemented a sophisticated multi-layered encryption solution which provides a high level of protection against unauthorized access to patient data. More details on this topic are available under "BEST" above and in the Short Public Report

In respect to the processing of medical data relating to patients, customers of Quentry such as hospitals qualify as controllers whereas Brainlab acts as a processor on behalf of these controllers. Customers are provided with meaningful information on how to make use of the service in compliance with EU data protection law. Particularly, they are advised that the legitimate use of the service requires the collection of patients' consent and release from medical confidentiality. Customers must verify the identity of other customers prior to sharing medical information with them. Quentry comes with a functionality which allows the de-identification of patient meta-data prior to data being uploaded to the service.

When it comes to the processing of customer data when providing the Quentry service, Brainlab qualifies as controller. Salesforce provides cloud-based services for the authentication of customers on Brainlab's behalf.

DETAILS

The user ("controller") is responsible for the collection of consent and release from medical confidentiality from the patient. However, Brainlab advises and requires the customer (user) within the upload process to confirm that the user obtained consent and release from medical confidentiality from the patient. This holds true even if only de-identified patient data is processed, because images themselves may qualify as personal data.

When obtaining patients’ consent, users must inform data subjects (patients) about the following in particular:

  • Patient data is processed in the cloud.
  • Brainlab processes patient data as a processor on behalf of the user. Customers must conclude a controller–processor agreement with Brainlab prior to uploading any patient data to the cloud.
  • Brainlab relies on Amazon Web Services as cloud provider (sub-processor). Encrypted patient data is stored exclusively in a data center in Ireland for customers who are located in Europe. Sub-processors responsible for maintenance may be located in third countries outside of the European Economic Area (EEA). Standard contractual clauses between Brainlab and Amazon Web Services are in place.
  • End-to-end encryption is impossible in the Quentry context since the service involves processing of patient data in the cloud. However the encryption approximates the level of a true end-to-end encryption to the greatest extent possible.  
  • Brainlab is capable of decrypting encrypted patient data, but safeguards are in place that this is only performed in exceptional cases such as major database maintenance or system restoration. A secure process ensures the coordinated decryption and re-encryption of the database. Individual employees of Brainlab are not able to decrypt patient data on their own.
  • If applicable: That the user shares patient data with hospitals / doctors in countries outside of the EEA which do not provide an adequate level of data protection.

Prior to establishing a connection with other Quentry users, customers must confirm that they verified the identity of the other user by means of an appropriate channel (e.g., via phone).  

Technical Evaluator

Dr. Michael Foth
IBS Schreiber GmbH
Zirkusweg 1
20359 Hamburg
Germany

Legal Evaluator

Johanna Laas
intersoft consulting services AG
Beim Strohhause 17
20097 Hamburg
Germany

Image

Disclaimer:

This register is kept with the utmost care. However, EuroPriSe does NOT guarantee the accuracy of information found on the Site. Your reliance on information found on the Site is at your own risk.