Cortico Privacy and Security Brief

How does Cortico keep patient data private and secure?

Cortico takes patient privacy very seriously.

Cortico Security Compliance:

  • Cortico is compliant with North American privacy laws including HIPAA, PIPA, PIPEDA, PHIPA.

  • Cortico has undergone a TRA (Threat Risk Assessment) and a PIA (Privacy Impact Assessment) with the help of certified (CIPP/C and CISSP) outside reviewers.

  • Cortico has been subjected to a third-party penetration test within the last year and undergoes quarterly vulnerability scans. These processes have not discovered any high-severity unmitigated risks.

  • Cortico has been reviewed by the Office of the Information and Privacy Commissioner for BC and has implemented its recommendations.

  • Cortico has been verified under Ontario Health's Virtual Visits Verification program. See https://otn.ca/providers/verified-solutions.

  • Cortico is compliant with the Ontario Health Online Booking Standard.

  • Cortico holds SOC 2 Type 2 certification.

  • Cortico is ISO 27001 certified, reflecting our operational processes in place to protect private information.

Cortico Security Features:

  • Cortico avoids storing personal health information (PHI) except when necessary to retain a record for your own access. We scrub our logs of any such information. Where possible, we store PHI directly in your clinician's EMR rather than on our systems.

  • Any PHI/PII in transit is encrypted using TLS 1.2 or later.

  • Cortico does not display PHI from Oscar online when updating demographics. That is only allowed at a secured terminal in your office (if at all).

  • Cortico may store PHI on behalf of the doctor or patient when authorized by them.

Cortico Security Governance:

  • All staff undergo required ISMS training.

  • Cortico staff are not authorized to access personal health information for reasons other than providing our services. PHI is accessed only when necessary for the patient's care delivery or safety, or to comply with applicable law.

  • When integrating with certain EMRs, temporary, encrypted, auditable and redactable storage of PHI takes place as part of patient workflows.

  • Cortico stores non-PHI, non-PII business data as needed in the general course of our operations. This includes both confidential and non-confidential company data.

Telehealth

  • We perform basic verification that the patient in a video call is the same person who booked the appointment with their Care Card. We also open the correct EMR demographic screen for the doctor, so there is no risk of accidentally loading the wrong patient (not to mention wasting time searching for them). A long cryptographic link ties the Cortico video session to the EMR appointment.

  • Each appointment gets its own secure appointment room, which is never re-used.

  • Cortico uses WebRTC for the actual video streaming. It is a good choice from a privacy and security perspective because it is encrypted at the data layer and is truly peer-to-peer (no servers can record it). An analysis from one of our engineers is available here: https://docs.google.com/document/d/1RZ0RkjDVDGBVYKKH1EJwG6P7UzxVGNwH2UcUDgluHEY/edit?usp=sharing

  • To facilitate patients and doctors sending files in cases a specific EMR does not support, Cortico may store such files encrypted using BYOK (Bring Your Own Key), minimizing our own access to those files. This storage is temporary, auditable and redactable.

Patient Messaging

  • Cortico Patient Messaging is a more convenient and more secure alternative to conventional email (commonly used by providers in Canada). With email, attachments persist forever (or for an extended period) by default.

  • Files sent to the patient via Cortico are stored temporarily, encrypted, auditable and redactable, unlike regular email attachments.

  • Messages are encrypted in transit using TLS 1.3 over HIPAA-eligible channels and are never stored by Cortico. This is the most common transport mechanism used by HIPAA-compliant messaging platforms. Files sent are end-to-end encrypted at the data layer, which adds an additional layer of protection. End-to-end data-layer encryption of messages is on our development roadmap as well.

  • Cortico is pursuing verification under the Ontario Health Virtual Visits Secure Messaging Standard, as we have for Telehealth (timeline is TBD).

AI

  • Raw patient data are not used for training purposes.

  • Patient and customer data processed by AI models are not accessible to other parties (outside Cortico, your practice, and anyone you share the summary with).

  • In the case of errors, mistakes or abuse, anonymized data are reviewed by Cortico to make corrections and ensure a safe system.

  • Data are not shared with OpenAI.

  • Hosting on Microsoft Azure: See https://learn.microsoft.com/en-us/legal/cognitive-services/openai/data-privacy?tabs=azure-portal

Identity Theft

Verifying the identity of patients is not in the scope of Cortico's services and is left to the individual clinic. To date we have not seen any evidence that online booking prevents (or increases the incidence of) identity theft. We have only one report of an identity theft ever occurring in a clinic using Cortico, and our investigation found it was a misunderstanding: the doctor had booked an appointment for their patient using Cortico.

In practical terms, the difficulty of performing identity theft in primary care is relatively high (at least to do it undiscovered) and the payoff is low, so we believe it is quite rare. Where Cortico does help is in discovering and investigating identity theft, and therefore in removing the incentive to attempt it in the first place, because there is a significant paper trail of interactions with the patient. The report above was flagged because the patient received an unexpected email regarding an appointment, and we keep an API log to track suspicious activity, such as updates to contact information, in the event of an investigation.

Architecture

[Architecture diagram]

Cortico's Privacy Officer is Clark Van Oyen, who is reachable at privacy@cortico.health
