Cybersecurity, a priority for ThermoHuman’s software
Our commitment to our customers and to the continuous improvement promoted by our quality policy has driven us to carry out a voluntary cybersecurity audit, whose results have certified that we have a high level of protection against malicious attacks on our customers’ data. This allows us to continue to stay ahead of the curve in cybersecurity and digital transformation.
Security incidents in applications such as ThermoHuman are growing quickly, both in number and effectiveness, so cybersecurity is a must.
At ThermoHuman we attach great importance to cybersecurity as a fundamental part of our technology and our products and services. The use of cloud-computing technology has benefits, but in general there is a lack of awareness about the importance of the vulnerabilities caused by the speed of digital transformation. These vulnerabilities are often difficult to recognize and intercept, since they cover a perimeter beyond the technological. It is therefore necessary to verify, monitor and secure the system, covering aspects beyond the technological.
In addition, ThermoHuman has implemented a Quality System based on the EN-ISO 13485:2016 standard, which treats the commitment to continuous improvement as a fundamental point of its Quality Policy and which resulted, in 2021, in obtaining our CE certificate as a medical device.
ThermoHuman is an active application with an ever-growing volume of data that is based on interconnectivity and cross-platform services, so we are obliged to apply effective solutions for the protection of the data it contains. To this end, we have adopted cybersecurity architectures like “zero trust”, which include identity and access management to minimize the risk of unauthorized access to sensitive resources or data.
We guarantee the availability of data through a policy of rapid backup and recovery against failures or unexpected interruptions of services, offering an optimal safety net for the continuity of our software and for its protection against new threats.
All our infrastructure is in Azure, a provider that meets our demands through a high level of commitment to security and the use of components that are kept permanently up to date.
The Information Security Policy that we carry out includes a training plan so that our employees learn to maintain the security of their passwords and credentials, since we think that this has a fundamental value for their protection. The human factor is often the weakest link and, combined with an increasing number of attempts at external attacks, even a minimal interruption of the operation of the security perimeter can cause very significant damage.
From this perspective, we also rely on the constant work of our team of engineers who, when updating, maintaining and developing the software, follow the quality standards required by EN-ISO 13485:2016, EN-ISO 14971:2020, EN-ISO 15223-1:2017, EN-ISO 62304:2007 and EN-ISO 62366-1:2015.
Our Quality Policy requires us to constantly monitor and neutralize the threats that prevent us from providing the best service to our customers. ThermoHuman has voluntarily undergone a vulnerability assessment and testing procedure, the purpose of which is to identify and prioritize potential security gaps and attempt to use them to gain unauthorized access to the application or customer information.
Our idea is based on a change of perspective, that is, adopting the point of view of the “hacker”. To achieve their goals, the hacker looks for the most efficient method, sometimes using infrastructure failures and other times human mistakes. Therefore, we have based our analysis on the following methodologies:
- BlackBox is a methodology in which the “hacker” does not have details or access credentials about the system that is being attacked. The goal of the test is to simulate an attack from the point of view of a real hacker.
- GreyBox is a methodology in which the “hacker” does know basic details about the use of the application and credentials to access the system being tested.
The following results were obtained:
- From a BlackBox point of view, the application showed no critical vulnerabilities.
- From the GreyBox point of view, the application was seen to be vulnerable to several types of attacks, which have been reported with reduced impact.
- Finally, some minor configuration mistakes have also been reported.
Over the last few months we have worked to solve all the vulnerabilities and mistakes found, so it can now be said that ThermoHuman has become a much safer application.
Conclusion for cybersecurity
Cybersecurity is one of our top priorities as software creators and developers.
We constantly evaluate our system to avoid the risk of malicious attacks that may compromise the integrity and security of our customers’ data and to understand everything that may not be working as intended. Based on the results, we create updates and implement all necessary improvements.
In this way we ensure that our system is increasingly secure and that it provides our customers with responsible, ethical and functional use.