
Data security

This document provides an outline of implemented security measures for protecting, processing,
storing, transmitting, and deleting patient and user data in the Registry. The SITS International stroke
registry, often called “SITS Registry”, is referred to as just the “Registry” in this document.

Data Encryption
All data transmitted to and from the Registry is protected through strong encryption, utilizing industry-standard protocols. This ensures that data is securely encoded during transmission, mitigating the risk
of unauthorized access by third parties. Within the database, personal data of both users and patients
is stored in an encrypted format. This means that sensitive information such as names, medical records,
and contact details are encoded into unreadable code, providing an additional layer of security against
unauthorized access or data breaches.
The encryption extends to various aspects of the system, including user and employee passwords,
communication protocols (such as HTTPS), backups, and the underlying code base. By encrypting these
critical components, SITS ensures that data always remains protected, whether it is being transmitted
over networks or stored within the system. This comprehensive approach to encryption helps
safeguard the integrity and confidentiality of the data within the SITS International Stroke Registry.

Application security

The data management system utilizes an enterprise-grade content system with security principles
including:

  • Protection against SQL injection through object database usage
  • Sanitized input to prevent malicious code entry
  • Permission checks for every view or method accessed
  • Advanced sandboxing for limiting browser-based vulnerabilities
  • Automatic CSRF protection and clickjacking prevention
  • Multi-factor authentication for all users
  • Authorization ensures data access based on user roles, with patient data organized in a
    hierarchical structure
  • Encryption of data transfer using HTTPS
  • Logging of all actions performed in the registry
  • Prevention of unvalidated redirects and forwards to external sites
  • Protection against Cross Site Scripting (XSS)
  • Edit checks prevent invalid data input from users by refusing to save invalid data, e.g. invalid data
    format, out-of-range values, future date/time or inconsistent data across separate data forms
  • Limited support for out-dated web browsers and versions that are no longer officially
    supported, maintained or receiving security updates from the browser vendor

User Authentication
By design, all user accounts in the Registry, including administrators, are using two-factor
authentication (2FA) for logging in to the application. The principle of 2FA is that it requires two pieces
(factors) of evidence to prove the user’s claimed identity, which adds an extra layer of security to the
user account. This helps to protect against unauthorized access, especially in cases where passwords
may be compromised.
The 2FA code in the Registry is a one-time password, which means it will expire after use, or within a
certain time limit, or after a few failed login attempts.

Outline of data security in SITS Registry. Version 1.1. Dated 2024-04-17.

User Access Control
Role-based access controls ensure that users only have access to data that aligns with their roles in
the Registry. Any requests for additional access must be approved by SITS operational staff.
Internal access to the Registry is determined by the Principle of Least Privilege, which means
personnel of the SITS Coordination Office are given the minimum user rights necessary to perform their
tasks.

Data Storage Security
The Registry platform is hosted on a dedicated server in a hosting-centre sharing facility. The hosting-centre
has high-level physical access control. The server is protected by software and hardware
firewalls. The server is managed using VPN tunnelling. The code base is only accessible through an SSH
connection. Both SAN array storage and virtual machine disks are encrypted. Additional data is
behind a second firewall, away from the frontend server.

Data Housing
The Registry data is housed within the European Union and is processed from countries within the EU as
well as countries outside of the EU. Collection, storage, and transfer of data in SITS is compliant with
the General Data Protection Regulation (GDPR) 2016/679 from May 25th, 2018, and the Swedish
national guidelines, laws, and policies. All SITS operational staff are familiar with and obliged to
comply with national regulations of Sweden and EU regulations regarding data privacy and
protection policy, as well as ethical conduct relating to human research.

Patient Data Handling
When patients’ data is entered into the Registry, each patient is identified by a Treatment File
Number (TFN), ensuring the accuracy and reliability of the data. This TFN serves as a local identifier
and pseudonym within the registry. The registry does not collect identifiable patient data, such as
date of birth, social security number, or name. Instead, SITS urges that each centre stores this
sensitive information separately from the registry itself, e.g. at the local/centre coordinator’s office
along with the TFN. This separation implies that no patient identification is stored within the registry
or accessible outside national borders, thereby safeguarding patient privacy.
The patient data recorded in the Registry is comprehensive and includes various information such as
demographics, medical history, treatments received, time logistics (e.g., admission, treatment,
imaging, discharge), clinical observations, laboratory results, and details about medications and
rehabilitation. We retain data only for as long as necessary and in compliance with relevant
regulations. When disposing of data, we ensure it is securely deleted to prevent unauthorized access,
and therefore anonymized, as no personal information is entered.

User Data Handling
All users of the Registry, including healthcare professionals and researchers, provide consent during
the application process for SITS and third parties to process their data. This user data typically
includes:

  • Name
  • Email address
  • Post address (work)
  • Phone number (work)
  • Mobile number (for login purposes only)
  • Information about the hospital with which the user is associated

These user data elements are necessary for user authentication and management within the registry.
They enable SITS to ensure proper access controls and permissions, as well as to facilitate
communication with registered users regarding registry activities, updates, and other relevant
information. Users’ consent allows SITS to process and store this information securely, ensuring
compliance with data protection regulations. It also enables SITS to maintain a user database for
efficient management of registry access and usage. By managing patient and user data responsibly,
SITS aims to maintain the integrity, security, and privacy of information while facilitating valuable
research and improvements in stroke care.

Data Retention and Disposal
SITS complies with various obligations regarding data retention and destruction, including local laws, EU
regulations (GDPR), and contractual commitments to stakeholders.
The SITS Retention Policy involves maintaining documents in a production environment accessible by
authorized users. Personal data is kept only as long as necessary for its intended purpose. Individuals
can request deletion if data is no longer needed, consent is withdrawn, or other specific circumstances
apply.
The SITS Disposal Policy involves rendering information irretrievable by ordinary means.
SITS maintains a list of approved destruction methods for different types of information. Paper
documents are securely disposed of using designated containers picked up by authorized personnel.
Personnel of the SITS Coordination Office are responsible for implementing and ensuring compliance with
the data management policy, and users must understand and adhere to it according to the terms and
conditions of the Registry.