Data Security: an interview with SurgicalPerformance’s Software Developer Mikael Wedemeyer

The New York Times published an article on the 13th of December 2016 about how a team of Russian cyber-spies hacked into Hillary Clinton’s campaign email accounts, falsified information and influenced the recent US election results.

SurgicalPerformance, as an auditing tool, relies on the quality and accuracy of data entered by users to produce true and insightful reports. To encourage users to be honest in their record keeping, we go to great lengths to ensure data entered to our software is kept de-identified and confidential.

However, if even Hillary Clinton’s email accounts can be hacked, what assures SurgicalPerformance users that their information is safe?

To answer this question, we talked to Mikael Wedemeyer, SurgicalPerformance’s Chief Software Developer, who has provided SurgicalPerformance users some tips on how to safely communicate confidential information online.

Q: Hi Mimikaelkael – yesterday we read in the New York Times how a team of spies hacked email accounts, falsified emails and influenced the recent US election. Could this happen with SurgicalPerformance, too?

In the case of the Hillary Clinton’s campaign the email accounts were hacked and in principle email accounts are very easy to intrude into. SurgicalPerformance is a database that lives in the cloud and we have very advanced technology wrapped around our databases that would make a hack very difficult.

By design we also ensure that sensitive data is minimised to mitigate the risks and exposure from an attack.


Q: Is there a lesson to learn from the Hillary Clinton incident?

There sure is. All this was possible because email accounts were hacked and then user login details were exchanged by email.

To SurgicalPerformance users I would recommend that you never share your login details via email. Consider everything you share via email with someone as public information. Sharing information though encrypted text is much safer.


Q: If a SurgicalPerformance user loses their password, can’t you email it to them?

No, we don’t email passwords. We actually don’t have access to our users’ passwords. Our users can reset their password directly on the site itself. If you need to communicate passwords amongst users and their representatives, I recommend you send it by encrypted text.


Q: How does SurgicalPerformance protect users’ data?

We utilise a range of procedural and physical methods to ensure security of our users’ data. It is our objective to conduct ourselves with the highest ethical standards and comply with HIPAA, Australian Privacy laws and regulations and any other appropriate international and industry standards. You can read full details on our data protection page – here. One of the things the US Pentagon had to learn the hard way was that educating their staff – in our case our users – is critical to data security.


Q: What can SurgicalPerformance users do to protect themselves?

The most important thing is to use secure unique passwords. They also should be something that is easy to remember and not be written down. One good technique is to use a unique long phrase that you can easily remember, for example: “To be or not to be, that is the question” – Use the first letter from each word – “Tbontbtitq” – Then where possible substitute numbers and punctuation while still keep it easy to remember – “Tbon2btitq??” – You now have a password that is unique and easy to remember. Also never use your all or part of you name, email address, company or the year in a password.

You should also use two factor authentication wherever possible, this gives you a one-time code in addition to your username and password. It can be enabled on many types of services including on your Apple or Google accounts on your phones.

A password manager like LastPass is also a good solution if you use two-factor authentication and strong passwords with it.

Aside from this, do not share login details by email. Ensure you have up to date antivirus and anti-malware software and be careful not to open or click links in phishing emails.

Last but not least, in SurgicalPeformance we recommend that you don’t enter identifiable patient information. We actually built a warning sign that says “Do not reveal identifiable information”, such as the full name or the patients residential address.


Q: Is there a mechanism I can use to protect the data from my data entry staff?

Yes, for Premium users we created a two level security system within each user’s account. Each Premium user can set up a 4-digit PIN in his or her user profile and specify what areas the PIN shall protect. You can for example share a username and password with a registrar and protect the reports section with a PIN. The registrar would be able to enter data but not see your results.


Q: However, what would happen in case of a data breach?

You can read our full Data Security Incident & Breach Reporting Policy on our website, here.

On receiving a report of a data breach, SurgicalPerformance will immediately notify the Security Official and Development Team to review and form a Response Team. There are four key steps to consider when responding to a breach or suspected breach.

1.Contain the breach and do a preliminary assessment

2.Evaluate the risks associated with the breach


4.Prevent future breaches

The response team should ideally undertake steps 1, 2 and 3 either simultaneously or in quick succession.

If a breach of sensitive information, including but not limited to PHI, user, reporting or outcomes has occurred, SurgicalPerformance will give timely notices to affected individuals and government authorities, including the OAIC as appropriate and/or required. The notice will be given as soon as practicable.


We hope this information is useful and that it serves as reassurance to our users that we take data security seriously. Should you have any questions or would like to make suggestions or give us feedback, please go on to our contact page.