Security & compliance

Patients trust your hospital with their lives. Your hospital can trust ACOS with that trust.

Patient data is sacred. We treat it that way.

What follows is what we actually do today and what's on the roadmap — for the IT lead, the compliance officer, and the hospital owner who needs to know. We're upfront about what's operational versus what's coming, and we don't claim certifications or capabilities that aren't real yet.

Data isolation

Your hospital's data is yours alone.

One ACOS system can serve many hospitals, but each hospital is completely walled off from the others. No one at another hospital can see, search, or open your patients' records.

One hospital can't see another

Built so the lines never cross

Every record belongs to one hospital, and the system checks that on every single action. A user at another hospital has no path to your data — it can't be searched, exported, or stumbled into by accident.

More than one safeguard

Protection that doesn't rely on a single check

The separation between hospitals is enforced in more than one place, so a single mistake can't expose another hospital's data.

We don't train AI on your patients

Your patient data is never used to train AI

ACOS uses AI to help with notes and clinical decisions — but your patients' information is never used to train any AI model, ours or anyone else's. The outside AI services we use are set to keep nothing once they've answered.

We can't freely look at your data

Only a few named staff, only when you ask

Only a small, named team at ACOS can reach live data, and only to fix a problem or help when you've asked us to. Every time they do, it's recorded — and you can ask to see that record.

Access control

Each person sees what they need. Nothing more.

Role-based access

Doctors see clinical data. Cashiers see billing. Pharmacists see prescriptions. Roles are defined per hospital and are granular down to individual permissions.

Per-unit scoping

Multi-site hospitals can scope access to a specific unit or branch — staff at one location don't see records from another unless explicitly granted.

Session security

Industry-standard session controls: secure HTTP-only cookies, automatic timeout after idle, rotating session tokens. No session data exposed to client storage.

Password policy

Configurable per hospital. Minimum length and complexity rules enforced at sign-in. Failed attempts are rate-limited and logged.

Privileged action logging

Administrative actions — role changes, permission grants, user creation, data exports — are logged separately and reviewable by hospital administrators.

Offboarding controls

Disable a staff account from a single screen; active sessions terminate within minutes. The audit trail preserves their historical actions.

Anomaly detection

Unusual access patterns — a clinician viewing hundreds of records they don't normally see — surface for administrator review.

Encryption & data handling

In transit. At rest. By default.

In transit

Encrypted on every connection

All traffic to and from ACOS runs over TLS — clinician laptops, lab integrations, payment processors, partner systems. No plain-HTTP fallback, anywhere.

At rest

Encrypted at the storage layer

Database, file storage, and backups are encrypted at rest using cloud-managed encryption. Encryption keys are managed by AWS KMS and never accessible in plaintext to ACOS staff.

Hosting

AWS, with regional options

ACOS runs on AWS. Hospitals with data residency requirements can request a specific region. Hosting inherits AWS's security certifications, including HIPAA-eligible services.

Backups

Automated, encrypted, geographically separated

Database backups run automatically with point-in-time recovery for recent activity and longer-retention snapshots for compliance. Backups are encrypted and stored in a separate region.

Audit and accountability

Every change logged. Every record reviewable.

Healthcare runs on accountability. Who changed what charge. Who logged in from where. Who modified which clinical record. ACOS records this for your administrators, your compliance team, and any regulator who asks.

Write audit trail

Every create, update, and delete is logged with user, timestamp, and the change captured. Logging is built in across modules so a workaround in one corner of the app doesn't bypass it.

Authentication audit

Sign-ins, sign-outs, session timeouts, failed attempts, and password resets — recorded with user, timestamp, and source IP.

Regulator exports

Audit data is exportable in standard formats for inspection by the Ministry of Health, Ghana Health Service, or contracted compliance bodies.

Admin visibility

Hospital administrators can review recent privileged actions, sign-in patterns, and data exports from a built-in dashboard.

Patient access logs

Patients (or their authorised representatives) can request a list of every staff member who accessed their record, with timestamps.

Compliance

Where we are. Where we're going.

We're transparent about what's in place today and what's on the roadmap. We don't list certifications we don't have.

Operational

Ghana Data Protection Act (Act 843)

ACOS operates in alignment with Ghana's Data Protection Act. Patient data rights — access, correction, deletion — are supported through hospital administrators. Breach notification follows the 72-hour disclosure requirement.

Operational

HIPAA-style controls

Underlying AWS services are HIPAA-eligible. We follow HIPAA-style administrative, physical, and technical safeguards as a security baseline, even though HIPAA itself is a U.S. regulation.

Operational

ICD-10 coding

ICD-10 diagnosis and procedure codes are supported across clinical documentation, including IPD discharge summaries.

Operational

HL7 v2, FHIR R4, LOINC, SNOMED CT

Deeper interoperability standards are sequenced into the integration roadmap. Available today through targeted integrations on a per-hospital basis.

Incident response

When something goes wrong, you'll be the first to know.

The honest answer to 'what happens during a security incident' is the difference between a vendor and a partner.

Detection

24/7 monitoring across infrastructure

Automated alerting on infrastructure anomalies, failed authentication patterns, and unusual data access. On-call engineer paged for incidents that meet defined severity thresholds.

Notification

72-hour direct disclosure

If an incident affects your hospital's data, you hear from us directly — by phone and in writing — within 72 hours of confirmation, in line with the Ghana Data Protection Act.

Response

Coordinated remediation with your team

We work alongside your IT lead through containment and remediation. Affected systems are taken offline if needed; restoration is logged and verified before service resumes.

Review

Post-incident review shared with you

After resolution, we share a written review of what happened, what we changed, and what we'd do differently. Sent to affected hospitals — not buried.

For procurement teams

Documentation we provide on request.

If you're working through a vendor security review, the following are available on request — typically within five business days, faster for active sales conversations.

  • Architecture overview and data flow diagram
  • Custom security questionnaire response (we fill yours in)
  • Penetration test summary (annual third-party test)
  • Sub-processor list
  • Tenant data processing agreement (DPA)
  • Encryption and key management summary
  • Access control and audit overview

We're a maturing company on a clear path: formal disaster recovery and business continuity plans and ISO 27001 certification are sequenced into our roadmap as we scale. We'd rather tell you what we have than promise what we don't.

The ask

Have a security review to run? We'll fill it in.

Send us your questionnaire — SIG, CAIQ, custom, doesn't matter. We respond within five business days. Or book a call to walk through the specifics for your facility.