法律、风险与合规

信息关于 our compliance standards, certifications, controls, and 数据 protection practices

Certification Overview

Elderwise is committed to achieving and maintaining compliance with key industry certifications. Our strategic roadmap outlines our journey toward full certification, with timelines tailored to the complexity and requirements of each standard.

Certification Strategy & Timeline

Compliance Roadmap

Elderwise follows a structured approach to compliance certifications with timelines tailored to each standard's complexity. We prioritize certifications based on market requirements and technical complexity, with our most comprehensive certifications (HITRUST) targeted for Q3 2026, while more focused certifications like ISO 27001 are targeted for completion by Q1 2026.

Certification Process

Documentation Phase

Creation of policies, procedures, and controls documentation

Gap Analysis

Assessment of current practices against certification requirements

Implementation

Deploying necessary controls and remediation activities

Internal Audit

Verification of control effectiveness before external assessment

External Assessment

Official certification audit by accredited third parties

Certification

Receipt of formal certification and continuous monitoring

Current Implementation Status

While formal certifications are in progress, Elderwise has already implemented key security and privacy controls aligned with healthcare standards. Our approach follows industry-standard continuous compliance methodology, emphasizing automated evidence collection, regular assessments, and security by design.

Pre-certification Assurances

We provide interim compliance documentation to customers, including security questionnaire responses, SOC 2 readiness assessments, and draft BAAs/DPAs while formal certification is underway.

Continuous Compliance Monitoring

Following compliance best practices, Elderwise employs continuous monitoring tools to automatically detect and remediate compliance drift, ensuring our systems maintain compliance between formal assessment periods.

医疗标准与 Elderwise 合规

最后更新: 2025-09-27

HIPAA

目标: 已运营

美国医疗保险携带与责任法案 (HIPAA)

规范 PHI 隐私与安全的美国医疗法案。

医疗相关性:

规范美国医疗机构与业务伙伴对受保护健康信息 (PHI) 的隐私与安全处理。

关键要求:

签署业务伙伴协议 (BAA)
基于角色的访问控制与多因素认证
审计日志与持续监控
最小必要使用原则
传输与静态数据加密
数据泄露通报流程
定期风险评估与员工培训

Elderwise 的合规做法:

与处理方签署 BAA，落实 RBAC/MFA/SSO，集中式审计日志，最小权限原则，AES‑256/TLS 1.3 加密，事件响应手册与周期性 HIPAA 培训。

GDPR

目标: 已运营

欧盟通用数据保护条例 (GDPR)

规定合法处理与数据主体权利的欧盟数据保护法规。

医疗相关性:

EU/EEA 区域的数据保护框架，涵盖合法处理与数据主体权利。

关键要求:

合法处理基础与同意管理
数据主体权利（访问、删除、可携带）
数据处理协议 (DPA)
内建与默认的隐私保护
处理活动记录 (ROPA)
跨境传输保障

Elderwise 的合规做法:

同意采集与审计跟踪、与供应商签署 DPA、隐私内建评审、DSR 流程、必要时进行跨境传输影响评估。

PDPA

目标: 已运营

新加坡个人数据保护法 (PDPA)

强调同意与目的限制的新加坡数据保护法。

医疗相关性:

关于同意、目的限制、通知、访问/更正等义务的本地法律。

关键要求:

同意与通知
目的限制
访问与更正权
保护措施与保留期限
数据泄露通报

Elderwise 的合规做法:

本地化同意声明、保留策略、访问/更正渠道，并依据 PDPC 指南执行泄露通报程序。

ISO27001

目标: 2025 年 Q4

ISO/IEC 27001 信息安全管理体系

用于信息安全风险管理的国际 ISMS 标准。

医疗相关性:

关于建立、实施、维护与持续改进 ISMS 的国际标准。

关键要求:

风险管理计划
ISMS 治理与文档化
附录 A 安全控制
持续改进（PDCA）

Elderwise 的合规做法:

界定 ISMS 范围，建立风险台账与策略/控制映射，开展内部审计并做好认证准备。

SOC2

目标: 2026 年 Q2

SOC 2 Type II（安全、可用性、保密性）

对安全控制在一段时间内有效性的鉴证。

医疗相关性:

基于 AICPA 信任服务准则，对控制有效性进行周期性鉴证。

关键要求:

政策与流程文档
安全监控与告警
变更与事件管理
供应商风险管理

Elderwise 的合规做法:

与 TSC 对标控制，自动化收集证据，持续监控，按季度测试控制并做好外部审计准备。

HITRUST

目标: 2026 年

HITRUST CSF

面向医疗的综合性可认证安全框架。

医疗相关性:

面向医疗的可认证框架，融合 HIPAA、ISO、NIST 等要求。

关键要求:

基于风险的控制选取
政策/流程落实
验证与评分
外部评估

Elderwise 的合规做法:

定义 PHI 系统范围，适用时继承控制，分阶段推进以获得验证性评估。

HSA

目标: 2026 年 Q2

新加坡 HSA 指南（医疗科技）

新加坡 HSA 的医疗科技/软件监管指引。

医疗相关性:

针对医疗软件与健康科技解决方案的监管指引。

关键要求:

风险分级与文档化
质量管理体系衔接
临床与网络安全考量

Elderwise 的合规做法:

遵循 HSA 意见，对预期用途与风险控制进行文档化；参考 ISO 14971/IEC 62304。

HITECH

目标: 2026 年 Q1

HITECH 法案（泄露通报）

针对 HIPAA 的泄露通报与执法强化规定。

医疗相关性:

针对 HIPAA 的泄露通报与执法强化。

关键要求:

泄露风险评估
及时通报
媒体与 HHS 报告阈值

Elderwise 的合规做法:

事件响应手册、证据保全，以及关于重大性与通报时机的决策树。

FHIR

目标: 已运营

HL7 FHIR（互操作性）

现代化的结构化临床数据交换标准。

医疗相关性:

现代临床数据交换标准。

关键要求:

FHIR 资源与配置文件
RESTful API 与一致性
安全与授权（SMART on FHIR）

Elderwise 的合规做法:

核心实体采用 FHIR 优先建模，版本化配置文件，OAuth2/OIDC 授权。

HL7

目标: 已运营

HL7 v2/v3 消息

医院与实验室广泛使用的医疗消息标准。

医疗相关性:

在医院与检验机构广泛使用的医疗消息标准。

关键要求:

消息格式与段
确认/错误处理
传输与安全

Elderwise 的合规做法:

按需提供 HL7 v2.x 适配、内部模型标准化与安全传输。

ISO13485

目标: 2026 年

ISO 13485 医疗器械质量管理体系

医疗器械质量管理体系 (QMS) 标准。

医疗相关性:

面向医疗器械全生命周期的质量管理标准。

关键要求:

文件化的 QMS
设计与开发控制
风险管理与可追溯性
上市后监管

Elderwise 的合规做法:

在相关软件模块逐步引入 QMS；如适用，配合器械分级及监管路径。

ISO42001

目标: 2026 年

ISO/IEC 42001 人工智能管理体系

面向负责任 AI 治理的 AI 管理体系标准。

医疗相关性:

覆盖 AI 全生命周期的责任治理框架。

关键要求:

AI 风险管理与控制
数据治理与透明度
监测与持续改进

Elderwise 的合规做法:

将既有控制映射至 AI 风险，建立透明度文档与指标，完善模型治理流程。

Data Protection & Compliance

Elderwise is committed to maintaining the highest standards of data protection and regulatory compliance in healthcare technology, with a progressive certification roadmap for completion between Q3 2025 and Q4 2026.

Legal Documents & Compliance Materials

Data Protection & Security Contacts

Data Protection Officer:dpo@elderwise.ai

EU Representative (Art. 27 GDPR):eu-rep@elderwise.ai

APAC Representative:apac-rep@elderwise.ai

Security Team:security@elderwise.ai

Vulnerability Reporting:security-alerts@elderwise.ai

Certification Roadmap

Elderwise's phased certification timeline:

Q3 2025: FHIR & HL7 interoperability certifications
Q4 2025: GDPR compliance validation
Q2 2026: ISO 27001 certification (audit in progress)
February 2026: ISO 42001 (AI Management System) certification
Q2 2026: HIPAA, HITECH & HSA certifications
Q3 2026: SOC 2 Type II & HITRUST CSF certifications
Q4 2026: ISO 13485 certification & continuous compliance monitoring

Healthcare-Specific Security Features

for all sensitive health information
for healthcare provider access
aligned with clinical workflows
for all actions on protected health information
Secure API design for healthcare system integrations
Context-aware access controls for different care settings
Session timeout controls for clinical environments
Secure offline caching for emergency care scenarios

Healthcare Infrastructure Security

Hosting in ISO 27001 certified data centers
Region-specific data residency options for regulatory compliance
Regular vulnerability scanning and penetration testing
Disaster recovery with 99.9% uptime commitment
Infrastructure as Code (IaC) for secure, consistent deployments
Network segmentation for clinical vs. administrative data
24/7 infrastructure monitoring with healthcare-specific alerts
Continuous security control validation using automated tools

Continuous Compliance Program

Automated compliance monitoring tools
Regular internal audits specific to healthcare requirements
Vendor security assessment program for all third parties
Compliance training for all staff, with healthcare-specific modules
Quarterly security steering committee with clinical stakeholders
Real-time compliance monitoring dashboard for leadership visibility
Automated evidence collection to streamline certification maintenance

Healthcare Data Governance Framework

Data Collection in Healthcare Context

Explicit consent mechanisms for patient data with healthcare-specific language
Transparent data collection purposes aligned with clinical needs
Minimized data collection following principles of medical necessity
Special handling procedures for sensitive medical categories
Patient-centric approach to data ownership and control

Healthcare Data Retention

Retention policies aligned with medical record requirements by jurisdiction
Secure, compliant data archiving for long-term medical records
Automated data deletion when retention periods expire
Special provisions for pediatric and geriatric record retention
Data lifecycle management specific to clinical documentation standards

Clinical Data Processing

Processing limited to intended healthcare purposes
Secure analytics for population health insights
De-identified data use for research and development
Validation processes for algorithm-assisted clinical reference tools
Secure federated learning techniques for model improvements

Patient Data Rights

Patient access to personal health information
Correction mechanisms for inaccurate health data
Data portability between healthcare providers
Special handling for vulnerable populations and proxy access
Transparent record of all third-party data sharing

Elderwise Healthcare Compliance Commitment:

Our compliance strategy follows Vanta's recommended "security by design" principles, embedding healthcare compliance requirements into our development process from inception to deployment. We recognize that healthcare data security directly impacts patient outcomes and provider efficiency, so our approach integrates technical safeguards with clinical workflow considerations to create a secure environment that enhances rather than impedes care delivery. Our compliance program emphasizes both regulatory adherence and the ethical responsibility we have to protect sensitive health information.

Certification Overview

Certification Strategy & Timeline

Compliance Roadmap

Certification Process

Documentation Phase

Creation of policies, procedures, and controls documentation

Gap Analysis

Assessment of current practices against certification requirements

Implementation

Deploying necessary controls and remediation activities

Internal Audit

Verification of control effectiveness before external assessment

External Assessment

Official certification audit by accredited third parties

Certification

Receipt of formal certification and continuous monitoring

Current Implementation Status

Pre-certification Assurances

We provide interim compliance documentation to customers, including security questionnaire responses, SOC 2 readiness assessments, and draft BAAs/DPAs while formal certification is underway.