Section 1: Security Overview

Introduction

Antigen Plus is designed with security as a foundational element to protect patient data, maintain data integrity for blood compatibility testing, and ensure the availability of critical blood banking functions. As an FDA-cleared Class II medical device, Antigen Plus meets regulatory requirements for medical device software security while supporting the secure operation of hospital blood banks and immunohematology reference laboratories (IRLs).

This chapter describes the security architecture, configuration requirements, and operational procedures necessary to deploy and maintain Antigen Plus securely. The specific security measures required depend on your deployment model: Microsoft Azure SQL Database or on-premise SQL Server.

Security Objectives

Antigen Plus implements security controls to achieve the following objectives:

  • Authenticity and Integrity: Ensure that data, including reagent information and patient test results, originates from trusted sources and has not been altered inappropriately during storage or transmission.

  • Authorization: Restrict access to functions and data based on user roles and privileges, preventing unauthorized users from accessing or modifying critical blood banking data.

  • Availability: Maintain access to essential blood compatibility testing functions, antibody identification capabilities, and patient test data even during security events or system disruptions.

  • Confidentiality: Protect sensitive patient information and proprietary reagent data from unauthorized disclosure.

  • Secure and Timely Updatability: Enable deployment of security patches and software updates to address emerging cybersecurity vulnerabilities throughout the product lifecycle.

Shared Responsibility Model

The security of Antigen Plus depends on shared responsibilities between Antigen Plus as the software manufacturer and your organization as the device operator. These responsibilities differ significantly based on your deployment model.

Azure SQL Database Deployment

When using Microsoft Azure SQL Database for data storage, security responsibilities are distributed across three parties:

Microsoft Azure Responsibilities:

  • Physical datacenter security
  • Hardware infrastructure maintenance
  • Hypervisor and host operating system security
  • Database platform security and patching
  • Network infrastructure within Azure
  • Compliance certifications (HIPAA, HITRUST, SOC 2)

Antigen Plus Responsibilities:

  • Antigen Plus application software security
  • Secure software development lifecycle
  • Security patches and updates to Antigen Plus
  • Default security configurations
  • Secure data processing logic
  • Documentation and security guidance
  • Coordinated vulnerability disclosure

Your Organization’s Responsibilities:

  • Azure subscription security and access control
  • Azure SQL Database firewall configuration
  • Network connectivity security (VPN, ExpressRoute, or public internet with TLS)
  • Antigen Plus user account management and role assignments
  • Database backup verification and testing
  • Workstation and endpoint security
  • Security monitoring and incident response
  • Compliance with organizational security policies
  • User training on secure system use

On-Premise SQL Server Deployment

When using an on-premise SQL Server database, your organization assumes full responsibility for the infrastructure and platform security:

Antigen Plus Responsibilities:

  • Antigen Plus application software security
  • Secure software development lifecycle
  • Security patches and updates to Antigen Plus
  • Default security configurations
  • Secure data processing logic
  • Documentation and security guidance
  • Coordinated vulnerability disclosure

Your Organization’s Responsibilities:

  • Physical server security
  • Windows Server operating system security and patching
  • SQL Server installation, configuration, and patching
  • SQL Server instance hardening
  • Database backup and recovery procedures
  • Network security (firewalls, network segmentation, intrusion detection)
  • Antigen Plus user account management and role assignments
  • Workstation and endpoint security
  • Active Directory or local authentication infrastructure
  • Security monitoring and incident response
  • Compliance with organizational security policies
  • User training on secure system use
  • Hardware maintenance and replacement
  • Disaster recovery planning and testing

Common Responsibilities (All Deployments)

Regardless of deployment model, the following security responsibilities are shared:

Antigen Plus:

  • Prompt notification of identified security vulnerabilities
  • Security patches delivered through established update mechanisms
  • Clear documentation of security configurations and best practices
  • Support for security-related questions during implementation

Your Organization:

  • Following documented security configuration guidelines
  • Maintaining current software versions with security updates applied
  • Implementing role-based access control aligned with job functions
  • Monitoring and responding to security events
  • Reporting suspected security incidents to Antigen Plus
  • Restricting access to authorized personnel only
  • Securing workstations and devices running Antigen Plus

Intended Use Environment Security Assumptions

Antigen Plus is designed for operation within hospital blood banks and immunohematology reference laboratories under the following security assumptions:

  1. Network Environment: Antigen Plus assumes operation on a managed hospital or laboratory network with appropriate perimeter security, network segmentation, and monitoring. Direct exposure to the public internet without protective controls is not supported.

  2. Physical Security: The servers, workstations, and infrastructure running Antigen Plus are located in physically secured areas with restricted access to authorized personnel.

  3. User Population: Users are trained healthcare and laboratory professionals who have undergone organizational credentialing and background checks appropriate for access to patient health information.

  4. Organizational Security Program: Your organization maintains an information security program that includes, at minimum:
    • Regular security updates and patch management
    • Anti-malware protection on endpoints
    • Access control and user account lifecycle management
    • Security incident response capabilities
    • Regular backup and disaster recovery testing

  5. Regulatory Compliance: Your organization maintains compliance with applicable healthcare regulations including HIPAA (if in the United States), GDPR (if in the European Union), or equivalent data protection requirements in your jurisdiction.

  6. Windows Environment: For on-premise deployments, Windows Server and SQL Server are configured according to security hardening guidelines.

These assumptions establish the baseline security context in which Antigen Plus operates. If your environment differs significantly from these assumptions, please contact Antigen Plus technical support to discuss appropriate compensating controls.

Table of contents