Security in a journal system: what Validi defends you against

One of the questions we get, more often than most, from clinic managers considering a new journal system is this: "What happens if you get hacked?"

It is a fair question. And it is rarely a question that gets answered concretely — most vendors mention "ISO certification" and GDPR, and that's where the conversation tends to die.

In this post we go a different way. We take a few concrete situations we have either seen or prepared for, and explain what stands between your service user's data and a disaster. It isn't a certifications list, it's what actually happens when something goes wrong.

(If you're looking for the legal side — GDPR, data responsibility, paragraphs — we have a separate article on GDPR in a journal system for addiction treatment. This one is about the practical defences.)

If a staff member clicks a phishing link

This is the most likely security incident at a clinic. Not a sophisticated hacker — just a busy support worker who gets an email that looks like an invoice, clicks, and enters her Validi login on a fake page.

Then what?

Validi has two-factor login (MFA) as standard on administrator accounts and as an option for regular staff. If someone gets hold of a password, they still don't have the second factor — typically a code from an app on the phone.

We also check login patterns. If an account suddenly logs in from Romania at three in the morning, we require email confirmation before the login is approved. It isn't something the staff member sees in everyday use, but it means a stolen password alone isn't enough.

If a former staff member keeps access after leaving

This is the other classic. A staff member leaves, and nobody remembers to disable the access.

In Validi, the clinic administrator has a single button that closes an account completely. The person can no longer log in, and any active sessions in their browser are also invalidated.

We recommend you build a checkpoint into your exit procedure: when the key and the access card are handed back, the administrator also closes the Validi account. It takes 15 seconds.

Afterwards you can see in the audit log exactly what that staff member had opened in their last week of work — including which service users they had looked at. It isn't because we expect the worst, but it's the sort of thing that becomes relevant if a conflict or a suspicion arises.

If our server is hit by ransomware

This is the nightmare scenario that keeps me up at night — and something we have spent quite a bit of time preparing for.

Validi runs on a dedicated server in Europe with three layers of backup:

• a daily snapshot, stored on the same server (fast to restore from)
• a daily copy, stored with a separate European provider (can restore even if the primary server is gone entirely)
• a weekly encrypted copy, stored offline (can restore even if an attack had access for weeks without us noticing)

If we were hit, we would restore from the most recent clean backup. Realistically we're talking hours, not days, to get clinics back online. That isn't an SLA promise — it is what we've practised in our disaster recovery tests.

We test restore once a quarter. Backups you haven't tested aren't backups, they're optimism.

If someone tries to guess their way in

Brute-force attacks — automated attempts to guess passwords — are constant background noise for any system on the internet. Validi blocks an IP address after a small number of failed login attempts, and the block lengthens for each new attempt from the same source.

We have also removed the most obvious error messages. If someone tries to log in with an email that doesn't exist, they get the same message as if the password was simply wrong. It sounds pedantic, but it means an attacker can't use the system to figure out which email addresses have accounts.

Civil Registration Numbers are masked in all logs. If a security researcher, or an internal staff member with access to the logs, happens to see an error log, they never see complete CPR numbers.

If you want to verify the system is secure yourself

We have no problem with clinics (or their IT advisors) reviewing our security. On the contrary.

You can get:

• a security description with technical details (encryption, hosting, backup frequency, MFA, audit log)
• our data-processor agreement with concrete security measures
• a DPIA template if you need to do a risk assessment
• access to your own clinic's audit log whenever you want

If you have an internal IT lead or use an external advisor, we can talk to them directly. It is usually a shorter conversation than people expect.

What you are responsible for yourselves

A journal system is only part of the chain. The rest of the security sits with you, and we'd rather be honest about that than promise things we can't deliver:

• Passwords must be long and unique. We enforce a minimum length, but staff still have to choose them sensibly.
• Phones and computers must have screen locks. If a staff member leaves a computer unlocked with Validi open, encryption doesn't help much.
• Home networks during remote work should be protected, and public Wi-Fi networks are not a good place to open a service user's record.
• Phishing training is worth investing in. It is the most common entry point.

We have made a short onboarding document, GDPR and security in daily work, that you may share with your staff.

What we don't do (yet)

A few things we get asked about but haven't put in place:

• ISO 27001 certification. We follow the principles but don't have the formal certification. It is a process we're looking into, but most clinics haven't required it so far.
• On-premise installation. We run all clinics on the same infrastructure in Europe. We don't offer a separate installed system on your own server, because it gives us far better control of security updates.
• 24/7 security incident response. We respond quickly but don't have a formal night shift. Urgent incidents outside working hours are handled via our emergency number.

Want to see it with your own data and your own IT advisor in the room? Book a demo and we'll do a proper walkthrough together.

FAQ

Does Validi ever get hacked?

We haven't had a breach so far. But the defences aren't built on "if" — they're built on "when", and what happens then. We assume something will get in at some point, and design things so the consequences of that are as limited as possible.

Can you recover data if we accidentally delete something ourselves?

Yes. Backups are kept for 30 days, and we can recover a specific service user's data or the whole clinic's data from a specific point in time. It is a paid service if it's an internal mistake, but it is possible.

Where are our backups stored?

Daily backups sit on the same infrastructure as the primary server (separate disk), the external backups sit with another European provider, and the weekly offline copies are physically separated. All three are encrypted.

Can you see our service users' data?

The short version: yes, if you ask us to and give us access. We don't have access to the encrypted sensitive fields in normal day-to-day work. If you ask for help with a specific support case, we can get access temporarily, and it is logged like any other action.

How long does a restore take?

From detection to the clinic being online again: typically hours, rarely over a day. It depends on the scope and how far back we need to go. We've tested it.

Do you use subcontractors for hosting?

Yes, but only European ones and only under a full data-processor agreement. The list is in the standard DPA we send with the contract.

Can we get a penetration test of the system?

Yes, but coordinated. We have no problem with your IT advisor testing things, but we'd like to know first so we don't block them as an attack. Write to us and we'll set up a frame for it.