Security practices for healthcare application
Pankaj Agarwal
April 24, 2018

For any software application, security is an integral part of the package the customers must receive. It is one of the vital properties of an application rather than an afterthought. Security risks such as data loss, data theft, malicious activity or coming under an automated attack are a reality, as most applications today are connected to the internet. The greatest threat a vulnerable application poses is putting a business out of operation through legal proceedings and other losses, on top of harming the businesses that depend on that software.

While building a practice management system (PMS) for therapists in the US, one of the starting points for ensuring security was to address the guidelines enforced by laws such as HIPAA. Many aspects of healthcare data security practice need to be translated into technical measures inside the application. Here is the set of technical safeguards we applied to make the application HIPAA compliant:

  1. Users were assigned a unique identity (username) and password for identification and for tracking their activities. They must successfully authenticate with the identity assigned to them in order to access the system.

  2. Implemented automatic logoff, which terminates the user session after a defined period of inactivity. Terminating sessions matters from two aspects:

    • Application security – if the inactivity is because a user has stepped away from the machine, the session timeout prevents someone else from using the logged-in session to access restricted data.

    • Application optimization – data that is no longer needed is not kept around, which frees up resources and improves performance for other users.

  3. The PMS had different user roles, and each role performs a specific set of functions (e.g. one user could be an admin, another a therapist), so each role needed access only to the corresponding functions or features of the PMS. We implemented procedures that verify that a person or entity seeking access to health data is authorized to access that information. This prevents accidental or deliberate access to restricted areas.

  4. Adequate auditing to record user activities, so that the records can be examined if a dispute arises over who accessed the data.

  5. For transferring data securely, two channels were used:

    • To send data during regular application use, we enabled TLS (Transport Layer Security) 1.2, so that data is encrypted in transit.

    • To send PHI (Protected Health Information) over email, we used a third-party tool, MDOffice.

And yet, covering the aspects of HIPAA alone was not sufficient. Security was part of the overall technology strategy while building applications for healthcare.

Here are the implementations that go beyond HIPAA for a stronger security posture:

  1. Unauthorized access is not permitted by the application. Besides regular user authentication, we also implemented:

    • Blocking the user after a defined number of failed login attempts.

    • Blocking the IP address altogether if suspicious login attempts are identified. An example of a suspicious pattern is login attempts failing for multiple users while all the requests come from the same IP address.

    • Blocking the IP address if an SQL injection attempt is identified.

    • Applied access controls so that anyone without the required privilege cannot access a functionality. If such an attempt is made, the user activity is captured in the audit logs.

  2. In addition to audit logs, additional logs are maintained to track all types of events and activities happening in the system.

  3. Files uploaded into the application are protected in two ways:

    • Files are not directly accessible (by URL) to the end user, so accidental or deliberate attempts to view other users' files are prevented.

    • Files are stored on a separate CDN server, access to which is controlled.

  4. Sensitive data is stored encrypted in the database.

  5. Various functionalities in the system, such as appointment scheduling, need to interact with third-party systems. When sharing information with these third parties, we take extra care over the nature of the data being shared. If PHI needs to be shared, the third party we choose must assure that a secure channel is used for the data transfer and that the information shared with them is protected.
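
As an added illustration of the login-blocking rules in item 1 of the list above (example code written for this article, not the PMS's own implementation): the thresholds and the login events are constructed, and the two counters show how an IP gets blocked for spraying several accounts even though no single account has reached its own lockout limit.

```python
from collections import defaultdict

# Thresholds are assumed values; the post gives no specific numbers.
MAX_USER_FAILURES = 5    # lock the account after this many consecutive failures
MIN_DISTINCT_USERS = 3   # block an IP once it has failed for this many different users

# Constructed sample login events, in order: (username, source IP, success?)
SAMPLE_EVENTS = [
    ("alice", "203.0.113.7", False),
    ("bob",   "203.0.113.7", False),
    ("carol", "203.0.113.7", False),   # third distinct user from one IP: block it
    ("dave",  "203.0.113.7", False),   # rejected, the IP is already blocked
    ("alice", "198.51.100.4", True),   # success resets alice's failure counter
    ("bob",   "198.51.100.9", False),
    ("bob",   "198.51.100.9", False),
    ("bob",   "198.51.100.9", False),
    ("bob",   "198.51.100.9", False),  # bob's fifth failure overall: lock the account
    ("bob",   "198.51.100.9", False),  # rejected, account is locked
    ("bob",   "198.51.100.9", True),   # a correct password no longer helps
]


def analyze_logins(events):
    """Replay login events and return (locked_users, blocked_ips).

    A user is locked after MAX_USER_FAILURES consecutive failures (a success
    resets the counter). An IP is blocked once it has failed for
    MIN_DISTINCT_USERS different usernames, even if no single account reached
    its own limit, which is the pattern the post calls out as suspicious.
    """
    failures_per_user = defaultdict(int)
    failed_users_per_ip = defaultdict(set)
    locked_users, blocked_ips = set(), set()
    for user, ip, success in events:
        if ip in blocked_ips or user in locked_users:
            continue  # request refused before the password is even checked
        if success:
            failures_per_user[user] = 0
            continue
        failures_per_user[user] += 1
        failed_users_per_ip[ip].add(user)
        if failures_per_user[user] >= MAX_USER_FAILURES:
            locked_users.add(user)
        if len(failed_users_per_ip[ip]) >= MIN_DISTINCT_USERS:
            blocked_ips.add(ip)
    return locked_users, blocked_ips
```

Every refused request would also be written to the audit log in a real deployment, as item 1 describes; here the function only returns the resulting block lists.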

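The file protection in item 3 above, as an added example (not code from the PMS): uploads are referenced by an opaque id rather than a URL, the application checks ownership or an admin role before resolving the id, denied attempts go to the audit log, and the CDN only honours a short-lived HMAC-signed reference. The signing key, lifetime, file table and role names are all assumed for the illustration.

```python
import hashlib
import hmac
import time

# Assumed values, not from the post: a secret shared with the CDN edge and a URL lifetime.
SIGNING_KEY = b"replace-with-a-real-secret"
URL_TTL_SECONDS = 300

# Constructed metadata table: opaque file id -> (owner username, storage key on the CDN).
# The browser only ever sees the opaque id, never the storage key.
FILES = {
    "f-1001": ("therapist_a", "uploads/2018/04/notes-1001.pdf"),
    "f-1002": ("therapist_b", "uploads/2018/04/intake-1002.pdf"),
}
AUDIT_LOG = []  # in-memory stand-in for the audit store; denied attempts land here


def sign_cdn_path(storage_key, expires_at):
    """HMAC over the storage key and expiry; the (assumed) CDN edge verifies it."""
    msg = f"{storage_key}:{expires_at}".encode()
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()


def authorize_download(session_user, roles, file_id, now=None):
    """Resolve an opaque file id to a short-lived signed reference, or None if denied.

    The owner and admins may read the file; any other request, including one
    for an unknown id or a path-like id, is refused and written to the audit log.
    """
    now = int(time.time()) if now is None else now
    entry = FILES.get(file_id)
    if entry is None or (session_user != entry[0] and "admin" not in roles):
        AUDIT_LOG.append({"user": session_user, "file_id": file_id,
                          "action": "download_denied", "at": now})
        return None
    storage_key = entry[1]
    expires_at = now + URL_TTL_SECONDS
    return {"path": storage_key, "expires": expires_at,
            "sig": sign_cdn_path(storage_key, expires_at)}


def verify_cdn_reference(ref, now):
    """What the CDN edge does on each request: reject expired or mis-signed references."""
    if now > ref["expires"]:
        return False
    expected = sign_cdn_path(ref["path"], ref["expires"])
    return hmac.compare_digest(ref["sig"], expected)
```
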
As the application and its user base grow, as different kinds of data get stored, or as the underlying technology changes, the security implementation and requirements change with them.

Over time, new vulnerabilities are identified in the system. These vulnerabilities can be in the programming language used to build the application, in the application server on which it is deployed, or in the database version. People with malicious intent can use them to gain access to the system and its data, so it is important to keep the system up to date to minimize vulnerabilities. To address newly discovered vulnerabilities, periodic vulnerability scans of the application and technology upgrades are planned and performed as part of the strategy.