Security of patients’ data is a big concern in healthcare, especially when the information is used for research or medical pilot programs. The ability to share patients’ medical and health data with HealthCare Providers, Pharma, Payers or other Scientific Institutions has shown tremendous benefits in improving patient treatments, because it gives those involved in HealthCare better insight into the management of several factors, including medication. However, at the same time it has increased security risks.
Patients now have the option of participating in research or a pilot program by sending health information remotely, anytime and anywhere (through mobile phones, wireless medical devices, wearables, sensors and others), which may enhance the relationship between those patients and HealthCare Institutions, Providers, Payers and Pharma. But the more remote devices are used to send health or medical data, the more vulnerabilities arise in the management, visualization and storage of that data.
Those Health Entities have to be very careful when choosing and working with the digital companies that provide the technical side. Because digital companies manage Health Information, they have to comply with the HIPAA law and adopt best practices for handling Protected Health Information and Personal Health Information.
Here are some guidelines provided by Wilson Jaramillo, VP of engineering and technology at esvyda Inc.:
Several challenges have to be faced when adopting security strategies:
- Maintenance of software performance
- Management of data registries
- Management of security vs. latency of processes
- Security of data vs. execution time, while ensuring systems do not collapse
- Multithread administration to optimize hardware usage and provide traceability of every transaction that involves data synchronization with mobile applications or third-party systems
- Disaster recovery policies that keep a secure backup of the data in different locations, along with standby instances of the databases that increase the availability of the data if something happens or maintenance is being done
- Monitoring of user activities inside the application system, following a structure such as: actor, action done, data modified, source of the modification, geolocation
Combining strategies
Combined strategies may improve security. They may include, but are not limited to: encryption; Hardware Security Modules (HSM); keys that are decrypted only during a limited user session (validation without compromising security); and strategies to detect unusual behavior, such as a user accessing data from devices other than those he usually uses.
Among other strategies, the use of standards and security policies with internal company controls may allow the correct adoption of the tools that keep data secure, including systems that monitor user activities, the performance of the Operating System, the correct performance of the database, the integrity of the cache, load balancers, database cluster sync and the Firewall, with real-time feedback on application software usage. In this respect it is important to detect how many sessions a specific user has open, understand their behavior and monitor the lifetime of the sessions, so that a session that is not being used can be closed in time or a user account can be blocked if something strange is happening. For that reason, a second authentication factor allows end users to unblock their accounts securely.
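The session checks described above can be sketched as follows. This is an added example, not esvyda's code; the class, its method names and the policy values (two concurrent sessions, 15 minutes idle) are assumptions chosen for illustration.

```javascript
// Constructed policy values (assumptions, not from the article).
const POLICY = { maxSessions: 2, idleMs: 15 * 60 * 1000 };

class SessionMonitor {
  constructor(policy = POLICY) {
    this.policy = policy;
    this.sessions = new Map(); // sessionId -> { user, device, lastSeen }
    this.devices = new Map();  // user -> Set of devices already verified
    this.blocked = new Set();  // users whose account is currently blocked
  }
  openFor(user) {
    return [...this.sessions.values()].filter((s) => s.user === user).length;
  }
  // Close sessions that have been idle longer than the policy allows.
  expireIdle(now) {
    for (const [id, s] of this.sessions) {
      if (now - s.lastSeen > this.policy.idleMs) this.sessions.delete(id);
    }
  }
  // Returns "ok", "step-up" (second factor needed) or "blocked".
  login(user, sessionId, device, now) {
    this.expireIdle(now);
    if (this.blocked.has(user)) return "blocked";
    const known = this.devices.get(user);
    // A device this user has never used before needs a second factor first.
    if (known && !known.has(device)) return "step-up";
    // Too many concurrent sessions: block the account and end its sessions.
    if (this.openFor(user) >= this.policy.maxSessions) {
      this.blocked.add(user);
      for (const [id, s] of this.sessions) {
        if (s.user === user) this.sessions.delete(id);
      }
      return "blocked";
    }
    if (!known) this.devices.set(user, new Set([device]));
    this.sessions.set(sessionId, { user, device, lastSeen: now });
    return "ok";
  }
  // Record activity; returns false if the session had already timed out.
  touch(sessionId, now) {
    this.expireIdle(now);
    const s = this.sessions.get(sessionId);
    if (s) s.lastSeen = now;
    return Boolean(s);
  }
  // A verified second factor unblocks the account and enrols the device.
  secondFactorPassed(user, device) {
    this.blocked.delete(user);
    if (!this.devices.has(user)) this.devices.set(user, new Set());
    this.devices.get(user).add(device);
  }
}
```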
Management of roles
Another key security strategy is the correct administration of users’ roles, which allows the management of permissions and protects against unauthorized access to data.
Encryption
The encryption of data is also a good strategy: implement AES 256 with initialization vectors to encrypt data at rest, store the decryption keys encrypted, keep a master decryption key inside an HSM system which is independent of the application software, and generate a different encryption key for every patient and for every kind of data. This avoids dictionary attacks that would make decryption easy beyond a single database record, because the computational effort would be high. It is also very important to protect data transmitted between networks, using secure protocols and implementing strategies to avoid attacks like the man in the middle.
Protect the software deployment and the database by isolating the environment so that it is accessible only to authorized people and authorized applications using HTTPS implementations. Encrypting data at rest and always accessing the end user application over HTTPS are a useful option when combined with user accounts that use strong password policies.
Although all these technologies increase the load on hardware resources when a search includes encrypted data, the usage of Keyed-Hashing for Message Authentication (HMAC), along with encrypted storage of the hashing keys, allows data to be indexed without compromising its security.
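The key hierarchy and the keyed-hash index described in this section can be put together as below. This is an added example using Node's built-in crypto module, not esvyda's implementation; the GCM mode, the function names and the in-memory `MASTER_KEY` and `INDEX_KEY` (stand-ins for keys that would stay inside the HSM) are assumptions.

```javascript
const crypto = require("crypto");

// Stand-ins for HSM-held keys (assumption: real wrap/unwrap is an HSM call).
const MASTER_KEY = crypto.randomBytes(32);
const INDEX_KEY = crypto.randomBytes(32);

// AES-256-GCM with a fresh random IV; output is iv(12) | tag(16) | ciphertext.
function seal(key, plaintext, aad) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv("aes-256-gcm", key, iv);
  c.setAAD(Buffer.from(aad));
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([iv, c.getAuthTag(), ct]);
}

function unseal(key, blob, aad) {
  const d = crypto.createDecipheriv("aes-256-gcm", key, blob.subarray(0, 12));
  d.setAAD(Buffer.from(aad));
  d.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([d.update(blob.subarray(28)), d.final()]);
}

// One random data key per (patient, kind of data); only its wrapped form is stored.
const wrappedKeys = new Map();
function dataKey(scope) {
  if (!wrappedKeys.has(scope)) {
    wrappedKeys.set(scope, seal(MASTER_KEY, crypto.randomBytes(32), scope));
  }
  return unseal(MASTER_KEY, wrappedKeys.get(scope), scope);
}

// Keyed hash of the normalized value: equal values can be matched in the
// database without decrypting any row.
function blindIndex(kind, value) {
  const norm = `${kind}:${value.trim().toLowerCase()}`;
  return crypto.createHmac("sha256", INDEX_KEY).update(norm).digest("hex");
}

function encryptField(patientId, kind, value) {
  const scope = `${patientId}/${kind}`;
  const ciphertext = seal(dataKey(scope), Buffer.from(value, "utf8"), scope);
  return { patientId, kind, ciphertext, index: blindIndex(kind, value) };
}

function decryptField(row) {
  const scope = `${row.patientId}/${row.kind}`;
  return unseal(dataKey(scope), row.ciphertext, scope).toString("utf8");
}
```

The index column reveals which rows hold equal values, so it suits high-variety fields better than fields with only a handful of possible values.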
Remote Fault Report
Remote fault reporting logs the “issues” that require special attention, in order to offer quick and effective support to users. Implementing a supervisor system that keeps the traceability of those issues, together with a project management system, provides a reliable product that is able to respond quickly to new challenges such as modern attacks that look to exploit vulnerabilities. So it is important to implement policies that keep the development and deployment tools updated to mitigate the effect of those vulnerabilities.
Smart Devices Communicating With Several Mobile Phones and Operating Systems
The use of several smart devices (classic Bluetooth or BLE) connected to different mobile phones and operating systems represents a security challenge. Although Bluetooth is a standard protocol, the different hardware device brands pose an integration challenge for software developers who want to offer a stable product to the user. Medical devices with GPRS/2G/3G/4G technology have to use encryption strategies too. In this area it is important to pay attention not only to the data generated by smart medical devices, but also to the context, which includes the unique identification of every device and the integrity of the data transmitted, in order to avoid duplicated data and the usage of devices that are compatible or that are not authorized by the application software.
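A server-side ingest check covering device identity, integrity and duplicates, as described above, could look like this. It is an added example, not esvyda's code; the per-device secret provisioned at pairing, the sequence number field and all names and values are assumptions constructed for illustration.

```javascript
const crypto = require("crypto");

// Constructed registry: device id -> secret provisioned when the device was paired.
const REGISTRY = new Map([
  ["bp-cuff-001", Buffer.from("constructed-demo-secret-1")],
]);
const seen = new Set(); // "deviceId:seq" of readings already stored

// Integrity tag over every field of the reading, keyed with the device secret.
function tagFor(secret, r) {
  return crypto.createHmac("sha256", secret)
    .update(JSON.stringify([r.deviceId, r.seq, r.takenAt, r.kind, r.value]))
    .digest();
}

// What a paired device (or its companion phone app) would send.
function signReading(secret, r) {
  return { ...r, tag: tagFor(secret, r).toString("hex") };
}

// Returns "stored", "unknown-device", "bad-integrity" or "duplicate".
function ingest(msg) {
  const secret = REGISTRY.get(msg.deviceId);
  if (!secret) return "unknown-device";
  const got = Buffer.from(String(msg.tag), "hex");
  const want = tagFor(secret, msg);
  if (got.length !== want.length || !crypto.timingSafeEqual(got, want)) {
    return "bad-integrity";
  }
  const id = `${msg.deviceId}:${msg.seq}`;
  if (seen.has(id)) return "duplicate"; // resend or replay of a stored reading
  seen.add(id);
  return "stored";
}
```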
Security of patients’ data is a big concern for esvyda Telehealth and Telemonitoring Solution, which has released a product that integrates medical and non-medical data to be shared by HealthCare Providers, Institutions, Pharmas, Payers and non-medical people involved in the care of patients. The solution helps to see, treat and follow up patients in a holistic way and empowers patients to be proactive participants in their treatments, decreasing non-adherence to medication, hospital readmissions and ER visits and saving costs for the health care system. We address security challenges with the implementation of all of the aforementioned security strategies.