Security of Patient Data During Research and Pilot Programs

The security of patients’ data is a significant concern in healthcare, especially when the information is used for research or medical pilot programs. Sharing medical and health data with healthcare providers, pharma companies, payers, or other scientific institutions can tremendously benefit patient treatments. It provides better insights for managing various factors, including medication. However, it also increases security risks.

Patients now have the option to participate in research or pilot programs by sending health information remotely through mobile phones, wireless medical devices, wearables, sensors, and more. This capability can enhance the relationship between patients and healthcare institutions. Nevertheless, the increased use of remote devices for sending health data introduces more vulnerabilities in data management, visualization, and storage.

Here are some guidelines provided by Wilson Jaramillo, VP of Engineering and Technology at Esvyda Inc.:


Choosing Secure Digital Companies

Healthcare entities must be cautious when selecting and collaborating with digital companies that provide technical services. These companies manage health information, so they must comply with HIPAA and adopt best practices for handling Protected Health Information (PHI) and Personal Health Information (PHI). Moreover, combining strategies can improve security. These strategies may include encryption, hardware security modules (HSM), and keys that remain decrypted only during limited user sessions. It is also essential to detect unusual behaviors, such as data being accessed from unfamiliar devices.

Using Standards and Security Policies


Using standards and security policies with internal company control can ensure the correct adoption of secure tools. Systems that monitor user activities, operating system performance, database integrity, and application software usage are vital. For instance, detecting how many sessions a user has open, understanding their behaviors, and monitoring session lifetimes helps close inactive sessions on time and block accounts if suspicious activity occurs. Furthermore, implementing second-factor authentication can securely unblock user accounts.
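The session controls described above (counting open sessions, closing idle ones, blocking on suspicious activity such as an unfamiliar device, and unblocking through a second factor) can be sketched as follows. This is an added example, not code from Esvyda; the thresholds, class names and return strings are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field

IDLE_TIMEOUT = 15 * 60  # assumed policy: close sessions idle for more than 15 minutes
MAX_OPEN = 2            # assumed policy: at most two open sessions per user

@dataclass
class Account:
    known_devices: set
    sessions: dict = field(default_factory=dict)  # session id -> last activity (epoch seconds)
    blocked: bool = False

class SessionMonitor:
    def __init__(self, accounts):
        self.accounts = accounts  # user -> Account
        self.alerts = []          # (timestamp, user, reason)

    def _expire(self, acct, now):  # close sessions idle for longer than the timeout
        acct.sessions = {s: t for s, t in acct.sessions.items() if now - t <= IDLE_TIMEOUT}

    def _block(self, ts, user, reason):
        acct = self.accounts[user]
        acct.blocked = True
        acct.sessions.clear()  # blocking also ends the sessions already open
        self.alerts.append((ts, user, reason))
        return "blocked"

    def login(self, ts, user, sid, device):
        acct = self.accounts[user]
        self._expire(acct, ts)
        if acct.blocked:
            return "denied"
        if device not in acct.known_devices:
            return self._block(ts, user, "unfamiliar device")
        if len(acct.sessions) >= MAX_OPEN:
            return self._block(ts, user, "too many open sessions")
        acct.sessions[sid] = ts
        return "ok"

    def activity(self, ts, user, sid):
        acct = self.accounts[user]
        self._expire(acct, ts)
        if acct.blocked or sid not in acct.sessions:
            return "denied"
        acct.sessions[sid] = ts  # refresh the session lifetime
        return "ok"

    def unblock(self, user, second_factor_ok):
        if second_factor_ok:  # released only after a successful second-factor check
            self.accounts[user].blocked = False
        return not self.accounts[user].blocked
```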

Management of Roles

Correct administration of user roles is crucial. Managing permissions properly protects against unauthorized access to data.

Encryption

Encrypting data is also an effective strategy. Vital steps include implementing AES-256 encryption with initialization vectors for data at rest, storing decryption keys in encrypted form, and keeping a master decryption key inside an HSM. Additionally, generating different encryption keys for every patient and type of data helps prevent dictionary attacks. Securing data transmission between networks with secure protocols, so that man-in-the-middle attacks are avoided, is equally important.
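The key hierarchy described above can be sketched as follows: one AES-256 key per patient and data type, stored only in wrapped form under a master key, with a fresh IV per record. This is an added example, not code from Esvyda; it assumes the Python `cryptography` package, AES-GCM as the mode (the article does not name one), and a `KeyVault` class that merely stands in for a real HSM.

```python
import json
import os
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

class KeyVault:
    """Stand-in for the HSM (assumption): the master key never leaves this object."""
    def __init__(self):
        self._master = AESGCM(AESGCM.generate_key(bit_length=256))

    def wrap(self, data_key, context):
        iv = os.urandom(12)
        return iv + self._master.encrypt(iv, data_key, context)

    def unwrap(self, wrapped, context):
        return self._master.decrypt(wrapped[:12], wrapped[12:], context)

class RecordStore:
    def __init__(self, vault):
        self.vault = vault
        self.wrapped_keys = {}  # (patient_id, data_type) -> data key, stored only wrapped
        self.rows = []          # (patient_id, data_type, iv + ciphertext + tag)

    def _cipher(self, patient_id, data_type):
        slot = (patient_id, data_type)
        ctx = json.dumps(slot).encode()  # authenticated context ties keys and rows to their owner
        if slot not in self.wrapped_keys:
            # A fresh AES-256 key for each patient and each type of data.
            fresh = AESGCM.generate_key(bit_length=256)
            self.wrapped_keys[slot] = self.vault.wrap(fresh, ctx)
        return AESGCM(self.vault.unwrap(self.wrapped_keys[slot], ctx)), ctx

    def put(self, patient_id, data_type, plaintext):
        cipher, ctx = self._cipher(patient_id, data_type)
        iv = os.urandom(12)  # new random IV for every record
        self.rows.append((patient_id, data_type, iv + cipher.encrypt(iv, plaintext, ctx)))
        return len(self.rows) - 1

    def get(self, row_id):
        patient_id, data_type, blob = self.rows[row_id]
        cipher, ctx = self._cipher(patient_id, data_type)
        return cipher.decrypt(blob[:12], blob[12:], ctx)  # raises InvalidTag if tampered
```

Because each row is sealed under its owner's key and context, a ciphertext copied into another patient's row fails authentication instead of decrypting.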

Protecting Software Deployment

Isolating the environment so that it is accessible only to authorized people and applications, using HTTPS, is essential. Encrypting data at rest and accessing end-user applications over HTTPS, combined with strong password policies, enhances security. Though these technologies increase hardware resource load, using keyed hashing for message authentication (HMAC), with the hashing keys themselves stored encrypted, allows data indexing without compromising security.
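One way to index encrypted records with keyed hashing, as the paragraph above describes, is an equality-only "blind index": the database stores an HMAC of each searchable field next to the ciphertext and looks rows up by recomputing it. This is an added example, not code from Esvyda; the field names, table class and sample values are constructed, and the index key is assumed to arrive already decrypted from the key store.

```python
import hashlib
import hmac
import unicodedata

def normalize(value):
    # Canonical form so that " Smith " and "SMITH" map to the same index token.
    return unicodedata.normalize("NFKC", value).strip().casefold()

def blind_index(index_key, field_name, value):
    # HMAC-SHA256 over field name and normalized value; the field name keeps
    # identical values in different columns from producing the same token.
    msg = field_name.encode() + b"\x00" + normalize(value).encode()
    return hmac.new(index_key, msg, hashlib.sha256).hexdigest()

class PatientTable:
    def __init__(self, index_key):
        self._index_key = index_key  # kept encrypted at rest, decrypted only while in use
        self.rows = []               # opaque ciphertexts; plaintext never reaches the table
        self.index = {}              # token -> list of row ids

    def insert(self, ciphertext, searchable):
        self.rows.append(ciphertext)
        row_id = len(self.rows) - 1
        for name, value in searchable.items():
            token = blind_index(self._index_key, name, value)
            self.index.setdefault(token, []).append(row_id)
        return row_id

    def find(self, field_name, value):
        return self.index.get(blind_index(self._index_key, field_name, value), [])
```

The index reveals which rows share a value, so it suits identifiers and names better than low-cardinality fields such as a diagnosis flag.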

Remote Fault Reporting

A remote fault reporting system logs issues requiring attention, providing quick and effective support to users. A supervisor system maintains traceability of issues, and a project management system helps respond quickly to modern attack challenges. Additionally, keeping development and deployment tools updated mitigates vulnerabilities.


Smart Devices Communicating With Several Mobile Phones and Operating Systems

The use of several smart devices (Bluetooth Classic or BLE) connected to different mobile phones and operating systems represents a security challenge. Although Bluetooth is a standard protocol, the variety of hardware brands makes integration difficult for software developers who want to offer users a stable product. Furthermore, medical devices with GPRS/2G/3G/4G technology must also use encryption strategies. In this area, it is important to pay attention not only to the data generated by smart medical devices but also to its context, which includes the unique identification of every device and the integrity of the data transmitted. This is essential to avoid duplicated data and the use of devices that are not compatible with, or not authorized by, the application software.
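The server-side checks implied above (unique device identity, integrity of each reading, and rejection of duplicates and unauthorized devices) can be sketched as follows. This is an added example, not code from Esvyda; it assumes each device holds a per-device HMAC key provisioned at pairing and sends a strictly increasing sequence number, and the message fields are constructed for illustration.

```python
import hashlib
import hmac
import json

FIELDS = ("device_id", "seq", "type", "value")  # assumed message layout

def canonical(reading):
    # Stable byte encoding of the authenticated fields (raises KeyError if one is missing).
    body = {k: reading[k] for k in FIELDS}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def sign(key, reading):
    # What the device (or the phone relaying for it) does before sending.
    tag = hmac.new(key, canonical(reading), hashlib.sha256).hexdigest()
    return {**reading, "tag": tag}

class DeviceGateway:
    def __init__(self, registry):
        self.registry = registry  # device_id -> per-device key; absent means not authorized
        self.last_seq = {}        # device_id -> highest sequence number accepted so far
        self.accepted = []

    def ingest(self, reading):
        key = self.registry.get(reading.get("device_id"))
        if key is None:
            return "rejected: unauthorized device"
        try:
            expected = hmac.new(key, canonical(reading), hashlib.sha256).hexdigest()
        except KeyError:
            return "rejected: malformed"
        sent = str(reading.get("tag", ""))
        if not hmac.compare_digest(expected.encode(), sent.encode()):
            return "rejected: integrity check failed"
        # The same reading relayed twice, for example through two phones, is stored once.
        if reading["seq"] <= self.last_seq.get(reading["device_id"], -1):
            return "rejected: duplicate"
        self.last_seq[reading["device_id"]] = reading["seq"]
        self.accepted.append(reading)
        return "accepted"
```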

 


Esvyda Inc.

Security of patients’ data is a top concern for Esvyda Telehealth and Telemonitoring Solutions. Our product integrates medical and non-medical data to be shared by healthcare providers, institutions, pharma companies, payers, and non-medical individuals involved in patient care. Our solution helps to see, treat, and follow-up patients holistically. It empowers patients to be proactive in their treatments, reducing non-adherence to medication, hospital readmissions, and ER visits, thereby saving costs for the healthcare system. We address security challenges by implementing all the aforementioned strategies.
