Healthcare Data Security Checklist

Health information is now available online in just a few taps for the convenience of users and practitioners. Multiple healthcare information systems hold the relevant information. These systems contain huge amounts of data, which can sometimes be difficult to manage. Storing and managing the data properly is key to healthcare data security; if it is not done properly, it can eventually lead to misuse of the information.

With the ever-increasing number of digital health initiatives and their interoperability, healthcare data security is becoming more important than ever before. Over the past 12 months, from the start of August 2020 to the end of July 2021, there have been 706 reported healthcare data breaches of 500 or more records, and the healthcare data of 44,369,781 individuals has been exposed or compromised.

Here are some statistics showing the rise in healthcare data breaches.

 

[Image: healthcare data breaches statistics]

 

Healthcare data breaches are expected to rise, and every enterprise or organization should take steps towards healthcare data security. There is no rocket science behind securing your healthcare data: following a set of steps and actions improves data security and helps create a secure healthcare solution.

In this article, we share a checklist to tackle data security issues in healthcare and create secure healthcare software.

 


Cloud Strategy

  • Strictly use Multi-Factor Authentication for all user logins. Multi-factor authentication is when a user must provide two or more pieces of evidence to verify their identity to gain access to an app or digital resource.
  • Use a different sub-account for each environment. Sub-accounts are used to give different permissions to different users on the platform. For example, a sub-account can be created for an early-stage user and that sub-account can only have read access to a certain subset of data on the platform.
  • Apply the principle of least privilege to each user's access. Create the right IAM policies. IAM policies set the security permissions a user requires in order to access AWS resources. They consist of Identity and Access Management policies and other types of IAM policies like resource permissions, managed policy versions, managed policy namespaces, etc.
  • Separate database instances for each environment in the private subnet. This allows you to have different environments without them interfering with each other.
  • Enable CloudTrail for logging account activity. CloudTrail captures API calls for your account and delivers log files to you. You can monitor, audit, and review all API calls made to Amazon Web Services (AWS) resources associated with your account using CloudTrail.
  • Use Key Management Service to store and manage keys. KMS helps you protect your data by using encryption throughout your stack. It offers the ability to encrypt and decrypt data in transit and at rest, as well as a way to rotate keys securely without disrupting services. KMS enables you to create new keys, destroy keys that are no longer needed, rotate keys, and retrieve key versions.
  • Use encryption for databases and S3 buckets for compliance. Amazon is a secure, scalable, and powerful infrastructure for managing your data. The first step is encrypting the data that resides on S3 buckets. Fortunately, AWS provides tools to make it easy to do this.
  • End-to-end encryption of data in transit using SSL certificates. SSL certificates are an essential part of e-commerce and other online business. An SSL certificate is one of the most popular ways to secure Internet communications and protect websites, emails, instant messages, and other data from unauthorized access.

Storage Strategy 

  • Use the provided native encryption capabilities (KMS keys) for encrypting data at rest. KMS provides a standard interface to all customers to encrypt data using keys managed by AWS. Use the KMS API and tools to manage the encryption of data at rest in your application.
  • Role-based access control to storage. Use a role-based access control framework for cloud storage. The authorization logic is implemented by a set of rules based on roles that are defined in advance.
  • Enable logging and auditing to monitor storage activity. Allow logging and auditing of your cloud or on-premises storage for security, compliance, and troubleshooting.
  • Periodic storage backups. It is a cloud-based service that automatically stores your data in the cloud and also has a local copy in case of network failure or internet outage.


Manage Operating System Strategy 

  • Automated Hardening / secure configuration, self-healing. Manage OS Strategy is an automated system that provides hardening and secure configuration of operating systems, ensuring they are kept up-to-date, patched and hardened to their optimum level.
  • Patch management of applications and libraries of the operating system. Patch Management is a program for updating the software distribution on your computer. The patch can fix problems or improve performance.
  • Creating secure accounts. Create secure accounts with required privileges only (i.e., user management) to access the resources and perform respective duties.

Logging and Monitoring

  • Resource monitoring. Resource monitoring is the process of monitoring the use of resources. It involves measuring and storing data about resource usage and further opens up opportunities for performance optimization.
  • System and Application logs monitoring. Logs monitoring enables you to monitor, visualize and alert on any log data. It has a powerful search function and supports JSON-formatted logs, making it simple to monitor application logs for security breaches like SQL injection attacks or unusual activities.
  • Automated security information. It is a platform that connects you to security experts who are able to detect vulnerabilities in your app and help secure your application.
  • Role-based access control in Monitoring tools is a concept of configuring a system so that user roles determine the permissions that a user has to perform certain operations. Implementing role-based access control in monitoring tools increases the security of the monitoring system.

CI/CD Toolkit

  • Authorized login. Authorized login allows users to log in securely. Use role-based access control to give each user only project-specific access.
  • Developers have limited access. Developers do not have access to real data but only logs to understand the system.
  • Only Admin can create a user. New users are only added by the admin and access is defined for each user.
  • Prevent home directory access. No build runs on the master node to prevent programs from accessing the Jenkins Home directory and other server files.
  • Use Docker containers as Linux agents (nodes). By using Docker containers as Linux agents, you can easily monitor the performance of your applications and keep them up-to-date. For example, an application could be monitored by running a specific command in its Docker container.
  • Use Credentials to store and mask sensitive data such as tokens or API keys. Credentials are a portable and secure way to store sensitive data such as tokens or API keys. They work even when the entire system is compromised, keeping your data safe from intruders.
  • Managed Jenkins pipeline. Each environment has IAM users (with required access only) for accessing the AWS resources during the execution.
  • Additional security measures were implemented in Jenkins. Only whitelisted IP addresses can connect to the Jenkins server using SSH.
  • Clean the workspace directory (source code) as soon as the build finishes. A very simple bash script runs every time an Ant build finishes. It checks for all the directories starting with “workspace” and deletes them.
  • Update Jenkins and plugins regularly. Jenkins is an open-source automation server. It is a continuous integration tool that can be used to build, test, and deploy any software project continuously.

SCM Platforms

These are some of the Security configurations for GitHub. GitHub is a web-based Git repository hosting service. It offers all of the distributed version control and source code management (SCM) functionality of Git and adds its own features.

  • Only the account owner can create and delete the Repository. All the new repositories shall have an owner. The owner is responsible for adding members to the repository, modifying their permissions and setting up or deleting the permissions for other actions (e.g., pushing to a repository). 
  • Only the project manager has admin permission for repositories. A repository is the main unit of information stored in your GitHub account. It holds all your project-related information, and you can create an unlimited number of repositories.
  • Only the project manager/lead should have write access to main branches. The product should be clean, understandable and simple. Merging new code should only happen after the approval of the project manager.
  • The Master branch has only the production code. The master branch is the main branch of a git repository, from where all future changes will be deployed. It is also known as the production branch in the software industry.
  • Delete protection for main branches. Delete protection for *main branches* prevents deletion of the branch by non-admin users. When enabled, the branch will require a confirmation from an administrator to be deleted. This is especially useful in organizations that want to enforce some control over the release management process.
  • No secrets or environment files will be pushed to the repository. We never store any secrets or environment files in the repository. All credentials and other sensitive information are stored in secure config vaults.
  • Only Developers working on the project will have access to the repository. Even though you are the owner of the project, you will not be able to access your repository. This is because the repository is owned by the organization that owns the project and not you.
  • Require two-step authentication for every Bitbucket/GitHub user account. It is a security feature that will prevent unauthorized access to your account in case the password has been compromised.
  • Use SSH keys to access remote git repositories. Git is a free and open-source distributed version control system designed to handle everything from small to very large projects with speed and efficiency.
  • Static analysis tools detect code smells, bugs, and vulnerabilities. Use CodeGrip or a similar tool to scan repository code, generate reports, and notify over Slack.
  • Update git periodically to keep safe from vulnerabilities. To keep your git repository safe from vulnerabilities, you need to update your project on a regular basis.

Source Code

To keep source code flawless and void of any errors, the following guidelines may help:

  • Follow OWASP Secure Coding Practices (an automated scan tool like CodeGrip can check this).
  • Treat each activity as an event and log each event that happens.
  • Strictly avoid the use of credentials in source code. AWS access key and secret key etc. should be used. There are tools that automate the process of reversing source code to extract credentials and other sensitive information from the application. A good example is a tool called AWS-CLI Enumerator. Hence, by not putting credentials in source code, one can proactively safeguard against this.
  • Use secure and updated IDEs and plugins. An IDE or integrated development environment is a software application that provides comprehensive facilities to computer programmers for software development. An IDE normally consists of a source code editor, build automation tools and a debugger. Using up-to-date versions makes sure that any known flaw is already fixed by the IDE team.
  • Use static analysis security testing (SAST) tools like CodeGrip. An automated code review tool gives detailed code quality reports. This way you can fix bugs, errors, coding standards issues etc. before code goes into production.
  • Code review for each pull request, so that any code that is added to the main branch is already tested.
  • Dependency-Check to identify any known vulnerable components.
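
A check that supports both the "no secrets or environment files in the repository" item under SCM Platforms and the "avoid credentials in source code" item above, as an added example that is not part of the original article: it scans files staged for commit for AWS access key IDs, secret-looking assignments and `.env` files. The file names are constructed, the key values are AWS's published documentation placeholders, and the secret-value rule is an assumed heuristic.

```python
import re
from pathlib import PurePosixPath

# AWS access key IDs are 20 characters: a 4-letter prefix (AKIA for long-term
# keys, ASIA for temporary ones) followed by 16 upper-case letters or digits.
ACCESS_KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
# Assumed heuristic: a 40-character base64-style value assigned to a name
# that contains "secret" (the shape of an AWS secret access key).
SECRET_ASSIGN = re.compile(
    r"(?i)\b\w*secret\w*\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)

# Constructed sample of files staged for commit (path -> content).
SAMPLE = {
    "app/settings.py": 'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n'
                       'AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"\n',
    "app/db.py": 'import os\nPASSWORD = os.environ["DB_PASSWORD"]\n',
    "deploy/.env.production": "DB_HOST=db.internal.example\n",
}


def scan_changes(files):
    """Return sorted (path, line_number, rule) findings; line 0 means the file itself."""
    findings = []
    for path, text in files.items():
        name = PurePosixPath(path).name
        if name == ".env" or name.startswith(".env."):
            findings.append((path, 0, "environment file"))
        for n, line in enumerate(text.splitlines(), start=1):
            if ACCESS_KEY_ID.search(line):
                findings.append((path, n, "aws access key id"))
            if SECRET_ASSIGN.search(line):
                findings.append((path, n, "secret value"))
    return sorted(findings)


if __name__ == "__main__":
    for path, line_no, rule in scan_changes(SAMPLE):
        print(f"{path}:{line_no}: {rule}")
```

Run as a pre-commit hook or CI step, a non-empty result should fail the build so the credential never reaches the remote repository.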

Conclusion

Following the above steps can not only prevent data breaches but also help with healthcare data security. We hope you liked this article, in which we discussed a checklist for securing healthcare solutions. The checklist can be a go-to source for building secure healthcare software. The practices mentioned have been a great help for us in developing better healthcare solutions and services for our customers. We hope they do the same for you as well.

Ayush Jain

CEO and Co-founder, Mindbowser Group

Ayush is primarily responsible for the group’s marketing, branding and strategy. He works closely with customers guiding them on their idea and execution. Ayush is an avid business book reader and a proud owner of a large library of books. He is also a marathoner and marksman.
Reach out to Ayush at ayush@mindbowser.com
