Skip to main content

Risk Mitigations for Custom Applications

 In many healthcare applications, often due to the cloistered nature of the use cases – e.g. it will only be accessed by users authorized in a particular facility, such as an operating room suite – the needs for Authentication and Authorization are minimized when the system is designed and implemented. This presents a risk as soon as you allow for the possibility of users with ill-intent or that otherwise want to operate outside their given roles.

Custom applications need to consider these possibilities and implement the following measure to ensure the integrity of the system.

1.  Authentication and Authorization Controls:

Multi-Factor Authentication (MFA): Implement MFA for all user logins. This adds an extra layer of security beyond just a username and password.

Role-Based Access Control (RBAC): Grant users access only to the data and functionalities they need for their specific role. This minimizes the potential for unauthorized access.

Strong Password Policies: Enforce strong password creation policies with minimum length, complexity requirements, and regular password changes.

Regular User Reviews: Periodically review user access privileges to ensure they remain appropriate and prevent unauthorized access due to role changes or employee departures.

2. Secure Data Storage Practices:

Data Encryption at Rest: Encrypt all sensitive healthcare data (PHI) stored on databases and servers. This renders the data unreadable in case of a breach. And be sure to do sensible things with keys – make them complex and use a key management or identity management system to aid in the process.

Data Encryption in Transit: Encrypt data transmission between the application and users' devices or other systems. This protects sensitive information from interception during network traffic.

Data Minimization: Only collect and store the minimum amount of data necessary for the application's functionality. This reduces the attack surface and potential impact of a breach.

3. Patched Software:

Use every means at your disposal to ensure you use patched software, updating quickly and regularly.

Patch Management System: Implement a system for timely identification, acquisition, and deployment of patches for all software components used in the application.

Vulnerability Scanning: Regularly conduct automated vulnerability scans to identify potential weaknesses in the software and prioritize patching accordingly.

Software Update Policy: Establish a clear policy for software updates, outlining the process, approval procedures, and timelines for implementing updates.

4. Encryption:

Implement Transport Layer Security (TLS) to encrypt communication between the applications and users' devices. This ensures a secure connection and protects data from eavesdropping.

Data Encryption at Rest and in Transit (as mentioned above): Encrypting data at rest and in transit are crucial security measures to safeguard sensitive healthcare information.

5. Additional Considerations:

Secure Coding Practices: Developers – internal and external - follow secure coding practices to minimize vulnerabilities introduced during the development process. Be sure to understand and enforce the strongest security practices of 3rd party developers. Static code analysis tools can help identify potential security flaws.

Penetration Testing: Regularly conducting penetration testing simulates real-world attacks to identify and address exploitable weaknesses in the application's security posture.

Security Awareness Training: Train staff involved in developing, maintaining, and using the application on cybersecurity best practices and potential threats.

Labels:

Comments

Post a Comment

Popular posts from this blog

Unit Testing - What to Test

This I wrote to answer a question that came up when we were discussing our software process and I was training developers on how to unit test. It seems a simple enough question, but I kept pondering it and delving deeper until I realized I needed to write this monograph. What unit tests should we write? How do we know what to test? Ideally, unit tests should cover every path through the code. It should be your chance to see every path through your code works as expected and as needed. If you are practicing Test Driven Development then it's implied everything gets a test. In the real world, you might not be allowed to test everything - for instance, if the testing suite ends up taking a week to run, then the world will have changed by the time it finishes and the test results will be obsolete. Unit testing at it's basic is testing an object, a method - the smallest unit of your code that it can test independently. It should test the inputs "goes into" an...
Post a Comment
Read more

Healthcare and Health Informatics Glossary

Here is a glossary of terms useful in Healthcare and Health Informatics ACO (Accountable Care Organization) MEDICARE’s outcomes-based contracting approach Arden Syntax an approach to specifying medical knowledge and clinical decision support rules in a form that is independent of any EHR and thus sharable across hospitals ARRA (American Recovery and Reconstruction Act) the Obama administration’s 2009 economic stimulus bill Blue Button an ASCII text based standard for heath information sharing first introduced by the Veteran’s Administration to facilitate access to records stored in VistA by their patients. The newer Blue Button + format provides both human and machine readable formats. CCD (Continuity of Care Document) an XML-based patient summary based on the CDA architecture CCOW (Clinical Context Object Workshop) an HL7 standard for synchronizing and coordinating applications to automatically follow the patient, user (and other) contexts to allow the clinical u...
2 comments
Read more

It's all broken...

So, Scott Hanselman struck a chord again:  Everything's broken and nobody's upset . The worst part is I can see that I'm part of the problem on both sides . I've excused many problems with software - shrugging as I restart the software or reboot. I save my anger for those occasions where I fell I've lost serious work and substantial time. Other than that I accept problems, glitches, crashes as "the cost of doing business". I believe it's actually because I've amused myself and earned a living creating software, that I am able to accept what's often pitiable quality. I've spent time working on systems that are not much more than breadboards with wires cascading from it, where getting something, anything to work was a huge accomplishment. But that was then and this is now. No way would I put up with a car that suffers from numerous small problems as today's software can. And putting these two thoughts together, it's now frightening ...
2 comments
Read more