Skip to main content

Risk Mitigations for Custom Applications

 In many healthcare applications, often due to the cloistered nature of the use cases – e.g. it will only be accessed by users authorized in a particular facility, such as an operating room suite – the needs for Authentication and Authorization are minimized when the system is designed and implemented. This presents a risk as soon as you allow for the possibility of users with ill-intent or that otherwise want to operate outside their given roles.

Custom applications need to consider these possibilities and implement the following measure to ensure the integrity of the system.

1.  Authentication and Authorization Controls:

Multi-Factor Authentication (MFA): Implement MFA for all user logins. This adds an extra layer of security beyond just a username and password.

Role-Based Access Control (RBAC): Grant users access only to the data and functionalities they need for their specific role. This minimizes the potential for unauthorized access.

Strong Password Policies: Enforce strong password creation policies with minimum length, complexity requirements, and regular password changes.

Regular User Reviews: Periodically review user access privileges to ensure they remain appropriate and prevent unauthorized access due to role changes or employee departures.

2. Secure Data Storage Practices:

Data Encryption at Rest: Encrypt all sensitive healthcare data (PHI) stored on databases and servers. This renders the data unreadable in case of a breach. And be sure to do sensible things with keys – make them complex and use a key management or identity management system to aid in the process.

Data Encryption in Transit: Encrypt data transmission between the application and users' devices or other systems. This protects sensitive information from interception during network traffic.

Data Minimization: Only collect and store the minimum amount of data necessary for the application's functionality. This reduces the attack surface and potential impact of a breach.

3. Patched Software:

Use every means at your disposal to ensure you use patched software, updating quickly and regularly.

Patch Management System: Implement a system for timely identification, acquisition, and deployment of patches for all software components used in the application.

Vulnerability Scanning: Regularly conduct automated vulnerability scans to identify potential weaknesses in the software and prioritize patching accordingly.

Software Update Policy: Establish a clear policy for software updates, outlining the process, approval procedures, and timelines for implementing updates.

4. Encryption:

Implement Transport Layer Security (TLS) to encrypt communication between the applications and users' devices. This ensures a secure connection and protects data from eavesdropping.

Data Encryption at Rest and in Transit (as mentioned above): Encrypting data at rest and in transit are crucial security measures to safeguard sensitive healthcare information.

5. Additional Considerations:

Secure Coding Practices: Developers – internal and external - follow secure coding practices to minimize vulnerabilities introduced during the development process. Be sure to understand and enforce the strongest security practices of 3rd party developers. Static code analysis tools can help identify potential security flaws.

Penetration Testing: Regularly conducting penetration testing simulates real-world attacks to identify and address exploitable weaknesses in the application's security posture.

Security Awareness Training: Train staff involved in developing, maintaining, and using the application on cybersecurity best practices and potential threats.

Labels:

Comments

Post a Comment

Popular posts from this blog

Let's Not Mess Around with Security on our Personal Systems Either!

Essential Security Practices for Your Personal Systems Ensuring a minimal level of cybersecurity, privacy, and availability on your personal systems means you need to manage the following essential practices. This is a brief overview of recommendations from sources like CISA, NSA, etc., focused on personal laptop, phone, and other systems' security. Anti-virus  I've found you'll get the best anti-virus protection and usability from a paid product - I've always had good luck with Norton labeled products. If you are looking for current vendor offerings see:  https://www.pcmag.com/picks/the-best-antivirus-protection Regardless of whether you choose to use a commercial product or open-source anti-virus tool, it is absolutely something you need to use. This is the minimally needed level of system security. Once installed, ideally, it should be invisible until there's a security problem it can't prevent or solve.   Backups You need to have at least a minimal level of ...
Post a Comment
Read more

RACI, Cybersecurity and NICE Framework

The NICE framework from a RACI point of view The NICE framework ( NIST SP 800-181 rev. 1) established a standard approach for describing cybersecurity work, in order to help stakeholders share a common language and ideally improve how to identify, recruit, develop and retain talent. It breaks down cybersecurity work role categories into: Oversight and Governance; Design and Development; Implementation and Operation; Protection and Defense; Investigation.  Which is very cybersecurity-centric and not related to common tools for project management within companies. Especially smaller enterprises that do not have dedicated people to mange and coordinate cybersecurity needs. A  RACI chart  is   a project management tool used to define and clarify roles and responsibilities within a project team.   It stands for Responsible, Accountable, Consulted, and Informed, and visually represents who is responsible for what, who is accountable for the outcome, who needs to be c...
Post a Comment
Read more

Typescript - It might not be easier, but but it's surely different

Typescript is a statically typed language, that is a superset of JavaScript. I've had the discussions and debates about that aspect of the language. I am all for static typing. Any way my tools can help me be better is alright by me. So I avoid the ' any ' type designation and make sure I have guards on ' unknown ' types, as much as I can.  Any  does not carry any useful type information, while unknown does, and allows it to enforce type checking.  Anything can be assigned to a variable of type unknown , but an unknown value cannot be assigned to variables of other types without explicit type assertion or narrowing. Similarly, no operations are permitted on an unknown value until its type is refined. This behavior ensures type safety and prevents runtime errors. (Refined with help from google). I bring this up because I was arguing with the compiler recently because I'd assumed both made no use on any type information in any circumstance - because I haven't ...
Post a Comment
Read more