Guest post by Pawan Sharma, director of operations for healthcare at Chetu.
Healthcare is quickly adapting to the digital environment by leveraging web-based technologies, electronic health records (EHR) and mobile devices to facilitate the movement of information. With innovative software technology comes great responsibility. One of the unfortunate downsides to increasing the use of technology for data sharing in the healthcare world is the risk of data falling into the wrong hands. Full measures need to be put in place to protect patient’s Protected Health Information (PHI). The Health Insurance Portability and Accountability Act (HIPAA) mandates that all PHIs be secured. Any breach, if not handled appropriately under established procedures, can lead to grave consequences including heavy penalties, jail time, or both. Needless to say that proper mechanisms need to be implemented to secure data while it is stored, transmitted and consumed.
Understanding Regulatory Standards
Knowledge is power. It is paramount that software providers look for back-end development partners that have Healthcare IT experience. This includes extensive knowledge and proficiencies with federal regulations like American Recovery and Reinvestment Act (ARRA), meaningful use stage 1 and 2, Accountable Care Act, etc. Also, regulatory health information exchange (HIE) standards such as Health Level 7 (HL7), Health Information Exchange Open Source (HIEOS), Fast Healthcare Interoperability Resources (FHIR), Consolidated-Clinical Document Architecture (C-CDA), Continuity of Care (CCD/CCR) as well as clinical and financial work flows.
With information traveling over a network it may be subject to interference. Hence, it is important that data be encrypted in transit. Vendors must include encryption technology to prevent disclosure of patient health information while data is communicated between the application and the server. Web traffic must be transmitted through a secure connection using only strong security protocols such as Secure Sockets Layer (SSL) or Transport Layer Security (TLS). SSL/TLS certificates are light weight data files that are purchased and installed directly onto the server. Once implemented, a user will be able to connect to the web-based application server via a secure tether with an internet browser.
Organizations have been keen on securing networks and internal infrastructure from external threats. With this in mind, malicious entities are looking to breach data at the application level. Healthcare software proprietors must protect their application from security threats by employing hardening tactics, which shields bugs and vulnerabilities in the coding. This technique primarily includes code obfuscation. Code obfuscation is the act of intentionally creating obscure source code to make it difficult for entities to decipher. Properly employing this tactic hinders a threats ability to reverse engineer and tamper with an application to facilitate a breach.
With so many healthcare applications using the cloud infrastructure for a basis of data sharing it is pertinent that software providers include additional authentication measures. This includes securing access to web-based applications using a two-step authentication process with dynamic passwords, by means of a Time-based One-Time Password (TOTP) algorithm. This process adds an additional factor to just a username and password by requiring a supplementary code or key that is sent to another device, application, or email. As healthcare providers leverage the use of a myriad of devices adding this additional layer of security can protect users from credential seizure.
Software proprietors must include modules that help healthcare providers automate account management by seamlessly being able to ID individuals within a network or platform. A robust ID management module should at its core be able to mimic operational policies of a healthcare organization by defining which devices and users are allowed to access a platform. They should limit what the user is able to accomplish by setting conditions in relation to job responsibility, time, location and other relevant factors. A robust system should include a centralized user directory with easily defined parameters surrounding their access to a platform that automatically manages, records, and timestamps an employee’s interaction with a particular application. Lacking a robust access management system poses a paramount concern for security and noncompliance.
With increasing use of mobile devices for accessing secure information, mobile information security is of paramount concern. Many mobile applications cache data for offline operation. Unfortunately, this increases the risk of a breach. This is especially true for browser based caching or hybrid mobile applications. Product managers and vendors must be aware of this and look to move from mobile based caching to programming local databases for offline data storage. Local databases are provided by all mobile platforms and are intrinsically secured by the platform itself in case of an attempt to access data without authorization.
With hybrid data retrieval applications being natively stored on mobile devices, it is of concern that mobile devices can fall into the wrong hands by means of being lost or stolen. When providing healthcare applications with the ability for users to access the platform from anywhere, it is important to incorporate provisioning tools to control on and off premise access. Geo-fencing modules integrated with a healthcare mobile application allow for added security to mobile devices whereby completely locking out access to an application, clearing passcodes, wiping, and/or erasing the device if it falls outside of a certain perimeter. Location-based services can be easily integrated with any application. When developing a location aware application it is paramount that the users’ location be accurately identified through specific programing of geo-coordinates.
Using time constraints or time management modules in conjunction with other security features will greatly improve the level of security for healthcare applications. Using a time management tool can restrict the capacity of a threat by enabling time based conditions. This time control is an efficient way to manage unauthorized access to an application by limiting access only to approved times. Integrating scheduling software allows a user’s access to an application or platform by syncing the availability of the platform to that specific user’s working hours. Cleansing the data from local storage, timing out the session after a set interval of inactivity, and dimming of screens are some other measures for enhancing data security.
Even after all the aforementioned safeguards, data breaches can still occur. In such cases, proper audit logs need to be put in place to prevent future breaches. Auditing involves an objective evaluation of different entities’ procedures and practices and how they relate to a specific technology being used. Here the roles of software developers, IT staff, and healthcare providers are defined to establish clear boundaries on how a system is accessed and used to identify business risk and internal controls. Identifying the underlying cause provides entities with the necessary information to mitigate potential threats moving forward.