June 4, 2020
Security Considerations for Virtual Care Applications
This is the second segment of our four-part blog series discussing considerations for building a virtual care application. In our first post we outlined the importance of knowing your users and providing an exceptional user experience. Below we will discuss the primary security considerations for a virtual care application.
The questions we’ll be answering are:
- Why was adoption of digital health stalling in 2020?
- How can we mitigate consumer fears in digital health?
- What are the top 6 security practices for digital health solutions?
Why was the adoption of digital health stalling in 2020?
We learned about the 2020 US digital health consumer survey published by Accenture during the research for this post, and we were quite surprised by some of the trends in the rapidly changing space of Digital Health.
Prior to COVID-19, the usage of digital health mobile devices and applications declined from 48% in 2018 to 35% in 2020. When consumers were asked what is stopping them from using digital health solutions – 41% mentioned “concerns about privacy and data security” as the number one barrier.
However, COVID-19 has strongly encouraged healthcare consumers to adopt virtual care solutions. The Provincial Health Services Authority recently announced that there has been a 90% increase in virtual health visits in BC since March. With numbers to prove that virtual health is the way forward – it is critical that we work to mitigate fear surrounding security considerations for virtual care applications.
How can we mitigate consumer fears in digital health?
According to the 2019 Healthcare Data Breach Report, 510 healthcare data breaches, with 500 or more sensitive patient records, were publicly reported, which represents a 198% increase from the year 2018 – accounting for over 41 million patient healthcare records being compromised. With these figures in mind, it’s easy to see where consumer fears are coming from.
In order to inspire consumers’ trust in technology with their health information, it is critical for private and public organizations to take responsibility for releasing an extremely secure application that does everything possible to keep personal health information in, and hackers out.
What are the top 6 security practices for digital health applications?
Security in digital health is an expansive topic that closely overlaps with privacy. For the purpose of keeping this article concise, we have summarized 6 security considerations for a virtual care application that ensure sensitive health information remains private. These should be considered an absolute minimum.
Data should be encrypted (at minimum) during TRANSIT and at REST. The encryption of data at rest should include strong encryption methods such as AES or RSA. Data in transit should use a protocol such as TLS or SSL.
We recommend RSA encryption for virtual care applications as it is ideal for encrypting data with two physically or geographically different end-points. AES encryption works best within the same platform and context (encrypting data when accessing a database) and should use at least 192 bits (preferably 256) to encode any Personal Health Information.
What’s SSL and TLS?
Both SSL (Secure Socket Layer) and TLS (Transport Security Layer) are cryptographic protocols that ensure privacy and data integrity between a server and an application. SSL/TLS technology encrypts information transmitted between an app and a server, and should be a minimum of 128 bits.
2. Use Multi-Factor Authentication
Multi-factor authentication (MFA) is becoming the protocol of choice to ensure that only authorized users can login to an account. Microsoft has shown MFA use blocks 99.9 percent of all automated cyberattacks.
With MFA, when users enter the correct password, they are prompted to confirm their identity by completing an action on a secondary device. For health specific applications, biometric login can be implemented so that the user has to provide a fingerprint, voice identification or an iris scanning. Time sensitive One-time Passwords (OTP) are another common form of MFA that uses unique passwords that are generated with an algorithm that uses the current time as an input. The time-based passwords expire and therefore offer increased security for MFA.
3. Secure Data Storage
A number of abstracted layers will ensure that if there is a breach, all of the data is not in one place.
Implement Data Wiping
Data wiping is a non destructive process of removing data so that it can no longer be read. The wipe can be set up to occur automatically after a malicious attack is detected and can be triggered remotely in case of physical theft.
4. Test Early, Test Often
Security in applications begins with a well functioning, well tested application. Regular quality assurance efforts should occur and include acceptance testing, performance testing, usability testing, stress testing and regression testing at the minimum. In addition, penetration testing should occur before launch. At FreshWorks, we often outsource our security testing to a specialized company that has experts experienced in exposing application flaws.
5. Network Security
Firewalls are digital walls that protect data from some of the most common vulnerabilities and dangerous malware such as those detailed in the Open Web Application Security Project’s (OWASP) top ten.
Network Access Controls (NAC)
Network Access Controls (NAC) can identify, track and monitor each device (tablets, wearables, smartphones) the second it connects to the network. Then, automated warnings can be triggered when a device exhibits unusual or malicious behavior.
Virtual Private Networks (VPN)
The spread of COVID-19 has increased the amount of employees working remotely – outside of their companies network perimeter security. Thus, VPN’s are becoming increasingly important to ensure data is encrypted and sent or received only on trusted networks.
6. Terminate Sessions
Session tokens should be created, maintained and terminated through OAuth. The session should terminate at a maximum of 15 minutes (if the user is not active on that application after 15 mins they are automatically logged out).
- Make security updates regularly;
- Control access to information (e.g. contacts, camera);
- Avoid allowing the app to store Cookies;
- Allow deactivation of running the application in the background;
- Use vetted, secure third-party API’s and microservice providers. After all, your application is only as secure as the components it connects to!
In the next article in this series, we will be exploring compliance as the 3rd major area of focus for creating a virtual care application.