Application design often comes down to a discussion of what is required versus what is essential. For healthcare applications, it is extremely important to get this balancing act right in your decision making when you know your application will host PHI.
PHI stands for Patient Health Information, and it is the most important and crucial data that needs to be protected. PHI can be anything that contains patient health information, be it medical reports, specific application screens or PHI made available for research use in the public domain. There are guidelines for the de-identification of datasets that are used in the public domain.
However, I will try to keep my post specific to functional and non-functional needs. Here are some of the important aspects that we address while meeting the security needs of a system:
- Provisioning for Authorized Access only using appropriate access control mechanisms
- A configurable permission system with a consumer centric design
- Data Protection mechanism by encryption and decryption of data
- All server client communication over secured layer only
- Sufficient audit trails to know:
  - Who accessed the application and the PHI, when, from where and why
  - In some cases, what in the data got changed, with a possible comparison
- No delete or soft delete only
- Alert notifications to users for all PHI downloads
- Protection of integrity of data
- Development of additional security provisions such as CAPTCHA support and on-screen keyboard entry
- Manage audit logs, access reports, and security incident tracking reports
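
The audit-trail, change-comparison and soft-delete items above, as an added example that is not code from the original post: an in-memory store that records who, when, from where and why for every access, plus a field-level comparison on writes. The class name `PatientStore`, its fields and the hash-chained audit log (one way to make tampering with audit entries detectable) are assumptions of this example.

```python
import hashlib
import json
from datetime import datetime, timezone

def _digest(body):  # canonical JSON, so an entry always hashes the same way
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class PatientStore:
    """Hypothetical in-memory PHI store: soft delete only, every access audited."""
    def __init__(self):
        self.records = {}  # record_id -> {"data": dict, "deleted": bool}
        self.audit = []    # append-only entries, each chained to the previous hash

    def _log(self, action, record_id, user, source_ip, reason, changes=None):
        if not reason:
            raise ValueError("an access reason (the 'why') is required")
        entry = {"when": datetime.now(timezone.utc).isoformat(), "who": user,
                 "from": source_ip, "why": reason, "action": action,
                 "record": record_id, "changes": changes or {},
                 "prev": self.audit[-1]["hash"] if self.audit else "0" * 64}
        entry["hash"] = _digest(entry)
        self.audit.append(entry)

    def write(self, record_id, data, user, source_ip, reason):
        old = self.records.get(record_id, {"data": {}})["data"]
        # Field-level comparison: only fields whose value changed are recorded.
        changes = {k: {"old": old.get(k), "new": data.get(k)}
                   for k in set(old) | set(data) if old.get(k) != data.get(k)}
        self._log("write", record_id, user, source_ip, reason, changes)
        self.records[record_id] = {"data": dict(data), "deleted": False}

    def read(self, record_id, user, source_ip, reason):
        rec = self.records.get(record_id)
        found = rec is not None and not rec["deleted"]
        self._log("read" if found else "read_denied", record_id, user, source_ip, reason)
        return dict(rec["data"]) if found else None

    def delete(self, record_id, user, source_ip, reason):
        rec = self.records[record_id]
        self._log("soft_delete", record_id, user, source_ip, reason)
        rec["deleted"] = True  # data is retained, only hidden from reads

    def verify_audit(self):  # True if no entry was altered or reordered
        prev = "0" * 64
        for entry in self.audit:
            body = {k: v for k, v in entry.items() if k != "hash"}
            if entry["prev"] != prev or entry["hash"] != _digest(body):
                return False
            prev = entry["hash"]
        return True
```

Because the `changes` field holds old and new values, the audit log itself contains PHI and needs the same access control and encryption as the records.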
At the hosting server level, different provisions are made to ensure that the application hosting environment is sufficiently secured against malware attacks and vulnerabilities, and is physically secured.
Apart from these, we have also been using ethical hackers to perform independent security testing that takes care of all the risks and vulnerabilities.
In my next blogs, I will try to elaborate on a specific scenario with some more examples! Stay tuned…