Cloud Security and Compliance for Health Start-Ups
We look at the pitfalls, challenges and responsibilities for Health Start-ups to consider when developing new applications in the cloud.
Rule number one for Health start-ups developing in the public cloud: don’t leave security to your cloud provider and developers. You have security responsibilities and obligations that cannot be managed by your cloud provider, alone, and you need to ensure your developer is well across your compliance requirements from the start.
Before a piece of code is written, you must have a security plan in place, and it doesn’t stop there. When developing applications for the public Cloud, you must ensure your developer(s) address security throughout the software development lifecycle.
While standards organisations like ISO and PSPF are helping to establish best practices, it is still the responsibility of you, the start up, to properly safeguard your customers’ personal data.
The Key Regulatory Bodies
Certain laws and regulations must be complied with in order to store and access content such as personal health data. In Australia there are two major health and medical research regulatory bodies. They are the NHMRC (National Health and Medical Research Council) and the Privacy Act 1988. You should familiarise yourself with the Healthcare Identifiers Act and Privacy Act 1988, both of which provide valuable information about your obligations.
It is also important to mention the AHPRA (Australian Health Practitioners Regulation Agency) as it is the main regulatory body that enforces data privacy provisions. Its main function is to protect the public in accordance with Privacy Act 1988 and to collect comprehensive data on registered health practitioners.
Hosting and Security Considerations are Shared Responsibilities
Whether your cloud development partner is AWS, Microsoft Azure or Google Cloud Platform, you and your cloud provider have a shared responsibility to protect customer data. You are responsible for security “in” the cloud while your infrastructure provider (IaaS) is responsible for security “of” the cloud.
You are obligated to protect:
- Customer data
- Application, identity and access management
- Network and firewall configuration
- Client-side data encryption
- Server-side encryption
- Network traffic protection
This may seem like a lot but there is a standard series of best practices and guidelines to help you set up your secure environment from day one. And remember – we’re not saying it’s all up to you. Your provider plays an important security role.
IaaS and PaaS (Platform as a Service) providers are obligated to protect:
- Computing environment
Security Trumps Agility
At a recent conference, our CTO Damien Pedersen found that most attendees with whom he interacted had concerns about how their apps were being developed. These days, start-ups generally use agile methodologies to quickly get things implemented and to have the ability change on the fly. Take heed: you must place security considerations on equal terms with agility. If application coders are not fully aware of compliance requirements and relevant regulations from the start – and if you do not manage your developers to ensure that security is addressed throughout the development lifecycle – the application may require a costly retrofit at some stage. Or worse still, it may inadvertently leak customer and patient data.
Mandatory Data Breach Notification passed in Australia
The recent passage of the Privacy Amendment Bill 2016 means that at some future date (still to be determined, but either 12 months from the date of Assent or on an earlier date if agreed on by parliament) regulated Australian organisations will be required to notify affected individuals and the OAIC of data breaches that are designated eligible under the legislation. iTNews has provided a pretty good run down on what data breach notification means for Australian organisations, and here is an overview with an e-Health focus, but make sure you do your own research on this too.
And just in case you don’t quite believe that even simple development issues like navigation glitches can result in data leakage, you need to be reminded of previous My HR (PCEHR) data leaks. Two navigation issues temporarily allowed users to have access to other users’ health records and notes without authorisation. They were quickly fixed, but these kinds of things don’t need to last for long to have a huge impact on your clients and your reputation.
Bottom Line: Implement Security and Data Protection From Day 1
General security considerations for Start-ups:
- Ensure security is locked down immediately
- Before allowing Internet access to a VPC, lock unnecessary ports
- Encrypt data to protect user privacy
- Build applications in a “loosely-coupled” fashion
When it comes to security of application development in the Health industry, the bottom line is make sure you consider and plan for security measures up front. This means implementing the highest level of security and patient data protection tools from Day 1. It will mean less re-work, less risk and less costs down the track. A gram of prevention is worth a kilo of cure.
Damien Pedersen, CTO/Principal Consultant at Envisian