For some, 2016 has been the year of data hacks and security breaches, and therefore, it seems like a perfect time to write about Cloud security for Health Care Tech (HealthTech) Platforms and what we are doing at RXTransparent to ensure the integrity of our customer’s data. Many times, the discussion with our current and prospective customers about security is a very short conversation. Most of our customers (Clinical Providers) are comfortable with the statements that we make assuring them that RXTransparent for DSCSA Compliance uses the same security technology and processes as their own online banking systems. In this blog post, we are going a step deeper and, without being too technical, describe what modern day security means for HealthTech. The following examples are some of our best practices that never get any PR or press. Simply put, when it is working, no one notices. Where possible, we have included Wikipedia links for many of the topics below so any reader can drill further into each topic.
Encryption The simplest security countermeasure that HealthTech systems should implement is encryption. The signs and symptoms you are looking for are as follows: does the link to your app begin with HTTPS, or does the app have a certification logo from a trusted certificate authority? Without encryption, any entity looking at the data being transmitted between two computers (Man in the Middle Attack) could read and intercept the traffic in plain text.
Identity Management The second practice that we implement is Privileged Identity Management which does not allow any shared user IDs and passwords. Historically, shared identities and passwords lead to unfavorable outcomes of healthcare data. Each ID within RXTransparent will be authorized to access certain system functions and seamlessly deny access once the individual moves on to a different role or exits the organization. RXTransparent utilizes Microsoft’s Active Directory for identity management which is often the same platform used by our customers.
Multi-factor Authentication Many times, when you talk to information security professionals (InfoSec), the conversation boils down to three “Somethings “. Something you know (a password), something you have (a device), and finally something you are (biometrics). Any one of these things can be compromised – some harder than others. If a platform combines multiple factors for authentication, then the probability of unauthorized access decreases dramatically. The RXTransparent platform uses complex passwords (something you know), and can only be accessed via a device on either our customer’s network, or our network (something you have). We have not implemented biometric authentication because it is cost prohibitive and complex, and not necessarily worth the inconvenience to our customers. As an enterprise-enabled application, RXTransparent has the luxury of not having to be publicly facing and therefore access to RXTransparent is never made available to the general public as compared with platforms like salesforce.com or Office365.
Data As a Service During the initial advent of data driven internet applications, data sources were directly connected to the web sites. This practice, in many cases, is the fatal flaw of many of the large data breaches that we see in the news. When the database is connected to the cloud/app, then the database can be manipulated by the app. The tech team at RXTransparent abstracts the underlying database with cloud services that can only be accessed by authenticated and authorized users who have been given specific privileges to data and specific functions. Therefore, hacks that try to manipulate the database directly are impossible and this level of abstraction removes the risk of inappropriate access. Within RXTransparent DSCSA Compliance Platform, a key system function is retrieving and displaying a product pedigree from manufacturing source to dispensing location. The microservice that handles this function can do only that. It can retrieve a single pedigree and pass that to the front-end App based on certain parameters. It does nothing else and therefore can’t be exploited or even accessed except by the RXTransparent Platform.
This article is Part 1 (Technology) of our year end overview of HealthTech security within the RXTransparent platform. It is by no means, a complete list of all of the security programs and countermeasures that we have in place, but a good starting point to set the stage for next week’s blog where we will review the processes that support our apps Security Technology. We believe that these technology practices are reasonable minimum standards for any HealthTech platform. We are both proactive and responsible for our customers, by protecting their data which is one of their most important assets.
We welcome your questions and feedback below, or feel free to contact us directly at firstname.lastname@example.org