The most important part of security in any healthcare-related application is protecting patient data. In each piece of your application architecture, think about where patient data are stored, how will you protect that data, and how to restrict access to the data. This post explores what you must consider when building and hosting your secure telehealth application.
The video chats between the patient and medical provider are pretty secure already because of the encrypted nature of WebRTC. However, if your application servers are not secure, then a hacker may be able to get into the signaling logic on your application server. That signaling logic is used to a setup the call between the patient and medical provider, and so it could be hacked to allow someone else to listen in. You should also make sure that patient identifying information is not used in the signaling logic, since the network calls necessary to setup the WebRTC conversation are not encrypted.
In addition, any notes that the medical professional is taking need to be stored in an encrypted database. Medical practitioners may need to look up patient data and run reports in the telehealth application database. However, note that care should be taken, so that the medical professional can only see data relevant to their own patients and their job function.
For any data that you store encrypted, you also need to take care with how you store the keys used to decrypt that data. These keys must be protected, or the encryption will not be secure. Amazon provides a Key Management Service (AWS KMS) specifically for this purpose.
Patients probably need a dashboard allowing them to see upcoming appointments, make payments, and schedule new appointments. Securing this dashboard is crucial, so that a patient cannot hack it to see other patient’s data.
If your system has any external dependencies, like a billing/payment solution or an electronic medical record database, then you should ensure that connections to those systems are secure, and all patient data exchanged is encrypted in transit.
Many systems use an external file storage on cloud servers, such as Amazon’s S3 service. This is a fine solution, but ensure that the files are stored with security policies that restrict access to the files and don’t allow anyone to guess URL’s and see them. S3 allows you to configure different “buckets” with security policies, such that each bucket contains only the files related to a particular app or even subfolders for specific patients; this can restrict access to those folders.
Although using an external medical records system can increase complexity and development costs in your telehealth application, one major advantage is that you may need to store less patient data in the telehealth application itself, thus reducing data breach risk if the telehealth app is hacked.
Take the time to draw out your system architecture and all the data that is exchanged between each piece. Consider how to protect that data, while it’s traveling between parts of the application, and wherever it is stored permanently.
Be sure to question any extra data being stored or sent around, the less data you can expose, the less damage if a breach occurs. Setting up all of the infrastructure is the job of your development team or the company that you hire to build your telehealth application.
You don’t have to be able to set it up yourself, but you should be prepared to ask the right questions to ensure they have your data security interests in mind.
Think a telehealth solution may be right for your healthcare business? Need help determining which option best meets your needs?
The healthcare industry has its own unique set of needs for communications applications, and we are experts in building secure and video applications for medical providers.
We can help you decide whether you want to build a custom telehealth application or want to enable a telehealth starter kit that already includes the most common features our clients need, and which can be licensed, customized, and rebranded for your unique medical or mental health practice. Contact us today.