Table of Contents
- Security checklist for Users
- Security measures for Developers
- Digital Contact Tracing Protocols
- Google / Apple privacy-preserving tracing
- Decentralized Privacy-Preserving Proximity Tracing (DP-3T)
- BlueTrace / OpenTrace
- TCN Coalition / TCN Protocol
- Whisper Tracing Protocol (Coalition App)
- Privacy Automated Contact Tracing (East Coast PACT)
- Privacy-Sensitive Protocols And Mechanisms for Mobile Contact Tracing (West Coast PACT)
- NHS contact tracing protocol
- Conclusions
In the wake of the COVID-19 lockdown, the usage of Telemedicine apps has surged. The availability of an easier healthcare option, where a patient can be treated virtually regardless of distance through an app using video calls and other advanced tech features, has been a blessing for the citizens of many countries who are locked in their homes due to "stay at home" orders by the government.
As the numbers in the reports state, the usage of these apps has doubled among Americans, while Canadians are also welcoming it with open arms. The Telemedicine market is predicted to reach $130.5 billion by 2025.
But as we all know, the more an app is used, the greater the chances of a data breach and cybersecurity threats. So as the competition for the best Telemedicine app increases in the market, a precise check of its security measures needs to be a central point for an app to survive.
In order to assure yourself that your Telemedicine apps are safe for your customers, below are some factors that need attention in terms of safety, followed by some security measures for Telemedicine apps.
Security checklist for Users
Here's a list of the most important security areas to watch out for when installing a Telemedicine and/or Contact Tracing App on your mobile device:
- Audio or video call information: Telemedicine uses video and audio call facilities where the patient shares his concerns. It is necessary to verify that there is no flaw in the connection through which a third party could listen to the conversation during the call or once the call is over.
- Process of data transfer: Medical reports, chats, and patients' personal information are being exchanged between the Telehealth workers while giving the treatment. Ensuring this data is transferred through a secured network under strong encryption is an important aspect to be taken care of in a Telemedicine app.
- App Database: The next in the list is the Telemedicine database, where a huge amount of patient health records are stored. This data should be stored in a secure structured format and not in a way that reveals the patient's identity and must only be accessible by authorized admins.
- Payment gateways: As Telemedicine apps treat patients online, the payments to the doctors are also transferred using different payment methods. Securing your app payment gateways with double-layer verification or biometric authentication is essential for your users' safe money transfer.
Moving further, let's look into some must-have security checks for a Telemedicine app.
Security measures for Developers
Some important security aspects should be kept in mind even during the development phase by those who work on these apps: let's take a look at the most important of them.
Endpoint security
Telemedicine apps can be installed and used on different devices like laptops, tablets, and mobile phones. During the online diagnosis process through video calls and chat messages, each of these devices is connected to a different network, leaving a chance of a data breach through any of the endpoint devices.
Controlling the amount of data that is accessed from a device thus becomes important. Introducing and implementing an advanced EDR system in your app development process helps to detect any malicious activity on the devices connected at the endpoints by employing 24/7 monitoring of the nodes. These advanced EDRs are capable of ensuring security on remotely connected devices by enabling immediate action to prevent any malware from entering and spreading in the system.
Another important way to increase endpoint security is to implement an encryption in-transit method, such as end-to-end encryption: to know more about this topic, we strongly suggest taking a look at our encryption in-transit and encryption at-rest: definitions and best practices article.
HIPAA/PIPEDA Compliance
HIPAA/PIPEDA Compliance is the mandatory and most basic security check for a Healthcare application to become eligible for public use.
Since this compliance ensures the right use of the users' personal health information, matching the standards defined by the industry experts becomes a must.
Some of the must-know rules of HIPAA compliance are:
- Data security: Only authorized and registered users can access the ePHI; proper security terms have to be defined to safeguard against unauthorized parties.
- Strict ePHI communication monitoring devices: In order to avoid any data breach, HIPAA asks the app owner to implement mechanisms to monitor ePHI communication to prevent an accidental malicious attack.
- Secure channel for communication: The use of Skype, SMS, and emails as a medium for Telehealth checkups is highly prohibited. In order to maintain the integrity of ePHI, implementing a secure communication system becomes important.
Policies, security terms, and procedures like these are the benchmark for a full-fledged app to ensure a safe launch in the market.
Opt for App insurance for Cybersecurity
Just as we take an insurance policy for our lives and business, why not for our app security? With options like Cybersecurity insurance for applications that come along with business insurance, there is full monetary coverage of any mishaps with the digital services.
Opting for the right cybersecurity policy can help stop any possible data breach attack by providing protective software, and also includes employee training and other IT support.
This policy includes the costs of legal security work, forensics, and public relations, as well as the data monitoring costs of the application. Such insurance is a great step to ensure safety in terms of the app as well as money in times of any cyber attack.
Data Encryption and Network Access Control
As there is a huge amount of patients' sensitive data being transferred through Telemedicine apps, confirming safety during data transfer and data storage is an important aspect.
As we've already said, we strongly suggest using technology platforms with strong data encryption models that prevent an unauthorized user from having even an accidental look at your data, or a smart hacker from getting access to your communication in transit to tamper with it. Data transfer through email, Skype, Facetime or other known systems and/or protocols is not advisable for use in Telehealth apps. Be sure to only use secured channels and to implement strong data encryption in-transit techniques (such as end-to-end encryption).
Talking about data transfer, a virtual private network (VPN) is said to be the most protected communication channel for transferring any sensitive data, as the data is well encrypted and transferred through a secured and appropriate channel. VPNs mitigate the chances of any potential system vulnerabilities.
Apart from that, NACs are also a great form of security that works on micro-segmentation techniques and tracks and monitors devices and their access limits.
Self-hosting your app
Your app is said to be 100% safe if it doesn't have any dependency on a third party. Relying on other systems requires delegating your app data, which could in one way or another be the reason for glitches in data security.
Hosting your app on your own server or storing your data on your purchased cloud space is the easiest way to ensure safety, as you are the only one authorized to access the data.
Allowing your users to access telemedicine apps through Google or Facebook increases the external risk to security and privacy. Moreover, by opting for a white label solution you will get your own app ready with your branding and suitable customization.
Digital Contact Tracing Protocols
When it comes to Digital Contact Tracing apps, it's very important to determine which tracing protocol has been implemented by the app itself. As you might already know if you've read the huge debate that dominated the home page of most newspapers all around the world during the recent COVID-19 emergency, one of the largest privacy concerns was raised about the usage of centralised report processing by protocols such as PEPP-PT, as opposed to decentralised report processing protocols such as TCN and DP-3T.
Centralized vs Decentralized approach
In a centralized report processing protocol a user must upload their entire contact log to a health authority administered server, where the health authority is then responsible for matching the log entries to contact details, ascertaining potential contact, and ultimately warning users of potential contact. Conversely, decentralised report processing protocols, while still having a central reporting server, delegate the responsibility to process logs to clients on the network. Tokens exchanged by clients contain no intrinsic information or static identifiers. Protocols using this approach have the client upload a number from which encounter tokens can be derived by individual devices. Clients then check these tokens against their local contact logs to determine if they have come in contact with an infected patient.
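The decentralized flow described above, as an added Python example that is not part of the original article or of any listed protocol's code. The HMAC-based derivation, the 96 tokens per day and the `Device` class are assumptions made for illustration; real protocols define their own key schedules.

```python
import hashlib
import hmac
import os

EPOCHS_PER_DAY = 96  # assumption: one token per 15-minute window


def derive_tokens(day_key, epochs=EPOCHS_PER_DAY):
    """Derive a day's encounter tokens from a secret daily key.
    Truncated HMAC-SHA256 is an illustrative choice, not a real protocol's."""
    return [hmac.new(day_key, b"token" + i.to_bytes(2, "big"),
                     hashlib.sha256).digest()[:16] for i in range(epochs)]


class Device:
    def __init__(self):
        self.day_keys = {}     # day -> secret key, kept on the device
        self.contact_log = {}  # day -> tokens heard nearby, never uploaded

    def broadcast(self, day, epoch):
        key = self.day_keys.setdefault(day, os.urandom(32))
        return derive_tokens(key)[epoch]

    def hear(self, day, token):
        self.contact_log.setdefault(day, set()).add(token)

    def report(self, days):
        """What an infected user uploads: daily keys only, no contact log."""
        return [(d, self.day_keys[d]) for d in days if d in self.day_keys]

    def check_exposure(self, published):
        """Runs on the client: re-derive tokens and match the local log."""
        hits = []
        for day, key in published:
            heard = self.contact_log.get(day, set())
            if heard.intersection(derive_tokens(key)):
                hits.append(day)
        return hits


def demo():
    # Constructed scenario: Bob was near Alice; Carol only met Bob.
    alice, bob, carol = Device(), Device(), Device()
    bob.hear(1, alice.broadcast(1, 10))
    alice.hear(1, bob.broadcast(1, 10))
    carol.hear(1, bob.broadcast(1, 40))
    server = alice.report([1])  # the server stores keys, not who met whom
    return bob.check_exposure(server), carol.check_exposure(server)
```

The reporting server only ever holds Alice's daily key; the match against Bob's contact log happens on Bob's device, which is the property that separates this design from central log processing.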
The major benefit of decentralized protocols, which makes them great in terms of privacy compliance, is that the government neither processes nor has access to contact logs. However, such an approach also presents some issues: primarily the lack of human-in-the-loop reporting, leading to a higher occurrence of false positives, and potential scale issues, as some devices might become overwhelmed with a large number of reports. Decentralised reporting protocols are also less mature than their centralised counterparts.
Here's a useful list of the available centralized and decentralized protocols nowadays.
Pan-European Privacy-Preserving Proximity Tracing (PEPP-PT)
- Architecture: Central log processing, Ephemeral IDs
- Author/Promoter: Fraunhofer Institute for Telecommunications, Robert Koch Institute, Technical University of Berlin, TU Dresden, University of Erfurt, Vodafone Germany, French Institute for Research in Computer Science and Automation (Inria)
- License: multiple protocols, closed source, private specifications
- URL: https://www.pepp-pt.org/
Google / Apple privacy-preserving tracing
- Architecture: Client log processing, Ephemeral IDs
- Author/Promoter: Google, Apple Inc.
- License: public specifications
- URL: https://www.apple.com/covid19/contacttracing
Decentralized Privacy-Preserving Proximity Tracing (DP-3T)
- Architecture: Client log processing, Ephemeral IDs
- Author/Promoter: EPFL, ETHZ, KU Leuven, TU Delft, University College London, CISPA, University of Oxford, University of Torino / ISI Foundation
- License: publicly-developed Apache 2.0 reference implementation, MPL 2.0 iOS/Android code
- URL: https://github.com/DP-3T
BlueTrace / OpenTrace
- Architecture: Central log processing, Ephemeral IDs
- Author/Promoter: Singapore Government Digital Services
- License: public specification, GPL 3 code
- URL: bluetrace.io
TCN Coalition / TCN Protocol
- Architecture: Client log processing, Ephemeral IDs
- Author/Promoter: CovidWatch, CoEpi, ITO, Commons Project, Zcash Foundation, Openmined
- License: public developed specification, MIT License code
- URL: tcn-coalition.org, https://github.com/TCNCoalition/TCN
Whisper Tracing Protocol (Coalition App)
- Architecture: Client log processing, Ephemeral IDs
- Author/Promoter: Nodle, Berkeley, California, TCN Coalition, French Institute for Research in Computer Science and Automation (Inria)
- License: GPL 3
- URL: https://www.coalitionnetwork.org/
Privacy Automated Contact Tracing (East Coast PACT)
- Architecture: Client log processing, Ephemeral IDs
- Author/Promoter: Massachusetts Institute of Technology, ACLU, Brown University, Weizmann Institute, Thinking Cybersecurity, Boston University
- License: MIT
- URL: https://pact.mit.edu
Privacy-Sensitive Protocols And Mechanisms for Mobile Contact Tracing (West Coast PACT)
- Architecture: Client log processing, Ephemeral IDs
- Author/Promoter: University of Washington, University of Pennsylvania, Microsoft
- License: MIT
- URL: https://arxiv.org/abs/2004.03544
NHS contact tracing protocol
- Architecture: Central log processing, Ephemeral IDs
- Author/Promoter: NHS Digital
- License: private specification
- URL: https://www.nhsx.nhs.uk/covid-19-response/nhs-covid-19-app/
Conclusions
Telemedicine apps are here to stay. The ability to get treatment while sitting at home has made them more popular since the lockdown announcement.
As the use of these apps picks up pace, ensuring the safety of patients' data is a concern that must be taken care of. Implementing the above-mentioned hacks before developing a telemedicine app can be a great way to launch a secure and safe app for your users.