The most important step to ensuring our privacy and protecting our data starts long before you purchase a device or a new connected devices is added to a hospital or doctors office network.
Security starts in the design of the device and is based on software best practice, many that are not known or enforced in to coder community today. The practice is called Secure Software Development Life Cycle (S-SDLC) an is taught in the first semester of most Computer Science college curriculum. This is where I normally lose the Agile designers, but wait, this will work for Agile as well We just need to consider the sprints as smaller circles/life cycles, more about this later.
There is one large caveat to designing medical software, if it fall under the FDA definition of a medical device it must follow IEC 62304, which is waterfall design, at least for the documentation. Not all software for medical use need FDA approved, e.g., EHR Electronic Health Records do not fall under FDA jurisdiction, why? Good question, however we will leave this for another discussion.
One issue software faces today is the lack of Computer Scientists, there are many great coders doing good work, however the oversight seems to be lax. Oversight is the responsibility of the vendor that owns the software and the customer who purchases the software, e.g., a hospital purchase a solution to store PHI, something goes wrong and the data is compromised. It is the hospital responsibility to report and most likely compensate the patient's that have been damaged by the breach.
S-SDLC
Secure SDLC is based on SDLC, a best practice for designing and delivering robust software.
A series of steps starting at the top of the circle describing the life cycle of the development.
S-SDLC takes into account security at every step of the cycle, e.g., Requirements phase, add Security requirements.
One of the most important parts of the cycle is testing, it is the last chance to catch a problem before it gets to the customer. Because of the emphasis placed on iterations and quick to deliver, many coder today do not agree.
There is a V-Model for SDLC that stresses the testing phase, by including 5 levels of testing. Many in the Agile community feel that this model is to close to Waterfall design, I do not wish to debate, however I did want to show the testing phases that must be implemented in-order to protect data.
- Unit testing
- Integration testing
- System testing
- User acceptance testing
User Acceptance Testing is one of the most important phases because it test in a way that the customer will use the system. I suggest that organization perform this testing themselves to make sure they are getting the protection and operation that was sold to them.
As IoT solutions become more available in healthcare, we will need to be more diligent in protecting our privacy and the privacy of our patients. We can no longer except that notion that a product, service or vendor is secure, we must follow through and be sure.
Security isn't something that you can buy as much as it is a way of thinking, designing testing and implementing. Organization must train their people to think about security first, in everything they do. We also must implement system that allow employees to report suspected security problem without repercussions, i.e., shooting the messaging . Security is a team effort, both strategic and tactical.
