Month: May 2020

Overview of security incidents in telemedicine

There is no doubt that telemedicine is positioning itself as an alternative for medical consultation, especially in the pandemic times we live in. Nevertheless, as telemedicine grows, so does the motivation to breach these types of systems and perpetrate fraud.

In Chile, healthcare codes are increasingly being approved for telemedicine care [1]. This is a significant advance for patients, but at the same time, it is a great challenge in terms of the confidentiality and privacy of patient data.

To get an overview of the current situation of reported security incidents in telemedicine, I have reviewed 46 public sources (press releases, blogs, web portals, forums, among others) to describe, in general, the factors surrounding these incidents. It is important to note that each reported incident can be investigated in more detail, but more specific data on these incidents is largely restricted from the public (for obvious reasons, right?).

This overview aims to serve as a “starting point” for defining practices, guidelines, and policies to safeguard the confidentiality and privacy of telemedicine in Chile. Additionally, all efforts should be focused on reducing the most common security risks that exist in telemedicine, which are: (i) data integrity, (ii) confidentiality, (iii) availability, (iv) authentication, (v) traceability of transactions, and (vi) attribution of acts [2].

References

[1] Teleconsulting codes in Chile

[2] Why telemedicine represents a cybersecurity risk?

Security quality model for Electronic Health Records

Electronic Health Records (EHRs) are real-time, patient-centered records that instantly and securely make information available to authorized users. The information contained in EHRs is sensitive since, in general, it consists of the patient’s medical history (hospitalizations, treatments, illnesses, among others).

One of the most relevant aspects of EHRs is security. More specifically, confidentiality and privacy are critical attributes for security in EHRs. In this regard, assessing the security of EHRs (and of systems in general) is very complex. Security can be characterized at many levels, from institutional policies to sophisticated attacks on software and critical infrastructure. Therefore, to help reduce this complexity, we are working on a quality model to evaluate the current state of EHR security and to support security decision-making by software vendors and clinical facilities. The first version of this quality model was evaluated with 20 professionals from the Chilean healthcare industry.

We are improving the model and, at the same time, developing a platform that will allow us to automate this evaluation.

Frameworks, platforms, and microservices

In the development of microservices-based systems, one of the typical questions that software developers ask is: which technologies (such as frameworks and platforms) do I have to select to develop the microservices project? The market for frameworks and platforms, not only for microservices-based systems but for all kinds of systems, is very broad. So, what criteria should be used to select technologies? One “obvious” criterion is “the technology that is cheaper and takes less time”. But this criterion is only one of many that an architect should consider when developing a microservices-based system.

To help with this complex task, we have created a technique that allows evaluating sets of frameworks and platforms based on quality attributes.

This tool helps the software architect narrow the space of technological solutions in the market down to a more specific set that allows her or him to satisfy the main non-functional requirements of a microservices project. To evaluate the technique, we used it in an industrial project, obtaining promising results.