The recommendations of the e-Health Center, published in May this year, on building cybersecurity systems in entities performing medical activities caused quite a stir on the market. The recommendations presented to hospitals are designed to increase their security in the digital world and to protect not only their infrastructure but, above all, the sensitive patient data processed in hospital systems.
How do we secure medical data?
Comarch systems dedicated to medicine, such as Optimed NXT, e-Care, or medNote, have been designed to ensure a high level of security at every stage. The processed data is encrypted not only as records in the database or as the database as a whole, but already at the stage of transferring it from the web panel view to the database. In the event of a data leak or theft, there is a low probability that the thief will gain access to the data in plain form within a business-acceptable time.
Data security and failures
Data security is not only encryption but also the possibility of authorized access in crisis situations. In the event of a failure, each of our systems can rely on internal backup mechanisms. We have implemented automatic backup not only for visit cards but also for medication cards and therapy plans for each patient. In addition to our mechanisms, hospitals can implement their own backup rules, e.g. by sending backup files to a so-called private cloud – resistant to failures of power, Internet connectivity, or the infrastructure itself.
Security of cloud systems
Comarch is not only a proven software provider, but also a provider of hardware and cloud services. Each of Comarch’s medical applications has been designed to run in the cloud and give users access via a web portal. We recommend this solution for mobile medical teams, as well as for hospitals and clinics with several locations. The portal is secured with an SSL certificate and built-in security mechanisms, and data is sent over the TLS 1.2 and 1.3 protocols. It is worth emphasizing that the administration panel is better secured in the cloud than a virtualization console on a host or cluster. The cloud forces administrators to use personal access accounts, which, in combination with the Comarch Identity Access Management solution, significantly limits the possibility of administrative passwords being revealed.
Our services include, among others, a high-availability data processing center located in Krakow. The location of such a center in Poland is important, if only because of data-transfer latency and GDPR requirements.
Verification and view of the history of changes
Administrators of our medical systems have the opportunity to review the actions of users on a given patient record. In disputed cases, they can find out when and from which account changes were made to a patient's record, such as adding, editing, or downloading documents about the patient, merging patient data, canceling or changing the date of a visit, or removing the patient.
Two-factor authentication – more than a password
For over 20 years, Comarch has been developing its own encryption and access management systems that secure access to electronic banking, sensitive data, and critical systems. Drawing on many years of experience, last year we decided to include this functionality in our medical applications. In addition to the standard method of authentication, the user must additionally provide a code confirming their identity. The two-factor authentication method significantly increases the security of processed data, because a simple 8-character password can be cracked quickly. An additional verification step from an external device allows us to control every login attempt – even an unauthorized one!
IT Security at Comarch
In order to respond properly to emerging vulnerabilities and apply appropriate safeguards, Comarch has within its structures many cybersecurity specialists, who track not only announced vulnerabilities but also the research of international organizations dealing with cybersecurity (e.g. OWASP, ISACA, or NASK). Confirmation of our care for information security is the PN-EN ISO/IEC 27001:2017-06 certificate issued by an independent certification body – the Polish Centre for Testing and Certification.
If you are interested in receiving more information about our products dedicated to the medical industry – please contact our sales department.
Author: Patryk Kozłowski - a graduate of Computer Science in Medicine, Faculty of Cybernetics, Military University of Technology. Passionate about computer science, micro-robotics, IT security, and spreading IT knowledge. Auditor of the Information Security Management System under PN-EN ISO/IEC 27001 and Personal Data Protection Inspector. Member of the ISACA Warsaw Chapter association.