
Secure hosting requirements, patient data


    I'm hoping I can pick some of your brains regarding a current client project I'm involved with.

    Without going into too much detail, client has asked me to produce a system to track a particular type of NHS patient record. An iPad app will be used to scan this document into the system, where it will be securely transmitted via an API to a backend system that can only be accessed from the various premises belonging to the client.

    Now I'm not a security expert, neither am I completely ignorant on how to build secure systems. Client has sent me lots of NHS literature regarding IT/security policies for storage of patient data.

    My main concern is that no matter what I do I'm potentially leaving myself exposed to a world of pain here and I'm wondering what the best way of approaching this is. I'm covered by professional indemnity insurance and there's a limit to my liability in my terms and conditions but the way I see it, the less I can get involved in the final production deployment the better - I'm not a systems administrator.

    Client needs recommendations on where to host the backend application. The client application is less of a concern as it will not store any patient identifiable data. Backend is written in Ruby on Rails and it needs to be hosted on a UK-based provider.

    Backend admin and access to API will be restricted to known IPs at the firewall level. Site will be served with SSL and all API traffic will be encrypted with SSL + public key pinning on the client. Client devices need to be registered by admins using their own login credentials, which will be exchanged for a secure authentication token which can be revoked at any time. Uploaded documents will be stored on an encrypted cloud document provider at rest and in transit. I'm also investigating encryption at the database level. Obviously strict controls need to be in place regarding who can access production servers and how. I intend to recommend my client has the application audited before deployment into production.

    I was considering recommending using Brightbox Cloud and their Orbit cloud object storage service:

    https://www.brightbox.com
    https://www.brightbox.com/cloud/storage/

    Any general advice? What regulatory issues do I need to be aware of here? How would you approach this? Developing the software itself is not a complicated task, but I'm aware I'm a bit out of my depth on the deployment side of this.
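    The device-registration part of the design above (admin logs in, device gets a revocable token) sketched as Ruby, since the backend is Rails. This is an added example, not the poster's code; `DeviceTokenStore`, its in-memory hash and the sample device/admin names are assumptions standing in for a real table and real accounts.

```ruby
require 'securerandom'
require 'digest'

# Added example (not the poster's code): the device-registration flow from
# the post. An admin who has already authenticated registers an iPad; the
# server hands back a random bearer token once and keeps only its SHA-256
# digest, so a leaked database does not leak usable tokens. Revocation is
# by device, because the admin never sees the token again after issue.
class DeviceTokenStore
  Record = Struct.new(:device_id, :registered_by, :issued_at, :revoked_at)

  def initialize
    @records = {} # token digest => Record (stand-in for a database table)
  end

  # Exchange the admin's authenticated identity for a fresh device token.
  # Returns the plaintext token; the caller delivers it to the device and
  # must never log or persist it.
  def register(device_id, admin_login)
    token = SecureRandom.urlsafe_base64(32) # 256 bits of entropy
    @records[digest(token)] = Record.new(device_id, admin_login, Time.now, nil)
    token
  end

  # Returns the device_id the token was issued to, or nil if the token is
  # unknown or revoked. Lookup is by digest of a high-entropy random value,
  # so an attacker cannot steer the comparison timing towards a match.
  def authenticate(token)
    return nil unless token.is_a?(String) && !token.empty?
    rec = @records[digest(token)]
    return nil if rec.nil? || rec.revoked_at
    rec.device_id
  end

  # Revoke every live token issued to a device (lost or retired iPad).
  # Returns the number of tokens newly revoked.
  def revoke_device(device_id)
    @records.values.count do |rec|
      next false unless rec.device_id == device_id && rec.revoked_at.nil?
      rec.revoked_at = Time.now
      true
    end
  end

  private

  def digest(token)
    Digest::SHA256.hexdigest(token)
  end
end
```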

    #2
    When I was on NHS Spine (I dunno if this is Spine related) for anyone to have access to patient records they needed to be entered on EPR system (End Point Registration) and there was something to do with the Caldicott Guardian, can't remember what that was now - quite a while ago.

    Basically the end point has to be trusted and approved.



      #3
      Originally posted by TheCyclingProgrammer:
      Any general advice?
      Sub it. It's pointless trying to learn on-the-fly with something like this, given the importance of being right first time. I know feck all about secure systems, just making a general observation. Always best to sub work if you're not well placed to do it yourself. Finding the right subcontractor may be more difficult, but you may be able to team with someone if this is an area you expect to move into.



        #4
        Originally posted by jamesbrown:
        Sub it. It's pointless trying to learn on-the-fly with something like this, given the importance of being right first time. I know feck all about secure systems, just making a general observation. Always best to sub work if you're not well placed to do it yourself. Finding the right subcontractor may be more difficult, but you may be able to team with someone if this is an area you expect to move into.
        I'm certainly trying to find somebody who can assist with this - a good dev-ops guy with experience in this area. Also, if anybody knows of anyone who can carry out a security audit of both the code and pen testing of the production deployment environment that would be useful.

        I think the most important thing is no matter what I do, the security of this system is an ongoing process, so my client is going to need somebody to manage this system once I've finished developing it for them anyway. Servers don't look after themselves...

        stek - this isn't spine related but something that is being developed purely for my client's own business benefit and potentially for them to sell as a service to others in the future (if it makes it past proof of concept stage).



          #5
          Originally posted by TheCyclingProgrammer:
          I'm certainly trying to find somebody who can assist with this - a good dev-ops guy with experience in this area. Also, if anybody knows of anyone who can carry out a security audit of both the code and pen testing of the production deployment environment that would be useful.

          I think the most important thing is no matter what I do, the security of this system is an ongoing process, so my client is going to need somebody to manage this system once I've finished developing it for them anyway. Servers don't look after themselves...

          stek - this isn't spine related but something that is being developed purely for my client's own business benefit and potentially for them to sell as a service to others in the future (if it makes it past proof of concept stage).
          Not sure, but you might need to be careful: there is a system for secondary use of NHS data; it was SUS and now it's SUS2 - Second User S-something. System or Service...

          Make a lot of money from it.....



            #6
            I haven't worked for the NHS, but for central Government, Skyscape Cloud Services (assured cloud services for the UK public sector) is the default cloud; it does appear to claim to have access to the N3 network, though whether or not that's important to your app, I don't know.

            It's a crap hosting provider though, and if the only requirements are that it's hosted in the UK following some ITSO guidelines I'd be trying for Rackspace public cloud. Whether or not that will fly will depend on the inertia of the departments you're dealing with.

            I'm a devops guy, happy to comment, but never worked specifically with the NHS, so couldn't comment on what guidelines they usually follow. Central gov seems to follow CESG guidelines, thus you can read: https://www.gov.uk/government/public...ity-principles
            Last edited by fool; 25 May 2016, 19:59.



              #7
              Something to be aware of is that if the patient data is from English patients the data has to be stored in England. If it is stored anywhere else you need to complete data export paperwork.

              If you are getting involved in this I would recommend reading anything you can on the IGSoC (Information Governance Statement of Compliance).

              I have completed quite a few projects for private companies working with the NHS. I'm happy to take a quick look at your requirements.
              SUFTUM

              May life give you what you need, rather than what you want....



                #8
                It's not enough to choose a UK hosting company, the physical servers must be located in the UK.
                You are opening yourself up to a lot of risk (and a lot of pain), so the daily rate needs to be excellent and you'd better have good insurance.


                I'd flag the iPad app bit, since the iPad is a portable storage device, proof would need to be given that the scan was never stored on the iPad, but transmitted directly and if there was no connection or the transmission failed then the scan would need to be done again.


                It's a minefield, but a very lucrative one!
                …Maybe we ain’t that young anymore



                  #9
                  Thanks for the extra comments.

                  Yes, by UK-based hosts I do mean UK located servers.

                  The data in this case relates to patients in Wales.

                  I've been continuing to read through various documents relating to government and NHS IT security. To be fair, most of it is reasonably straightforward.

                  I've been continuing to make notes so I can make my recommendations to the client.

                  Regarding the iPad clients, there isn't currently any intention to store any patient-identifiable data on them and the images will not be stored on disk. However, the option to store limited data is there as on-disk encryption on iOS is fairly trivial to implement and happens automatically so long as the device has a passcode. I've already advised my client looks into an MDM solution for managing and locking down their iOS devices and enforcing policies like this. iOS encryption meets the FIPS 140-2 standard which is on the list of approved government standards.



                    #10
                    Some Gov depts will accept European located kit as per the Azure model. The Skyscape offering was so bad they've had to look further afield. A ton of hoops to jump through for non UK based though I'd expect.
                    'CUK forum personality of 2011 - Winner - Yes really!!!!
