Industry: Healthcare, EHR exchange
Technology stack: Google Cloud Platform (KMS, GKE, Redis, VerneMQ), iOS, server-side Swift
Regulations: GDPR; ISO 27001, ISO 27002; Dutch Act on the Medical Treatment Agreement (WGBO)
Technology requirements
Challenges
Solution
We performed a security architecture evaluation and a cryptographic protocol assessment, verified and improved overall application and infrastructure security, and advised on improving the security roadmap for the GoClinic solution.
Security advisory, security architecture assessment and risk modelling:
- We defined a general security roadmap after assessing business risks (via FAIR), compliance demands, industry-standard maturity and systems lifecycle planning approaches (NIST 800-160, OWASP SAMM) and potential threats. The roadmap covers the security team's decision scope, an application security baseline, data/risk classification, security goals and internal security standards.
- Based on the security roadmap and the current architecture, we established a detailed risk model, a security model and a plan for improving security measures to create well-rounded data security.
- We reviewed the security controls across the architecture, application and infrastructure levels and provided a list of recommendations for improving them.
Cryptographic audit:
- GoClinic already featured a solid cryptographic design and clever usage of the Themis cryptographic library. This allowed us to focus on the maintainability and execution-security aspects of the encryption layer.
- We assessed the cryptographic protocol and key management procedures, modelled attacks and corner cases, and suggested mitigations for the caveats we found.
- We verified that Themis is integrated and used correctly with respect to the data flow and each platform's limitations.
- We provided a set of recommendations on data minimisation and clean-up, key management and memory management, crypto coding guidelines, and usage of platform-specific security controls (Google Cloud KMS, integration with Keychain/Secure Enclave, biometric protection).
Products and services involved
Themis, a cross-platform crypto library
We used the Themis cryptographic library as a building block for application-level transport encryption, relying on its interoperability across the required platforms and OSs.
Security architecture assessment
We built risk, threat and trust models, analysed and prioritised attack vectors, and assessed the fitness of the selected security controls and their correspondence to the ISMS.
Security advisory
We worked closely with the team on establishing the ISMS: objectives, processes and procedures related to risk management and internal security standards.
Cryptographic audit
We assessed the cryptographic protocol design, reviewed and tested the code implementation, found design caveats and advised on fixing them.
Results and outcomes
The GoClinic team acquired a basis for a company-wide and product-specific security policy, a solid security foundation and a development plan for improving their system.
The sustainability of the security architecture, the deep integration of security controls and the defined security roadmap allowed the GoClinic team to target not only private hospitals but also governmental healthcare organisations, and provided a clear advantage over their competitors.