Software Engineer’s Guide to Healthcare Projects


Introduction

Throughout my career as a software engineer, I have had the opportunity to work on a number of projects in a few different industries — including education, media, civic tech, and healthcare.

Important aspects

We will discuss a couple of areas that we need to pay special attention to in projects in the medical space. Our main points of discussion will be:

  • Data security considerations,
  • Reliability of systems, and
  • Healthcare projects’ impact and potential.

Regulations and compliance

Healthcare is one of the most heavily regulated industries, and it is so for a reason. It lives at the intersection of:

  • huge risks (both for individuals and for society), and
  • massive amounts of money.

HIPAA

When it comes to software projects in this space in the U.S., almost everything is heavily influenced by the Health Insurance Portability and Accountability Act. You will probably hear the term HIPAA thrown around a lot.

  1. The Security Rule — sets security standards for technology that needs to be implemented to protect that data, and
  2. The Breach Notification Rule — specifies rules for notifying individuals and other parties about potential health data disclosures.

PHI

Another term that is widely used by healthcare professionals is PHI, which stands for Protected Health Information. In its Privacy Rule, HIPAA regulates what constitutes PHI, and the requirements that must be met when handling data of such a sensitive nature.

  • make it possible to identify that individual.
  • email addresses,
  • geographic locations (more “specific” than a state),
  • dates of birth,
  • telephone numbers,
  • social security numbers,
  • … and more.

HIPAA BAA

One more regulation introduced by HIPAA is related to cooperation between institutions working with medical information, and their business partners.

Security

Most of the regulations described above are put in place to make sure that medical data, which might include some of the most intimate details of our lives, is protected and handled with utmost caution.

Data storage

If we need to store medical data, especially including PHI, we need to make sure that it is protected from threats like data loss (caused by e.g. software bugs, hardware failures, power outages), data breaches (caused by careless staff, external malicious actors, etc.), and others.

  • Data backups,
  • Encryption at rest,
  • Data retention policies,
  • Data immutability techniques (avoiding altering data).

Data transfer

The software systems we build often need to integrate with external entities and applications. Even if we don’t integrate with external systems, chances are that our systems consist of multiple, interrelated components. Some of these integrations might be used to send sensitive data over various communication protocols. To ensure that data is not intercepted or tampered with in transit, you should consider employing the following practices:

  • End-to-end encryption,
  • Firewalls, Private Networks, VPNs,
  • IP whitelisting,
  • Auditing and end-to-end communication monitoring,
  • Automated data transfer workflows.

Data processing — server and application security

If we are confident that data is stored using all the best practices, and is always transferred securely, we need to make sure there is nothing within our system’s environment that could increase the risk of data breaches. There are a few techniques we can, or should, use here:

  • Regular patches and updates for frameworks and external libraries,
  • Access control mechanisms for infrastructure,
  • Application vulnerability scanning.

Data access

Now that we know that we have a safe environment to run our software and store data, we need to make sure that our software itself is secure. One of the most important requirements is to give only authorized users access to the data in our system. To do that, we need to implement:

  • Multi-factor authentication mechanism,
  • Robust access control system — defaulting to the “least privilege” rule,
  • Audit trail — to make sure we know exactly what happened in case of suspicious activities.
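An added example, not code from the original article: a deny-by-default ("least privilege") authorization check that records every decision in a hash-chained audit trail, so an entry edited after the fact is detected. The role names, permission names, `ROLE_PERMISSIONS`, `AuditTrail` and `authorize` are hypothetical.

```python
import hashlib
import json

# Hypothetical role-to-permission map. Anything not listed is denied.
ROLE_PERMISSIONS = {
    "physician": {"read_record", "write_record"},
    "billing": {"read_invoice"},
}
GENESIS = "0" * 64  # hash that stands in for "no previous entry"


def _digest(entry: dict, prev_hash: str) -> str:
    # Canonical JSON so the same entry always hashes to the same value.
    payload = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode()).hexdigest()


class AuditTrail:
    """Append-only log; each entry's hash also covers the previous hash."""

    def __init__(self):
        self.entries = []

    def append(self, user, role, action, resource, allowed):
        entry = {"seq": len(self.entries), "user": user, "role": role,
                 "action": action, "resource": resource, "allowed": allowed}
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        self.entries.append({**entry, "hash": _digest(entry, prev)})

    def verify(self):
        """Return the index of the first entry that fails, or None if intact."""
        prev = GENESIS
        for i, stored in enumerate(self.entries):
            entry = {k: v for k, v in stored.items() if k != "hash"}
            if entry["seq"] != i or stored["hash"] != _digest(entry, prev):
                return i
            prev = stored["hash"]
        return None


def authorize(trail, user, role, action, resource):
    """Deny by default and record every decision, denials included."""
    allowed = action in ROLE_PERMISSIONS.get(role, set())
    trail.append(user, role, action, resource, allowed)
    return allowed
```

The chain detects edits and reordering of stored entries; detecting deletion of the newest entries additionally requires keeping the latest hash somewhere the application cannot overwrite.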

Reliability

Software systems (especially in the healthcare industry) need to collect, store, and process data in a safe manner. This is not the only thing to keep in mind, though. As application developers, we need to be aware that systems we work with can affect people’s health and life — especially if they don’t work.

  • Data loss prevention: data immutability, regular backups, data fingerprinting, etc.
  • Infrastructure and deployment automation,
  • Logging: extensive, but omitting sensitive data,
  • Infrastructure monitoring,
  • Reliable error reporting,
  • Chaos engineering.
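An added example, not code from the original article: a `logging` filter that keeps log messages but masks several of the identifier types listed under PHI (email addresses, telephone numbers, social security numbers, dates of birth) before they reach any handler. The patterns, labels and the `PHIRedactingFilter` name are constructed for illustration and assume U.S.-style formats.

```python
import logging
import re

# Constructed patterns for a few PHI identifier types (U.S. formats assumed).
# SSN runs before PHONE so a 3-2-4 digit group is labelled correctly.
PHI_PATTERNS = [
    ("EMAIL", re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")),
    ("SSN", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("PHONE", re.compile(
        r"(?<!\d)(?:\+1[ .-]?)?\(?\d{3}\)?[ .-]?\d{3}[ .-]?\d{4}(?!\d)")),
    ("DATE", re.compile(r"\b\d{4}-\d{2}-\d{2}\b|\b\d{1,2}/\d{1,2}/\d{4}\b")),
]


def redact(text: str) -> str:
    """Replace every matched identifier with a fixed label such as [EMAIL]."""
    for label, pattern in PHI_PATTERNS:
        text = pattern.sub(f"[{label}]", text)
    return text


class PHIRedactingFilter(logging.Filter):
    """Masks identifiers in the final message, including %-style arguments."""

    def filter(self, record):
        # Merge args into the message first so values passed as parameters
        # are redacted too, then drop args so they are not formatted again.
        record.msg = redact(record.getMessage())
        record.args = None
        return True  # keep the record; only its content changes


def build_logger(name="app"):
    """Return a logger whose handler redacts before emitting."""
    logger = logging.getLogger(name)
    handler = logging.StreamHandler()
    handler.addFilter(PHIRedactingFilter())
    logger.addHandler(handler)
    return logger
```

Pattern matching catches only identifiers with a recognizable shape (names and free-text details pass through), so it works as a backstop behind code that avoids logging PHI in the first place.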

Impact

As we have seen, bringing a new software system to market is a process that requires a lot of consideration, effort, and caution. With all the challenges, however, come a number of unique opportunities.

  • Improving patient experience in (typically stressful) life situations related to their health, or
  • Making the complex world of healthcare more effective in general.

There is something in it for you, too!

Working on healthcare projects might not only be rewarding, but it can also be a great experience for your professional career.

Summary

Hopefully by now, you have a better understanding of some of the aspects of software projects that are unique to the healthcare industry.

Tech Lead, Full Stack Developer, Consultant
