How to apply MyPy in health care?

By Tamara
30.08.19 13:02

Online Consultation between a Doctor and a Patient

Key Words:  health, patient, doctor, online, consultation, chat, sensitive data, security, cloud, app, web, human2human, SDK

MyPrivacy Core Components:  SDK

Length to read:  2 minutes

MyPrivacy's technology can be applied almost anywhere information is transferred – whether between people, between machines or in a hybrid setting. In this new series, each installment will highlight one of the many potential use cases that can benefit from our innovations.

 

We start off with a highly sensitive and personal topic: healthcare – online doctor visits as well as online medical consultations. The challenge we will tackle here is to provide end-to-end security to an existing web-based and mobile application.

 

There is a plethora of chats and video conferencing tools available both for desktop and mobile devices – but how secure are they? How much expertise on data safety must a physician or patient bring before deciding on one? And finally: who shall take responsibility when data gets leaked – be it from the device, the application or the intermediate connection provider?

A problematic solution often employed is to use a patchwork of different products. On the one hand, it is often hard, if not impossible, to determine who is responsible for the security of the entire system. On the other hand, any interface between the components of such an assembly might be the "weakest link", possibly jeopardizing the security of the entire system.

 

We are fairly certain that even just today many or most of our readers have visited a website and clicked away a banner about cookies and third-party access to their data, without ever bothering to read the actual privacy policy or terms of service of the site – entrusting the company behind the website with all their personal data. What are the legal obligations of the site owner? What can they do with the user's data? How do they respond to a data breach? In most cases all these questions remain unanswered. While this might be sufficient for innocuous pictures from the last holiday trip, it most certainly is not enough for highly sensitive information such as health data, which deserves the highest possible protection.

 

With those arguments in mind, we have observed a shift in strategy among the companies we have contact with: more and more of them prefer an integrated, monolithic service with end-to-end encryption. (When correctly implemented, this security layer protects the data from the moment it is created to the moment it is read.) Whereas in the past it might have been acceptable to provide a service that runs on multiple services simply tied together with scripts, nowadays there are laws and regulations under which such behaviour may be considered negligent and which impose potentially substantial fines in cases of data breaches. As a result, relevant stakeholders tend either to shun public cloud infrastructure altogether or to prefer highly specialised (and thus highly priced and inflexible) bespoke infrastructure fine-tuned to their needs, in the hope of evading the daily onslaught of ever more ingenious attacks.


In this use case we consider a SaaS (software as a service) provider offering physicians an end-to-end encrypted tool to perform online doctor visits as well as online medical consultations – aiming for increased flexibility, efficiency and capacity for everyone. Implemented directly, however, end-to-end encryption is still incapable of protecting data in the event that one of the devices is compromised.

 

During a workshop with the client we determined, amongst others, the following parameters:

-  type, lifecycle and scope of the data generated
-  people who require access
-  the scope of their access and
-  procedures to share, disseminate and revoke access to selected files and / or groups thereof


The underlying data structure of MyPrivacy allows us to propose an architecture in which the service provider supplies the necessary infrastructure as off-the-shelf appliances from any public cloud (such as AWS, Azure or Google Cloud) as well as the data scaffold, while the ultimate data ownership and guaranteed privacy remain with the patient. At the same time our flexible SDK (software development kit) allows the application development team to simply apply our solution and focus on their core competences.

 

The application also supports billing the patient directly for the provided services – thus it handles not only medical data, but also personal data (e.g. address), calendar entries and invoices. This kind of data is stored in a regulatory-compliant way, so that the resulting invoices can be accepted by both the tax authorities and the insurance companies.

 

MyPrivacy was designed and built from the beginning with the core tenet of providing added value to every party involved. In this use case both the doctor and the patient can give their full attention to the medical topic at hand, having the peace of mind that the confidentiality of all the data they share with each other is guaranteed.

Book your personal meeting with our experts now, so that we can understand and address your specific needs.