Bulletin, Member News

Security Of Patient Data During Research and Pilots Programs

December 1, 2017

By Paola Bonilla

The option that patients have right now about participating in research or a pilot program sending health Information remotely to HealthCare Institutions, Providers, Payers and Pharma has shown tremendous benefits in improving patient treatments, including medication. But the more remotely devices usability to send health or medical data, the more vulnerabilities in the management, visualization and storage of that data.

Digital companies working on behalf of those Health Institutions have to be in compliance with HIPAA law and have to adopt best practices handling Protected Health Information and Personal Health Information.

Here are some guidelines provided by Wilson Jaramillo, VP of engineering and technology at esvyda Inc.:

Several challenges have to be faced while adoption of security strategies:

  • Maintenance of software performance
  • Management of data registries
  • Management of security vs. latency of processes
  • Security of data vs. execution time, while ensuring systems do not collapse
  • Multithread administration to optimize hardware usage and provide traceability of every transaction done that involves data synchronization with mobile applications or third party systems.
  • Disaster recovery policies that allow to keep a secure backup of the data in different locations along with standby instances of the databases that increase the availability of the data if something happens or any maintenance is being done
  • Monitoring of user activities inside the application system, follow architectures like actor, action done, data modified, source of modification done, geolocation.

Combining strategies

Combined strategies may improve security. Those may include but are not limited to: Encryption, Hardware Security Modules (HSM), Decrypted keys during a limited user session (validation without compromising security). Strategies to detect weird behaviors of user accesing data from other devices different from those usually used by him.

Among other strategies, the use of standards and security policies with internal control of the company may allow the correct adoption of the tools that maintain secure data, including systems that monitor the user activities, performance of the Operating System, and correct performance of data base, integrity of cache, load balancers, data base cluster sync and Firewall with real-time feedback of application software usage.


The encryption of data is also a good strategy. The implementation of AES 256 to encrypt data at rest with initilization vectores, store the decryption keys encrypted, usage of a master decryption key inside an HMS system which is independent of application software, generate a different encryption key for every patient and for every kind of data, avoiding dictionary attacks that facilitate the easy decryption beyond a database register, because the computational effort would be high. It is very important the communication of data transmitted between networks, using secure protocols and implementing strategies to avoid atatcks like the man in the middle. Protecting software deployment and data base to isolate the enviroment to only be accesible to authorized people and by the authorized applications using HTTPS implementations. To encrypt data at rest, access to the end user application always over HTTPS.

Read more here: