Secure and compliant provisioning of health data in Germany, the US, France and Australia, and certification of the solution according to ISO 27001.
ABOUT THE COMPANY
The customer is a leading provider of products and solutions for ophthalmology, neurosurgery, ENT surgery, dentistry and oncology. The company offers a medical cloud platform for end-to-end management of patient data from diagnosis to OR report.
With 800,000 operations per year in Germany alone, cataract surgery is the most common operation worldwide. It becomes necessary when a patient's eye lens becomes cloudy or its refractive power changes; the medical term for this is cataract. During cataract surgery, the natural lens is removed and replaced by an artificial lens (intraocular lens, IOL).
With an existing solution, doctors can collect measurement data during the eye exam that will be used for the following surgery. Within a clinic or a larger practice, this data always remains in a closed network. However, it is becoming increasingly common for the biometric data concerning a diseased eye to be collected in the practice of a general practitioner who then performs the operation as an attending physician in an eye clinic or in an outpatient surgery center.
The project developed a cloud platform to ensure that patient data is always available where it is needed, securely and in compliance with legal regulations. direkt gruppe supported the certification of the solution according to ISO 27001 and carried out architectural consulting. The change from a medical system to a (cloud) service provider on a global scale brought additional complexity to the project.
OUR PROPOSED SOLUTION
To ensure lasting regulatory and ISO 27001 conformity, an information security management system was set up and certified with the support of the direkt gruppe and with the help of the company's own standardized "Compliance as a Service" procedure model.
The customer used the company’s own procedure to select the cloud provider, whereby the selection was also evaluated and recommended by the direkt gruppe.
For the solution, the client (with the support of a carefully selected software manufacturer) developed a mobile application based on its own strictly regulated development processes. The data transfer process was to be replaced by a serverless cloud solution from AWS. With our Compliance as a Service (CaaS) approach, we defined the necessary technical and operational measures (TOM) and certified the solution according to ISO 27001.
The proposal provides a serverless solution for secure and compliant data exchange between a local customer application and an iPad app. The app is used to transfer data to the medical device in a hospital.
Architectural consulting took place with one of our AWS Professionals, so that the cloud provider's requirements for a "well architected" infrastructure were also fulfilled.
AWS AS A CENTRAL PART OF THE SOLUTION
The company has developed a mobile application that the resident physician can install on his own mobile device in order to retrieve the previously collected measurement data for his OR planning and to transfer it to the OR device.
For the described procedure, the application uses various services of the cloud provider AWS. While the AWS Key Management Service is used for complete encryption of recorded data, Amazon DynamoDB and Amazon S3 buckets ensure availability and compliant storage of all data. The authentication process for data transfer is ensured by the AWS service Amazon Cognito.
Automation and code execution are realized with Lambda functions.
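As an added illustration of how the "complete encryption" requirement on the storage layer can be verified in a Compliance-as-a-Service style check (example code, not the project's own): it evaluates an S3 default-encryption configuration and a bucket policy in the shape the AWS API returns them and reports whether KMS encryption with an explicit key is enforced. Bucket names and key ARNs are constructed placeholders, not values from the case study.

```python
import json

# Constructed default-encryption configuration, shaped like the response
# of s3:GetBucketEncryption. Key ARN is a placeholder.
BUCKET_ENCRYPTION = {
    "ServerSideEncryptionConfiguration": {
        "Rules": [{
            "ApplyServerSideEncryptionByDefault": {
                "SSEAlgorithm": "aws:kms",
                "KMSMasterKeyID": "arn:aws:kms:eu-central-1:111122223333:key/EXAMPLE-KEY-ID",
            },
            "BucketKeyEnabled": True,
        }]
    }
}

# Constructed bucket policy: rejects uploads that do not request SSE-KMS,
# so unencrypted objects can never land in the bucket.
BUCKET_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyUnencryptedObjectUploads",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:PutObject",
        "Resource": "arn:aws:s3:::example-measurement-bucket/*",
        "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}},
    }]
})


def default_encryption_uses_kms(encryption_cfg: dict) -> bool:
    """True if default encryption is SSE-KMS with an explicitly named key."""
    rules = encryption_cfg.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    for rule in rules:
        default = rule.get("ApplyServerSideEncryptionByDefault", {})
        if default.get("SSEAlgorithm") == "aws:kms" and default.get("KMSMasterKeyID"):
            return True
    return False


def policy_denies_unencrypted_puts(policy_json: str) -> bool:
    """True if a Deny statement blocks s3:PutObject without SSE-KMS."""
    for stmt in json.loads(policy_json).get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        cond = stmt.get("Condition", {}).get("StringNotEquals", {})
        if (stmt.get("Effect") == "Deny" and "s3:PutObject" in actions
                and cond.get("s3:x-amz-server-side-encryption") == "aws:kms"):
            return True
    return False


def bucket_is_compliant(encryption_cfg: dict, policy_json: str) -> bool:
    """Both controls must hold: a KMS default and a policy that enforces it."""
    return default_encryption_uses_kms(encryption_cfg) and policy_denies_unencrypted_puts(policy_json)
```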
For permanent information security, an ISMS (Information Security Management System) was set up and integrated into existing corporate structures and processes. Changes to the application or the infrastructure are controlled via the integrated management system. New policies have been created and roles and processes defined and implemented for the organizational implementation of information security.
REALIZED RESULTS AND POTENTIALS
ISMS development could be accelerated with the help of the direkt gruppe's standardized framework, the partner TÜV Trust IT and existing expertise. During the audit at the customer, it was stated: "It is rare to experience that an ISMS is up and running after just 12 months. Most organizations need about two years and even then, the system is still very patchy."
A particularly good decision was to choose Amazon Web Services as a partner that acts globally and for its part knows and fulfills the security and compliance requirements worldwide. Thanks to serverless technology from AWS, the customer only uses and pays for capacity that is actually needed. Unused resources are automatically shut down and any data deleted. In this way, the solution not only works cost-efficiently, but also meets basic requirements for data economy and data protection.
An efficient and targeted selection and evaluation process has helped to select the right partner in the market. The existing partnership between direkt gruppe and AWS resulted in close cooperation with the provider, who has shown particular interest and support for the company’s solution in the highly regulated medical products sector.
With AWS and direkt gruppe, the client achieved a validation of technical feasibility and a roll-out to pilot markets in Germany, France, the USA and Australia.
The jointly developed architecture is sustainable and also offers a long-term basis for implementations in other applications.