Return to site

Perfect Ward security

Some background to the high standards we hold on app encryption

I came across an interesting article on the failed effort for the NHS to produce a curated list of apps for wider use today:

(This is not a new article by the way - I saw the link to it whilst looking at the more recent news announcing "National Health Service to distribute free health apps & devices to millions of patients" - a separate but also really interesting development)

To quote from that article:

They found that none of the apps encrypted data on the device (including [Protected Health Information - PHI]). Of the 35 apps that sent identifying information via the Internet, two thirds did not use any encryption. And four apps sent PHI without any encryption.​

This came as a surprise to us, but perhaps highlights the poor standard of data security that most apps are working with and explains the cautious approach many healthcare professionals take to implementing an app approach.

Perfect Ward takes a different approach. Firstly, it's worth pointing out that Perfect Ward is not an app designed to deal with Protected Health Information (PHI) - and we are clear throughout the app that users should not capture any data or images that are confidential to patients. So overall, we shouldn't be so concerned about data security as these other apps. Despite this, we still feel that the security of our users' data is extremely important. Therefore we have designed Perfect Ward to meet the standards that those other apps (which do handle PHI) failed to.

Encrypting information transferred via the Internet

Perfect Ward sends all its information between the app and the cloud server fully encrypted, so any information that you send (submitting inspection reports) or receive (reviewing data in Perfect Ward) is securely transmitted. In fact we use a 256 byte key, and to quote from our security certification supplier:

Our SSLs use SHA-2 and 2048-bit encryption to stop hackers in their tracks. That’s the strongest encryption on the market today. It’s virtually uncrackable.​

Data transmission encryption strikes us as a basic requirement, and we purchased and implemented SSL certification even when Perfect Ward was at a very early stage of development - it's sad that two thirds of the apps tested didn't feel the same way, and an outrage that four that were transmitting PHI did not encrypt that data transmission.

Encrypting data on the device

It's worth noting that the risk of data being vulnerable here is lower - iOS and Android devices are generally "sandbox" environments, that is they are self-enclosed and do not give other applications (malicious or otherwise) access to external data. This is why iPhones and Android phones are far less susceptible to any sort of virus or malware. But they are not completely invincible under all circumstances - if an iPhone is "jailbroken" or an Android device is "rooted" for example, that has the potential for other applications to access data held in unencrypted apps. The way to prevent this is to internally encrypt the app data on the device. We have done this with Perfect Ward, although sadly the study mentioned above found that none of the apps they tested had done so.

For those of a technical bent, we achieve this by using Realm, and to quote from their encryption documentation:

Realm supports encrypting the database file on disk with AES-256+SHA2 by supplying a 64-byte encryption key when creating a Realm​

As an additional level of security, we don't even store the 64-byte encryption key on the device - it is kept securely on the server and can only be retrieved for use within the app once a user has authenticated their credentials by logging in.

It's worth pointing out that the original Imperial College London study (you can read it here) is now over a year old and so standards have hopefully improved. It's a shame that not all apps work to a high standard of data security, but we're proud that Perfect Ward does.

All Posts
×

Almost done…

We just sent you an email. Please click the link in the email to confirm your subscription!

OKSubscriptions powered by Strikingly