Missing the Point of Data Security Daniel Young 5 September 2022

Missing the Point of Data Security

Unlocked padlock

Lock the front door, but leave the windows open… 🚪 🔐 😀 🪟🔓🤦

Sure is safe, with three locks on the door, but only a latch on the window.

Too many companies in a rush to get a product to market cut corners on security.

It’s really inexcusable for a health tech company to market a product that’s supposedly secure—keeping patient data safe—but leaves the “windows wide open” in their API allowing access to what should be secured data.

Last weekend, I read an article that Oliver Eidel posted about a Germany company that despite having ISO 27001 and ISO 9001 certifications, completely missed the point and designed an API that was basically unsecured. With ease, researchers were easily able to access private data by using the company’s websites’ URLs and endpoints. 😳

Even though this company got the important data security certifications, they failed to miss the point of having them.

Putting software out there with these kinds of security flaws is not just bad, it breaches the trust of an industry.

Testing security needs to be part of every stage of development. Using encryption and good key management, zero-trust, etc. should be expected.

Checking for bugs in software is part of it, but a venture must always be looking for security gaps at every level of their technical design. 🕵️♀️

Implementing ongoing security testing and reporting must also be part of the process. Having a QA team who knows this, and can do it, is also vital to ensure patient data is safe.

Every digital health venture should strive for the highest levels of security in design, development, and operation of their products. 👍

And this attitude needs to come from the top; don’t take shortcuts as in the end, you’ll risk your product, your good will, and your venture.


In the comments below, I posted some links that could be useful. The first to the research on the company I referenced, the others to FDA and EU MDCG documents outlining best practices for cybersecurity in medical software.