Data security has proven to be a recurring challenge for the healthcare industry, where legacy systems are being compromised with frustrating regularity. For digital health company Volpara Health Technologies, however, the criticality of data-driven artificial intelligence meant building security into the core of its development processes.
At just a bit over three years old, the New Zealand-based company – whose core technology interfaces with breast-screening equipment to evaluate the accuracy and specificity of its imaging in real time – had the luxury of working from a clean slate, chief information officer Gareth Beaumont told CSO Australia.
“A lot of our product suite is relatively new,” he explained, “and being able to leverage them to supply services in a secure manner has really been a benefit.”
“Because it has been a greenfields start from a project perspective, we haven’t had that existing technical debt to battle with and work around.”
The company’s youth meant it could not only build its operations around ISO 27001 security processes, but also extend those processes to its core cloud-based platforms, which run on the Microsoft Azure public cloud.
With new containers being regularly spun up and down in the cloud as part of its continuous integration/continuous delivery (CI/CD) processes, building Volpara’s core technologies in the cloud could have required manual management of containers and the data they contain – an error-prone process that has already caused data breaches for other organisations.
To streamline this process, Volpara’s development team has integrated Tenable.io Container Security vulnerability-management tools that automatically review containers as they are being developed, and as they are deployed.
Tracking of deployed containers ensures that unused or outdated containers aren’t left to create potential security vulnerabilities – providing a smoother development cycle that also increases the efficiency of resource utilisation. Paired with Tenable’s Nessus Pro vulnerability scanner, the tools have given the company deep insight into the integrity and security of its development and deployment processes.
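To make the two checks described above concrete – gating a build on its container scan, and sweeping for deployed containers that have gone stale – the following is an added Python example. It is not Volpara’s pipeline and does not use Tenable’s API or report format; the scan report layout, the risk-acceptance register, the container inventory and the finding identifiers (EXAMPLE-*) are all constructed for illustration. The gate treats an accepted risk as valid only until its recorded expiry, so a sign-off has to be revisited rather than silently living forever; the sweep flags a container both when its image digest is no longer in the approved set and when it has simply been running long enough to predate the latest scan cycle.

```python
"""CI gate for container image scan results, plus a sweep for stale deployed
containers. This is an added illustration, not Volpara's pipeline or Tenable's
API: the report layout, the risk-acceptance register, the container inventory
and the finding IDs (EXAMPLE-*) below are all constructed for the example."""
from datetime import datetime, timedelta, timezone

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Fixed "current time" so the example is deterministic (constructed).
NOW = datetime(2024, 1, 15, tzinfo=timezone.utc)

# Constructed scan report for one freshly built image.
SCAN_REPORT = {
    "image": "registry.example/api@sha256:aaaa",
    "findings": [
        {"id": "EXAMPLE-0001", "package": "libssl", "severity": "critical", "fixed_in": "1.1.1k"},
        {"id": "EXAMPLE-0002", "package": "libxml2", "severity": "high", "fixed_in": None},
        {"id": "EXAMPLE-0003", "package": "curl", "severity": "low", "fixed_in": "7.79.0"},
    ],
}

# Constructed risk register: a finding may be accepted for a bounded period
# with a recorded reason. EXAMPLE-0001's acceptance has already expired.
ACCEPTED_RISKS = {
    "EXAMPLE-0001": {"expires": "2023-12-31T00:00:00+00:00", "reason": "vendor patch pending"},
    "EXAMPLE-0002": {"expires": "2024-03-01T00:00:00+00:00", "reason": "no fix; code path unreachable"},
}


def gate(report, accepted_risks, now, fail_at="high"):
    """Return (passed, blocking_ids).

    A finding blocks the build when its severity is at or above fail_at and
    it is not covered by an unexpired acceptance. Expired acceptances count
    as absent, so a sign-off must be renewed rather than living forever.
    """
    threshold = SEVERITY_RANK[fail_at]
    blocking = []
    for f in report["findings"]:
        if SEVERITY_RANK[f["severity"]] < threshold:
            continue
        acc = accepted_risks.get(f["id"])
        if acc and datetime.fromisoformat(acc["expires"]) > now:
            continue
        blocking.append(f["id"])
    return (not blocking, blocking)


# Constructed inventory of what is currently running in the environment.
DEPLOYED = [
    {"name": "api-1", "digest": "sha256:aaaa", "started": "2024-01-10T00:00:00+00:00"},
    {"name": "api-old", "digest": "sha256:0000", "started": "2023-11-01T00:00:00+00:00"},
    {"name": "worker-1", "digest": "sha256:bbbb", "started": "2023-10-01T00:00:00+00:00"},
]
# Digests of images that passed the most recent scan (constructed).
APPROVED_DIGESTS = {"sha256:aaaa", "sha256:bbbb"}


def stale_containers(deployed, approved_digests, now, max_age_days=30):
    """Map container name -> reasons it should be torn down or rebuilt.

    Two checks: the image digest is not in the approved (scanned and passed)
    set, or the container has run longer than max_age_days, so its image
    predates the most recent scan cycle regardless of what the digest says.
    """
    cutoff = now - timedelta(days=max_age_days)
    flagged = {}
    for c in deployed:
        reasons = []
        if c["digest"] not in approved_digests:
            reasons.append("unapproved-image")
        if datetime.fromisoformat(c["started"]) < cutoff:
            reasons.append("older-than-%dd" % max_age_days)
        if reasons:
            flagged[c["name"]] = reasons
    return flagged


if __name__ == "__main__":
    passed, blocking = gate(SCAN_REPORT, ACCEPTED_RISKS, NOW)
    print("build gate:", "PASS" if passed else "FAIL", blocking)
    for name, reasons in stale_containers(DEPLOYED, APPROVED_DIGESTS, NOW).items():
        print("stale:", name, ",".join(reasons))
```

Run as-is, the gate fails the build on EXAMPLE-0001 because its acceptance expired, while EXAMPLE-0002 passes under a still-valid acceptance and EXAMPLE-0003 sits below the threshold; the sweep flags api-old (unapproved image, and too old) and worker-1 (approved image, but running longer than the 30-day window).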
The approach “has helped us do, in a lot more automated manner, the internal vulnerability testing that you would expect from companies with many terabytes of [sensitive] data like we have,” Beaumont said.
“Security is very much at the forefront for us, and we are running weekly checks against our internal infrastructure, against PCs, and against our products to see whether there is anything new that has popped up that we weren’t aware of.”
Automation has helped the growing company reduce the number of people tasked with manual code reviews, allowing it to redirect their efforts into other product improvements.
While the security processes have dovetailed with the company’s agile development and deployment processes, they have also resonated within the ISO 27001 and ISO 13485 (for medical devices) frameworks with which executives and customers are deeply engaged.
That has helped keep the importance of information security at the forefront, Beaumont said, with the development teams able to work proactively and communicate with the business in the common language of risk.
“When it comes to developing the system, and particularly trying to protect the data, everything is risk-based,” he explained.
“As new vulnerabilities arrive, we are evaluating them from a risk perspective and evaluating the probability of those occurring in the worst-case scenario. It really does drive how we make our architectural decisions, and even how we are making some of our system-introduction process decisions.”
That decision-making process is supported by a security team that has promoted cybersecurity awareness training “to make sure everyone has a certain paranoia about how they’re clicking emails and links,” Beaumont said.
“There is only so much that our systems can detect or prevent, so the human factor is still very much a high risk factor for us. It’s an ongoing battle, and – as any good CISO will attest – it’s not a case of putting up a wall and expecting it to stop.”
Engagement around continuous security awareness has been helped by forming the company’s security team with stakeholders “from every team in the company”, Beaumont added.
“It’s not necessarily technical nous that we’re after. Being able to explain to a particular member something they’re unsure about, and then having them champion how that is explained to the team, has been of quite high importance as well.”
“Everyone has a slightly different twist on how things should be dealt with, so it’s all about actively maintaining awareness of how things should be done.”