Security controls needed for a secure EHR application



Security controls needed for a secure EHR application

Deterrent controls

These controls are intended to reduce attacks. These should include warnings and signs informing potential attackers that there will be adverse consequences for them if they proceed - such as legal action etc. These controls reduce security threats.

Detective controls

These controls detect and react to security incidents. These controls include monitoring system wide events, detecting intrusions by matching events against attack patterns, etc.

Data Protection controls

Data, both in transit and at rest, needs to be protected. Critical patient information needs to be stored in encrypted form and transmitted in secure connections such as SSL/TLS. The secure connection needs be end-to-end. Data backups also need to be stored in encrypted form.

Corrective controls

Corrective controls correct the security breaches and aim at limiting the damage. These include restoring data from a backup in the event of data loss or corruption, blocking users from access to the system that are suspicious, changing encryption keys and passwords, etc.

Preventive controls

These controls prevent security breaches. These include authentication and authorization mechanisms and removing software and system vulnerabilities against known attacks.