Last year, several people tried to break into Minddistrict’s systems. Malicious hackers? No, they were security consultants. They turned our systems inside out, looking for security and design flaws.
“At our request, they tried to gain ‘unauthorised access’ to the Minddistrict platform, from the outside, but they were unsuccessful. In addition to these ‘black-box’ penetration tests, they performed ‘crystal box’ tests, with full access to the applications’ source code,” explains Sil Westerveld, security specialist at Minddistrict. “They analysed the platform’s vulnerabilities. In this way, they were able to detect as many security and design flaws as possible.”
“Web application good, firewall excellent”
So what did they find? Regarding security risks, things were not too bad. The score for the system components tested – mobile apps, web application plus API, and firewalls – was 5/7, which is officially classified as ‘good’. In the follow-up test (which must be performed within 90 days), the web application scored no less than 6/7 and the firewalls 7/7 (officially classified as ‘excellent’). NCC Group concluded that there was improvement in each individual component. The final report stated that “The security level is higher than what is generally seen in the market segment in which Minddistrict operates”.
Although most of the points reported were improved straight away, some improvement points required a little more time. These improvements will be rolled out shortly, to raise our web application and API to the 7/7 level as well. There will soon be an opportunity to check this, as Minddistrict performs security tests at regular intervals.
Sil, the security specialist, explains how the firewalls were able to achieve such high scores in the follow-up test. “We fine-tuned the settings even further. This means that, in addition to imposing restrictions on incoming traffic, we strictly regulate our platform’s outbound traffic.”
Strict requirements needed for optimal security
Why is that important? “There are some internet servers that you can’t access from our platform. This is strict, but it is essential for optimum security. If a hacker were to discover a vulnerability in our system, he could try to exploit that by downloading malicious code to our systems, or by sending our data to himself, for example.
In addition, the VPN connections to our customers (and various other services) have been fine-tuned to ensure that no obsolete security techniques are used for encrypting connections. During telephone debriefing interviews with NCC Group, we were told that our firewalls’ configuration was ‘military grade’, involving a degree of precision that is seldom seen, even by NCC Group.
Security by design
“From the very start, we designed our platform with security constantly at the back of our minds. We like to call this ‘security by design’”, Sil adds. While he is, of course, responsible for system security, he also feels responsible for the users’ security. After all, they must be able to blindly rely on us to operate our system as securely as possible.
And how did those users respond? Sil smiles. “With things like this, if you get it right then the users won’t notice anything at all. And that’s how it should be.”
NCC Group’s overall report, which is in English, is available on request.
Want to know what you can do to keep patient data safe? Read it here