dom & tom nyc healthcare cloud meetup case study (5/4)

DOM & TOM INC DOMANDTOM.COM NEW YORK: 646 741 5049 / CHICAGO: 773 377 5585 DOMANDTOM.COM NYC 646.741.5049 / CHI 773.377.5585

Upload: dominic-tancredi

Post on 21-Feb-2017


Page 1: Dom & Tom NYC Healthcare Cloud Meetup Case Study (5/4)


Page 2: Dom & Tom NYC Healthcare Cloud Meetup Case Study (5/4)

Do Good. Be Good. That’s what we do.

Page 3: Dom & Tom NYC Healthcare Cloud Meetup Case Study (5/4)

WHO AM I?

Dom Tancredi
» Full-Stack Developer of 18+ years.
» CTO School Member (since 2014).
» Fun Fact: Theatre + Computer Science degrees.
» Certified ScrumMaster + Product Owner.

Dom & Tom
» Launched 90+ mobile // 300+ web products.
» 60 team members.
» New York, Chicago & Los Angeles.
» Digital product development agency.
» Enterprise + startup-friendly.

Page 4: Dom & Tom NYC Healthcare Cloud Meetup Case Study (5/4)

D&T BREAKDOWN

Page 5: Dom & Tom NYC Healthcare Cloud Meetup Case Study (5/4)

CASE STUDY: Dignity Health Hospital Group

Page 6: Dom & Tom NYC Healthcare Cloud Meetup Case Study (5/4)

OPPORTUNITY

Goals
» Bring the brand to the 21st century on mobile and tablet.
» Grow relationships with patients.
» Stay within the InfoSec and legal policies of the hospital.

Page 7: Dom & Tom NYC Healthcare Cloud Meetup Case Study (5/4)

SOLUTION

The Product
» St. Rose's NICU app reaches out to new parents on mobile and tablet.
» Cross-platform marketing approach to communicate with parents.
» Portfolio of products:
  » iPhone, iPad, Android phone and tablet.
  » 2 hospital NICU centers.

Page 8: Dom & Tom NYC Healthcare Cloud Meetup Case Study (5/4)

SOLUTION

Mobile
» iOS and Android phone and tablet applications for Dignity Health Group’s neonatal intensive-care unit (NICU).
» The hospital group was not granted access to retrieving cloud patient data.
» The applications track and graph measurements and feeding data.

Information is provided to doctors for tracking child progress after parents bring their infants home. All data is stored locally.

Page 9: Dom & Tom NYC Healthcare Cloud Meetup Case Study (5/4)

SOLUTION

Mobile
» Strong collaboration with Dignity Health’s legal team to approve all content.
» Architecture for white labeling and sharing resources among applications made building and deploying much more efficient.
» 6 applications were built.
» iOS: utilized a multi-target codebase with a core library for specific packages, extended to custom visuals.
» Android: utilized a core library (package-first) philosophy to integrate into custom product versions.

Page 10: Dom & Tom NYC Healthcare Cloud Meetup Case Study (5/4)

SOLUTION

Mobile
» Encryption of data locally in key-value pairs.
» Data is decrypted only when visualized and viewed by users.
» iOS data stored in key-value pairs, which, since iOS 6, has encryption built in.
» Recommended: RNCryptor (iOS) and AESCrypt (Android) for higher-order encryption (AES-256) when customizing encryption on top of the datastore.
» Datastore (iOS): CoreData, SQLite, Plist, Keychain as potential vectors for lifting datasets out of the system.
» Datastore (Android): Database, Internal // External Storage, SQLite, Shared Preferences (similar to Keychain).
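The pattern on this slide (values encrypted at rest in a key-value store, decrypted only at the moment of display, AES-256) as an added example; this is illustrative code written for this transcript, not Dom & Tom's app code, and it uses Go's standard library rather than RNCryptor or AESCrypt so it can run anywhere. The record names and the feeding entry are constructed sample data, and the key is held in memory only; on a device it would be kept in the iOS Keychain or Android Keystore, never beside the records.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// ErrTampered is returned when a stored record fails authentication:
// modified ciphertext, a truncated blob, or a record moved under another name.
var ErrTampered = errors.New("record failed authentication")

// EncryptedStore keeps every value encrypted at rest under AES-256-GCM.
// The key lives only in memory here (hypothetical simplification); on a
// device it belongs in the Keychain or Keystore, not in the data file.
type EncryptedStore struct {
	aead cipher.AEAD
	data map[string][]byte // name -> nonce || ciphertext || GCM tag
}

// NewKey draws a fresh 32-byte (AES-256) key from the OS CSPRNG.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// NewEncryptedStore refuses anything but a 32-byte key so that a short or
// hard-coded "password" cannot silently downgrade the cipher.
func NewEncryptedStore(key []byte) (*EncryptedStore, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 requires a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &EncryptedStore{aead: aead, data: make(map[string][]byte)}, nil
}

// Put seals value under a fresh random nonce. The record name is passed as
// GCM additional data, so a blob copied from one name to another will not open.
func (s *EncryptedStore) Put(name string, value []byte) error {
	nonce := make([]byte, s.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	s.data[name] = s.aead.Seal(nonce, nonce, value, []byte(name))
	return nil
}

// Get decrypts a record only at the moment it is needed for display.
func (s *EncryptedStore) Get(name string) ([]byte, error) {
	blob, ok := s.data[name]
	if !ok {
		return nil, errors.New("no such record")
	}
	ns := s.aead.NonceSize()
	if len(blob) < ns+s.aead.Overhead() {
		return nil, ErrTampered
	}
	plain, err := s.aead.Open(nil, blob[:ns], blob[ns:], []byte(name))
	if err != nil {
		return nil, ErrTampered
	}
	return plain, nil
}

// Raw and SetRaw expose the at-rest bytes so a test can confirm nothing is
// stored in the clear and can simulate someone editing the file on disk.
func (s *EncryptedStore) Raw(name string) []byte       { return s.data[name] }
func (s *EncryptedStore) SetRaw(name string, b []byte) { s.data[name] = b }

func main() {
	key, _ := NewKey()
	store, _ := NewEncryptedStore(key)
	// Constructed sample feeding entry, not real patient data.
	_ = store.Put("feeding/2017-02-21T08:00", []byte("bottle 45 ml"))
	fmt.Printf("at rest: %x\n", store.Raw("feeding/2017-02-21T08:00"))
	plain, err := store.Get("feeding/2017-02-21T08:00")
	fmt.Printf("for display: %q (err=%v)\n", plain, err)
}
```

GCM is used rather than plain AES-CBC because it authenticates the ciphertext: a record lifted from the datastore and edited, truncated, or swapped under a different name is rejected instead of decrypting to garbage that the charting code might plot.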

Page 11: Dom & Tom NYC Healthcare Cloud Meetup Case Study (5/4)

Personally identifiable information (PII) is any data that could potentially identify a specific individual. Any information that can be used to distinguish one person from another and can be used for de-anonymizing anonymous data can be considered PII.

SOLUTION

Server-Side
» AWS utilization was planned for in the product roadmap.
» AWS technologies roadmapped.

Page 12: Dom & Tom NYC Healthcare Cloud Meetup Case Study (5/4)

SOLUTION // PROCESS

» Planning: Project planning added milestones and estimations for user experience, design and sprint feature-set per platform for legal review.

» Legal: Created early relationship in process with legal teams on feature-set, design and implementation changes.

» “MLR:” Medical Legal Review where legal can make adjustments and changes to any part of an application.

» Planning: Planned per release platform for MLR.


Page 13: Dom & Tom NYC Healthcare Cloud Meetup Case Study (5/4)

DEVSECOPS @ D&T

» IP-range restricted access to servers.
» Key-restricted servers: access limited to DevOps + tech leads.
» Tech: AWS + DigitalOcean; Ansible; Docker + Rancher for dev, staging and production instances.
» Client-side encryption of data.
» Encryption via SSL communication to servers.
» MDM or testing: mobile device management, or testing with Hockey or TestFlight.

Ask yourself: How might someone access the data, the business logic, or spoof the experience?
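The first control on this slide, IP-range restricted access to servers, as an added example in Go; this is illustrative code written for this transcript, not Dom & Tom's infrastructure, and the CIDR ranges and request paths are constructed. It shows the deny-by-default allowlist and the check a reviewer would want: the decision is made on the transport-level source address, not on a client-supplied header such as X-Forwarded-For.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
)

// SourceAllowlist holds the CIDR ranges permitted to reach a restricted
// endpoint. Deny is the default: an empty list admits nobody.
type SourceAllowlist struct {
	nets []*net.IPNet
}

// NewSourceAllowlist parses CIDRs up front so a typo fails at startup
// rather than silently admitting or blocking traffic in production.
func NewSourceAllowlist(cidrs []string) (*SourceAllowlist, error) {
	al := &SourceAllowlist{}
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			return nil, fmt.Errorf("bad CIDR %q: %w", c, err)
		}
		al.nets = append(al.nets, n)
	}
	return al, nil
}

// Allowed reports whether a remote address (host:port as in
// http.Request.RemoteAddr, or a bare IP) falls inside a listed range.
// Header-supplied addresses such as X-Forwarded-For are deliberately not
// consulted: the client writes those, so trusting them defeats the control.
func (al *SourceAllowlist) Allowed(remote string) bool {
	host, _, err := net.SplitHostPort(remote)
	if err != nil {
		host = remote // no port component present
	}
	ip := net.ParseIP(host)
	if ip == nil {
		return false
	}
	for _, n := range al.nets {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// Middleware rejects any request whose transport-level source is not listed.
func (al *SourceAllowlist) Middleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !al.Allowed(r.RemoteAddr) {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	// Constructed office/VPN ranges (documentation prefixes), not real ones.
	al, err := NewSourceAllowlist([]string{"203.0.113.0/24", "2001:db8::/32"})
	if err != nil {
		panic(err)
	}
	for _, src := range []string{"203.0.113.7:51234", "198.51.100.9:443", "[2001:db8::1]:22"} {
		fmt.Printf("%-22s allowed=%v\n", src, al.Allowed(src))
	}
}
```

If the service sits behind a load balancer, RemoteAddr is the balancer's address, and the same rule then belongs on the balancer or security group rather than in a header-trusting application check.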

Page 14: Dom & Tom NYC Healthcare Cloud Meetup Case Study (5/4)

DEVSECOPS @ D&T

» InfoSec Policy defined at D&T.

» InfoSec Training with technical leads.

» Working to shape and share DevSecOps policies with startup clients (being aware of the OWASP Top 10, social engineering, etc.).

Page 15: Dom & Tom NYC Healthcare Cloud Meetup Case Study (5/4)

Questions?

Page 16: Dom & Tom NYC Healthcare Cloud Meetup Case Study (5/4)

THANKS!

Dom Tancredi (CEO & CTO) // [email protected]

DOM & TOM // domandtom.com // LinkedIn