Enhancing Security of CHT Apps through two Factor authentication (2FA)

As partners continue to use CHT in care coordination, they at times end up dealing with patient-level data. The health space is also becoming more stringent in terms of ensuring data security, with more countries requiring that extra security measures be put in place to ensure CHW phones are not exposed if they fall into the wrong hands. Some of the recent questions are whether it is possible to enforce two-factor authentication (2FA) on CHT. Some key reasons cited are to meet global cyber security requirements. I know MDMs have been explored as alternatives but wanted to hear if any member has experience on this, including any lessons or experiences to share.

4 Likes

Thanks for reaching out to get input on this Philip! Security is critical to the success of the CHT. We do have an open ticket on this, but it is not scheduled for development.

I’d love to hear what security requirements other partners have, but from an internal perspective, here’s some thoughts:

  • The URL you cited for MDMs, also mentions Full Disk Encryption of devices and requiring PINs to unlock devices. Both are a critical first line of defense for protecting Protected Health Information (PHI) found in the CHT.
  • CHT 3.10.0 added the ability to use Magic Links/Token Login. By sending an SMS directly to the phone, the CHW can login with one click. Their password is never written down or stored in a spreadsheet. This means it is not known to anyone and is also an un-guessable random string and incredibly secure.
  • Many deployments find that when a CHW accidentally logs out of the CHT (and they’re not using Magic Links), it can be very hard to log them back in. Deployments then remove the “Logout” button from their apps to prevent this (see can_log_out_on_android in the docs). Given this, extreme care should be used when making it harder to login by adding 2FA.
3 Likes

@philip as @mrjones points out, a lot of thought has gone into security aspects of the CHT and digital health deployments, and we continue to evaluate and implement appropriate security measures, so it is great that you are relaying the requests you hear about.

The issue you raise about CHW phones being accessed by unauthorized people is an important one, and a secure PIN and Full Disk Encryption are a key security measure. Using typical 2FA doesn’t provide additional security for Android apps if someone already has access to your phone, since the second code is sent to or shown on the same device. You could password protect the second factor app, but at that point you could just as well password protect the CHT app using a separate app lock app, like Norton App Lock. Keep in mind that adding a local password makes it harder to remotely support CHWs that get locked out. Mobile device management (MDM) software can sometimes provide similar functionality and be managed centrally. Some MDM software also offers the possibility of remotely deleting an app and its data if the device is lost or stolen.

So in summary, having a PIN and full disk encryption on the phone is a first step. Unauthorized access can be further limited by using an app PIN managed by an app lock tool or MDM. Removing data from lost or stolen devices can be done by some MDM tools. All additional security measures require sufficient technical support staff to support users.

It would be great to hear more deployment perspectives on this… does anyone else in the community have suggestions, or experiences/recommendations to share on app lock or MDM tools?

2 Likes

Speaking of security - is there such a thing as a set of penetration testing for the CHT? How might a national/regional/global partner gain assurance by conducting their own set of pen tests?

1 Like

is there such a thing as a set of penetration testing for the CHT?

Some penetration testing has been done on cht-core and issues have been fixed. There are some known issues remaining to be worked on. In addition library dependencies are kept up to date to resolve known issues that are found upstream.

Eventually the plan is to have automated penetration testing done so we can be notified when new vulnerabilities are found, or if we’ve changed something that’s caused a regression.

Keeping up to date with CHT Core releases is the best way to benefit from these continual security patches.

How might a national/regional/global partner gain assurance by conducting their own set of pen tests?

The industry standard penetration test usually involves covering the OWASP Top 10. There are tools which will check for these or they can be tested manually to verify a specific project isn’t vulnerable.

Outside of the CHT Core the things to be aware of are device security (as @marc pointed out) and also how private information is stored, particularly user passwords and exported data.

3 Likes