Healthcare Application Startup Allowing Users To Track Their Pain | .wrk

Task

When you work with personal data at a healthcare startup in 2022, you need highly secure infrastructure so that the data cannot be compromised by anyone, including your own team or any third parties. To achieve that, the project infrastructure usually needs to be rebuilt using up-to-date technologies and approaches to data protection. The project discussed in this case study is a Healthcare App*, built by a healthcare IT startup, that allows users to track their well-being and generate reports so their physicians can see their symptoms over time. Customers for this Healthcare App include insurance companies that are interested in helping their members at early stages of medical issues to reduce costs, which also makes it a B2B healthcare startup. The most important thing for these companies is the protection of their members’ data. The developer of the Healthcare App must complete a detailed IT Risk Assessment and ensure the app is SOC2 Type 2 certified before an agreement is completed. Therefore, our task was to rebuild the project infrastructure so that it could meet their requirements.

  * The project is under NDA, so we can’t mention the name of the application.

Action

The project was initially developed with custom code written in Drupal 6. However, this solution was neither good nor efficient in terms of data protection. The custom code had a lot of weak spots and could hardly incorporate any new functionality, meaning it would be difficult to meet the insurance companies’ requirements mentioned above.

Our first step to make it secure was to redesign the infrastructure and base it on microservices written in Symfony, a PHP framework known as one of the most secure solutions in the PHP ecosystem. A microservices architecture gives developers the opportunity to separate services, work on those pieces independently and keep them up to date, which increases the availability of the entire application.

The second step was to arrange a compliance structure to make sure that all the processes and the general workflow in the team matched the requirements. The structure was based on the HIPAA (US) and PIPEDA (Canada) laws for private-sector companies working with personal data. The updated workflow included a deployment process involving mutual code reviews and several roles to accept recent changes before they went live, which is important both for already operating and for new healthcare startups.

The last step was to get certified in terms of security by a specialized third-party company in accordance with SOC2 after integrating all the changes listed above. For this, the third-party company hired an external consultant to perform an application penetration test. This involved a set of attempts to hack the application and a report of all weak spots that were identified in it. The majority of them were discovered due to the use of elements of Drupal 6 in the project; however, it was not possible to get rid of it completely, as some of the core elements required it.

To undergo further certifications, we rewrote the majority of the project with Symfony as planned and left Drupal 6 only for our client’s purposes, such as the admin panel and a couple of other important features. Other parties no longer had access to the Drupal 6 features.

Result

After integrating all of the changes and marketing campaigns, the project showed a range of new metrics, listed below:

  • The application used to have unplanned downtime at least once a month before integrating new infrastructure, but it has not been down since the change.
  • API calls are now processed 5 times faster than before.
  • Code quality improved after introducing a new workflow based on Agile that includes development, QA and review stages with different roles. Releases used to take several months to commit; now they take only 2-3 weeks.
  • During the past year, the application gained 15,000 more users.
