When a healthcare startup handles personal data, it needs a system that keeps that data safe from breaches, whether the threat comes from your own team or from outsiders. Getting the data as safe as it can be usually means updating, or outright refactoring, the technology and the practices used to protect it.
This case study concerns a Healthcare App, a healthcare-technology startup. The app lets users track their health and share the data with their doctors through a mobile application or a website. Its customers also include insurance companies that want to help their members catch health problems early, which saves the insurers money, and that are therefore very concerned about the safety of their members' data. Before signing any agreement, these insurers required the company to complete a detailed IT risk assessment and to obtain a SOC 2 Type 2 report (an auditor's attestation that security controls operated effectively over a period; commonly, if loosely, called a certification). Our job was to bring the project's technology up to these requirements, which meant migrating it to a new stack.
- Location: Canada
- Product: Website and mobile application
- Scope of our work: Back-end, Front-end, Architecture
- Technologies: Symfony, Drupal 6, Node.js, React Native, Redux, React.js, MobX
- Team: Project Manager, Back-end Developer, React Native Developer
- Timeline: 5+ years of ongoing development
Regrettably, we cannot disclose the application's name, any screenshots, or a link to the product because of a non-disclosure agreement (NDA).
The project originally ran on custom code written for Drupal 6, which was poor at protecting data. The code base had many weaknesses, and it could not easily take on the new features that the insurance companies' requirements called for. Drupal 6 itself reached end of life in February 2016 and no longer receives official security updates from the Drupal project, so anything left running on it can only be protected by isolating it.
So the first step toward a more secure system was to rebuild it as microservices on Symfony, a mature PHP framework with a well-maintained security component. Splitting the system into services lets developers build, patch and deploy each part independently, so a fix to one component no longer waits on a full-system release; that keeps everything current and makes the system as a whole more reliable.
The second step was to put a process in place so that the whole team followed the required controls. We based our policies on HIPAA (in the US) and PIPEDA (in Canada), the laws that govern companies handling personal health data. We also tightened the workflow: mandatory code review, and separate roles that must approve a change before it goes live, a control that matters for established and new healthcare startups alike.
The final step was the SOC 2 assessment by a specialised third-party firm. As part of it, an independent expert was hired to test the application and look for weak points. Most of the findings traced back to Drupal 6, which we could not remove entirely because some core functionality still depended on it. To clear the way for further certifications, we rewrote most of the project on Symfony and kept Drupal 6 only for what the client still needed from it: the admin panel and a handful of important features. Drupal 6 is no longer reachable by anyone other than the client's administrators.
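One way to enforce that last point at the edge, as an added example that is not the project's own configuration: an nginx reverse proxy that exposes only the Symfony services publicly and reaches the legacy Drupal 6 admin panel solely through a separate hostname, an IP allowlist, and a client certificate issued by the client's own CA. The hostnames, addresses, certificate paths and the 203.0.113.0/24 office range are placeholders assumed for illustration.

```nginx
# Added example (not the project's configuration). Assumes nginx terminates TLS
# in front of two upstreams: the Symfony services (public) and the unsupported
# Drupal 6 instance (internal admin only). All names and addresses are placeholders.

upstream symfony_api {
    server 10.0.1.10:8080;   # assumed internal address of the Symfony services
}

upstream drupal6_admin {
    server 10.0.2.10:80;     # assumed internal address of the Drupal 6 host
}

# Public entry point: end users and the mobile app only ever reach Symfony.
server {
    listen 443 ssl;
    server_name app.example.com;          # placeholder public hostname

    ssl_certificate     /etc/nginx/tls/app.crt;
    ssl_certificate_key /etc/nginx/tls/app.key;

    location / {
        proxy_pass http://symfony_api;
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}

# Admin entry point: the only path to Drupal 6, gated twice before the
# request is proxied, so the unpatched CMS never sees untrusted traffic.
server {
    listen 443 ssl;
    server_name admin.example.com;        # placeholder admin hostname

    ssl_certificate     /etc/nginx/tls/admin.crt;
    ssl_certificate_key /etc/nginx/tls/admin.key;

    # Gate 1: mutual TLS. Only certificates chained to the client's internal
    # CA verify; "optional" lets nginx return 403 below instead of failing the
    # handshake, which makes the control visible in access logs.
    ssl_client_certificate /etc/nginx/tls/internal-ca.crt;
    ssl_verify_client      optional;

    location / {
        # Gate 2: network allowlist (placeholder: the client's office/VPN range).
        allow 203.0.113.0/24;
        deny  all;

        if ($ssl_client_verify != SUCCESS) {
            return 403;
        }

        proxy_pass http://drupal6_admin;
        proxy_set_header Host            $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

The check a practitioner would run after deploying this: from any address outside the allowlist, `curl -sk -o /dev/null -w '%{http_code}\n' https://admin.example.com/` must return 403, and from inside it without a client certificate it must still return 403. The Drupal 6 host's own firewall should additionally accept port 80 only from the proxy's address, so the proxy is the sole route in even if a second service on the network is compromised.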
Once we made all the changes and ran our marketing campaigns, the project showed some impressive improvements:
- The application used to go down unexpectedly at least once a month before we upgraded the infrastructure, but it hasn't had any downtime since the change.
- The API calls are now processed five times faster than they were before.
- We improved code quality with a new Agile-based workflow that has separate development, quality-assurance and review stages, each with its own role. Releases used to take several months; now they go out every 2-3 weeks.
- Over the past year, the application gained 15,000 new users.