Keeping Photos and Data Secure
Digital security and data management at SkinIO is an extremely important part of our business. Despite the fact that we are a small team, we want to make sure that all patient data is handled not only according to the letter of the law, but in a manner that maintains the utmost respect for the users of our software. Throughout this post I’d like to explain the processes we have in place to make sure that data is transmitted and consumed in a safe manner.
From the user perspective, there 4 main stages the data will exist in:
- During upload
- At rest on the SkinIO servers
- On the network from SkinIO servers to the client
- Within the client application (iOS or WebApp)
I’ll go into more depth of each below, but at a high level our processes can be described through two characteristic features:
- Always encrypt
- Don’t write to disk unless you have to
When the data is being uploaded, stored and retrieved (states 1-3) it is always encrypted. Sometimes we encrypt with one key, but generally there are multiple layers of security in place.
Once the data is retrieved (state 4) it is not written to disk. Within the iOS application and WebApp, the images and supporting data is kept in temporary memory only. Closing the iOS app or browser tab will remove the data from the device.
Throughout the development of SkinIO we’ve been very careful to make sure that all data is handled carefully and respectfully and we regularly circle back to discuss ways that we could further expand and strengthen this process.
Our engineering team is currently made up of 3 people, and every engineer must maintain a current knowledge of HIPAA as well as modern security protocols. All design decisions are made with security in mind, and as part of the review process I verify and confirm that our security standards are met.
That’s the 1000ft view of security at SkinIO. I’ll go into further detail about each stage of the process below.
· · ·
After all the photos have been taken they are ready for upload. Once submit is pressed the following process will occur:
- Pull public encryption key from SkinIO server (if needed)
- Generate new symmetric key for each photo
- Encrypt every image with a unique key
- Encrypt every key with the public key from the SkinIO Server
- Destroy original images
- Upload the key and encrypted image to SkinIO
The encryption key fetched from SkinIO is used in a process called private key encryption. Our server tells the iOS application a key to use to encrypt data, and the server holds onto the key needed to decrypt data.
The images are encrypted using a process called symmetric key encryption. The key that encrypts the images is also the key that decrypts the images.
The symmetric key used to encrypt the images is itself encrypted by the server’s public key.
This process produces the following results:
The server is the only entity that can decrypt image data. Once the photos are encrypted even a person holding the physical iOS device cannot see the images. Until the server steps receives and decrypts the images, it is impossible to view the images in their original form.
Fast encryption. Symmetric key encryption is much much faster than private key encryption. By using both, we maintain result #1, but do it much, much faster.
Unique keys. If something happened that allowed one encryption key to be recovered, only a single image could be decrypted. Encrypting every image with its own key makes it harder to brute force the data.
Error Recovery. If the server’s private encryption key was leaked, it would mean that an intruder could start intercepting and decrypting image data. That’s not good. However because the iOS application checks for a key every time, it would be easy to cycle the key and stop the attack even in a worst case situation.
· · ·
The photo taking and upload process can be extremely secure, but it doesn’t matter if the rest of the process isn’t secure as well. Any weak spot becomes the most likely point of failure/cause of a break.
Once the photos are uploaded to SkinIO they are stored encrypted in a HIPAA compliant S3 bucket.
This means that the data is always encrypted within our servers. If there was a breach of an Amazon datacenter it would not put patient data at risk. All the intruder would receive is access to encrypted and unidentified data.
· · ·
When requesting a photo within SkinIO, the image is manually looked up in the storage system, decrypted and then returned via an encrypted connection.
Every time an image is requested it has to be decrypted again.
We are not caching patient image data on our servers or doing anything to accelerate that process. Doing so would add complexity to the system and expose places that data could be compromised.
After the iOS app or WebApp requests an image it will be sent to your device and then becomes available for display. Instead of writing any of that data to disk, we are instead keeping it locally within the running SkinIO application.
This means that if the iOS application or browser tab is closed, the data no longer exists.