A Healthcare Corporation: Deploying Security From Scratch

Introduction

Our client with largest network of online pharmacy, appointment booking and online consultancy is one of the leaders of e-pharmacy in India.

Challenge

Our client being one of the leading e-pharmacy providers in India, provides services in five different sectors of online healthcare industry with nine extensive online assets including four separate websites serving with a dedicated web-application each, two cross-platform mobile applications, and three separate extensive APIs serving 3rd party businesses, altogether comprising of thousands of available endpoints. It was essential for the client to ensure safety of every individual service and security of every specific endpoint to ensure sensitive healthcare data and personally identifiable informations of millions of users and hundreds of business partners are not susceptible any risk.

It was a major challenge to ensure safety of our client's IT infrastructure as it had never undergone an intensive security audit before switching to public launch, which made it mandatory to understand the complete infrastructure and core endpoints from scratch within the audit timeline without any technical backend or endpoints detail from the client.

The Solution

Using SecurityEscape's expert-driven strategic manual auditing, powerful cloud scanner with integrated artificial intelligence technology, the complete online infrastructure was audited and hundreds of potentially harmful vulnerabilities were identified in first phase of audit cycle.

After conducting first manual security review, our powerful artificial intelligence based realtime scanner was used to closely monitor the application's security and to collect intensive data which was effectively used in later stages of manual security audit by the consultants to identify more security threats.

First Cycle of Engagement

During this period, an initial audit report was delivered consisting of 54 high- impact vulnerabilities, including issues capable of compromising complete website data and manipulating controls. The deliverable report with executive presentation was customised to match client's working environment.

  • Understanding & Mapping Complete Application Architecture
  • Identifying Every Potential Security Vulnerability Affecting Any Endpoint
  • Ensuring End-to-End Encryption of Sensitive Data Stored or Transmitted.
  • Hardening Access Controls Throughout The Application Infrastructure
  • Recommending & Implementing Best Security Practices.
  • Compliance Auditing & Reporting

Post Auditing Scenario

SecurityEscape's cloud-based security scanner supports web and mobile applications including iOS & Android. Taking advantage of its artificial intelligence and machine learning technology, it scans the latest threats and trending vulnerabilities by simulating human-like manual approach, by developing custom target-based vulnerability pattern during each scan.

On completion of manual audit engagement, our client opted to continue using this technology through our security management dashboard, for specific purposes like:

Testing Production Server: Eliminating security threats on production server for pushing code changes in pipeline before launching as a public service.

Active Security Monitoring: Ensuring the environment remains up-to-date and to track trending threats and zero-day vulnerabilities of application-technologies and libraries.

Regularly Scanning: Running complete scans on regular intervals for complete IT infrastructure including all the web and mobile applications and APIs.

Monitoring API Security: Monitoring API security to ensure integrations with 3rd party companies remain secure.

Conclusions

SecurityEscape was successful in greatly reducing the risks to client's IT infrastructure and eliminating every identified threat by working closely with the client's devops team. Some key highlights of this project are:

The Client processes massive sensitive data of 1 million plus active users, Eg: Patient / Doctor Informations, Prescription Data, Medicine History Data.

SecurityEscape has ensured security of each parameter where data is being exchanged. We also had teamed up with client's development team on redesigning the authentication schema and data management structure.

Our scanner is playing a significant role on actively scanning these assets, helping in production to actively monitor regular updates on applications.