MediHub: A Better Patient Experience
Abstract
You’re waiting for the doctor. It’s an aspect of life that you’ve come to accept. But it doesn’t have to be like this.
MediHub wants to change that. Through MediHub, you’ll never have to sit in a clinic waiting room again. As an added bonus, you’ll gain ready access to your medical records.
MediHub, a highly secure, interoperable patient platform.
Author
Name: Daniel Morgan
Student number: 45829181
Functionality
Communication channels: Patients can communicate with doctors through private messages, audio calls or linked video conferencing software. Messages support end-to-end encryption.
Location based matching: Patients are recommended to an available doctor at the nearest location.
Search based matching: A patient may search for a clinic to send a request message. It is up to the practice to decide if they would like to accept the request or not.
Secure share space: A secure, accessible data vault for patients and doctors to share medical documents. Files at rest are encrypted using the 256-bit Advanced Encryption Standard.
Profiles: Clinics can set up a profile in under 2 minutes. Practitioners working for a clinic may do the same. Patients must register by integrating their myGov ID. A practitioner is validated through the Australian Health Practitioner Regulation Agency (AHPRA) API. Patients manually grant doctors access to their profile.
Multi-factor authentication: All users who log in to the platform must complete MFA.
Scope
- Messaging system
  - Patients communicate with doctors through private messages
- Secure share space
  - Files at rest use Blowfish encryption
- Profiles
- Search based matching
Quality Attributes
Interoperability
The primary purpose of MediHub is to facilitate patient-doctor communication. The messaging system and secure file sharing make this interaction possible. MediHub has two forms of interoperability.
Internal information sharing
- Search based matching queries a database consisting of medical practices
- Engagements are initiated on a practice’s profile using a request message
- Patients can permit sharing of medical information to practitioners
External data exchanges
- Practitioners upload documents for a patient from their in-house software
- Confirm a patient or practitioner identity through myGov or AHPRA
- User integrity is as important as in a traditional clinic
How is it measurable?
- Quantitatively - Record time elapsed for events to occur
- Qualitatively - Run short questionnaires for frequent feedback
Security
MediHub handles primarily sensitive information. Patients discuss confidential health matters with practitioners. Practitioners generally relay information from specialist clinics back to a patient. Centralising this information onto one platform comes with great risks.
Software under attack maintains normal operations
- Patients may rely on MediHub for time-sensitive health matters
Safeguarding resources
- Resources include consultation logs, test information and conditions (all highly sensitive!)
Detecting and minimising attacks
- Patients and practitioners depend on the platform
- An outage and data breach is likely to severely damage MediHub’s reputation
Why is security important?
- Data breaches result in penalties, damage to reputation and loss of customers
How is it measurable?
- Record results of security checkups
- Document results of simulated attacks
- Measure change over time in dynamic analysis
Evaluation
An evaluation plan for each quality attribute and MVP functionality.
Interoperability
#1 Messaging system
- Record time elapsed for engagements before either party terminates it
  - Goal? Consultations average less than 2-3 business days
- Short questionnaire after engagements
  - I found the consultation to be helpful (1-5)
  - Select any option to indicate why / why not: too long, too rushed, interaction felt disingenuous, etc.
#2 Secure share space
- Short questionnaires (infrequently emailed)
  - What documents are you unable to upload?
  - Select any option to indicate why / why not: legal reasons, share space doesn’t support it, concerned about platform privacy
#3 Profiles
- Track the average time it takes for each profile to be ready for use (depends on myGov, AHPRA validation APIs)
  - Goal? All profiles to take no more than 2 business days to set up
#4 Search based matching
- User testing
  - Have users attempt to find a specific clinic using MediHub and a similar site, like Hotdoc
  - Time the tests and ask for feedback
  - Goal? To have comparable results to Hotdoc
Security
#1 Messaging system
- Measure the mean time to detect security threats (use SIEMs)
  - Goal is to detect a threat within 5 business days
#2 Secure share space
- Regular internal security review (every 3 months)
  - When was the last backup?
  - How many vulnerabilities have been identified?
  - When was the last simulated attack? Rate the results (1-5)
  - A pass mark for the above: last month, one or more, once in the last 3 months
#3 Profiles
- Spawn internal teams to force access to profiles without permission (every 3 months)
  - A pass mark if the teams failed to gain access for 9 months straight
- Run dynamic analysis security testing tools fortnightly
  - Goal? Number of vulnerabilities does not increase over a 12 month period
#4 Search based matching
- Perform testing using SonarQube security analysis
  - A pass mark is for the number of vulnerabilities detected to decline in a 6 month period
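The messaging-system goal above (mean time to detect within 5 business days) can be checked with a short script. This is an added example, not part of the MediHub proposal; the incident records, field names and the Monday-to-Friday definition of a business day (public holidays ignored) are assumptions.

```python
from datetime import date, timedelta
from statistics import mean

MTTD_GOAL_BUSINESS_DAYS = 5  # goal stated in the evaluation plan

# Constructed sample records; a real report would export these from the SIEM.
# detected=None marks a threat that monitoring has still not flagged.
SAMPLE_INCIDENTS = [
    {"id": "INC-1", "occurred": date(2024, 3, 4), "detected": date(2024, 3, 6)},
    {"id": "INC-2", "occurred": date(2024, 3, 8), "detected": date(2024, 3, 18)},
    {"id": "INC-3", "occurred": date(2024, 3, 20), "detected": None},
]


def business_days_between(start: date, end: date) -> int:
    """Count Monday-Friday days after `start`, up to and including `end`."""
    if end < start:
        raise ValueError("detection date precedes occurrence date")
    days, current = 0, start
    while current < end:
        current += timedelta(days=1)
        if current.weekday() < 5:  # 0-4 are Monday-Friday
            days += 1
    return days


def mttd_report(incidents, as_of: date) -> dict:
    """Mean time to detect in business days, plus incidents over the goal.

    Undetected incidents are aged to `as_of` instead of being dropped, so an
    open detection gap cannot make the mean look better than it is.
    """
    ages = {
        i["id"]: business_days_between(i["occurred"], i["detected"] or as_of)
        for i in incidents
    }
    mttd = mean(ages.values())
    return {
        "mttd": mttd,
        "meets_goal": mttd <= MTTD_GOAL_BUSINESS_DAYS,
        "breaches": sorted(k for k, v in ages.items() if v > MTTD_GOAL_BUSINESS_DAYS),
    }


if __name__ == "__main__":
    print(mttd_report(SAMPLE_INCIDENTS, as_of=date(2024, 3, 28)))
```

On the sample data the mean meets the goal while two individual incidents exceed it, which is why the report lists breaches alongside the average.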