Information Security
Irina Bubley, 2017-02-08 19:29:15

How can we tell that the contractor will develop a secure product without data leaks?

Hello, dear experts and beginners! Please advise.
We are a commercial medical institution. We have been offered the development of an information system in the form of a website with a personal account for the patient, from which he will receive his medical data, which we, in fact, will enter. Let's leave aside aspects like "the patient gave someone the password, the employee gave the password to someone, and personal data was leaked."
We are concerned about another aspect of the safety of personal data. By law, ALL responsibility for the leakage of personal data lies with the medical institution.
This includes the case where we, conscientiously observing personal data protection measures, enter the data into the information system (the website), and it suddenly leaks somewhere from there.
We are not programmers, so we cannot evaluate the reliability of the final product (the site).
When we ask potential developers (and more than one company), they answer us: "we develop with high quality, and your data will not go anywhere, everything will work fine, we have been on the market for many years and have done many projects, no one has complained yet." It turns out that we just have to take the word of any contractor?
Attention, question! Are there really no standards, specifications, requirements for the code of a software product (website, medical system), certificates, regulated checks, tests, a list of threats and resilience, etc., or requirements for a developer company? In order to assess that the product that we order from them will not be "leaky" and will not "set us up" as a medical institution for the loss of personal data?
How do we evaluate a contractor?

3 answer(s)
Stalker_RED, 2017-02-08
@IrinaBubley

Do you know the word "audit"? Notify the contractor that a security audit will be conducted at the end of the work. And hire a good auditor.
As for standards, I can only recall ISO 9001, which, although not specifically tailored for medical purposes, is used by some pharmaceutical companies, for example.
Here is the content itself: guap.ru/guap/standart/kach/gost_r_iso_9001-2015.pdf

tema_sun, 2017-02-08
@tema_sun

One good programmer alone will not be enough here. The team must know the specifics.
The Americans have HIPAA for medical data.

Marseille, 2017-03-06
@marsel0009

There are tools (software) that are specifically designed to check source code for weaknesses (vulnerabilities and bugs). As part of the contract with the contractor, you can include checking the source code for vulnerabilities, the result of which will be a report received from the system. But in general, this will not solve the problem, since previously unknown vulnerabilities appear daily, that is, if they are not there now, this does not mean that they will not be there tomorrow. For this, there is a separate class of solutions, WAF (Web Application Firewall), which, using the signature method (knowledge of existing threats) and machine learning, can increase the level of cyber resilience of your resource.
A programmer is a person who writes the system code; a security specialist is a person who will try to build a secure system. The two should not be confused.
