Conf42 DevSecOps 2025 - Online

- premiere 5PM GMT

Securing Healthcare at Scale: DevSecOps for Critical Patient Platforms

Abstract

I built a HIPAA-compliant mobile platform serving 450+ cancer patients across 12 centers. Learn my DevSecOps approach: zero-trust architecture, compliance automation, and secure CI/CD that achieved 92% completion rates.

Transcript

This transcript was autogenerated. To make changes, submit a PR.
Hi. Hello everyone. Myself, Hamdi. I'm a senior mobile developer slash, like, a mobile architect. Today my topic is securing healthcare at scale: DevSecOps for critical patient platforms. So as a mobile architect overeducated in health technology, I have navigated the complex intersections of security, compliance and patient safety while building platforms that serve like millions of patients across cancer centers and different organizations, health organizations nationwide. This presentation says how we implemented DevSecOps for My Story. So this application is an award-winning trademark mobile health and cancer, cancer patients, like a symptom tracking application. So this platform is supporting active clinical trials at institutions.

So the stakes of healthcare security. So generally in health technology, the stakes are immensely high. The security failures aren't merely embarrassing incidents. So if you take any examples, there are a lot of security failures. So they are direct threats to patient lives and public trust. So whenever something happens in the healthcare industry, that might affect a lot of patients. So consider this critical chain: a patient's chemotherapy regimen relies implicitly on precise data transmission. So the integrity of lifesaving clinical trial results is based on the data, what kind of data we selected, what kind of data we got, and deeply personal information is there in the healthcare applications, as we know. So in this landscape, the very concept of margin for error is eradicated. So a small error can affect a lot of patients' information, the PA data leakage, those things. So we have to take care of all the security things. Considerable rely on that traditional security paradigms, where the safeguards are relegated to the final predeployment checkpoint. It is not just in the intake industry. It is dangerously obsolete. Security is not a feature.
It's like the foundation upon which digital health solutions must be built. Like when we are building the application, we considered all these security concerns. What kind of PI data is there? What kind of information? We have to be secure while releasing to the stores.

DevSecOps represents a paradigm shift. So basically it's not just a process. It's like a profound cultural and operational transformation. So strategically integrating security into every facet of the healthcare technology lifecycle. So this means proactively embedding robust security measures directly into the development phase, for example modeling, secure design principles, continuous static and dynamic code analysis, with automated CI/CD pipelines catching vulnerabilities long before deployment. So basically when we deploy the applications in DevSecOps, we are putting in security scans using SonarQube or some other tools. So we scan all the application. Before releasing the application, we'll try to find where the loopholes are, where the security gaps are. We identify these gaps by using these. Operations are deeply infused with security practices, involving constant monitoring, automated compliance checks, proactive vulnerability management, and redefined incident response strategies. So ensuring unparalleled system reliability ultimately.

DevSecOps cultivates a shared responsibility across all teams. So generally, when we develop, we have a frontend team, a backend team, all the other teams are there. So we have to consider each place where all the teams are working, what are the gaps, what kind of security, what kind of sensitive patient data. Critical care to be considered, we have to take care of all those things. So this holistic approach ensures resilience, trust, and standards of patient safety in a constantly evolving threat landscape generally.
The scammers are there, a lot of scammers. Everybody's trying to steal the data. With the data, like whatever data, for example if we use any patient information, those things might affect the industry. So we have to take care exactly what data we are collecting. We have to give security for the trust purpose. Patients also need to be very confident in the application before using it.

So this is the healthcare security landscape. So the first one is regulatory complexity. So HIPAA establishes baseline requirements, but clinical trials introduce FDA oversight. State-level regulations add another layer. So basically on top of HIPAA, we are adding another layer. International institutions introduce GDPR considerations also, like for international use, we are using the other considerations also. So our attack surface also. Data is uniquely vulnerable to attackers. Medical records sell for far more than credit card numbers because they contain information that can't be changed. So because of this we have to be careful. So the third one is patient safety. Like when we build anything, we have to take care: security failures can directly harm patients. Incorrect medication diagnosis, missed appointments or delayed treatment represent security failures with physical consequences. So these are the three things we have to consider while we develop anything.

So this is: mobile health expands the attack surface. So data moves between patient devices and cloud infrastructure. Generally a patient enters the information by using like a TPS or anything. We just exchange the data between whatever database or cloud architecture we use, those things we generally do, right? So the patient data, we have to encrypt all the patient data, whatever we use. So they connect over untrusted networks, and may have other applications with permissions that could access sensitive data.
So we have to be careful whenever we access untrusted networks. The offline requirements of healthcare applications add complexity. Patients need to access their health information even without connectivity: hospitals with poor reception, during travel, or rural areas. So mobile offline is one of the other challenges.

So basically for this we can come up with zero trust architecture, identity as a perimeter. So first we choose multi-factor authentication. So initial patient development requires MFA with the verified health system credentials. Patients don't simply create accounts. They are provisioned through a secure enrollment process. For example, when you create an account, we have all this authentication and some other things we develop. So device binding: after authentication, we cryptographically bind the patient's identity to their specific device, preventing credential theft from immediately compromising access. So device binding is one of the other security measures we can build on top of multi-factor authentication. And the third one is biometric authentication. So by using fingerprints or Face ID, by these two things, we will add another authentication for the enrolled devices. The fourth one is continuous verification. So generally by using tokens, every 15 minutes, 10 minutes, the token will refresh. So if the application is idle, the lifetime of the application will automatically kill that particular session. If they want, again, they have to log in. So these four things we'll consider for the security.

So this is the end-to-end encryption architecture. So the data-centric security. So the first one is device encryption. So as I told, device encryption: before leaving a patient device, data is encrypted. So then transit protection: encrypted transmission with certificate pinning. So certificate pinning is another concept for the data encryption.
So storage security: encrypted at rest with hierarchical key management. The fourth one is authorized access. So decryption, only authorized devices can do. So this way, before sending the data, this is the encryption and decryption method we use to secure the patient information.

So the key DevSecOps implementation. So the first one is end-to-end encryption. So the zero trust architecture with hierarchical key management and device binding is the first thing. The second thing is automated security testing. So CI/CD pipelines with static analysis, dependency scanning, and dynamic testing. So these are three things we can do in automated security testing. So offline-first design. So secure local storage with conflict resolution and data integrity controls. So this is the third step. The fourth step is compliance as code. So automated validations of HIPAA, FDA and other regulatory requirements that we have to consider. So the fourth one is real-time monitoring. So continuous security monitoring with automated incident response we have to consider. So these are the five key implementations we have, we consider.

So the other one is automating compliance: infrastructure as code. So healthcare regulations feel like immovable constraints. So DevSecOps inverts this relationship, treating compliance as dynamic requirements that automation can continuously verify. So the HIPAA requirements: HIPAA requires encryption at rest and in transit. Our infrastructure code enforces this by refusing to provision storage or network without appropriate encryption configurations. So generally policy-as-code tools validate infrastructure against compliance requirements before the application deployment. Attempting to deploy a database without encryption triggers immediate rejection with a clear explanation of which compliance requirement would be violated. So these things we will do as part of the process.
So these are the layers of the CI/CD. So first we'll do static analysis. In the static analysis, we analyze the code. It catches hard-coded credentials and also SQL injection. Any insecure crypto implementation we will find. The second one is dependency scanning. So in the dependency scanning, we will check every third-party library for known vulnerabilities. If there are any vulnerabilities, we will block the deployment. The third one is dynamic testing. So dynamic testing simulates attacks against running applications. So authentication bypass and authentication failures we will test. The fourth one is container scanning. So we'll scan the containers based on the images, verifying security best practices. And the fifth one is API security. So as part of the backend APIs, we will test unauthorized access and rate limits. So we will check all those things.

Offline-first architecture challenges. So these are some challenges for the offline-first mobile development architecture. So secure local storage. So full device encryption as a baseline protection. So this is the first one. So application-level encryption is required, with the keys derived from patient credentials. So secure element integration and hardware-protected keys also we have to implement. So biometric authentication is the other one. So conflict resolution: vector clocks track modification history, operational transforms maintain eventual consistency, complete audit trails for all offline changes. So these are the conflict resolution things we have to take care of.

So continuous security monitoring for this application. So we have to be secure comp. These are the four steps. So application monitoring. So we have to always monitor the application. So the second one is infrastructure monitoring. So observe the system behavior and any potential attacks, and also all the authentication attempts, anything in the network.
Unusual traffic generates security alerts. These are the things we have to take care of. The other one is audit log analysis. We have to keep detailed records of all security-relevant events. Automated analysis identifies suspicious patterns in authentication, data access and configuration changes. So if anything happens, we have to check this also. The other one is behavior analytics: machine learning models learn typical patterns for individual patients and clinicians. So if any of those kinds of things, models or anything, he's doing, we have to take care and continuously monitor all this process.

So platform success metrics. So these are the platform success metrics. So the first one is enhanced patient engagement. The second one is compliance. The third one is data breaches. The fourth one is uninterrupted availability. So the platform consistently achieves significantly higher patient engagement. So this is one thing for the enhanced patient engagement. The second one is we have to check HIPAA validations, unwavering commitment. An unwavering commitment builds profound trust in both patients and healthcare providers. So these things we have to check. Zero data breaches. So we have to take care, like what kind of data, and also every time we have to be careful with the patient information. The fourth one is power, the continuous monitoring and automated incident response. This is the one thing we have to care for. We have to do it every 24 hours and seven days a week.

So the response framework. So detection and analysis is the first thing. So we have to check any detections. So this thing we have to check. Containment is the second thing. So limit impact, isolating systems, revoking compromised credentials. So those things we have to check. So eradication is the third thing. Remove threats from systems by fixing vulnerabilities, improving security controls and updating configurations.
So recovery, the fourth thing: validate threats are eliminated, restore systems to a secure state and gradually restore service while monitoring for recurrence. So the last one is post-incident analysis.

So security as a foundation. DevSecOps in healthcare represents more than implementing security tools or following compliance checklists. It reflects a fundamental philosophy that security, privacy and patient safety are the foundational requirements rather than features to be added. So the My Story platform demonstrates that robust security practices and excellent user experience aren't opposing goals. Success requires cultural change alongside technical implementation. Security becomes everyone's responsibility. So patient trust depends on security. When patients share intimate health information, when they rely on the application during vulnerable moments, when they trust systems with data that could literally save their lives, robust security isn't optional. Thank you. Thank you for giving me this opportunity. Yeah. If you have any questions, please send an email.
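
The compliance-as-code step described in the talk (a deployment that lacks encryption is rejected with a message naming the violated requirement) can be sketched as follows. This is an added example, not code from the talk or the speaker's platform; the plan schema, field names and resource names are hypothetical.

```python
# Added example: minimal policy-as-code gate. The plan schema, field names and
# resource names below are hypothetical and constructed for illustration.

def check_at_rest(res):
    # Fail closed: a missing or non-boolean attribute counts as "not encrypted".
    if res.get("encrypted_at_rest") is not True:
        return "encrypted_at_rest must be true"
    if not res.get("kms_key_id"):
        return "encrypted storage must reference a managed key (kms_key_id)"
    return None

def check_in_transit(res):
    protocol = str(res.get("protocol") or "").lower()
    if protocol not in {"https", "tls"}:
        return f"protocol {protocol or 'unset'!r} is not encrypted"
    if res.get("min_tls_version") not in {"1.2", "1.3"}:
        return "min_tls_version must be 1.2 or higher"
    return None

# (resource types the rule covers, requirement named in the rejection, check)
RULES = [
    ({"database", "object_store"}, "HIPAA encryption at rest", check_at_rest),
    ({"listener"}, "HIPAA encryption in transit", check_in_transit),
]

def gate(plan):
    """Return (allowed, messages); any violation rejects the whole deployment."""
    messages = []
    for res in plan:
        for types, requirement, check in RULES:
            if res.get("type") in types:
                problem = check(res)
                if problem:
                    messages.append(
                        f"REJECT {res.get('name', '<unnamed>')}: {problem} "
                        f"[violates: {requirement}]")
    return (not messages, messages)

# Constructed sample plan, as it might be exported from an IaC tool before apply.
SAMPLE_PLAN = [
    {"type": "database", "name": "patient-db",
     "encrypted_at_rest": True, "kms_key_id": "example-key-1"},
    {"type": "object_store", "name": "trial-exports"},  # encryption not declared
    {"type": "listener", "name": "api", "protocol": "https", "min_tls_version": "1.2"},
    {"type": "listener", "name": "legacy-sync", "protocol": "http"},
]

if __name__ == "__main__":
    allowed, messages = gate(SAMPLE_PLAN)
    print("\n".join(messages) or "plan accepted")
    raise SystemExit(0 if allowed else 1)
```

Run as a pipeline step before provisioning, the non-zero exit status blocks the deployment and the printed messages tell the developer which resource and which requirement caused the rejection.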

Mahendar Ramidi

Software Developer @ Maryland Health Benefits Exchange
