Integrating Third-Party Services into your website

The considerations that often get forgotten and the potential risks to patient data.

Are you contemplating adding elements like chatbots, Meta Pixel (aka Facebook Pixel) or other embedded platforms to a website?

Then there are several information security considerations to keep in mind.

It is possible that these elements will collect not only Special Category Data but also other identifiable data that could put a patient's privacy at risk, e.g. IP address, geolocation, etc.

Here is an example of how what seemed to be an innocuous element, added to help monitor the success of patient communication, turned into a data breach.

As we act as the Data Processor under, and in accordance with, UK GDPR Chapter 4, Article 28, Section 3(h), Tree View Designs (Data Processor) is required to notify your organisation (Data Controller) in the event that any actions or instructions could infringe UK data protection law.


Recommendations

Check the extent of 'GDPR Compliance'.

Often the interpretation of being 'GDPR Compliant' differs depending on the locality of the provider.

In the U.S. there is a separate standard for Special Category Data called HIPAA. Providers may therefore be offering 'GDPR Compliance' (GDPR is a UK standard) at a level below what is required for Special Category Data under HIPAA. They do this because of the lucrative profit opportunities in the U.S. healthcare system, so HIPAA-level (Special Category Data) standards may come at a cost.

Vendor Assessment

Before integrating any third-party service like a chatbot, it's essential to assess the vendor's security practices.

This can be done by:

  • Reviewing their security documentation
  • Checking for any past security incidents or breaches.
  • Asking if they have undergone any third-party security audits or certifications.

Data Transmission

Ensure that data transmitted between the website and the third-party service is encrypted in transit using HTTPS (TLS). This protects against eavesdropping and man-in-the-middle attacks on the connection.

Data Storage

Understand where and how the third-party service stores data.

  • Is the data encrypted at rest?
  • Is it stored in a jurisdiction with strong data protection laws?
  • How long is the data retained?

Access Control

Ensure that only authorized individuals can access and manage the chatbot or embedded platform. Use strong authentication methods and regularly review access logs.

Data Minimisation

Only collect the minimum amount of data necessary. If the chatbot doesn't need to know a user's full name or address, don't ask for it.

Privacy Policy & Consent

Ensure that the website's privacy policy is updated to reflect the data collection and processing activities of the chatbot or embedded platform.

Users should be informed about:

  • What data is being collected.
  • Why it's being collected.
  • How it will be used.
  • How long it will be retained.
  • Their rights regarding their data.

Also, obtain explicit consent from users before collecting their data, especially if it's sensitive or personal.

Regular Monitoring & Updates

Regularly monitor the chatbot or embedded platform for any unusual activities. Also, ensure that any software or plugins related to it are regularly updated to patch any known vulnerabilities.

Incident Response

Have a plan in place for how to respond if there's a security incident involving the chatbot or embedded platform. This includes notifying affected users, investigating the cause, and taking steps to prevent future incidents.

Data Processing Agreements (DPAs)

If the third-party service processes personal data on behalf of the website, ensure that there's a DPA in place. This agreement should outline the responsibilities of both parties and ensure that the third-party service complies with relevant data protection regulations.

Integration Security

Ensure that the method of integrating the chatbot or platform doesn't introduce vulnerabilities. For instance, if using an API, ensure it is securely configured and doesn't expose sensitive data.
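Before a vendor can be assessed, a DPA signed, or an integration reviewed, you need to know which third parties a page actually pulls in. The following is an added example, not code from the original article or from Tree View Designs: it inventories every external origin an HTML page loads (scripts, iframes, pixel images, stylesheets) and reports those not on your approved-vendor list. The sample page, the `*.example` hostnames and the approved set are all constructed for illustration.

```python
# Added example (not from the original article): inventory the third-party
# origins an HTML page loads, so embedded elements (chatbots, tracking pixels,
# iframes) can be checked against the vendors that actually have a DPA in place.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags and attributes through which a third party can be pulled into a page.
LOADER_ATTRS = {"script": "src", "iframe": "src", "img": "src", "link": "href"}


class EmbedInventory(HTMLParser):
    """Collect every absolute http(s) URL referenced by a loading tag, keyed by origin."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.origins = {}  # origin -> list of "tag:url" hits

    def handle_starttag(self, tag, attrs):
        attr = LOADER_ATTRS.get(tag)
        if attr is None:
            return
        for name, value in attrs:
            if name == attr and value:
                full = urljoin(self.page_url, value)  # resolves //cdn and relative URLs
                parts = urlsplit(full)
                if parts.scheme in ("http", "https") and parts.netloc:
                    origin = f"{parts.scheme}://{parts.netloc}"
                    self.origins.setdefault(origin, []).append(f"{tag}:{full}")


def unapproved_third_parties(html, page_url, approved_origins):
    """Return third-party origins the page loads that are not in the approved set."""
    inv = EmbedInventory(page_url)
    inv.feed(html)
    first_party = "{0.scheme}://{0.netloc}".format(urlsplit(page_url))
    return {o: hits for o, hits in inv.origins.items()
            if o != first_party and o not in approved_origins}


# Constructed sample page: a first-party script, an approved chatbot vendor,
# and a tracking pixel plus an iframe from vendors nobody has assessed.
SAMPLE_HTML = """<html><head>
<script src="/static/app.js"></script>
<script src="https://chat.approved-vendor.example/widget.js"></script>
<link rel="stylesheet" href="//cdn.approved-vendor.example/widget.css">
</head><body>
<img src="https://tracker.example/pixel.gif?ev=PageView" width="1" height="1">
<iframe src="https://maps.unassessed.example/embed"></iframe>
</body></html>"""
APPROVED = {"https://chat.approved-vendor.example", "https://cdn.approved-vendor.example"}

if __name__ == "__main__":
    for origin, hits in unapproved_third_parties(SAMPLE_HTML, "https://clinic.example/contact", APPROVED).items():
        print(origin, hits)
```

Run it against the rendered HTML of each page (not just the template) because tag managers and chatbots often inject further loaders at runtime; anything it reports should trigger the vendor assessment and DPA steps above.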

Training & Awareness

If the customer's team will be managing or interacting with the chatbot or platform, ensure they are aware of best practices and of the potential security risks.

In summary, while adding chatbots or embedded platforms can enhance a website's functionality, it's crucial to approach their integration with a security-first mindset.

Regularly reviewing and updating security practices as the digital landscape evolves will help in maintaining a robust security posture.