Harvard and Nextcloud fight against COVID-19, Nextcloud introducing HIPAA compliance features to support health care

Nextcloud Hub is used in a few dozen hospitals and medical institutes in various ways. The DICOM viewer app for Nextcloud in particular is used in Brazil in the fight against COVID-19. A press release with a quote from Harvard professor Gordon J. Harris was released today and in this blog we’ll give some more background details!

Nextcloud in use in Brazil against COVID-19

The Massachusetts General Hospital did a press release last week about the OHIF viewer and its use in the fight against COVID-19. MGH is the original and largest teaching affiliate of Harvard Medical School, Boston, MA, USA. They support the OHIF foundation, and OHIF and its members are developing and contributing to libraries and tools like Cornerstone which power many medical image viewers, including the Nextcloud DICOM viewer.

The use of OHIF/Cornerstone imaging technology as a web viewer for the Nextcloud open-source file sharing platform is being made available for free to help save lives during this COVID-19 crisis. This type of integration is exactly the kind of use of open source software that we envision to benefit the medical sector and it is our main motivation behind building open, easy access technology and imaging platforms for medical data.

— Gordon J. Harris, Professor of Radiology at Harvard Medical School, Director of 3D Imaging at the Massachusetts General Hospital and President of the Open Health Imaging Foundation

The DICOM viewer was developed by Aysel Afsar; we wrote about this when the app was initially released and did so again in an update some time later. The usage of the app is rather widespread, as Aysel found out when she received a thank-you email for her work from Dr. Nelson A. Gody, chief radiologist in a hospital in the city of São Paulo, southeastern Brazil.

I come to wish you my gratitude for the Nextcloud Dicom Viewer app. In such a delicate and difficult moment, DICOM Viewer contributes free, simple, fast and efficient as an early diagnosis tool and report of 122 viral pneumonia exams compatible with COVID-19 in several regions of BRAZIL, in the last 15 days. Thank you very much from the heart.

— Dr. Nelson A. Gody in his email, from Aysel’s LinkedIn post.

It is absolutely great to see open source technology enabling doctors around the world to do their work safely, quickly and without having to hand over personal, medical data from patients to foreign and proprietary tools.

Upcoming in Nextcloud Hub: more advanced HIPAA compliance features

At Nextcloud we are of course supportive of the use of Nextcloud Hub in the medical sector! Several dozen Nextcloud customers in the medical sector have deployed Nextcloud over the last few years. This includes a Ministry of Health in the Middle East, more than a dozen medical institutes and hospitals in European countries as well as many in the US, UK and Australia. There are also a number of regional Red Cross organizations and several international research organizations active in disease modeling and cancer research.

To support the global fight against COVID, Nextcloud has accelerated the development of a number of security features important in medical settings. The Health Insurance Portability and Accountability Act (HIPAA) requires applications to implement a series of security features. Nextcloud Hub version 19 will support several new capabilities and introduce a compliance app providing an overview of the current compliance status. This will facilitate deployment of Nextcloud Hub in HIPAA compliant settings.

Achieving HIPAA compliance

The HIPAA compliance regulation sets out a range of guidelines around security. In many cases, organizations are allowed to use alternative solutions to those recommended. Those alternatives have to provide equivalent protection, and the organizations have to justify the change. Of course, as requirements and best practices change over time, so should the protections that are employed in real-life situations.

As an example of those changes, think of passwords. Once upon a time, we thought the best passwords were inscrutable, hard-to-remember series of random characters that include lower and upper case characters, numbers and special characters. Passwords had to be changed regularly, often every 30 days. As a well-known XKCD comic explains, the real security provided by these measures was limited!

Nextcloud Hub currently offers a wide range of protections for users. Let me highlight a few:

These features are of course part of a development process that focuses on security, complemented with browser- and encryption-related security features and more. All of this is backed by our USD 10,000 security bug bounty program!

This gives healthcare organizations a wide range of capabilities to rely on when protecting personal medical data. To enable Nextcloud Hub to fit in the various implementations and local regulatory environments, we are working on a number of additional measures that allow Nextcloud Hub to fulfill the specific HIPAA requirements that a health care provider has identified and complies with.

The improvements under development include:

  • The introduction of automatic logout
  • Password reuse limitations
  • Automatic account locking in response to failed login attempts
  • Password expiration features
  • Passwordless login

Most of these will come with the upcoming Nextcloud Hub release next month. As compliance is such a specific thing, we have contemplated creating a compliance-checking app, but this will have to be put together separately for each health care customer if they wish. Often, specific changes have to be made for the internal compliance review, which we help with.

In the end, however, the result is that hospitals and other healthcare providers can benefit from the secure, efficient collaboration and communication Nextcloud offers!

It is exciting to see Nextcloud continuing to make progress in the area of security and privacy, becoming an even more versatile tool for use with private and medical data.

— Aysel Afsar, lead developer on the Nextcloud DICOM viewer