The HBSN group of companies supports AOK Saxony-Anhalt in the conception, technical development and implementation of a form center (“Formularcenter”) within the digital customer portal “Meine Gesundheitswelt” (My Health World).

“Meine Gesundheitswelt” has been available to AOK customers since February 2020. Within this portal, customers can have additional services they have used reimbursed by the AOK via their individual “Gesundheitskonto” (health account) and can digitally submit receipts and invoices for any services paid in advance for billing purposes.

The web-based application “Formularcenter” is another building block in AOK Saxony-Anhalt’s digital customer service offering. With the “Formularcenter”, the AOK offers its customers a large selection of ready-made forms for applying for health insurance benefits, such as applications for care benefits or for reimbursement of travel costs incurred for medical treatment. These forms are now made available to the insured via the customer portal “Meine Gesundheitswelt”.


With this digital customer service, bureaucratic hurdles are removed for the insured and the application process becomes simple, fast and customer-oriented. At the same time, AOK Saxony-Anhalt fulfils its legal obligation under the German Onlinezugangsgesetz (Online Access Act, OZG) to provide administrative services to citizens digitally.

Insured persons access the Formularcenter directly online via their individual customer account and apply for benefits for themselves or for their family members. The forms are largely pre-filled with the data the AOK already holds about the insured person. Integrated help functions, explanatory text, sample images of the attachments each application requires, and dynamic form behaviour prevent contradictory entries, make the application easier and help to check that the documents are complete. An upload function for the required attachments is also integrated.

These help functions support not only the insured but also the employees of AOK Saxony-Anhalt in processing the forms. After digital submission by the applicant, the forms are automatically forwarded to the oscare® core system. The AOK defines the routing for each form individually, so that, depending on the configuration, forms are automatically delivered to team mailboxes, to the electronic file (e-file) or to the oscare® APD for direct case creation.

The requirements for the application in terms of process flow, data flows and technical implementation were developed and refined by HBSN Consulting together with AOK Saxony-Anhalt. Programming and technical implementation were carried out by the xitee team. Operational monitoring of the system, customer support and maintenance of the “Formularcenter” web application are now handled by Health-IT Services, the third member of the HBSN group of companies, together with xitee.

Technologies: Angular 11, RxJS, Jasmine, JIRA, Confluence, Bitbucket, Apache httpd, Selenium, SonarQube

Six foundation blocks (version control, continuous integration, issue tracking, unit tests, reviews, code analysis) ensure the quality of the software and therefore of the product itself. The synergies between them provide transparency and maintainability, and together they form a toolkit for every individual software developer.

With version control, every modification of the code is documented traceably and every version can be restored at any time. This gives the development flexibility and allows a precise analysis of any errors that arise in the software.

A continuous integration (CI) system allows controlled builds of new software versions and gives developers continuous feedback about any errors that arise during the build. In addition, automatically collected metrics describing the state of the product can be generated and reported. Features and bugs, as well as milestones and project tasks, are managed in the issue tracking system (JIRA and/or Confluence). This makes development traceable and transparent from requirements analysis to delivery and allows relationships between individual tasks or features to be recorded.

The interaction between these three systems (version control, CI, issue tracker), and of the developers with them, provides additional benefits that raise product quality further. Changes need to be documented only once, since the version control, issue tracking and CI systems pass the modifications on automatically. Because of this automatic transfer to the issue tracking system, every change is assigned uniquely to one requirement, giving complete traceability for each action. Developers get quick feedback through the CI system, since every code change automatically produces a new software version.

Unit tests, integrated into the CI system, allow errors to be identified and debugged quickly while the software is still in development.

In addition, reviews ensure that at least two people have read and tested the code before a component is released for further testing.

MediService AG is a Swiss company in the healthcare and well-being sector, founded over 20 years ago. Its main areas of business are an online pharmacy and the treatment of chronically ill patients. Its services include prescription management (in cooperation with doctors and health insurers), online ordering and delivery of medication (including items only available outside Switzerland) and individual therapy for chronically ill patients in their own homes.

xitee developed and still maintains the web application Kundenkonto, which allows patients to create and track orders for medicines online. They can also maintain their contact details (e.g. delivery addresses) and their available prescriptions. The application was designed primarily for mobile devices.


Kundenkonto consists of two parts:

1. User part
   a. Registration process
   b. Login
   c. Password management
   d. E-shop operations
      i. Selection of a medicine based on a doctor’s prescription
      ii. Entering the quantity
      iii. Filling in the delivery address
      iv. Date of delivery
      v. Summary of the order
      vi. …
   e. Order management/history
   f. Notifications
   g. User data management
      i. E-mail
      ii. Address management

2. Administration part (designed for tablet)
   a. Registration (Login)
   b. User account management
   c. Administration and management of medical prescriptions

Technologies: Vaadin 10.0.4 (later migrated by xitee to Vaadin 14), Java 8, Tomcat 8.5, Maven 4.0.0, PostgreSQL 9.6, JIRA (Atlassian)

compass pflegeberatung GmbH is an independent subsidiary of the Association of Private Health Insurance (Verband der Privaten Krankenversicherung, PKV) that meets the care-advice needs of all privately insured persons and their relatives. Its telephone care advice is open to everyone who needs advice on care, free of charge and independent. Our team developed a completely new, modern web application that allows compass to provide and manage care consultancy in the most effective and user-friendly way.

xitee, together with HBSN Consulting GmbH, supported and accompanied compass throughout the entire project, from brainstorming a user-friendly and intuitive application, through the design of application scenarios and the elaboration of technical requirements, to the development of the new core application.


The goal of the project was to replace the existing application with a new, modern web and mobile application that improves the user experience and is more intuitive. The result is a browser-based application built on Java, Spring Boot, MS SQL and Docker.

The project was run in a hybrid project management model combining classic and agile practices. The core application was divided into individual functions that were specified jointly, taking into account the priorities set by compass; these formed the backlog of work packages. Development took place in defined sprints with the aim of delivering an increment after each sprint.

The core application is a completely new, individually developed piece of software designed specifically to meet the requirements and wishes of compass. It contains the complete documentation for care counselling under § 7a SGB XI and for counselling visits under § 37 paragraph 3 SGB XI.

The intuitive structure of the system guides the care counsellors through the entire process, from creating new clients in the master data to making appointments and conducting the counselling on site or by telephone. Its functions include comprehensive documentation, billing and invoice creation, sending faxes from the system and an associated document management system. A calendar function with Outlook synchronization is also integrated, as is an assessment.

Users get a user-friendly layout and operation both for work in the office (web application) and on the move (mobile). Access rights to the individual functions are implemented through a detailed role and authorization concept.

The new development took 15 months and went live on schedule in September 2020. Further development to integrate additional functions is planned for 2022.

Technologies: Spring Security, OAuth and JWT. The backend is in Java (Gradle, Spring Boot, Hibernate), the frontend in JavaScript and Angular. The API is documented with Swagger; Tomcat and Nginx serve the application. The database is an MS SQL DB cluster, with real-time search via Elastic.

Introduction 

Any information relating to an identified or identifiable natural person is personal data: a name, an address, a card number, even an IP address or a cookie ID. The EU’s General Data Protection Regulation (GDPR) tries to strike a balance between being strong enough to give individuals clear and tangible protection and flexible enough to allow for the legitimate interests of businesses and the public. Compliance with the GDPR is required whenever personal data is processed.

Data protection can be defined as legal control over access to and use of personal data; the GDPR itself speaks of “the protection of natural persons with regard to the processing of personal data”. It is, in essence, a set of laws, regulations and best practices governing the collection and use of personal data about individuals. Information security, by contrast, is the practice of defending information (physical and digital) from unauthorized access, use, modification or disruption.

At xitee we provide services to keep your data safe and secure.

Cyber-attacks on critical infrastructure such as hospitals are becoming more aggressive and more frequent. To reduce the risk to your solution, we offer penetration testing: we use the methods attackers typically use to identify vulnerabilities that would allow the system to be compromised, confidential information to leak or the availability of services to be impaired.

In addition, we recommend and provide a gap analysis to evaluate your processes, activities and procedures against the requirements of ISO/IEC 27001 and to identify the measures needed to achieve conformity with legal requirements and, optionally, certification.

Code review

Our source code review service aims to discover hidden vulnerabilities and design flaws and to verify that the key security controls are in place. We combine automated scanning tools with manual review to check coding practices, performance problems, security vulnerabilities such as injection flaws and cross-site scripting, security configuration rules, integrated libraries, etc.

The first step of a code review is an analysis of the application and the creation of a threat profile.

This is followed by an inspection of the code layout to develop a specific review plan for each application.

We then usually take a hybrid approach, performing automated scans as well as a manual code review.

Once the code is reviewed, you receive a final report containing the flaws found and suggested resolutions / steps for improvement.
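The two flaw classes named above, as an added example that is not code from xitee or from any of the projects on this page: each in the vulnerable form a reviewer would flag next to its hardened form, followed by the kind of crude pattern match the automated half of a hybrid review contributes. The attack inputs and the sample source it scans are constructed for this example, and all function names are hypothetical.

```javascript
// Added example (not code from xitee or its clients): SQL injection and
// cross-site scripting, each as the vulnerable form a reviewer flags next to
// its hardened form, plus a crude automated check of the kind a scanner
// contributes before a human rechecks the findings for false positives.

// ---- Injection: user input spliced into statement text ----

// Vulnerable: the value becomes part of the SQL grammar. A username of
// "' OR '1'='1" turns the WHERE clause into a tautology.
function findUserUnsafe(username) {
  return `SELECT id, email FROM users WHERE username = '${username}'`;
}

// Hardened: constant statement text, the value travels as a bound parameter
// (the same shape JDBC PreparedStatement and node-postgres use).
function findUserSafe(username) {
  return {
    text: "SELECT id, email FROM users WHERE username = $1",
    values: [username],
  };
}

// ---- Cross-site scripting: untrusted text rendered as HTML ----

const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Encode the five HTML metacharacters so the browser treats the value as text.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Vulnerable: any markup in `name` is interpreted by the browser.
function greetingUnsafe(name) {
  return `<p>Hello, ${name}</p>`;
}

// Hardened: the same output with the untrusted part escaped.
function greetingSafe(name) {
  return `<p>Hello, ${escapeHtml(name)}</p>`;
}

// ---- What the automated half of a hybrid review contributes ----

// Crude rule: a line that looks like SQL and also interpolates (`${`) or
// concatenates (`' + x`) something into it. Deliberately simple; it
// over-reports, which is why the findings go to a human for the manual recheck.
const SQL_INTERPOLATION = /\b(select|insert|update|delete)\b.*(\$\{|['"]\s*\+\s*\w)/i;

// Returns the 1-based line numbers (with text) that match the rule.
function scanForSqlInterpolation(sourceText) {
  return sourceText
    .split("\n")
    .map((text, i) => ({ line: i + 1, text: text.trim() }))
    .filter(({ text }) => SQL_INTERPOLATION.test(text));
}

// Constructed sample of reviewed code (not from any real project). Line 3 is
// a true finding. Line 5 is a false positive the manual pass would close: the
// interpolated value is a hard-coded table name, not user input. Line 6 is
// parameterized and is correctly not flagged.
const SAMPLE_SOURCE = [
  'const TABLE = "users";',
  "function byName(name) {",
  "  return db.query(`SELECT * FROM users WHERE name = '${name}'`);",
  "}",
  "const ALL = `SELECT * FROM ${TABLE}`;",
  'const safe = db.query("SELECT * FROM users WHERE name = $1", [name]);',
].join("\n");

// Runs every piece above against constructed attack inputs.
function demo() {
  const attack = "' OR '1'='1";
  const payload = "<img src=x onerror=alert(1)>";
  return {
    unsafeSql: findUserUnsafe(attack),
    safeSql: findUserSafe(attack),
    unsafeHtml: greetingUnsafe(payload),
    safeHtml: greetingSafe(payload),
    findings: scanForSqlInterpolation(SAMPLE_SOURCE).map((f) => f.line),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

Running the file prints the five results. The scanner reports lines 3 and 5 of the sample; only line 3 is a real flaw, which is the point of pairing automated scans with manual review rather than shipping the raw tool output as the report.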

Gap analysis audit

A gap analysis reveals strategic and operational gaps in your company that should be closed. The audit determines the maturity of your information security against the best-practice requirements of ISO/IEC 27001.

Our gap analysis audits evaluate your processes, activities and procedures against the requirements of ISO/IEC 27001:2013 and identify the measures needed to achieve conformity with legal requirements and, optionally, certification. Our structured best-practice model helps to protect confidential data, ensure the integrity of your operational data and increase the availability of your IT. The final report contains concrete recommendations.

Selected key audit areas according to ISO/IEC 27001:2013:

  • Context and leadership of the organization (management responsibilities, governance, guidelines)
  • Planning (including risk management)
  • Support (including resources, competence, communication and documentation)
  • Operation (operational planning and control)
  • Performance Evaluation (monitoring, internal audits, management evaluations)
  • Access control, cryptography and physical and environmental security
  • Development and maintenance of information systems
  • Security incident management
  • Business continuity management
  • Compliance
  • Continuous improvement

Penetration testing

A penetration test is a simulated cyber attack against a client’s computer system to check for exploitable vulnerabilities. In web application security, a penetration test complements preventive controls such as a web application firewall (WAF) by checking whether an attacker can get past them. The result is a report on the findings with recommended steps for improvement.

Complex IT systems collect and process data that could potentially be misused. Since some part of the system is usually exposed to the public (e.g. a web server), it is necessary to ensure that only authorized users can operate the system and that the security precautions in place do not allow an unauthorized person to access any of its components.

System security is evaluated by performing a simulated attack on the system. The test identifies vulnerabilities and the impact of a potential breach. Typical threats include system malfunction or overload caused by excessive use of components reachable from the public network (APIs, web forms, …), leakage of sensitive and personal data, and unauthorized access to restricted application functionality. The main types of penetration test are external, internal and physical.

Our approach to testing methodology:

  • PLANNING – Defining the subject and scope of the security audit
  • KICK-OFF – Workshop with the persons responsible for IT, information security and the operation of the affected IT systems
  • TESTING – Execution of the penetration test according to proven and established standards such as the OWASP Testing Guide, using proven, up-to-date tools together with supplementary manual analysis and rechecks (to eliminate false positives)
  • ANALYSIS AND REPORTING – Results report and presentation with prioritized recommended measures
  • OPTIONAL – Follow-up inspection

Benefits of penetration testing:

  • Testing and consulting by industry-experienced experts
  • Better assessment of current protection level of used IT systems
  • Assessment of established protection measures
  • Reduction of the liability risks arising from inadequate security of your systems
  • Evidence supporting compliance with regulatory requirements and established standards such as ISO/IEC 27001, industry-specific security standards and the GDPR
