You must protect the user's personally identifiable, sensitive and medical information. There are several measures you need to take to ensure that this type of information is secure:

  • Client-side caching must be free of personally identifiable, sensitive and medical information
  • Logging and error messages must be free of personally identifiable, sensitive and medical information
  • Protection of data in transit
  • Protection of data at rest (see data storage section)
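As an added example of the logging requirement above (not code from the guideline itself), the following Python filter scrubs personally identifiable information from log messages, their arguments and attached tracebacks before a line is written. The regular expressions and the SENSITIVE_KEYS set are illustrative assumptions; a real deployment tunes them to the identifiers the application actually handles, and the sample events at the bottom are constructed.

```python
import logging
import re

# Regular expressions for PII that commonly leaks into log lines. These three are
# illustrative assumptions for the example; a real deployment tunes them to the
# data the application actually handles (patient identifiers, policy numbers, ...).
PII_PATTERNS = {
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[\s.-]\d{3}[\s.-]\d{4}\b"),
}

# Keys whose values are dropped outright when a mapping is logged (hypothetical names).
SENSITIVE_KEYS = {"password", "token", "ssn", "dob", "diagnosis"}


def redact_text(text: str) -> str:
    """Replace every PII match with a typed placeholder so the line stays debuggable."""
    for name, pattern in PII_PATTERNS.items():
        text = pattern.sub(f"[REDACTED-{name.upper()}]", text)
    return text


def redact_mapping(data: dict) -> dict:
    """Blank sensitive keys entirely and scrub free text in the remaining values."""
    return {
        key: "[REDACTED]" if key.lower() in SENSITIVE_KEYS else redact_text(str(value))
        for key, value in data.items()
    }


class PIIRedactingFilter(logging.Filter):
    """Scrubs the message, its arguments and any attached traceback before formatting."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact_text(str(record.msg))
        if isinstance(record.args, dict):  # logger.info("%(user)s ...", {...})
            record.args = redact_mapping(record.args)
        elif record.args:
            record.args = tuple(
                redact_text(a) if isinstance(a, str) else a for a in record.args
            )
        if record.exc_info:
            # Exception messages (a failed DB insert echoing the row, for instance)
            # leak PII too. Pre-render the traceback so the formatter uses the
            # scrubbed text instead of formatting exc_info itself.
            record.exc_text = redact_text(
                logging.Formatter().formatException(record.exc_info)
            )
        return True


def render_log_line(msg: str, *args) -> str:
    """Push one record through the filter and a plain formatter; returns the final line."""
    record = logging.LogRecord("app", logging.INFO, __file__, 0, msg, args, None)
    PIIRedactingFilter().filter(record)
    return logging.Formatter("%(levelname)s %(message)s").format(record)


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO, format="%(levelname)s %(message)s")
    # Attach the filter to the handlers, not the logger: logger-level filters do not
    # see records propagated up from child loggers, handler-level filters do.
    for handler in logging.getLogger().handlers:
        handler.addFilter(PIIRedactingFilter())
    # Constructed sample events; nothing here is real user data.
    logging.info("password reset requested by %s", "jane.doe@example.org")
    logging.info("claim lookup for patient %(name)s, ssn %(ssn)s",
                 {"name": "J. Doe", "ssn": "123-45-6789"})
```

The filter keeps a typed placeholder rather than deleting the field, so an operator can still see that an email address was involved without the address itself reaching the log store. The same redaction functions can be reused for error messages returned to the client.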

For the protection of data in transit, you must ensure:

  • That it is implemented using industry standards (TLS)
  • That certificates are checked for validity and correct chaining
  • That only secure ciphers are used and no downgrade to less secure ciphers is allowed
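The three requirements above translate into a handful of client settings. As an added example (not code from the guideline), the Python block below builds a TLS client context that enforces certificate validation and chaining, refuses anything below TLS 1.2 and restricts TLS 1.2 to forward-secret AEAD suites; audit_context checks any context against those requirements, and build_permissive_context is the forbidden configuration kept only so the audit has something to flag. The WEAK_MARKERS list and the hostname used in connect_and_report are assumptions of this example.

```python
import socket
import ssl
from typing import List, Optional, Tuple

# Substrings that mark legacy or non-AEAD suites; any negotiable cipher containing
# one of them is reported by audit_context. Assumed list for this example.
WEAK_MARKERS = ("RC4", "MD5", "3DES", "CBC", "NULL", "EXPORT", "PSK", "ADH", "AECDH")

# OpenSSL cipher string for TLS 1.2: ECDHE key exchange (forward secrecy) with AEAD
# bulk ciphers only. TLS 1.3 suites are managed separately by OpenSSL and are AEAD
# by construction, so this string does not need to list them.
TLS12_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!PSK:!MD5:!RC4:!3DES"


def build_client_context(ca_file: Optional[str] = None) -> ssl.SSLContext:
    """Client context that refuses downgrades and unverified or mis-chained certificates."""
    # create_default_context loads the platform trust store (or the given bundle),
    # sets CERT_REQUIRED and enables hostname checking; versions and ciphers are
    # then tightened explicitly so the intent survives library default changes.
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # no downgrade to TLS 1.0/1.1 or SSL
    ctx.verify_mode = ssl.CERT_REQUIRED           # chain must build to a trusted root
    ctx.check_hostname = True                     # leaf must match the host being dialled
    ctx.options |= ssl.OP_NO_COMPRESSION          # compression leaks plaintext (CRIME)
    ctx.set_ciphers(TLS12_CIPHERS)
    return ctx


def build_permissive_context() -> ssl.SSLContext:
    """The configuration the guideline forbids; exists only to demonstrate the audit."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be cleared before verify_mode can be lowered
    ctx.verify_mode = ssl.CERT_NONE  # accepts self-signed, expired and mis-chained certs
    return ctx


def enabled_cipher_names(ctx: ssl.SSLContext) -> List[str]:
    """Names of every suite the context would offer in a ClientHello."""
    return [c["name"] for c in ctx.get_ciphers()]


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the list of guideline violations in a context; empty means compliant."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate verification disabled")
    if not ctx.check_hostname:
        findings.append("hostname check disabled")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("TLS below 1.2 permitted")
    weak = sorted(
        name for name in enabled_cipher_names(ctx)
        if any(marker in name for marker in WEAK_MARKERS)
    )
    if weak:
        findings.append("weak cipher suites enabled: " + ", ".join(weak))
    return findings


def connect_and_report(host: str, port: int = 443,
                       ca_file: Optional[str] = None) -> Tuple[str, str]:
    """Handshake with a live server and return (protocol version, negotiated cipher).

    Raises ssl.SSLCertVerificationError if the chain does not validate, which is
    the behaviour the guideline requires rather than something to catch and ignore.
    """
    ctx = build_client_context(ca_file)
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version(), tls.cipher()[0]


if __name__ == "__main__":
    print("hardened context findings:", audit_context(build_client_context()))
    print("permissive context findings:", audit_context(build_permissive_context()))
    # Network call; "example.org" is a placeholder host for this example.
    print(connect_and_report("example.org"))
```

The audit function is the useful piece for a code review or a CI check: run it against every SSLContext the application constructs, and treat a non-empty result as a build failure. A mobile app using a platform networking stack needs the equivalent settings (minimum protocol version, no user-added trust anchors, no hostname verification bypass) in its network security configuration rather than in Python, but the checklist is the same.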

On a mobile app, you need to ensure:

  • Keyboard caching is disabled on fields containing personally identifiable, sensitive and medical information
  • The clipboard is disabled on fields containing personally identifiable, sensitive and medical information
  • That personally identifiable, sensitive and medical information is removed from views when the app is sent to the background
  • No labels