Telehealth App Audit and Refactoring to Launch a HIPAA-Compliant MVP
About Our Customer
The Customer is a North American telemedicine provider suggesting an alternative to traditional insurance-based healthcare. The company offers a subscription-based telehealth service that provides 24/7 nationwide access to urgent virtual care from a network of medical professionals.
Extra Talents Needed to Launch the Platform on Time
The Customer had a nearly ready telehealth platform that required comprehensive auditing before entering the market. To meet the strict project timelines, the Customer needed to augment its in-house development team with additional talents. The outsourced experts were to meticulously review the code, enhance the codebase, fix bugs, and stabilize the features. So, the Customer was looking for a reliable IT outsourcing company with a strong collaborative culture to smoothly integrate new talents into the existing team and deliver a market-ready version of the platform on time.
Assembling the Team for Telehealth Software Assessment
ScienceSoft's 8 years of experience in custom telehealth software development and an 18-year track record in web portal and mobile development were the critical factors in the Customer's decision to choose us as a partner.
The Customer received six dedicated experts from ScienceSoft: a project manager, a business analyst, a QA engineer, a .NET developer, a Xamarin developer, and a front-end developer. The project’s overarching goal was to review and improve the source code of the Customer’s telehealth product, which comprised a web portal (including both the end user and the admin interface) and mobile apps (iOS and Android), sharing the same back end.
Audit Uncovered Code Flaws and HIPAA Noncompliance
The telehealth platform audit phase lasted one month. ScienceSoft’s team checked the following:
- Architecture scalability and flexibility.
- Source code coverage by unit tests.
- Source code quality.
- Potential security vulnerabilities in the code.
The audit uncovered several key problem areas. Namely, it revealed the low code quality that would hinder the product’s scalability, support, and future evolution. ScienceSoft’s auditors also found cases of noncompliance with HIPAA.
In the code review report, our experts developed two lists of recommendations — "Must Have" and "Nice to Have" — for each component of the telehealth software. We advised applying the Must Have changes before any further development or stabilization activities to avoid merge conflicts and inconsistencies. The report also provided estimations of the change implementation timelines and budget.
Web Portal: Audit Findings and Recommendations
While reviewing the web portal’s front end, ScienceSoft’s team discovered that the file architecture was hindering code interpretation, expansion, and modernization. We also spotted defects of high severity during unit testing. To improve the web portal’s source code quality, our specialists recommended code refactoring.
Based on the issues spotted in the server part and the admin interface, our team recommended a range of improvements:
- Removing hard-coded secrets from the code.
- Fully covering the source code with unit tests.
- Updating NuGet packages to the current versions.
- Updating ASP.NET Core 2.2 to version 3.1. The outdated version no longer received security updates, bug fixes, or new features, making it a potential vulnerability.
To increase the security and scalability of the product, ScienceSoft also advised establishing separate identity server applications communicating via an exposed API. In addition, the team suggested migrating and separating databases, using logs for simplified localization and debugging, applying a consistent code style, removing the commented code, and abandoning the long-length method.
Mobile Apps: Audit Findings and Recommendations
In our audit of the Customer’s iOS and Android mobile apps, we focused on the following aspects.
Architecture and build configuration
ScienceSoft’s team evaluated how the software build was split into multiple layers, tiers, and files, confirming that it followed relevant code and design patterns. We also reviewed the settings for app compilation and package, including aspects such as the target platform, libraries, and dependencies required for successful app execution.
We discovered non-optimized options in some configurations, outdated minimum supported OS versions, disabled Package References, and inconsistent resource naming. At the same time, we found that the build fully complied with Xamarin.Forms framework and the model-view-viewmodel (MVVM) architecture requirements. It was observed that the code followed common code patterns and techs but did not utilize the latest C# version. Additionally, while the OOP and Reactive Programming patterns were generally respected, some classes used public variables instead of properties.
ScienceSoft assessed code formatting, the use of hard-coded values, constants, and magic numbers, the grouping of similar values under an enumeration, the code comments, and if-else blocks. The evaluation also covered the use of framework features and custom code.
We found that the build did not adhere to custom code formatting policies and had violations of the default code formatting policies and the naming convention. The code had non-localized hard-coded dictionary keys and string values, magic numbers, numerous commented-out blocks, and missing enumerations. The C# features were not fully utilized. Yet, the code was free of redundant or incorrect use of conditional code branching blocks.
When evaluating the platform’s maintainability, the team checked:
- Code readability (using appropriate names for variables, classes, and functions).
- Testability (how easy the code is to test, unit test coverage).
- Debugability (using logs to find an issue's root cause).
- Configurability (keeping the configurable values in one place so that no code changes are required for configuration).
Our experts ranked the code readability above average. They also found that the code was not covered with unit tests, the logs were of low quality, and there were no configuration files.
ScienceSoft verified authentication, authorization, sensitive data encryption, and input data validation mechanisms. We discovered configurations with hardcoded sensitive data for connecting to third-party services, insecure storing of encrypted user passwords in the shared preferences, and the use of an unencrypted SQL database, which violated HIPAA compliance.
The team assessed exception handling and cleanup of resources. For the iOS app, our experts did not detect any memory leaks and found that most exceptions were handled correctly. For the Android app, they spotted memory leaks in the view models, empty catch blocks or only exception logging for the majority of exceptions, and several issues with HTTP-request-related exceptions.
ScienceSoft checked the code’s adherence to the Don’t Repeat Yourself principle. Small duplicate parts of the code were spotted in the extension classes, and some of the view models contained repeated code parts. However, the Dry principle was mostly respected.
ScienceSoft checked the ease of adding enhancements with minimal changes to the existing code and concluded that the apps had good potential for extension.
The team analyzed and evaluated the efficiency and speed of the apps’ operation. We detected no issues in the iOS app but found that the Android app did not use Startup Tracing or AOT compilation, which significantly decreased its loading speed.
ScienceSoft reviewed the extent of code covered by tests. No unit tests were found.
In the Android app, we detected a compile-time error in the release configuration related to the linker and a runtime error associated with an incorrect resource path.
Mobile Apps Improvement Recommendations
We provided the Customer with general and OS-specific recommendations on how to improve the apps. They included:
- Optimizing options for all build configurations.
- Switching from iOS 10 to iOS 13.
- Enabling Package Reference and third-party NuGet packages.
- Renaming resources according to the naming convention.
- Updating C# 8.0 to 10.0.
- Using .NET Standard 2.1 instead of 2.0.
- Encapsulating variables.
- Fixing the code formatting according to the default policy.
- Extracting dictionary keys in a separate file as constants.
- Externalizing strings.
- Extracting magic numbers to constants with explanatory names.
- Extracting hardcoded values into a separate Enum file.
- Removing the outdated commented code.
- Implementing a logging library, configuring log levels, and adding missing logs.
- Moving the common code into a separate method, and more.
Concerning the apps’ SQL database, we recommended checking the stored data and, if sensitive data is involved, using an encrypted database (e.g., SQLCipher or LiteDB) to eliminate HIPAA noncompliance.
Code Refactoring, Bug Fixing, and Feature Stabilization
Upon completing the audit phase, ScienceSoft’s developers proceeded with improving the codebase. According to the audit results, the full scope of the required changes had to cover code refactoring, bug fixing, and stabilization of the existing functionality. Based on our estimates, all the activities would take 9 months.
Mindful of the narrow project timelines, the Customer requested ScienceSoft to deliver a minimum viable product in two months. Instead of overhauling the entire codebase, we focused on code refactoring. Our team conducted targeted code restructuring to enhance its readability, maintainability, and scalability. It involved changes to the code organization and design patterns, such as the Single Responsibility Principle and Dependency Injection. Alongside these improvements, we fixed the high-priority defects revealed during the audit and stabilized and evolved the core features to meet HIPAA compliance requirements. The project was completed in three sprints, each lasting three weeks, to fit into the timelines set by the Customer.
Successful Delivery of the Telehealth Platform MVP
In just three months, ScienceSoft’s experts helped the Customer review the code, optimize the codebase, and deliver a high-quality MVP of a HIPAA-compliant telemedicine product ready for market entry. During our cooperation, the Customer also reassessed the skills of its in-house development team, leading to a more effective allocation of resources.