HIPAA Compliant Software Development Checklist for 2023
One of the most important obligations for healthcare software developers is adherence to the Health Insurance Portability and Accountability Act (HIPAA). This law protects individually identifiable health information. Anyone who operates or invests in a medical business knows about it, yet failure to follow its rules correctly carries very unforgiving consequences: last year, millions of dollars in fines were issued for breaches of health information privacy. How can you ensure that your product is compliant with HIPAA?
There is a good reason why these measures are in place. Rising demand for health records on dark web markets has led to a wave of breaches.
In the cases that drew fines, companies had failed to reasonably and appropriately maintain the confidentiality, integrity, and availability of ePHI. Combined with insufficient hardware and software controls, this left healthcare businesses facing millions of dollars in fines for the breaches that followed.
As HIPAA-compliant software developers, we at MobiDev want to ensure that you know how to make your product compliant with HIPAA rules so that these devastating data breaches do not happen to you and your customers. To that end, we are making our latest resource, the HIPAA Compliance Checklist 2022, available to you.
How to Develop HIPAA Compliant Web or Mobile Healthcare Apps
The work needed to make existing medical software HIPAA-compliant, or to build compliant software from scratch, depends on your goals and on how sensitive data is stored and transmitted. The seven general points below cover how the main requirements can be met.
1. Transport Encryption
Any ePHI (electronic Protected Health Information) must be encrypted before it is transmitted. HIPAA-compliant software keeps health data encrypted in transit, and the first step is to serve everything over HTTPS, that is, HTTP over TLS (the protocol still commonly called SSL). Your public or private cloud provider should let you configure TLS so that only strong protocol versions and cipher suites are offered, in line with a HIPAA-compliant hosting checklist. HTTPS must cover every page that collects or displays health data, as well as login pages, and there must be no alternate non-secure (plain HTTP) versions of those pages: plain-HTTP requests should redirect to HTTPS, and the site should send an HSTS header so browsers never fall back.
Validate that HTTPS is set up properly: the certificate chain is valid and not expired, legacy protocol versions (SSL 3.0, TLS 1.0 and TLS 1.1) are disabled, and TLS 1.2 or 1.3 is negotiated. Re-check after every certificate renewal and infrastructure change, since the defaults of a new server or load balancer may differ from what you hardened before.
Passwords must never be stored in plaintext, and a plain hash is not enough either: store them as salted, deliberately slow hashes (PBKDF2, bcrypt, scrypt or Argon2id) so that a leaked database cannot be cracked quickly. Password transmission is protected by TLS, not by hashing on the client; hashing in the browser and sending the hash simply turns the hash into the password. Together with enforced password length and complexity, this prevents the most common credential-compromise events. We cover HIPAA compliance for WordPress-based websites in a separate article.
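Password storage as described above, as an added example written for this article (not code from the original page or from MobiDev), using only the Python standard library. PBKDF2-HMAC-SHA256 is chosen because it ships with `hashlib`; the 600,000-iteration default follows current OWASP guidance for that algorithm, and the `algorithm$iterations$salt$digest` record format is an assumption of this example.

```python
import hashlib
import hmac
import os

# OWASP (2023) recommends 600 000 iterations for PBKDF2-HMAC-SHA256. Raise it over
# time; needs_rehash() below lets you migrate stored hashes transparently on login.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest (hex fields)."""
    salt = os.urandom(SALT_BYTES)                       # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        algorithm, iterations, salt_hex, digest_hex = stored.split("$")
        salt, digest = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
        iterations = int(iterations)
    except ValueError:
        return False                                    # malformed record, never a match
    if algorithm != ALGORITHM:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, digest)       # no early exit on first mismatch


def needs_rehash(stored: str, min_iterations: int = ITERATIONS) -> bool:
    """True if the record is below current policy; call after a successful login
    and store hash_password(password) to upgrade it while you still have the password."""
    try:
        algorithm, iterations, _, _ = stored.split("$")
        return algorithm != ALGORITHM or int(iterations) < min_iterations
    except ValueError:
        return True
```

Login flow: `verify_password` first; on success, if `needs_rehash` is true, write a new record immediately. Never store or log the plaintext, and rate-limit the login endpoint, since a slow hash protects a leaked database but does nothing against online guessing.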
2. Backup and Storage Encryption
Most hosting providers offer backup and recovery services so that data is not lost in an accident or emergency. Backups must be taken regularly, stored encrypted, and accessible to authorized staff only; restore procedures should also be tested, because a backup that cannot be restored does not satisfy the availability requirement.
When dealing with sensitive PHI, ensure that it is available to authorized personnel only. This covers all data stored in your software system: databases, backups, and even logs (which should not contain PHI in the first place, or must be protected to the same standard). The data may end up in locations outside your control, such as a server shared with other customers of the same hosting provider. Should that server be compromised, the data must remain encrypted and unreadable without the keys.
For this purpose we apply industry-approved encryption using AES and RSA with strong keys (256-bit keys for AES, and at least 4096-bit keys for RSA). The two play different roles: AES, in an authenticated mode such as AES-GCM, encrypts the data itself, while RSA is used only to wrap (encrypt) the per-record or per-table AES keys, so that the private key can live in a key management service or HSM rather than on the application server. PostgreSQL's pgcrypto extension, which encrypts individual columns, or encrypted volumes underneath the database, can be an alternative for column- or disk-level encryption; keep the key outside the database either way.
We also use managed databases in the public cloud with encryption at rest enabled, for example Amazon Relational Database Service (RDS) or Cloud SQL on Google Cloud Platform, where the storage keys are held in the provider's key management service and every use of them is logged.
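The AES-256 plus RSA scheme described above, in envelope-encryption form, as an added example written for this article (not code from the original page or from MobiDev). It assumes the `cryptography` package is installed. The RSA-4096 key pair is generated in-process here as a stand-in for a key held in a KMS or HSM. The same block also shows the disposal point made later on this page: destroying the key encryption key (crypto-shredding) makes every record and every backup copy encrypted under it unreadable at once.

```python
import os
from dataclasses import dataclass

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

# RSA-OAEP with SHA-256 for wrapping the per-record data keys (never for bulk data).
OAEP = padding.OAEP(mgf=padding.MGF1(hashes.SHA256()), algorithm=hashes.SHA256(), label=None)


@dataclass(frozen=True)
class EncryptedRecord:
    wrapped_dek: bytes   # the record's AES-256 key, encrypted to the KEK public key
    nonce: bytes         # 96-bit GCM nonce; unique per DEK, so per record here
    ciphertext: bytes    # AES-256-GCM output, authentication tag included
    aad: bytes           # record context bound to the ciphertext (not secret)


class KeyEncryptionKey:
    """Stand-in for an RSA-4096 key pair held in a KMS or HSM. The application only
    ever needs the public half to encrypt; unwrapping happens where the private key
    lives, and destroying that key is how a whole data set is retired."""

    def __init__(self, bits: int = 4096):
        self._private = rsa.generate_private_key(public_exponent=65537, key_size=bits)
        self.public = self._private.public_key()

    def unwrap(self, wrapped_dek: bytes) -> bytes:
        if self._private is None:
            raise KeyError("key encryption key has been destroyed")
        return self._private.decrypt(wrapped_dek, OAEP)

    def destroy(self) -> None:
        """Crypto-shredding: with the KEK gone, every DEK wrapped under it, and so
        every record and backup encrypted with those DEKs, is permanently unreadable."""
        self._private = None


def encrypt_record(kek_public, plaintext: bytes, aad: bytes) -> EncryptedRecord:
    dek = AESGCM.generate_key(bit_length=256)           # fresh AES-256 key per record
    nonce = os.urandom(12)
    ciphertext = AESGCM(dek).encrypt(nonce, plaintext, aad)
    return EncryptedRecord(kek_public.encrypt(dek, OAEP), nonce, ciphertext, aad)


def decrypt_record(kek: KeyEncryptionKey, rec: EncryptedRecord) -> bytes:
    """Raises KeyError if the KEK was destroyed, InvalidTag if ciphertext or AAD changed."""
    dek = kek.unwrap(rec.wrapped_dek)
    return AESGCM(dek).decrypt(rec.nonce, rec.ciphertext, rec.aad)


def is_intact(kek: KeyEncryptionKey, rec: EncryptedRecord) -> bool:
    """True only if the record decrypts under its original context with a live KEK."""
    try:
        decrypt_record(kek, rec)
        return True
    except (KeyError, InvalidTag):
        return False


if __name__ == "__main__":
    kek = KeyEncryptionKey()                            # 4096-bit; takes a few seconds
    rec = encrypt_record(kek.public, b"patient 42: HbA1c 7.1%", b"patient-id:42")
    print(decrypt_record(kek, rec))
    kek.destroy()
    print("readable after shredding:", is_intact(kek, rec))
```

Binding the patient identifier as AAD means a ciphertext copied from one patient's row into another's fails to decrypt, which is a class of tampering that plain disk encryption does not catch. In production the `KeyEncryptionKey` methods map onto KMS `Encrypt`/`Decrypt`/`ScheduleKeyDeletion`-style calls, and the wrapped DEK is stored next to the ciphertext.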
3. Identity and Access Management
Identity and access management is essential for maintaining HIPAA compliance. Every user must have a unique user ID; passwords must be strong and never shared among employees, since shared accounts make audit trails meaningless. HIPAA has strict rules about the level of security required to ensure the privacy and protection of user data.
System logs are an important part of HIPAA compliance. The system must write access and event logs that record every login attempt (successful or not), every read of PHI, and every change made to it, with who, when, and from where. The logs themselves must be protected from tampering and retained, as the audit controls standard requires.
To ensure that only authorized users can access sensitive data, two-factor (or multi-factor) authentication should be required, combining something the user knows (a password) with something they have (an authenticator app or hardware key) or something they are (a biometric). SMS codes are the weakest second factor, since they can be intercepted or redirected through SIM swapping.
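The authenticator-app second factor mentioned above is time-based one-time passwords (RFC 6238 TOTP over RFC 4226 HOTP). The following is an added example written for this article, not code from the original page or from MobiDev; it uses only the Python standard library. The drift window of one step and the replay-protection scheme (persisting the last accepted counter per user) are design choices of this example.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional, Tuple

STEP_SECONDS = 30
DIGITS = 6


def new_secret(raw: Optional[bytes] = None) -> str:
    """Base32 secret to provision into an authenticator app (via an otpauth:// QR code).
    It is a long-term shared key: store it encrypted server-side, never log it."""
    return base64.b32encode(raw if raw is not None else secrets.token_bytes(20)).decode("ascii")


def hotp(secret_b32: str, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    key = base64.b32decode(secret_b32, casefold=True)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at: Optional[int] = None, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / 30)."""
    now = int(time.time()) if at is None else at
    return hotp(secret_b32, now // STEP_SECONDS, digits)


def verify_totp(secret_b32: str, code: str, last_counter: int = -1,
                at: Optional[int] = None, window: int = 1) -> Tuple[bool, int]:
    """Accept the current step and +/- `window` steps to tolerate clock drift, but never
    a counter at or below the last one accepted for this user, so a code that was
    phished or shoulder-surfed cannot be replayed. Returns (accepted, counter_to_persist)."""
    now = int(time.time()) if at is None else at
    current = now // STEP_SECONDS
    for delta in range(-window, window + 1):
        counter = current + delta
        if counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret_b32, counter), code):
            return True, counter
    return False, last_counter
```

Persist the returned counter on success and pass it back as `last_counter` on the next attempt. Six digits and a three-step window leave roughly one chance in 333,000 per guess, so the verification endpoint must also be rate-limited and lock after a handful of failures.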
At the same time, clinicians need to reach this data quickly. To stay secure while providing data on demand, the healthcare industry is adopting technologies such as biometrics and single sign-on (SSO).
Single sign-on lets users authenticate once and then reach a set of applications and websites during a single session without signing in again, typically through SAML or OpenID Connect against a central identity provider. This helps healthcare professionals who need access to patient data across an ecosystem of apps and sites quickly and efficiently without sacrificing the privacy of institutional data. SSO concentrates risk in the identity provider, so the provider itself must enforce MFA, and sessions still need idle and absolute timeouts: automatic logoff is an addressable specification of the HIPAA Security Rule.
Biometric authentication is also popular because a fingerprint, face, or voice is unique to the person. These technologies do, however, require anti-spoofing measures: liveness detection counters attempts to present a photo, recording, or mould of another person's biometric. Multimodal biometric authentication requires more than one biometric at once, which makes it harder still for an attacker to defeat healthcare security and helps ensure HIPAA compliance. A biometric template is itself sensitive and cannot be rotated like a password, so keep templates on the device or in a dedicated secure enclave rather than in the application database.
Attribute-based access control (ABAC) is a way of resolving the complications of user role management. Access to locations, apps, and other resources is granted dynamically and contextually according to policies written over attributes of the subject (role, department, employment status), the resource (patient, sensitivity, owning department) and the environment (time, location, device), instead of a fixed mapping of users to permitted actions. Individual attributes are far more flexible, especially as organizational rules change over time, and they resolve the role explosion and overlap problems of traditional role-based authorization.
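A minimal ABAC policy engine in the style described above, as an added example written for this article (not code from the original page or from MobiDev). The four rules, the attribute names, and the deny-overrides combining algorithm are constructed for illustration and are not drawn from any real hospital policy; the point is that the same engine handles a patient, a treating clinician, an off-shift emergency, and a restricted record without a role for each combination.

```python
from dataclasses import dataclass, field
from typing import Any, Callable, Dict, List


@dataclass
class Request:
    subject: Dict[str, Any]                          # who: roles, department, patient_id ...
    action: str                                      # read, write, export ...
    resource: Dict[str, Any]                         # what: patient_id, department, restricted ...
    env: Dict[str, Any] = field(default_factory=dict)  # context: on_shift, break_glass_reason ...


@dataclass
class Rule:
    name: str
    effect: str                                      # "permit" or "deny"
    when: Callable[[Request], bool]
    obligations: List[str] = field(default_factory=list)  # what the app must do if this rule decides


@dataclass
class Decision:
    effect: str
    rule: str            # which rule decided; goes into the audit log as the reason
    obligations: List[str]


def has_role(r: Request, role: str) -> bool:
    return role in r.subject.get("roles", ())


# Constructed example policy (hypothetical attribute names, not from the article).
POLICY = [
    Rule("restricted-record-requires-privacy-officer", "deny",
         lambda r: bool(r.resource.get("restricted", False)) and not has_role(r, "privacy_officer")),
    Rule("patient-reads-own-record", "permit",
         lambda r: r.action == "read" and r.subject.get("patient_id") is not None
         and r.subject.get("patient_id") == r.resource.get("patient_id")),
    Rule("treating-clinician-on-shift", "permit",
         lambda r: r.action in ("read", "write") and has_role(r, "clinician")
         and r.subject.get("department") == r.resource.get("department")
         and bool(r.env.get("on_shift", False))),
    Rule("break-glass-emergency-access", "permit",
         lambda r: r.action == "read" and has_role(r, "clinician")
         and bool(r.env.get("break_glass_reason")),
         obligations=["log-justification", "alert-privacy-officer"]),
]


def decide(req: Request, policy: List[Rule] = POLICY) -> Decision:
    """Deny-overrides combining: every rule is evaluated, any matching deny wins,
    otherwise the first matching permit, otherwise default deny."""
    permit = None
    for rule in policy:
        if not rule.when(req):
            continue
        if rule.effect == "deny":
            return Decision("deny", rule.name, [])
        permit = permit or rule
    if permit is not None:
        return Decision("permit", permit.name, list(permit.obligations))
    return Decision("deny", "default-deny", [])
```

Two properties matter in practice: the default is deny, so a request no rule anticipated is refused rather than allowed, and the decision carries the rule name and obligations, so the break-glass path cannot be used without the justification being logged and reviewed.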
4. Data Integrity
It is absolutely necessary to ensure that the information you collect, store, and transfer is protected from being damaged or altered in any undesirable way, intentionally or not. The first step is to make sure that your system can immediately detect and report unauthorized tampering with stored or transmitted data, even if only a single field has changed. This is done by computing a message authentication code or digital signature over every record stored or transmitted and verifying it on read: TLS already provides this for data in transit, while stored records and audit logs need their own MAC or signature (a service-held HMAC key where one trusted party both writes and verifies, or an asymmetric signature such as PGP/OpenPGP where the verifier must not be able to forge entries). Then the entire system has to be designed and built so that unauthorized access to the data is prevented in the first place.
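A tamper-evident audit log that covers both the logging requirement in section 3 and the integrity requirement above, as an added example written for this article (not code from the original page or from MobiDev), using only the Python standard library. Each entry carries an HMAC over its content and the hash of the previous entry, so editing, deleting, inserting, or re-ordering entries is detected; the field names and the sample entries are constructed for the example, and the MAC key is assumed to be held outside the application database.

```python
import hashlib
import hmac
import json
import time
from typing import Any, Dict, List, Optional

GENESIS = "0" * 64   # "previous hash" of the first entry


def _canonical(entry: Dict[str, Any]) -> bytes:
    """Deterministic JSON so the MAC covers exactly what is stored."""
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode("utf-8")


def _entry_hash(entry: Dict[str, Any]) -> str:
    return hashlib.sha256(_canonical(entry)).hexdigest()


class AuditLog:
    """Append-only log where each entry carries the hash of the previous entry and an
    HMAC over its own content. The MAC key must not be readable by the users or DBAs
    whose actions are being logged: keep it in a KMS or a separate logging service."""

    def __init__(self, mac_key: bytes):
        self._key = mac_key
        self.entries: List[Dict[str, Any]] = []
        self.head = GENESIS          # hash of the latest entry; anchor it externally

    def append(self, actor: str, action: str, target: str, outcome: str,
               at: Optional[int] = None) -> Dict[str, Any]:
        body = {
            "ts": int(time.time()) if at is None else at,
            "actor": actor,          # unique user ID, never a shared account
            "action": action,        # login / read / update / export ...
            "target": target,        # identifier of the PHI touched, not the PHI itself
            "outcome": outcome,
            "prev": self.head,       # link to the previous entry
        }
        body["mac"] = hmac.new(self._key, _canonical(body), hashlib.sha256).hexdigest()
        self.entries.append(body)
        self.head = _entry_hash(body)
        return body


def verify_chain(entries: List[Dict[str, Any]], mac_key: bytes,
                 expected_head: Optional[str] = None) -> Optional[int]:
    """Return the index of the first bad entry (modified, re-ordered, inserted or removed),
    len(entries) if the log was truncated at the end (only detectable when the externally
    anchored head hash is supplied), or None if everything checks out."""
    prev = GENESIS
    for i, entry in enumerate(entries):
        body = {k: v for k, v in entry.items() if k != "mac"}
        if body.get("prev") != prev:
            return i
        expected = hmac.new(mac_key, _canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, str(entry.get("mac", ""))):
            return i
        prev = _entry_hash(entry)
    if expected_head is not None and prev != expected_head:
        return len(entries)
    return None
```

The chain alone cannot detect someone deleting the newest entries, which is why `head` should be shipped periodically to a location the application cannot write to (a WORM bucket or a separate log service) and passed back as `expected_head` during verification. Note that the entries hold patient identifiers, not clinical content, so the log itself does not become a second copy of the PHI.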
The measures mentioned above, like regular backup, encryption, access authorization with proper user roles and privileges, as well as restriction of physical access to the infrastructure, are a big factor in making your medical software HIPAA-compliant.
5. Blockchain
Blockchain has significant advantages for healthcare information security:
- Decentralization: No single semi-trusted third party has to be relied upon to keep the record.
- Security: A distributed ledger has no single point of failure, and an attacker, insider or not, cannot silently rewrite history without controlling a majority of the network.
- Pseudonymity: Nodes transact under pseudonymous addresses rather than real identities, although pseudonymity is not anonymity, and patterns of transactions can still be linked to a person.
- Immutability: Once a block is buried under later blocks, altering it requires recomputing every subsequent hash and winning consensus, which is computationally infeasible in practice.
- Autonomy: Patients own the rights to their data and can choose when and with whom to share it.
- Incentive mechanisms: The incentive mechanism of a blockchain can let competing organizations that would not otherwise cooperate work together on medical services and research.
- Auditability: Every transaction is recorded on the ledger, giving accountability and transparency.
Because a blockchain relies on a decentralized, distributed system secured by cryptography and consensus rules, trust is placed in the protocol rather than in a single administrator.
Data is recorded in a public or permissioned ledger that every node in the network can read at any time, which gives the transparency that builds trust and accountability, particularly in an audit. For the same reason, PHI itself must never be written to the ledger: the immutable record should hold only hashes, pointers and consent entries for off-chain encrypted data, otherwise the data can never be corrected or deleted, and on a public chain it would be readable by everyone.
However, blockchain-based EHR systems have limitations for secure data storage. The most common are:
- High variability among medical records storage systems
- Non-uniform data structures
- High costs of storing data within the network
6. Data Disposal
Backed-up and archived data must have an expiry date and be permanently disposed of when it is reached; the same applies to the decryption keys. Assume that every location the data is transmitted to may be making backups or copies of it, so disposal must cover those copies as well. Destroying the key that protects a data set (crypto-shredding) is the practical way to make every copy, including backups you can no longer reach, unreadable. Whenever you decommission a server, its data must be disposed of as well to maintain healthcare data security and HIPAA compliance.
7. Business Associate Agreement
The final key to HIPAA-compliant software: ePHI should be hosted only on the servers of a company with which a Business Associate Agreement (BAA) has been signed; otherwise it should be hosted on secure in-house servers. Many general-purpose hosting providers are not familiar with HIPAA and may be unwilling to take on the risk of signing such an agreement, which may conflict with their own business processes.
We recommend that a healthcare organization use cloud storage only with the most trusted HIPAA-compliant providers*, such as:
* !! Please be aware that Apple’s iCloud is not HIPAA-compliant !!
A Business Associate Agreement must be in place with every vendor that handles your sensitive health data, not only the hosting provider.
Case Study: HIPAA Compliant App Development For A US Healthcare Enterprise
MobiDev's team was asked to create a cross-platform healthcare mobile and web application. The objective was to support patient-doctor interactions and let the two sides exchange data. To do this, our team balanced speed and compatibility using native-like features, HealthKit/GoogleHealth integrations, live chat, and more. Being a complex app, it allowed for the analysis and management of information at the scale hospitals need, which enabled integration with EHR systems.
The app needed to fulfil two primary functions, a portal for patients and doctors and a management and analytics module, together with hospital-level integration. To achieve this, the client's in-house team took part in developing the integrations and managing the database.
While our team worked on test and anonymized data, the client's team worked on the bridging and provided MobiDev with the data structure. Synchronization between the teams was essential to create a reliable solution that would work with different Electronic Health Record (EHR) systems. Developing against anonymized data also keeps real PHI off developer workstations and out of test environments, which would otherwise need the same controls as production.
Amazon Web Services (AWS), which offers a BAA and a list of HIPAA-eligible services, was used to make the app reliable and secure. Although this was the right fit here, some hospitals prefer local servers for data storage and operation, and we worked with their support teams to ensure that the app fit their needs. To secure the data on AWS, our team used an encrypted RDS instance.
Data in transit and event handling also needed protection, which MobiDev's team addressed with encrypted ElastiCache (TLS in transit and encryption at rest for the cache). Front-end security features were added as well, such as cache restrictions in the browser (Cache-Control: no-store on responses that contain PHI), which prevents the browser from keeping cached copies of x-ray images on disk.
Browser autocomplete and search history were also restricted so that personal patient data such as names and emails are not saved locally. OAuth2 and JSON Web Tokens (JWT) were used to protect user authentication.
COVID-19, Telemedicine, and HIPAA in 2021
During the COVID-19 public health emergency, the HHS Office for Civil Rights (OCR) relaxed HIPAA enforcement. Its Notification of Enforcement Discretion allows health care providers to use less regulated consumer communication tools such as FaceTime, Zoom, Facebook Messenger, Google Hangouts, and Skype for the good-faith provision of telehealth, even though those tools would not otherwise be HIPAA-compliant.
Many waivers remain in effect for the duration of the public health emergency (PHE), and they are tied to it: once the PHE ends, providers are expected to return to HIPAA-compliant, BAA-backed platforms. There are signs that telehealth will become more deeply integrated into the healthcare industry, but regulation makes developing solutions that let providers serve patients online more difficult.
HIPAA compliance is essential to protect institutional healthcare data and to avoid steep regulatory fines. It is better to get ahead of the game and design systems with HIPAA requirements in mind from the start, since retrofitting encryption, audit logging and access control into a finished product is far more expensive. Working with a developer like MobiDev that already has experience building HIPAA-compliant healthcare software may be the right choice for adhering to government regulations and protecting user data.