How We Ensure HIPAA-Compliant Software Development

January 13, 2017
7 Security Rules To Make Your Software HIPAA-Compliant

The Health Insurance Portability and Accountability Act is an official document that protects private health information. It should be well known to every medical professional who runs their business online. At MobiDev, we have comprehensive experience in software development for healthcare—and we'd love to share some insights with you.


What are the minimal requirements that make your software HIPAA-compliant?



HIPAA Security Rule #1: Data Transmission Encryption

1. Transport Encryption

Any ePHI (electronic Protected Health Information) must be encrypted before being transmitted.




HIPAA Security Rule #2: Data Backup

2. Backup

It must be possible to back up ePHI and restore it for recovery when needed.



HIPAA Security Rule #3: ePHI Access Authorization

3. Authorization

ePHI can be accessed only by authorized staff.



HIPAA Security Rule #4: ePHI Integrity

4. Integrity

ePHI must not be subject to unsanctioned changes.



HIPAA Security Rule #5: Data Storage Encryption

5. Storage Encryption

Stored ePHI should be encrypted.



HIPAA Security Rule #6: Data Disposal

6. Disposal

When ePHI is no longer needed, it must be possible to dispose of it safely and permanently.



HIPAA Security Rule #7: Business Associate Agreement

7. Business Associate Agreement

The final key to HIPAA-compliant software: ePHI should be hosted on the servers of a company with which a Business Associate Agreement has been signed. Otherwise, it should be hosted on secure in-house servers.



Does generic software meet the HIPAA requirements?


1. Transport Encryption

No. Data is not encrypted before or during transmission.


2. Backup

Maybe. Most web hosting providers offer backup and restoration features.


3. Authorization

Maybe. It depends on the features of your medical software.


4. Integrity

No. There is no guarantee that data has not been modified.


5. Storage Encryption

No. Stored data is not encrypted.


6. Disposal

Maybe. It depends. Some hosting providers store backups indefinitely.


7. Business Associate Agreement

No. Most hosting providers are not familiar with HIPAA. They may not be willing to take on the risk of signing such an agreement, which might contradict their own business processes.


As you can see, if your software wasn't created with privacy and security by design—or accordingly updated—it will fail at meeting HIPAA requirements.


How to ensure HIPAA compliance in website design and app development?


The means of making your medical software HIPAA-compliant—or building it from scratch—depend on your goals and on the way sensitive data is stored and transmitted. However, we can outline general thoughts on how these requirements can be met:


HIPAA Security Rule #1: Data Transmission Encryption

Transport Encryption


HIPAA-compliant software keeps sensitive health data encrypted in transit, and the first step is to secure it with SSL/TLS and HTTPS. Your hosting provider should let you configure SSL/TLS to use strong encryption methods. HTTPS must protect the pages that collect or display health data as well as the login pages, and there must be no alternate non-secure versions of these pages. What's more, where there are client-server data transmissions, i.e. data is sent in the body of POST requests, it can be encrypted on the sender's side and decrypted on the receiver's side, which protects the transmission from man-in-the-middle attacks. Passwords can be transmitted and stored in the form of hash values rather than in plaintext; together with strong, complex passwords, this helps prevent them from being compromised. In this way the HIPAA requirement for securing user-website communication is met.
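As an added example (not code from the article or from MobiDev), the two server-side pieces the paragraph asks for in Go: a TLS policy restricted to strong, modern settings, and a wrapper that leaves no reachable non-secure version of a page by redirecting plain HTTP to HTTPS and sending HSTS. The ports, the `/login` route and the `cert.pem`/`key.pem` file names are placeholders.

```go
package main

import (
	"crypto/tls"
	"net/http"
)

// StrongTLSConfig is the server's TLS policy: TLS 1.2 or newer only, with
// AEAD cipher suites (TLS 1.3 suites are always AEAD and cannot be disabled).
func StrongTLSConfig() *tls.Config {
	return &tls.Config{
		MinVersion: tls.VersionTLS12,
		CipherSuites: []uint16{
			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
			tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
		},
	}
}

// HTTPSOnly redirects every plain-HTTP request to the HTTPS origin and adds
// HSTS to every HTTPS response, so login and patient-data pages have no
// non-secure alternate. (Behind a TLS-terminating proxy you would check the
// proxy's forwarded-protocol header instead of r.TLS.)
func HTTPSOnly(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.TLS == nil {
			target := "https://" + r.Host + r.URL.RequestURI()
			http.Redirect(w, r, target, http.StatusMovedPermanently)
			return
		}
		w.Header().Set("Strict-Transport-Security", "max-age=31536000; includeSubDomains")
		next.ServeHTTP(w, r)
	})
}

func main() {
	mux := http.NewServeMux()
	mux.HandleFunc("/login", func(w http.ResponseWriter, r *http.Request) { w.Write([]byte("login page")) })
	srv := &http.Server{Addr: ":443", Handler: HTTPSOnly(mux), TLSConfig: StrongTLSConfig()}
	go http.ListenAndServe(":80", HTTPSOnly(mux)) // the plain port only ever redirects
	// cert.pem / key.pem stand for the certificate and key your provider issues.
	srv.ListenAndServeTLS("cert.pem", "key.pem")
}
```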


HIPAA Security Rule #2: Data Backup

Backup


Most hosting providers offer backup and recovery services, so data will not be lost in case of accident or emergency. If your web product sends data elsewhere (e.g. via email), those messages should be backed up, stored securely, and accessible to authorized staff only.


HIPAA Security Rule #3: ePHI Access Authorization

Authorization


Authorization can be set up by our web team that builds or upgrades your medical software: audited access controls and secure logins ensure that sensitive data can be accessed only by authorized personnel. If the hosting provider can access it, the question of a HIPAA Business Associate Agreement arises.


HIPAA Security Rule #4: ePHI Integrity

Integrity


It is absolutely necessary to ensure that the information you collect, store, and transfer is protected from being damaged or altered in an undesired way, whether intentionally or unintentionally. The first necessary step is to make sure your system can immediately detect and report any unauthorized tampering with data, even if only a single bit has changed. In website development this is achieved by digitally signing and then verifying every piece of data stored or transmitted in the system, using such means as PGP, SSL, etc. Beyond that, the entire system has to be designed and built in a way that prevents any unauthorized access to the data.


The measures mentioned above, such as regular backups, encryption, access authorization with proper user roles and privileges, and restriction of physical access to the infrastructure, go a long way toward making your medical software HIPAA-compliant. One step further is to design the software UI so that it prevents input of invalid data, or at least helps detect and correct the most typical mistakes.
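The sign-then-verify pattern from the integrity section, as an added example in Go rather than the article's own code: each record is serialised canonically, signed with Ed25519 (stdlib, used here in place of the PGP/SSL tooling the text names), and re-verified on read, so a single flipped bit in any field is detected. The `Record` type and its sample values are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// Record is a constructed ePHI record. encoding/json writes struct fields in
// declaration order, so Marshal gives a canonical byte string to sign.
type Record struct {
	PatientID string `json:"patient_id"`
	Diagnosis string `json:"diagnosis"`
	UpdatedAt string `json:"updated_at"`
}

// SignRecord signs the canonical bytes with Ed25519; the signature is stored
// beside the record (or sent along with it).
func SignRecord(priv ed25519.PrivateKey, r Record) ([]byte, error) {
	msg, err := json.Marshal(r)
	if err != nil {
		return nil, err
	}
	return ed25519.Sign(priv, msg), nil
}

// VerifyRecord re-serialises the record and checks the stored signature; a
// change of even one bit in any field makes it return false.
func VerifyRecord(pub ed25519.PublicKey, r Record, sig []byte) bool {
	msg, err := json.Marshal(r)
	if err != nil || len(pub) != ed25519.PublicKeySize {
		return false // ed25519.Verify panics on a malformed public key
	}
	return ed25519.Verify(pub, msg, sig)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	rec := Record{PatientID: "patient-42", Diagnosis: "constructed sample", UpdatedAt: "2017-01-13"}
	sig, _ := SignRecord(priv, rec)
	fmt.Println("stored record verifies:", VerifyRecord(pub, rec, sig))
	rec.Diagnosis = "constructed sampld" // 'e' -> 'd' flips a single bit
	fmt.Println("tampered record verifies:", VerifyRecord(pub, rec, sig))
}
```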



HIPAA Security Rule #5: Data Storage Encryption

Storage Encryption


Dealing with sensitive PHI, you have to make sure it is available to authorized eyes only. This covers all the data stored in your software system, including databases, backups, and even logs. It may end up stored in locations outside your control, such as on a server shared with other customers of the same hosting provider. Should this server be compromised in some way, the data must remain encrypted and inaccessible.


For this purpose we apply industry-approved encryption using the AES and RSA algorithms with strong keys (preferably 256 bits for AES and at least 4096 bits for RSA). We also use encrypted databases such as SQLCipher to store data safely on the backend.
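One way the AES and RSA key sizes above combine in practice is envelope encryption of stored records, shown here as an added Go example that is not the article's or MobiDev's code: each record is encrypted under a fresh AES-256-GCM data key, and that data key is wrapped with an RSA-OAEP public key, so the private key never touches the database host. The record ID and plaintext are constructed sample values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// SealRecord encrypts one ePHI record with a fresh 256-bit AES-GCM data key and
// wraps that key with the RSA-OAEP public key. recordID is bound as associated
// data, so a stored blob cannot be silently moved to another record.
func SealRecord(pub *rsa.PublicKey, recordID, plaintext []byte) (wrappedKey, blob []byte, err error) {
	dataKey := make([]byte, 32) // AES-256
	if _, err = rand.Read(dataKey); err != nil {
		return nil, nil, err
	}
	block, _ := aes.NewCipher(dataKey) // cannot fail for a 32-byte key
	gcm, _ := cipher.NewGCM(block)
	nonce := make([]byte, gcm.NonceSize())
	if _, err = rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	blob = gcm.Seal(nonce, nonce, plaintext, recordID) // nonce || ciphertext || tag
	wrappedKey, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, dataKey, nil)
	return wrappedKey, blob, err
}

// OpenRecord unwraps the data key and decrypts; GCM rejects any altered byte.
func OpenRecord(priv *rsa.PrivateKey, recordID, wrappedKey, blob []byte) ([]byte, error) {
	dataKey, err := rsa.DecryptOAEP(sha256.New(), nil, priv, wrappedKey, nil)
	if err != nil || len(dataKey) != 32 {
		return nil, fmt.Errorf("cannot unwrap data key: %v", err)
	}
	block, _ := aes.NewCipher(dataKey)
	gcm, _ := cipher.NewGCM(block)
	if len(blob) < gcm.NonceSize() {
		return nil, fmt.Errorf("stored blob too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], recordID)
}
func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 4096) // key size the article recommends
	wk, blob, _ := SealRecord(&priv.PublicKey, []byte("patient-42"), []byte("dx: constructed sample"))
	pt, err := OpenRecord(priv, []byte("patient-42"), wk, blob)
	fmt.Printf("%q %v\n", pt, err)
}
```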



HIPAA Security Rule #6: Data Disposal

Disposal


Backed-up and archived data has to expire and be permanently disposed of. The same applies to all decryption keys. What's more, you must anticipate that every location the data is transmitted to might be making backups or copies of it. Whenever you stop using a server, the data on it has to be disposed of as well.


HIPAA Security Rule #7: Business Associate Agreement

Business Associate Agreement


A Business Associate Agreement must cover every vendor that deals with your sensitive health data and HIPAA compliance. Your web hosting provider will follow the security requirements and provide a HIPAA-compliant infrastructure. Our job is to follow the same rules during design and implementation.


You will make many decisions and weigh carefully what is necessary and appropriate to protect your users' sensitive data and meet these requirements. And if you have any further questions on how we can integrate healthcare applications with tech innovations—the Internet of Things and Augmented Reality included—feel free to ask!
