How to develop HIPAA Compliant Applications

Date post: 21-Apr-2017
Upload: joel-garcia

How To Develop HIPAA Compliant Applications Focusing on Cloud and Mobile Applications
Page 1: How to develop HIPAA Compliant Applications

How To Develop HIPAA Compliant Applications – Focusing on Cloud and Mobile Applications

Page 2

How To Develop HIPAA Compliant Applications

▪ Introduction
▪ Compliance Before the Public Cloud
▪ Compliance During the Public Cloud
▪ 3rd Party Cloud Options for Compliance
▪ Software Development Practices for Compliance
▪ Operating a HIPAA Compliant Solution
▪ Keeping Mobile Apps Compliant

Page 3

Introduction – Joel Garcia

▪ Engineering – Symantec – Host Intrusion Detection, Symantec Security Incident Manager

▪ VPE\CTO – MedVantage acquired by IMS Health – Clinical Quality and Affordability Metrics for Providers. Big Data from Claims and Episode Treatment Groups – HIPAA Compliant before the Cloud

▪ VPE – LiveVox acquired by Golden Gate Capital – Cloud based hosted dialer. PCI and SAS70

▪ AllCode – CTO – Developed and deployed a number of HIPAA Compliant solutions for startups: ConsejoSano, Aforacare, Contex, etc…

Page 4

Introduction – HIPAA

▪ The Health Insurance Portability and Accountability Act (HIPAA) of 1996 protects most “identifiable health information” held or transmitted by a covered entity or its business associate, in any form or medium, whether electronic, on paper or oral. The Privacy Rule calls this information Protected Health Information (PHI).

▪ PHI under US law is any info in a medical record that can be used to identify an individual that was created in the course of providing a healthcare service, e.g. diagnosis or treatment.

Page 5

Introduction – HIPAA Components

▪ Security Policies
▪ Human Resource Security
▪ Physical and Environmental Security – Colocation or Cloud
▪ Communications and Operations Management
▪ Access Control – Password Management, Encrypted VPNs
▪ Incident Management – Customers notified of a hack, Documented processes
▪ Business Continuity Plan – DR, do you run your BCP?

Page 6

Introduction – HIPAA Components

▪ IT Compliance
▪ System Development and Software Development Lifecycle that includes a security risk assessment: scanning for application vulnerabilities, e.g. the OWASP Top Ten, using something like WhiteHat; source control management; three-tiered architecture with separate firewalls; data exchange
▪ Cloud Computing – IaaS, PaaS, SaaS
▪ Cloud Security Services – DDoS attack prevention, physical and logical separation of data, encrypting data at rest and in transit
▪ Cloud Security Architecture

Page 7

Compliance Before the Public Cloud

At MedVantage, before the public cloud, we built and operated a private cloud infrastructure for the claims and Episode Treatment Groups data from Blue Cross Blue Shield plans. This was a lot of work and cost a lot of money.

▪ Physical and Environmental Security
▪ Communication and Operation Management
▪ Access Control
▪ Incident Management – SSIM, ArcSight
▪ Security – DDoS and data loss prevention

Page 8

Compliance During the Public Cloud

With the advent of public cloud HIPAA solutions, we can now build our software on top of these vendors by having them sign a Business Associate Agreement (BAA):

▪ TrueVault
▪ Aptible
▪ ClearDATA
▪ Amazon Web Services
▪ FireHost\Armor

Page 9

Compliance During the Public Cloud (contd)

▪ Best to use a cloud solution that is focused on healthcare security. Solutions that are not focused on security may be reluctant to provide the information that you need, e.g. audit reports.

▪ Each of these vendors provides a different offering, but you’re effectively looking for a way to avoid implementing some of the onerous tasks associated with protecting PHI and providing a secure private cloud platform.

▪ Only store the PHI in the HIPAA compliant container. If your solution has components that don’t need to touch PHI, run those components elsewhere, with all communication to the container going over SSL.
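The slide leaves "communication going through SSL" at one line; the part that matters operationally is that a component outside the PHI container must fail closed when the connection cannot be verified, rather than retrying in plaintext or skipping certificate checks. The following Go program is an added example, not code from the talk or from any of the vendors named; the names PHIClientConfig, NewPHIClient, FetchRecord and StartPHIService are assumptions, and the loopback httptest server with its self-signed certificate is a constructed stand-in for the PHI container. The same client configuration applies to the "TLS to a secure machine" case on the secure messaging slide.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"time"
)

// PHIClientConfig returns the TLS settings every non-PHI component should use
// when it talks to the PHI container: TLS 1.2 or newer and verification against
// an explicit trust anchor. InsecureSkipVerify is deliberately never set.
func PHIClientConfig(trustedCA *x509.Certificate) *tls.Config {
	pool := x509.NewCertPool()
	pool.AddCert(trustedCA)
	return &tls.Config{
		MinVersion: tls.VersionTLS12,
		RootCAs:    pool,
	}
}

// NewPHIClient wraps the TLS config in an http.Client with a bounded timeout.
func NewPHIClient(cfg *tls.Config) *http.Client {
	return &http.Client{
		Timeout:   10 * time.Second,
		Transport: &http.Transport{TLSClientConfig: cfg},
	}
}

// FetchRecord performs a GET against the PHI service. Any transport error or
// non-200 status is returned as an error, so a verification failure can never
// degrade silently into a plaintext fallback.
func FetchRecord(client *http.Client, url string) (string, error) {
	resp, err := client.Get(url)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return "", fmt.Errorf("unexpected status %d", resp.StatusCode)
	}
	body, err := io.ReadAll(resp.Body)
	if err != nil {
		return "", err
	}
	return string(body), nil
}

// StartPHIService is a constructed fixture standing in for the PHI container:
// a loopback HTTPS server with a self-signed certificate. It refuses to answer
// requests that did not arrive over TLS.
func StartPHIService() *httptest.Server {
	return httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.TLS == nil {
			http.Error(w, "TLS required", http.StatusForbidden)
			return
		}
		fmt.Fprint(w, "record:ok") // constructed payload, contains no real PHI
	}))
}

func main() {
	srv := StartPHIService()
	defer srv.Close()

	// Component pinned to the container's certificate: the request succeeds.
	trusted := NewPHIClient(PHIClientConfig(srv.Certificate()))
	body, err := FetchRecord(trusted, srv.URL+"/record/1")
	fmt.Println("trusted anchor:", body, err)

	// Component with only system roots: the self-signed certificate is rejected.
	systemOnly := NewPHIClient(&tls.Config{MinVersion: tls.VersionTLS12})
	_, err = FetchRecord(systemOnly, srv.URL+"/record/1")
	fmt.Println("untrusted certificate rejected:", err != nil)
}
```

The trust anchor is passed in explicitly so that a misconfigured environment (missing CA bundle, wrong hostname) surfaces as a failed request in monitoring rather than as a working-but-unverified channel.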

Page 10

Compliance During the Public Cloud (contd)

▪ Things that I look for when picking a vendor:
▪ A Virtual Private Cloud (VPC) sitting on top of AWS
▪ Support for SFTP out of the box
▪ Database traffic is encrypted in transit and
▪ Ease of use
▪ Centralized Access Control system
▪ Automated Risk Management

Page 11

Compliance During the Public Cloud (contd)

▪ Remember HIPAA is more than technology – Incident Response, Risk Assessment, Operations, Policies & Procedures, and Security & Compliance Training are all priorities. To help with these issues there are compliance cloud platforms, which enable you to manage all of the audit reports to prepare for external audits and certifications:
▪ QIXpress – QIPSolutions
▪ Gridiron – Aptible
▪ ClearDATA
▪ ZenGRC – Reciprocity Labs

Page 12

Compliance During the Public Cloud (contd)

▪ These compliance platforms enable you to:
▪ Generate sane, relevant security and compliance policies
▪ Train your workforce in security and secure coding practices
▪ Respond to security and privacy incidents
▪ Conduct internal audits and compliance status checks for your BCP, vulnerability assessment, and patch management
▪ Prepare for external audits and certifications

Page 13

Software Development Practices

▪ Running Production, Test, and Development environments in a HIPAA secure environment can be expensive and time consuming to maintain and deploy
▪ For development environments, leverage Heroku and AWS
▪ For test environments, continue on Heroku and AWS
▪ For production environments, use the PHI containers and services

Page 14

Software Development Practices (contd)

For B2B solutions, data integration with your client for either eligibility files or EMRs needs to be considered at the architecture stage. You do not want to build your data integration solution as part of your web app or REST web service component.

▪ SFTP – Large data files are typically transferred via SFTP.
• Customer deposits the file into your SFTP account. Decrypt the file using PGP. ETL the data into your middleware with all communication going through HTTPS.
• You pull from the Customer’s SFTP. This is the reverse: the client creates a named account for you using your private key. Pull the eligibility data at the specified interval. When the download is complete, the process is the same as the SFTP-in case above.
▪ REST Web Services – Customer invokes REST web services to update data, with all traffic encrypted via SSL.

Page 15

Software Development Practices (contd)

Third party integrations can be tough in terms of compliance. You need to read the BAAs.

▪ Email – Most email providers are not HIPAA compliant, e.g. SendGrid. Certain email providers are HIPAA compliant, e.g. Mailgun. There is a cost associated with using Mailgun.
▪ SMS – Most SMS message providers are not HIPAA compliant.
▪ PHI must be encrypted in transit, which makes this difficult.
▪ Secure Messaging is compliant when the communication is going over TLS to a secure machine, but this may not work when engaging with patients.
▪ Video Chat – OpenTok or Janus WebRTC – AugMedix…

Page 16

Operating a HIPAA Compliant Solution

When your production environment is locked down, everything will slow down when it comes to:

▪ Deploying new code
▪ Accessing the database to see what’s going on
▪ Monitoring the log files
▪ Bringing up machines that have crashed

Page 17

Keeping Mobile Apps Compliant

• All network communication runs through SSL.
• Try to store as little PHI on the mobile device as possible.
• When data is stored on the mobile device, PHI needs to be encrypted with AES-256.
• Try not to insert PHI into your push notifications.
• Make sure that your app is not a medical device that requires FDA approval.
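Two of these bullets, AES-256 for PHI cached on the device and keeping PHI out of push notifications, are concrete enough to show in code. The Go program below is an added example written for this page, not code from the talk or from any named vendor; PHIRecord, Seal, Open, BuildPush and ContainsPHI are assumed names, and the record contents are constructed sample values, not real PHI. It seals a record with AES-256-GCM (so tampering with the stored blob is detected on read, not just confidentiality), and builds a push payload that carries only an opaque reference for the app to resolve over TLS after the user unlocks it, which is also the "keep PHI inside the compliant container" rule from the public cloud slides applied to the device.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"strings"
)

// PHIRecord is a constructed example of data a mobile app might cache locally.
type PHIRecord struct {
	PatientID string `json:"patient_id"`
	Diagnosis string `json:"diagnosis"`
}

// PushPayload is what a push notification carries: a title and an opaque
// reference, never the record itself.
type PushPayload struct {
	Title string `json:"title"`
	Ref   string `json:"ref"`
}

// NewKey returns a random 256-bit key. On a real device the key belongs in the
// platform keystore (Keychain / Android Keystore), not in app-writable storage.
func NewKey() ([]byte, error) {
	key := make([]byte, 32) // 32 bytes selects AES-256
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// Seal encrypts a record with AES-256-GCM. A fresh random nonce is prepended to
// the ciphertext; GCM's authentication tag makes any later modification fail Open.
func Seal(key []byte, rec PHIRecord) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	plaintext, err := json.Marshal(rec)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Open reverses Seal and fails closed if the stored blob was altered or truncated.
func Open(key, blob []byte) (PHIRecord, error) {
	var rec PHIRecord
	block, err := aes.NewCipher(key)
	if err != nil {
		return rec, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return rec, err
	}
	if len(blob) < gcm.NonceSize() {
		return rec, errors.New("blob too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	plaintext, err := gcm.Open(nil, nonce, ct, nil)
	if err != nil {
		return rec, err
	}
	return rec, json.Unmarshal(plaintext, &rec)
}

// BuildPush creates a notification whose only data field is a random reference
// the app exchanges for the record over its authenticated TLS session.
func BuildPush(title string) (PushPayload, error) {
	ref := make([]byte, 16)
	if _, err := io.ReadFull(rand.Reader, ref); err != nil {
		return PushPayload{}, err
	}
	return PushPayload{Title: title, Ref: base64.RawURLEncoding.EncodeToString(ref)}, nil
}

// ContainsPHI is an outbound guard: it reports whether a serialized push payload
// includes any non-empty identifying field of the record it relates to.
func ContainsPHI(payload []byte, rec PHIRecord) bool {
	s := string(payload)
	for _, field := range []string{rec.PatientID, rec.Diagnosis} {
		if field != "" && strings.Contains(s, field) {
			return true
		}
	}
	return false
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	rec := PHIRecord{PatientID: "P-0001", Diagnosis: "constructed sample"} // constructed, not real PHI
	blob, err := Seal(key, rec)
	if err != nil {
		panic(err)
	}
	fmt.Printf("sealed %d bytes for local storage\n", len(blob))
	push, _ := BuildPush("New message from your care team")
	payload, _ := json.Marshal(push)
	fmt.Printf("push payload %s contains PHI: %v\n", payload, ContainsPHI(payload, rec))
}
```

The ContainsPHI check is a last-line guard for the notification path, not a substitute for designing the payload without PHI in the first place; it exists so that a regression that starts serializing the record into the notification body fails a test rather than reaching a lock screen.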

Page 18

Thank You

Joel Garcia

[email protected]
(415) 890-6431

564 Market Street, Suite 607 SF, CA, 94104
