Date posted: 20-May-2015
Category: Health & Medicine
How to Build a HIPAA Compliant Infrastructure
Jason Wang
Founder & CEO, TrueVault
Step 1: Physical Safeguards
• Physical security of ePHI
• “HIPAA Compliance Ready”
• Business Associate Agreement
• Choices of HIPAA Compliant Hosting Providers
• Initial Costs/Incremental Costs
Step 2: Technical Safeguards
• Digital Security of ePHI
• Required vs Addressable
• Am I HIPAA compliant if I just deploy my code to a HIPAA compliant hosting environment?
Technical Safeguards
1. Access Control - Unique User Identification (required): Assign a unique name and/or number for identifying and tracking user identity.
2. Access Control - Emergency Access Procedure (required): Establish (and implement as needed) procedures for obtaining necessary ePHI during an emergency.
3. Access Control - Automatic Logoff (addressable): Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.
4. Access Control - Encryption and Decryption (addressable): Implement a mechanism to encrypt and decrypt ePHI.
5. Audit Controls (required): Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI.
6. Integrity - Mechanism to Authenticate ePHI (addressable): Implement electronic mechanisms to corroborate that ePHI has not been altered or destroyed in an unauthorized manner.
7. Authentication (required): Implement procedures to verify that a person or entity seeking access to ePHI is the one claimed.
8. Transmission Security - Integrity Controls (addressable): Implement security measures to ensure that electronically transmitted ePHI is not improperly modified without detection until disposed of.
9. Transmission Security - Encryption (addressable): Implement a mechanism to encrypt ePHI whenever deemed appropriate.
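As an added example that is not part of the slides and not TrueVault's code, the small in-memory store below shows what several of the safeguards in the list look like once they are written down in code: a unique user identifier carried on every session (1), automatic logoff after a fixed period of inactivity (3), an audit trail of every login, read, write and forced logoff (5), and an HMAC tag over each stored record so that an alteration made outside the API is detected on the next read (6). The inactivity limit, the integrity key, the user id and the patient data are all constructed values; credential verification (7) and encryption at rest and in transit (4, 9) are deliberately left out and would come from a vetted authentication system and cryptographic library, not from code like this.

```python
# Added example: minimal ePHI store illustrating HIPAA Technical Safeguards
# 1, 3, 5 and 6. Not TrueVault's code; every key, id and value is constructed.
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

INACTIVITY_LIMIT_SECONDS = 15 * 60  # assumed policy value for automatic logoff


@dataclass
class Session:
    user_id: str          # unique user identification (safeguard 1)
    last_activity: float


class FakeClock:
    """Controllable clock so the inactivity timeout can be exercised offline."""

    def __init__(self, start=1_000_000.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class EPHIStore:
    def __init__(self, integrity_key, clock=time.time):
        self._key = integrity_key
        self._clock = clock
        self._records = {}    # record_id -> (payload, hmac tag)
        self._sessions = {}   # token -> Session
        self.audit_log = []   # audit controls (safeguard 5)

    def _audit(self, user_id, action, record_id=None, outcome="ok"):
        self.audit_log.append({"ts": self._clock(), "user": user_id,
                               "action": action, "record": record_id,
                               "outcome": outcome})

    def _tag(self, record_id, payload):
        # Integrity mechanism (safeguard 6): the key stays inside the store,
        # so a direct edit of the stored bytes cannot produce a valid tag.
        return hmac.new(self._key, record_id.encode() + b"\x00" + payload,
                        hashlib.sha256).digest()

    def login(self, user_id):
        # Credential verification (safeguard 7) would precede this step.
        token = secrets.token_hex(16)
        self._sessions[token] = Session(user_id, self._clock())
        self._audit(user_id, "login")
        return token

    def _require_session(self, token):
        session = self._sessions.get(token)
        if session is None:
            raise PermissionError("no such session")
        now = self._clock()
        if now - session.last_activity > INACTIVITY_LIMIT_SECONDS:
            del self._sessions[token]                 # automatic logoff (3)
            self._audit(session.user_id, "auto_logoff")
            raise PermissionError("session ended after inactivity")
        session.last_activity = now
        return session

    def put(self, token, record_id, payload):
        session = self._require_session(token)
        self._records[record_id] = (payload, self._tag(record_id, payload))
        self._audit(session.user_id, "write", record_id)

    def get(self, token, record_id):
        session = self._require_session(token)
        payload, tag = self._records[record_id]
        if not hmac.compare_digest(tag, self._tag(record_id, payload)):
            self._audit(session.user_id, "read", record_id, "integrity_failure")
            raise ValueError("stored ePHI failed its integrity check")
        self._audit(session.user_id, "read", record_id)
        return payload


def run_demo():
    """Exercise the safeguards with constructed data and report what happened."""
    clock = FakeClock()
    store = EPHIStore(integrity_key=b"constructed-demo-key", clock=clock)
    token = store.login("nurse-0042")                       # constructed user id
    store.put(token, "patient-7/allergies", b"penicillin")  # constructed ePHI
    clock.advance(60)
    first_read = store.get(token, "patient-7/allergies")

    # Simulate an alteration that bypasses the API (a direct edit of storage).
    _, old_tag = store._records["patient-7/allergies"]
    store._records["patient-7/allergies"] = (b"none", old_tag)
    try:
        store.get(token, "patient-7/allergies")
        integrity_caught = False
    except ValueError:
        integrity_caught = True

    # Idle past the limit: the next call must be refused and the logoff logged.
    clock.advance(INACTIVITY_LIMIT_SECONDS + 1)
    try:
        store.put(token, "patient-7/medications", b"none")
        logged_off = False
    except PermissionError:
        logged_off = True

    return {"first_read": first_read, "integrity_caught": integrity_caught,
            "logged_off": logged_off,
            "audit_actions": [(e["action"], e["outcome"]) for e in store.audit_log]}
```

Running `run_demo()` produces an audit trail of login, write, read, a read that ends in `integrity_failure`, and finally `auto_logoff`; the same trail is what an auditor expects to be able to pull for any record. Automatic logoff and the integrity mechanism are both "addressable" specifications, which under the Security Rule means they must be implemented where reasonable and appropriate, or the decision not to must be documented together with any equivalent measure adopted instead; it does not mean they are optional.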
Am I Done?
Not Quite … :-)
Step 3: Security
• Target Rich Environment
• Application Security
• Network Security/Intrusion Detection
• Software/OS Security
• Security Audit
• Time/Cost
Step 4: HIPAA Audit
• Who Certifies HIPAA Compliance?
• 3rd party Audits
• What is the process like?
• Cost
• Time
• Any other audits?
Step 5: Insurance
• Cyber Liability and Data Breach Insurance
• Policy Issuers
• Indemnification
• Costs/Coverage
What Else Do I Need to Know?
• Typical implementation frame
• HIPAA will change
• On-going maintenance
• Staffing
• There must be an easier way ;-)
• HIPAA Compliant Data Store
HIPAA Compliant Data Store (diagram)
Standard Database: non-PHI Data
TrueVault (HIPAA Compliant): PHI Data (REST API)
Physical Safeguards: Facility Access Control, Workstation Use and Security, Devices and Media Controls
Technical Safeguards: Encryption and Decryption, Key Management, Key Rotation, Access Control, Unique User Identification, Emergency Access, Automatic Logoff, Audit Controls, Mechanism to Authenticate Electronic PHI, Person or Entity Authentication, Transmission Security, Integrity Controls
Administrative Safeguards
HIPAA Compliant Hosting
TrueVault
• TrueVault handles both Technical and Physical Safeguards.
• Developers can quickly start development on healthcare applications without building a HIPAA compliant infrastructure.
• FireHost and AWS have high minimum charges ($1,115 and $1,500) and offer no help with the Technical Safeguards.
• RESTful API - No Steps 1 through 5 to worry about
• BAA + Insurance
• Works well with existing infrastructure
• 400+ Customers
• Usage based pricing, no contracts
Q&A Time
Shameless Promotions:
• TrueVault is hiring Developers, DevOps Engineers in San Francisco
• Join our iOS SDK beta list – Be the first to release an iOS app leveraging Health Book
http://go.truevault.com/ios8
Thank you!
Jason Wang Founder & CEO, TrueVault