HxRefactored - TrueVault - Jason Wang - API Pitch

Date post: 20-May-2015
Transcript
Page 1: HxRefactored - TrueVault - Jason Wang - API Pitch

How to Build a HIPAA Compliant Infrastructure

Jason Wang
Founder & CEO, TrueVault

Page 2

Step 1: Physical Safeguards

•  Physical security of ePHI

•  "HIPAA Compliance Ready"

•  Business Associate Agreement

•  Choices of HIPAA Compliant Hosting Providers

•  Initial Costs/Incremental Costs

Page 3

Step 2: Technical Safeguards

•  Digital Security of ePHI

•  Required vs Addressable

•  Am I HIPAA compliant if I just deploy my code to a HIPAA compliant hosting environment?

Page 4

Technical Safeguards

1.  Access Control - Unique User Identification (required): Assign a unique name and/or number for identifying and tracking user identity.

2.  Access Control - Emergency Access Procedure (required): Establish (and implement as needed) procedures for obtaining necessary ePHI during an emergency.

3.  Access Control - Automatic Logoff (addressable): Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.

4.  Access Control - Encryption and Decryption (addressable): Implement a mechanism to encrypt and decrypt ePHI.

Page 5

Technical Safeguards

5.  Audit Controls (required): Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI.

6.  Integrity - Mechanism to Authenticate ePHI (addressable): Implement electronic mechanisms to corroborate that ePHI has not been altered or destroyed in an unauthorized manner.

7.  Authentication (required): Implement procedures to verify that a person or entity seeking access to ePHI is the one claimed.

8.  Transmission Security - Integrity Controls (addressable): Implement security measures to ensure that electronically transmitted ePHI is not improperly modified without detection until disposed of.

9.  Transmission Security - Encryption (addressable): Implement a mechanism to encrypt ePHI whenever deemed appropriate.
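The nine specifications above are written as requirements, not as designs. The block below is an added example (my code, not TrueVault's and not part of the deck) showing what items 1, 3, 5 and 6 look like when actually implemented in a small Python ePHI store using only the standard library: one unique id per user, automatic logoff of idle sessions, an HMAC integrity tag that detects an altered record, and a hash-chained audit log that detects a rewritten history. Two caveats a practitioner would want here: "addressable" does not mean optional; under the Security Rule you implement the specification, or document why it is not reasonable and appropriate and implement an equivalent alternative. And encryption (items 4 and 9) is deliberately left out of the example; in practice that is an AEAD cipher such as AES-GCM for data at rest and TLS for data in transit, with the HMAC key and any encryption keys held outside the database. The key, the 15 minute timeout, the user "dr_smith" and the record are all constructed for the example.

```python
# Added example, not from the TrueVault deck: an ePHI store implementing safeguards 1, 3, 5 and 6
# above with the standard library only. Key, user, timeout and record are constructed values.
import hashlib, hmac, json, secrets, time, uuid

SESSION_TIMEOUT_SECONDS = 15 * 60   # 3. Automatic Logoff: inactivity limit (assumed value)
GENESIS = "0" * 64                  # "previous hash" recorded by the first audit entry

class AccessDenied(Exception): pass
class IntegrityError(Exception): pass

class PhiStore:
    def __init__(self, integrity_key):
        self._key = integrity_key   # HMAC key for record tags; keep it outside the database
        self._users = {}            # username -> unique user id
        self._sessions = {}         # session token -> [user id, last activity]
        self._records = {}          # record id -> (serialized record, HMAC tag)
        self._audit = []            # hash-chained, append-only audit log

    # 7. Authentication (password, MFA, SSO) is assumed upstream. 1. Unique User Identification:
    # each username maps to exactly one id that is never shared or reused.
    def login(self, username):
        user_id = self._users.setdefault(username, str(uuid.uuid4()))
        token = secrets.token_urlsafe(32)   # unguessable session token
        self._sessions[token] = [user_id, time.time()]
        self._log(user_id, "login", None)
        return token

    # 3. Automatic Logoff: an idle session is terminated on its next use.
    def _touch(self, token):
        session = self._sessions.get(token)
        if session is None:
            raise AccessDenied("no such session")
        user_id, last_activity = session
        if time.time() - last_activity > SESSION_TIMEOUT_SECONDS:
            del self._sessions[token]
            self._log(user_id, "auto_logoff", None)
            raise AccessDenied("session expired after inactivity")
        session[1] = time.time()
        return user_id

    # 6. Mechanism to Authenticate ePHI: keyed tag over record id and content, so a record can
    # neither be altered nor swapped for another record without detection.
    def _tag(self, record_id, payload):
        return hmac.new(self._key, record_id.encode() + b"\0" + payload, hashlib.sha256).digest()

    def put(self, token, record):
        user_id = self._touch(token)
        record_id = str(uuid.uuid4())
        payload = json.dumps(record, sort_keys=True).encode()
        self._records[record_id] = (payload, self._tag(record_id, payload))
        self._log(user_id, "create", record_id)
        return record_id

    def get(self, token, record_id):
        user_id = self._touch(token)
        payload, tag = self._records[record_id]
        if not hmac.compare_digest(tag, self._tag(record_id, payload)):
            self._log(user_id, "integrity_failure", record_id)
            raise IntegrityError(record_id)
        self._log(user_id, "read", record_id)
        return json.loads(payload)

    # 5. Audit Controls: every access is recorded, and each entry commits to the previous
    # entry's hash, so deleting or rewriting history is caught by verify_audit_chain().
    def _log(self, user_id, action, record_id):
        prev = self._audit[-1]["hash"] if self._audit else GENESIS
        entry = {"ts": time.time(), "user": user_id, "action": action, "record": record_id, "prev": prev}
        entry["hash"] = hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
        self._audit.append(entry)

    def verify_audit_chain(self):
        prev = GENESIS
        for entry in self._audit:
            body = json.dumps({k: v for k, v in entry.items() if k != "hash"}, sort_keys=True)
            if entry["prev"] != prev or entry["hash"] != hashlib.sha256(body.encode()).hexdigest():
                return False
            prev = entry["hash"]
        return True

def _raises(exc, fn, *args):
    try:
        fn(*args)
    except exc:
        return True
    return False

def demo():
    store = PhiStore(secrets.token_bytes(32))
    token = store.login("dr_smith")
    record_id = store.put(token, {"patient": "Jane Doe", "dx": "E11.9"})  # constructed PHI
    readback = store.get(token, record_id)
    # Someone with raw database access rewrites the diagnosis but cannot forge the tag.
    payload, tag = store._records[record_id]
    store._records[record_id] = (payload.replace(b"E11.9", b"E10.9"), tag)
    tamper_detected = _raises(IntegrityError, store.get, token, record_id)
    # The clinician walks away: backdate the session past the timeout and try again.
    store._sessions[token][1] -= SESSION_TIMEOUT_SECONDS + 1
    auto_logoff = _raises(AccessDenied, store.get, token, record_id)
    actions, chain_ok = [e["action"] for e in store._audit], store.verify_audit_chain()
    store._audit[1]["action"] = "read"        # an insider rewrites the log to hide the create
    return {"readback": readback, "tamper_detected": tamper_detected, "auto_logoff": auto_logoff,
            "audit_actions": actions, "chain_ok": chain_ok,
            "chain_ok_after_edit": store.verify_audit_chain()}
```

`demo()` walks one record through the store: the tampered diagnosis is rejected by the tag check, the idle session is refused and logged as an automatic logoff, and editing a past audit entry breaks the chain even though every entry is still present. In a real deployment the HMAC key and the audit log would live in a separate trust domain from the record store, otherwise whoever can rewrite records can also recompute tags and rebuild the chain.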

Page 6

Am I Done?

Page 7

Am I Done?

Not Quite ... :-)

Page 8

Step 3: Security

•  Target Rich Environment

•  Application Security

•  Network Security/Intrusion Detection

•  Software/OS Security

•  Security Audit

•  Time/Cost

Page 9

Step 4: HIPAA Audit

•  Who Certifies HIPAA Compliance?

•  3rd party Audits

•  What is the process like?

•  Cost

•  Time

•  Any other audits?

Page 10

Step 5: Insurance

•  Cyber Liability and Data Breach Insurance

•  Policy Issuers

•  Indemnification

•  Costs/Coverage

Page 11

What Else Do I Need to Know?

•  Typical implementation time frame

•  HIPAA will change

•  On-going maintenance

•  Staffing

•  There must be an easier way ;-)

Page 13

•  HIPAA Compliant Data Store

[Diagram: the application keeps non-PHI data in its standard database and sends PHI data to TrueVault (HIPAA compliant) over a REST API.]

Page 14

[Table: HIPAA safeguards compared across a HIPAA Compliant Hosting provider and TrueVault]

Physical Safeguards: Facility Access Control, Workstation Use and Security, Devices and Media Controls

Technical Safeguards: Encryption and Decryption, Key Management, Key Rotation, Access Control, Unique User Identification, Emergency Access, Automatic Logoff, Audit Controls, Mechanism to Authenticate Electronic PHI, Person or Entity Authentication, Transmission Security, Integrity Controls

Administrative Safeguards

HIPAA Compliant Hosting vs. TrueVault

•  TrueVault handles both Technical and Physical Safeguards.

•  Developers can quickly start development on healthcare applications without building a HIPAA compliant infrastructure.

•  FireHost and AWS have high minimum charges ($1,115 and $1,500) and offer no help with the Technical Safeguards.

Page 15

•  RESTful API - No Steps 1 through 5 to worry about

•  BAA + Insurance

•  Works well with existing infrastructure

•  400+ Customers

•  Usage based pricing, no contracts

Page 16

Q&A Time

Shameless Promotions:

•  TrueVault is hiring Developers, DevOps Engineers in San Francisco

•  Join our iOS SDK beta list – Be the first to release an iOS app leveraging Health Book: http://go.truevault.com/ios8

Page 17

Thank you!

Jason Wang, Founder & CEO, TrueVault

