One of the most important things healthcare software developers need to adhere to in the U.S. is the Health Insurance Portability and Accountability Act (HIPAA). This law protects private health information. Anyone who operates or invests in medical businesses knows about it, but failure to follow its rules correctly can have severe consequences. Last year, millions of dollars in fines were issued over HIPAA privacy breaches. How can you ensure that your product is compliant with HIPAA?
There is a good reason why these measures are in place. Rising demand for healthcare records on dark-web black markets has led to a steady stream of breaches. In 2020, 616 data breaches involving 500 or more records were reported to the HHS Office for Civil Rights, and 28,756,445 healthcare records were exposed, compromised, or impermissibly disclosed. That makes 2020 the third-worst year on record for the number of breached healthcare records.
In these cases, companies failed to reasonably and appropriately maintain the confidentiality, integrity, and availability of ePHI. Combined with insufficient hardware and software controls, that failure cost healthcare businesses millions of dollars in fines and settlements.
How to Ensure HIPAA Compliance for Web or Mobile Healthcare Apps
How you make existing medical software HIPAA-compliant, or build compliant software from scratch, depends on your goals and on how sensitive data is stored and transmitted. The seven general points below apply in almost every case.
Any ePHI (electronic Protected Health Information) must be encrypted before being transmitted. HIPAA-compliant software keeps sensitive health data encrypted in transit, and the first step is to serve everything over HTTPS, that is, HTTP over TLS (the successor to SSL; the name "SSL" survives mainly in certificate and configuration vocabulary). Your public or private cloud provider should let you control the TLS configuration so that only strong protocol versions and cipher suites are offered. HTTPS must cover every page that collects or displays health data as well as every login page, and there must be no alternate plain-HTTP versions of those pages: redirect HTTP to HTTPS and send an HSTS header so browsers never fall back.
Validate that HTTPS is set up properly: the certificate chain is valid and not expired, legacy protocol versions (SSL 3.0, TLS 1.0 and 1.1, all deprecated) are disabled, and weak cipher suites (RC4, 3DES, CBC suites without authenticated encryption, anything with anonymous or export key exchange) are turned off. Repeat the check whenever the server or its TLS library is upgraded, and monitor certificate expiry so that an expired certificate does not push users toward clicking through browser warnings.
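As an added example (not code from the original article), here is how such a check can be expressed in Go: a baseline tls.Config for a server that handles ePHI, an audit function that reports deviations from it, and a certificate-date check. The hostname portal.example-clinic.test and the self-signed certificate are constructed for the demonstration; in real use you would load the certificate chain from the server or its configuration instead.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// hardenedServerConfig is the baseline for any endpoint that serves ePHI:
// TLS 1.2 or newer, forward-secret AEAD cipher suites only, modern curves.
// Go ignores CipherSuites for TLS 1.3, which only defines AEAD suites anyway.
func hardenedServerConfig() *tls.Config {
	return &tls.Config{
		MinVersion: tls.VersionTLS12,
		CipherSuites: []uint16{
			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
			tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
		},
		CurvePreferences: []tls.CurveID{tls.X25519, tls.CurveP256},
	}
}

// auditTLSConfig compares a tls.Config against the baseline and returns
// one human-readable finding per problem; an empty slice means "clean".
func auditTLSConfig(cfg *tls.Config) []string {
	var findings []string
	switch {
	case cfg.MinVersion == 0:
		findings = append(findings, "MinVersion not set: the floor depends on the Go version's default")
	case cfg.MinVersion < tls.VersionTLS12:
		findings = append(findings, "MinVersion allows TLS 1.0/1.1, which are deprecated (RFC 8996)")
	}
	allowed := map[uint16]bool{}
	for _, id := range hardenedServerConfig().CipherSuites {
		allowed[id] = true
	}
	for _, id := range cfg.CipherSuites {
		if !allowed[id] {
			findings = append(findings, "weak or non-forward-secret cipher suite enabled: "+tls.CipherSuiteName(id))
		}
	}
	if cfg.InsecureSkipVerify {
		findings = append(findings, "InsecureSkipVerify is set: certificate validation is disabled")
	}
	return findings
}

// certFindings checks validity dates and signature algorithm of a certificate
// as of `now`, warning when expiry is closer than warnWithin.
func certFindings(cert *x509.Certificate, now time.Time, warnWithin time.Duration) []string {
	var findings []string
	if now.After(cert.NotAfter) {
		findings = append(findings, "certificate expired on "+cert.NotAfter.UTC().Format(time.RFC3339))
	} else if now.Add(warnWithin).After(cert.NotAfter) {
		findings = append(findings, "certificate expires soon: "+cert.NotAfter.UTC().Format(time.RFC3339))
	}
	if now.Before(cert.NotBefore) {
		findings = append(findings, "certificate not yet valid")
	}
	switch cert.SignatureAlgorithm {
	case x509.MD5WithRSA, x509.SHA1WithRSA, x509.ECDSAWithSHA1:
		findings = append(findings, "certificate signed with a broken hash: "+cert.SignatureAlgorithm.String())
	}
	return findings
}

// selfSignedCert builds a throwaway certificate so the checks above can run
// offline; a real check would load the chain from the server or its config.
func selfSignedCert(notBefore, notAfter time.Time) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "portal.example-clinic.test"}, // constructed name
		DNSNames:     []string{"portal.example-clinic.test"},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	legacy := &tls.Config{
		MinVersion:   tls.VersionTLS10,
		CipherSuites: []uint16{tls.TLS_RSA_WITH_AES_128_CBC_SHA, tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA},
	}
	fmt.Println("legacy config:", auditTLSConfig(legacy))
	fmt.Println("hardened config:", auditTLSConfig(hardenedServerConfig()))

	now := time.Now()
	cert, err := selfSignedCert(now.Add(-365*24*time.Hour), now.Add(10*24*time.Hour))
	if err != nil {
		panic(err)
	}
	fmt.Println("certificate (expires in 10 days):", certFindings(cert, now, 30*24*time.Hour))
}
```

The same findings can be produced for a live endpoint by dialling it with tls.Dial and passing the leaf of ConnectionState().PeerCertificates to certFindings; the point of the audit function is that it runs in CI against the configuration you are about to deploy, not only against production after the fact.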
Passwords must never be stored or logged in plaintext. Store only a salted hash produced by a deliberately slow password-hashing function (bcrypt, scrypt, Argon2id, or PBKDF2 with a high iteration count), compare it in constant time, and transmit the password itself only over TLS; hashing on the client does not replace this, because the hash would then become the credential. Together with a policy that rejects short, common, or previously breached passwords, this limits the damage a leaked credential database can do.
Backup and Storage Encryption
Most hosting providers offer backup and recovery services so that data will not be lost in case of an accident or emergency. Data should be backed up, stored securely, and accessible to authorized staff only.
When dealing with sensitive PHI, you must ensure that it is available to authorized personnel only. This covers all the data held by your system, including databases, backups, and event logs. Some of it may end up in locations outside your control, such as a server shared with other customers of the same hosting provider. Should that server be compromised in some way, the data must remain encrypted and unreadable without the keys.
For this purpose, we apply industry-approved encryption: AES for the data itself and RSA for protecting (wrapping) the data keys, with strong key sizes (256 bits for AES and at least 4096 bits for RSA). RSA is not used to encrypt records directly; it is far slower than AES and can only encrypt a few hundred bytes per operation, so the usual pattern is envelope encryption, where each record or table is encrypted under an AES key that is itself wrapped under the RSA key. Database-level features such as PostgreSQL's pgcrypto extension can be an alternative or a complement.
We also use managed databases in the public cloud with encryption at rest enabled, such as Amazon Relational Database Service (RDS) or Google Cloud SQL, with the keys held in the provider's key management service rather than on the application server.
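Envelope encryption as described above, as an added example in Go (not the article's or any vendor's code): each record gets its own AES-256-GCM data key, and that key is wrapped with RSA-OAEP under a 4096-bit key-encryption key (KEK). The record ID is bound into the ciphertext as associated data, so a ciphertext copied from one patient's row into another's fails to decrypt instead of silently leaking. The record ID, the JSON payload and the in-process RSA key are constructed for the demo; in production the private KEK stays in a KMS or HSM and the application only ever holds the public half.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// Envelope is what lands in the database or backup: the record's own
// AES-256-GCM data key wrapped under the RSA key-encryption key (KEK),
// the GCM nonce, and the ciphertext (which ends with the 16-byte GCM tag).
type Envelope struct {
	WrappedKey []byte
	Nonce      []byte
	Ciphertext []byte
}

// oaepLabel ties the wrapped blob to its purpose; the same label must be used on unwrap.
var oaepLabel = []byte("phi-record-dek")

// encryptRecord generates a fresh 256-bit data key for this record, encrypts the
// plaintext with AES-GCM using recordID as associated data, and wraps the data
// key with RSA-OAEP. The plaintext data key is zeroed before returning.
func encryptRecord(kek *rsa.PublicKey, recordID string, plaintext []byte) (*Envelope, error) {
	dek := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, dek); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(dek)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, []byte(recordID))
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, kek, dek, oaepLabel)
	if err != nil {
		return nil, err
	}
	for i := range dek {
		dek[i] = 0
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// decryptRecord unwraps the data key and opens the record. Any change to the
// ciphertext, nonce, or record ID makes GCM's tag check fail.
func decryptRecord(kek *rsa.PrivateKey, recordID string, env *Envelope) ([]byte, error) {
	dek, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, kek, env.WrappedKey, oaepLabel)
	if err != nil {
		return nil, errors.New("data key unwrap failed: wrong KEK or corrupted envelope")
	}
	block, err := aes.NewCipher(dek)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	pt, err := gcm.Open(nil, env.Nonce, env.Ciphertext, []byte(recordID))
	if err != nil {
		return nil, errors.New("record failed authentication: tampered, corrupted, or attached to the wrong record ID")
	}
	return pt, nil
}

func main() {
	// Constructed demo: the KEK is generated in-process. 4096 bits, as the text
	// recommends, takes a few seconds to generate; production keys live in a KMS/HSM.
	kek, err := rsa.GenerateKey(rand.Reader, 4096)
	if err != nil {
		panic(err)
	}
	const recordID = "patient:10042/encounter:7" // constructed identifier
	env, err := encryptRecord(&kek.PublicKey, recordID, []byte(`{"dx":"E11.9","note":"constructed sample"}`))
	if err != nil {
		panic(err)
	}
	pt, err := decryptRecord(kek, recordID, env)
	fmt.Printf("decrypted: %s (err=%v)\n", pt, err)

	env.Ciphertext[0] ^= 0x01 // simulate bit rot or a tampered backup
	_, err = decryptRecord(kek, recordID, env)
	fmt.Println("after tampering:", err)
}
```

Rotating the KEK only requires re-wrapping each record's data key, not re-encrypting the data; and because the data key is discarded after use, a leaked database dump is useless without access to the KMS that holds the RSA private key.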
Identity and Access Management
To maintain HIPAA compliance, identity and access management is essential. The Security Rule requires that every user have a unique identifier, so user IDs and passwords must be as secure as possible and never shared among employees. HIPAA has stringent rules about the level of security that must be maintained to ensure user data privacy and protection.
System logs are an important part of HIPAA compliance. The system should write access and event logs that record every login attempt (successful or not) and every read of or change to PHI, together with who did it, when, from where, and which record was touched. The logs must themselves be protected from tampering and must not contain PHI, because an attacker who can edit the audit trail can hide the breach, and a log that copies PHI becomes another store you have to protect.
To ensure that only authorized users can access sensitive data, use multi-factor authentication (MFA, of which two-factor authentication is the common case): the user proves identity with more than one independent factor, typically something they know (a password) plus something they have (an authenticator app, hardware token, or push approval) or something they are (a biometric).
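An added example (not from the article) of an access log that meets those requirements in Go: each event records who touched which record and when, and an HMAC chain links every entry to its predecessor so that editing, reordering, or deleting an entry is detectable. The event types, user IDs, IP addresses and HMAC key are constructed for the demonstration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
	"time"
)

// AuditEvent is one line of the PHI access log. It records *which* record was
// touched, never the PHI itself, so the log can be kept longer and read more
// widely than the data it describes.
type AuditEvent struct {
	Seq      uint64
	At       string // RFC 3339, UTC
	Actor    string // unique user ID, never a shared account
	Action   string // login.success, login.failure, phi.read, phi.update, ...
	RecordID string
	SourceIP string
	MAC      string // HMAC over this event and the previous event's MAC
}

// AuditLog chains events with an HMAC so that changing any entry invalidates
// every MAC after it. The key is assumed to belong to the logging service
// (ideally fetched from a KMS), not to the application that writes events.
type AuditLog struct {
	key    []byte
	events []AuditEvent
}

// payload is the canonical byte string that gets authenticated; \x1f is a
// separator that cannot appear in any of the fields.
func (e AuditEvent) payload(prevMAC string) string {
	return strings.Join([]string{fmt.Sprint(e.Seq), e.At, e.Actor, e.Action, e.RecordID, e.SourceIP, prevMAC}, "\x1f")
}

func (l *AuditLog) mac(e AuditEvent, prevMAC string) string {
	m := hmac.New(sha256.New, l.key)
	m.Write([]byte(e.payload(prevMAC)))
	return hex.EncodeToString(m.Sum(nil))
}

func (l *AuditLog) prevMAC() string {
	if len(l.events) == 0 {
		return "genesis"
	}
	return l.events[len(l.events)-1].MAC
}

// Append records an event and links it to its predecessor.
func (l *AuditLog) Append(at time.Time, actor, action, recordID, sourceIP string) AuditEvent {
	e := AuditEvent{
		Seq: uint64(len(l.events)) + 1, At: at.UTC().Format(time.RFC3339),
		Actor: actor, Action: action, RecordID: recordID, SourceIP: sourceIP,
	}
	e.MAC = l.mac(e, l.prevMAC())
	l.events = append(l.events, e)
	return e
}

// Verify walks the chain from the start and returns the index of the first
// event whose MAC or sequence number does not check out, or -1 if intact.
func (l *AuditLog) Verify() int {
	prev := "genesis"
	for i, e := range l.events {
		if e.Seq != uint64(i)+1 || !hmac.Equal([]byte(e.MAC), []byte(l.mac(e, prev))) {
			return i
		}
		prev = e.MAC
	}
	return -1
}

func main() {
	al := &AuditLog{key: []byte("constructed-demo-key-use-a-kms")}
	t0 := time.Date(2024, 3, 2, 9, 15, 0, 0, time.UTC)
	al.Append(t0, "u:drlee", "login.failure", "", "10.0.4.7")
	al.Append(t0.Add(20*time.Second), "u:drlee", "login.success", "", "10.0.4.7")
	al.Append(t0.Add(time.Minute), "u:drlee", "phi.read", "patient:10042", "10.0.4.7")
	al.Append(t0.Add(2*time.Minute), "u:drlee", "phi.update", "patient:10042", "10.0.4.7")
	fmt.Println("intact chain, first bad index:", al.Verify())

	// An insider rewrites the read event to point at a different patient ...
	al.events[2].RecordID = "patient:99999"
	fmt.Println("after edit, first bad index:", al.Verify())
	al.events[2].RecordID = "patient:10042"

	// ... or deletes the successful-login event entirely.
	al.events = append(al.events[:1], al.events[2:]...)
	fmt.Println("after deletion, first bad index:", al.Verify())
}
```

A chain by itself cannot reveal that the newest entries were truncated, so periodically anchor the latest MAC somewhere the application cannot overwrite (a write-once bucket or a separate SIEM). The key must not be readable by the process that writes events; an attacker who owns that process could otherwise rewrite the whole chain.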
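One common second factor is a time-based one-time password (TOTP) from an authenticator app. The Go code below, added as an example and not part of the article, implements RFC 4226 HOTP and RFC 6238 TOTP over HMAC-SHA1, checks a code with one step of clock skew, and refuses to accept the same time step twice so that a code seen over someone's shoulder cannot be replayed within its 30-second lifetime. The user name and the seed 12345678901234567890 (the seed used in the RFCs' test vectors) are constructed inputs.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"time"
)

const (
	totpStep   = 30 * time.Second
	totpDigits = 6
)

// hotp computes the RFC 4226 one-time code for a counter value.
func hotp(secret []byte, counter uint64, digits int) string {
	mac := hmac.New(sha1.New, secret)
	buf := make([]byte, 8)
	binary.BigEndian.PutUint64(buf, counter)
	mac.Write(buf)
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f // dynamic truncation
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// totp is HOTP with the counter derived from the clock (RFC 6238).
func totp(secret []byte, at time.Time) string {
	return hotp(secret, uint64(at.Unix())/uint64(totpStep/time.Second), totpDigits)
}

// Verifier checks codes with a small clock-skew window and remembers the
// highest time step already accepted per user, so a code can be used once.
type Verifier struct {
	secrets  map[string][]byte // per-user seeds; in production encrypted at rest
	lastStep map[string]uint64 // highest time step already accepted per user
	skew     uint64            // steps of tolerance either side of "now"
}

func NewVerifier(skew uint64) *Verifier {
	return &Verifier{secrets: map[string][]byte{}, lastStep: map[string]uint64{}, skew: skew}
}

func (v *Verifier) Enroll(user string, secret []byte) { v.secrets[user] = secret }

// Check returns true exactly once per (user, time step) for a correct code.
func (v *Verifier) Check(user, code string, now time.Time) bool {
	secret, ok := v.secrets[user]
	if !ok {
		return false
	}
	step := int64(uint64(now.Unix()) / uint64(totpStep/time.Second))
	for delta := -int64(v.skew); delta <= int64(v.skew); delta++ {
		if step+delta < 0 {
			continue
		}
		candidate := uint64(step + delta)
		if candidate <= v.lastStep[user] {
			continue // this step (or an older one) was already consumed
		}
		if subtle.ConstantTimeCompare([]byte(hotp(secret, candidate, totpDigits)), []byte(code)) == 1 {
			v.lastStep[user] = candidate
			return true
		}
	}
	return false
}

func main() {
	secret := []byte("12345678901234567890") // RFC test seed, constructed input
	at := time.Unix(59, 0)                   // RFC 6238 vector: T = 1
	fmt.Println("code at t=59:", totp(secret, at))

	v := NewVerifier(1)
	v.Enroll("u:drlee", secret)
	code := totp(secret, at)
	fmt.Println("first use:", v.Check("u:drlee", code, at))
	fmt.Println("replay:   ", v.Check("u:drlee", code, at.Add(10*time.Second)))
}
```

Rate-limit Check per user as well: six digits leave only a million possibilities, and with a three-step window an attacker who can guess freely has a real chance within a few thousand attempts.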
However, clinicians need this data quickly. Newer approaches such as biometrics and single sign-on (SSO) are gaining ground in healthcare as ways to stay secure while providing data on demand.
Single sign-on lets users authenticate once and then reach a whole set of applications and websites during a single session without signing in again. This is useful for healthcare professionals who need to access patient data across an ecosystem of apps and sites quickly and efficiently without sacrificing the privacy of institutional data. It also concentrates risk in the identity provider, so that provider must enforce MFA and session timeouts for everyone behind it.
Biometric solutions are also popular because a fingerprint, face, or voice is unique to a person. However, these technologies require anti-spoofing measures: to stop an attacker from presenting a photo, a recording, or a mould of someone else's biometric, liveness detection checks that the sample comes from a live person who is present. Multimodal biometric authentication requires more than one biometric at once, which makes the system even harder to defeat and helps ensure HIPAA compliance. Bear in mind that a biometric cannot be changed once leaked, so store only templates, never raw samples, and never rely on a biometric as the sole factor.
Attribute-based access control (ABAC) is a way of resolving the complications of user role management. Access decisions are made by evaluating policies over attributes of the user (department, licence, clearance), of the resource (patient, record type, sensitivity), and of the context (purpose of use, time, location, whether an emergency has been declared), rather than over a fixed mapping of users to roles and actions. Attributes are much more flexible, especially when organizational rules change over time, and they resolve the problems of traditional role-based authorization where roles overlap or multiply. Whatever the policy language, the outcome when no rule matches must be deny.
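An added example in Go (not the article's own code) of a small ABAC policy engine: rules are predicates over subject, resource and context attributes, any matching deny rule overrides permits, and the outcome with no matching rule is deny. The departments, roles, purposes, business-hours window, record categories and user IDs are constructed assumptions standing in for a real organization's policy.

```go
package main

import (
	"fmt"
	"time"
)

type Subject struct {
	ID         string
	Role       string // clinician, billing, researcher, ...
	Department string
	MFA        bool // did this session pass a second factor?
}

type Resource struct {
	PatientID  string
	Department string
	Category   string // clinical, billing, psychotherapy-notes
}

type Context struct {
	Purpose    string // treatment, payment, operations, research
	At         time.Time
	BreakGlass bool // clinician invoked an emergency override (always audited)
}

type Rule struct {
	Name   string
	Effect string // "permit" or "deny"
	When   func(Subject, Resource, Context) bool
}

type Decision struct {
	Permit bool
	Rule   string // which rule decided, for the audit log
}

// evaluate applies deny-overrides: any matching deny rule wins, otherwise the
// first matching permit wins, otherwise access is denied by default.
func evaluate(rules []Rule, s Subject, r Resource, c Context) Decision {
	var permit *Rule
	for i := range rules {
		rule := &rules[i]
		if !rule.When(s, r, c) {
			continue
		}
		if rule.Effect == "deny" {
			return Decision{Permit: false, Rule: rule.Name}
		}
		if permit == nil {
			permit = rule
		}
	}
	if permit != nil {
		return Decision{Permit: true, Rule: permit.Name}
	}
	return Decision{Permit: false, Rule: "default-deny"}
}

func businessHours(t time.Time) bool {
	wd, h := t.Weekday(), t.Hour()
	return wd != time.Saturday && wd != time.Sunday && h >= 7 && h < 19
}

// policy is a constructed example of what an organization might encode.
var policy = []Rule{
	{"require-mfa", "deny", func(s Subject, r Resource, c Context) bool { return !s.MFA }},
	{"psychotherapy-notes-clinicians-only", "deny", func(s Subject, r Resource, c Context) bool {
		return r.Category == "psychotherapy-notes" && s.Role != "clinician"
	}},
	{"break-glass", "permit", func(s Subject, r Resource, c Context) bool {
		return s.Role == "clinician" && c.BreakGlass && c.Purpose == "treatment"
	}},
	{"clinician-same-department", "permit", func(s Subject, r Resource, c Context) bool {
		return s.Role == "clinician" && c.Purpose == "treatment" && s.Department == r.Department
	}},
	{"billing-business-hours", "permit", func(s Subject, r Resource, c Context) bool {
		return s.Role == "billing" && c.Purpose == "payment" && r.Category == "billing" && businessHours(c.At)
	}},
}

func main() {
	wed := time.Date(2024, 3, 6, 10, 0, 0, 0, time.UTC)
	chart := Resource{PatientID: "patient:10042", Department: "cardiology", Category: "clinical"}
	cardiologist := Subject{ID: "u:drlee", Role: "clinician", Department: "cardiology", MFA: true}
	oncologist := Subject{ID: "u:drkim", Role: "clinician", Department: "oncology", MFA: true}

	fmt.Printf("%+v\n", evaluate(policy, cardiologist, chart, Context{Purpose: "treatment", At: wed}))
	fmt.Printf("%+v\n", evaluate(policy, oncologist, chart, Context{Purpose: "treatment", At: wed}))
	fmt.Printf("%+v\n", evaluate(policy, oncologist, chart, Context{Purpose: "treatment", At: wed, BreakGlass: true}))
}
```

Because each decision names the rule that produced it, the access log can record not just that a user read a record but under which policy, which is exactly what an auditor asks after a break-glass event.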
You must also ensure that the information you collect, store, and transfer cannot be damaged or altered in any undesirable way, intentionally or not, without being noticed. The first necessary step is a system that immediately detects and reports unauthorized tampering, even if only a single element has changed. In practice this means authenticating every piece of data stored or transmitted: TLS protects data in transit, authenticated encryption or a MAC protects records at rest, and digital signatures (PGP/GPG for files, or a signature scheme such as Ed25519 inside the application) let a verifier who does not hold the secret key confirm that a document is unchanged. Then the entire system has to be designed and built to prevent unauthorized access to the data in the first place.
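The detached-signature pattern from the paragraph above, as an added Go example (not code from the article): an Ed25519 key signs the canonical JSON encoding of a lab result, and verification fails when any field changes. The LabResult type, its field names and the sample values are constructed for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// LabResult is a constructed record type. Signing json.Marshal of a struct
// gives a canonical byte string because Go encodes struct fields in
// declaration order with no surrounding whitespace.
type LabResult struct {
	PatientID string  `json:"patient_id"`
	Test      string  `json:"test"`
	Value     float64 `json:"value"`
	Unit      string  `json:"unit"`
	IssuedAt  string  `json:"issued_at"`
}

// SignedRecord keeps the signature detached from the record, so code that does
// not verify can still read the record and code that does can flag it.
type SignedRecord struct {
	Record    LabResult
	Signature []byte
}

// signRecord signs the canonical encoding with the lab's private key.
func signRecord(priv ed25519.PrivateKey, r LabResult) (SignedRecord, error) {
	msg, err := json.Marshal(r)
	if err != nil {
		return SignedRecord{}, err
	}
	return SignedRecord{Record: r, Signature: ed25519.Sign(priv, msg)}, nil
}

// verifyRecord re-serialises the record exactly as it was signed and checks
// the signature; any changed field, however small, makes it fail.
func verifyRecord(pub ed25519.PublicKey, sr SignedRecord) bool {
	msg, err := json.Marshal(sr.Record)
	if err != nil {
		return false
	}
	return ed25519.Verify(pub, msg, sr.Signature)
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // constructed key pair
	if err != nil {
		panic(err)
	}
	sr, err := signRecord(priv, LabResult{
		PatientID: "patient:10042", Test: "HbA1c", Value: 6.8, Unit: "%", IssuedAt: "2024-03-02T09:15:00Z",
	})
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine record verifies:", verifyRecord(pub, sr))

	sr.Record.Value = 5.8 // one digit of the lab value altered
	fmt.Println("after edit verifies:   ", verifyRecord(pub, sr))
}
```

If records cross language boundaries, the re-serialization may not match byte for byte; either apply a canonicalization scheme such as JSON Canonicalization Scheme (RFC 8785) on both sides or sign the stored bytes themselves rather than a fresh encoding.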
The measures mentioned above, like regular backup, encryption, access authorization with proper user roles and privileges, as well as restriction of physical access to the infrastructure, are big factors in making your medical software HIPAA compliant.
Blockchain has significant advantages for healthcare information security:
- Decentralization: Semi-trusted third parties are no longer needed.
- Security: There is no single point of failure, and because every participant holds a copy of the ledger, an insider cannot quietly alter past records; cryptography makes such a change detectable rather than impossible.
- Pseudonymity: Nodes in the blockchain network use pseudonymous addresses to protect their true identities. Pseudonymity is not anonymity, however: activity patterns can still be linked back to a person.
- Immutability: Modifying a committed block is infeasible in practice, because each block embeds a one-way cryptographic hash of the block before it, so any change invalidates everything that follows.
- Autonomy: Data rights are owned by patients, who choose when and with whom to share their data.
- Incentive mechanisms: Due to the incentive mechanism of blockchain, competitive corporations that may not otherwise cooperate can work together to develop medical services and research.
- Auditability: All transactions and data are recorded through blockchain, ensuring accountability and transparency.
Because blockchain relies on a decentralized, distributed system, trust does not rest with a single administrator or institution; cryptography and consensus rules secure the information instead.
Data is recorded in a public or permissioned ledger. Every node in the network can read the ledger at any time, which gives the data a transparency that builds trust and accountability, especially during an audit.
However, blockchain-based EHR systems have limitations as a secure data store. The most common are:
- High variability among medical record storage systems
- Non-uniform data structures
- High cost of storing data within the network
Immutability also cuts against HIPAA itself: patients have a right to request amendment of their records, and a ledger that can never be changed cannot honour that, nor can it be purged at the end of a retention period. Practical designs therefore keep PHI off-chain in an encrypted store and put only hashes, pointers, and consent or access events on the chain.
Backed-up and archived data must expire and be permanently disposed of, and so must the decryption keys for it. Assume that every location the data is transmitted to may keep backups or copies of it. Whenever you decommission a server or storage volume, the data on it must be sanitized (NIST SP 800-88 is the accepted standard for media sanitization) to preserve healthcare data security and HIPAA compliance. Because you can rarely locate every copy, keep the data encrypted throughout its life and destroy the keys at end of life (crypto-shredding), which renders every remaining copy unreadable at once.
Business Associate Agreement
The final key to HIPAA-compliant software: ePHI should be hosted on the servers of a company with which a Business Associate Agreement (BAA) has been signed. Otherwise it should be hosted on secure in-house servers. Many hosting providers are not familiar with HIPAA and may be unwilling to accept the risk of signing such an agreement, which can conflict with their own business processes.
We recommend that a healthcare organization use cloud storage from the large providers that offer BAAs, such as Google Cloud Platform, Microsoft Azure, and Amazon Web Services. Apple does not sign BAAs for iCloud, so it cannot be used for ePHI. Note that no provider is "HIPAA-compliant" by itself: a BAA covers only the services listed in it, and configuring those services correctly (encryption, access control, logging) remains your responsibility. A business associate agreement is needed with every vendor that handles your sensitive health data.
COVID-19, Telemedicine, and HIPAA
During the COVID-19 public health emergency, the HHS Office for Civil Rights (OCR) relaxed HIPAA enforcement. Its Notification of Enforcement Discretion allowed health care providers to use widely available, non-public-facing communication tools such as FaceTime, Zoom, Facebook Messenger, Google Hangouts, and Skype for telehealth, even though those tools would not otherwise meet HIPAA requirements; public-facing services such as Facebook Live and TikTok were explicitly excluded.
Many waivers remain in effect for as long as the public health emergency (PHE) lasts, and there are signs that telehealth will become a permanent part of the healthcare industry. Once the enforcement discretion ends, however, the full regulation applies again, which makes developing solutions that let providers treat patients online more demanding.
HIPAA compliance is essential to protect institutional healthcare data and to avoid steep regulatory penalties. It is better to get ahead of the game and design systems with HIPAA requirements in mind. Working with a developer already experienced in building HIPAA-compliant healthcare software may be the right choice for adhering to government regulations and protecting user data.