The medical space has become more and more cloud-oriented, with the ability to integrate all aspects of the employee, customer, and administrative experience. In addition, legacy applications that were local-access only are being pushed to cloud infrastructures. Virtually every medical provider, from your local specialists and urgent care centers to major hospitals, is providing patients with portals to review their visits. Behind all of this access-from-everywhere, and behind IoT medical devices, HIPAA looms large to ensure compliance is followed and patient data is protected. This can be intimidating, but writing HIPAA compliant software shouldn’t be likened to facing your greatest nightmares. If you’re already developing to the highest security standards, then ensuring that you’re HIPAA compliant is really only a hop, skip, and a jump away.
As our medical records transitioned from paper to digital representations it became easier to transfer records, but it also increased the ease with which the records could be accessed maliciously. The Health Insurance Portability and Accountability Act (HIPAA) is a public law that provides national standards for electronic health care transactions, specifically as they relate to the privacy and security of protected health information (PHI). Data breaches, not only in the medical space but across all aspects of digital data and cloud computing, are on the rise. While HIPAA stipulates best practice for medical institutions, these standards shouldn’t be any different from the standards that our applications follow. All our applications need to adhere to these high standards, whether that means providing proper authentication methods such as multi-factor, protecting our data in transit with the latest HTTPS and TLS, encrypting our data at rest, or protecting access to the data through a controlled authorization mechanism. As the adage says, “practice makes perfect”: we should be writing every one of our applications to pass HIPAA standards at a minimum and seeking to extend past those standards to ensure that our data and our clients’ data is safe.
What tools exist?
With the emergence of cloud computing, the tools available as paid services have increased. Azure, Google, and AWS have made strides in providing HIPAA compliant solutions. The Google Cloud list of HIPAA compliant services covered under BAAs encompasses nearly all their paid services. AWS offers strategic advice in a white paper for architecting HIPAA compliant solutions using their services, as well as a comprehensive list of covered services. Not to be outdone, Azure offers their list of covered services and some guidance for compliance. Each of these cloud hosting services offers off-the-shelf solutions for protecting data in transit as well as at rest, with encrypted database options and serverless architectures that decrease attack vectors.
Apart from the off-the-shelf services, there is a growing suite of tools to perform vulnerability scanning on your code repositories. These tools can scan your source for technical debt, maintainability issues, leaks, and of course security violations. Most of them can be run automatically when new source is merged, which means that once they are in place they work on their own, providing insight on potentially harmful code. GitHub offers their own code scanning tools as a paid service. One tool we’ve used is SonarQube, which covers a wealth of languages and, most importantly, provides dedicated scanning against OWASP criteria.
Whoa! What’s OWASP?
Yet another set of standards that each and every application should follow to maintain best practice security. The Open Web Application Security Project is a dedicated community that provides documentation and tooling to meet the stringent security standards that apply to cloud computing. You can think of OWASP as a superset of HIPAA security requirements, and again it is something every application you write should adhere to.
Generic Customer Portal
Here’s an example of a cloud-based customer portal using HIPAA compliant AWS services and best practice security mechanisms.
- The Web Portal, which can also be served via AWS CloudFront, is accessed on a local device (for readability purposes the web portal isn’t shown as being in the server, but CloudFront would exist there, and the app could be stored in an S3 bucket; all are covered services).
- Sign up / sign in can all be managed securely with AWS Cognito, which can also provide Multi-factor Authentication. Each communication to this service is protected by SSL/TLS 1.2.
- Upon successful sign in, a JSON web token is used to communicate with the API Gateway in a secure manner, again using SSL/TLS 1.2. Note that the Load Balancer is optional but can be used if you expect heavy traffic on the API Gateway; this allows Amazon to dynamically size resources for the API Gateway based on need.
- Calls to API Gateway are forwarded to Lambda functions for business logic processing, again protected by TLS 1.2.
- Finally, our Lambda functions access a DynamoDB database which is encrypted at rest.
- One last piece is AWS CloudTrail, which can provide auditing of access to our cloud infrastructure. This can be important for verifying and auditing access to our modules to ensure only covered entities have accessed data.
What’s left in the above example for us to ensure HIPAA compliance?
- AWS is not responsible for limiting access to the AWS resources to covered entities. This is something that will need to be handled by your IT personnel and compliance team.
- Any permission schemes that limit access to PHI within the application are the responsibility of the administrative team.
- Generated reports containing PHI need to be limited to covered entities, or identifying information needs to be stripped as per HIPAA guidelines.
- Mechanisms for the release of PHI to the patients, or to the people they have authorized, must be provided.
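The two parts of the architecture above that AWS leaves to us are the authorization check in the Lambda function (is this Cognito user allowed to see this patient’s record?) and the stripping of identifiers from PHI released to non-covered roles. The following is an added example, not code from the original post: a Lambda handler that reads the claims API Gateway’s Cognito authorizer attaches to the event, lets a patient see only their own record, lets a hypothetical `clinicians` group see full records, and returns a de-identified record to a hypothetical `analysts` reporting group. The DynamoDB table is replaced by a constructed in-memory dictionary so the example runs offline; the claims layout and the group names are assumptions.

```python
import json

# Constructed stand-in for the encrypted DynamoDB table (example data only).
PATIENT_RECORDS = {
    "p-1001": {"patient_id": "p-1001", "name": "Jane Doe", "dob": "1980-04-02",
               "diagnosis": "Type 2 diabetes", "owner_sub": "sub-jane"},
    "p-1002": {"patient_id": "p-1002", "name": "John Roe", "dob": "1975-11-19",
               "diagnosis": "Hypertension", "owner_sub": "sub-john"},
}
# Direct identifiers removed before a record goes to a non-covered role.
IDENTIFIERS = ("name", "dob", "owner_sub")

def parse_groups(raw):
    # Assumption: API Gateway flattens the Cognito groups claim to a string;
    # accept "a,b", "[a b]" or "[a,b]" as well as a real list.
    if isinstance(raw, list):
        return set(raw)
    return set(raw.strip("[]").replace(",", " ").split())

def deidentify(record):
    return {k: v for k, v in record.items() if k not in IDENTIFIERS}

def authorize(claims, record):
    """Return 'full', 'deidentified' or None for the caller described by claims."""
    groups = parse_groups(claims.get("cognito:groups", ""))
    if claims.get("sub") == record["owner_sub"]:
        return "full"            # patient viewing their own record
    if "clinicians" in groups:   # hypothetical covered-entity group
        return "full"
    if "analysts" in groups:     # hypothetical reporting group: identifiers stripped
        return "deidentified"
    return None

def handler(event, context=None):
    """Lambda entry point for GET /patients/{patientId} behind a Cognito authorizer."""
    claims = event["requestContext"]["authorizer"]["claims"]
    record = PATIENT_RECORDS.get(event["pathParameters"]["patientId"])
    if record is None:
        return {"statusCode": 404, "body": json.dumps({"error": "not found"})}
    level = authorize(claims, record)
    if level is None:
        return {"statusCode": 403, "body": json.dumps({"error": "forbidden"})}
    body = record if level == "full" else deidentify(record)
    return {"statusCode": 200, "body": json.dumps(body)}

def make_event(sub, groups, patient_id):
    """Build a constructed API Gateway (REST, Cognito authorizer) event."""
    return {"requestContext": {"authorizer": {"claims": {"sub": sub, "cognito:groups": groups}}},
            "pathParameters": {"patientId": patient_id}}

def response_body(response):
    return json.loads(response["body"])
```

Note that the 403 path is deliberately separate from the 404 path: a caller who is not authorized for a record should not learn whether it exists, so the authorization decision should be logged (CloudTrail covers the AWS side, application logs the rest) rather than explained to the client.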
Strive for it, Always
The above architecture can easily be used for any web application, as again the services used and mechanisms in place should be considered best practice. Data breaches have become a huge liability for all industries, with some large companies such as Adobe, eBay, Equifax, and LinkedIn falling prey. These breaches have resulted in billions of accounts and records being leaked. According to a 2019 Cost of Data Breach report from Ponemon Institute and IBM Security, breaches have grown in cost by 12 percent in the last 5 years to $3.92 million in 2020. With all the described tooling and a plethora of other off-the-shelf services available, there’s no excuse for not meeting best practices in security with every application you write. Be HIPAA compliant at a minimum with each solution, but strive for more to stay ahead of attackers and, more importantly, to gain and maintain your clients’ trust to do what is best for them and their users.