HIPAA Compliance Developer Guide - Atlantic Whitepaper

Transcription

AICPA SOC for Service Organizations (aicpa.org/soc4so)
Secure Cloud Services | Managed & Compliant Infrastructure
888-618-DATA (3282) | sales@atlantic.net | www.atlantic.net

HIPAA-Compliant Developer Guide \\ Table of Contents

Table of Contents

The laws: HIPAA & HITECH .......................................... 4
The parties: covered entities & business associates ............... 4
The rules: Privacy, Security, and Breach Notification ............. 5
Checklist: HIPAA mobile app security .............................. 8
Checklist: HIPAA web app security ................................. 11
Rooting your development project in a HIPAA-compliant host ........ 17
References ........................................................ 19

HIPAA-Compliant Developer Guide \\ Foreword

The intended audience of this ebook is those concerned with software development across the entire spectrum. That includes readers who are taking on their first project that involves the need for a federally compliant (i.e., legal) healthcare environment, as well as people who have built medical apps in the past and just need a refresher on core concepts and terminology. It includes developers and those who are managing development teams.

The laws: HIPAA & HITECH

Healthcare is a tricky field when it comes to development because there is an additional layer of concern beyond what is needed for the typical website: federal compliance. You need to meet the regulations mandated both by HIPAA and by HITECH.

To understand the very basic function of these two laws: HIPAA was passed in 1996 to allow people to continue coverage when leaving a job or in similar scenarios (portability) and to establish guidelines for healthcare organizations related to safeguarding protected health information, or PHI (accountability). HITECH, contained within the American Recovery and Reinvestment Act of 2009 (ARRA), updated some of the HIPAA stipulations and stimulated (through incentives) the adoption of electronic records.

Through the Young Lawyers Division of the American Bar Association [1], Kara J. Johnson explained that the core concern of HITECH was to make it easier for authorized providers and other organizations to access your healthcare records. "[H]owever, because of increased concerns associated with electronic records containing protected health information ('PHI')," she added, "heightened enforcement and sanctions provisions in the [HIPAA] Privacy and Security Rules were implemented as well."

HITECH is the basis of the HIPAA Final Rule [2], otherwise known as the HIPAA Omnibus Rule [3] or the HIPAA Omnibus Final Rule [4]. The standard, which went into effect in 2013, expanded direct responsibility under the law to third parties that handle PHI on behalf of healthcare organizations.

The parties: covered entities & business associates

The two types of organizations that need to meet HIPAA compliance are called covered entities (CEs) and business associates (BAs). While a CE must be within one of three categories specified by the HHS – healthcare plans (e.g., insurance carriers), providers (e.g., hospitals), and data clearinghouses – a BA is any company that comes into contact with a healthcare organization's PHI. Examples of common business associates are shredding companies, web hosting firms, and attorneys. Think of any type of service that might come into contact with its clients' records, and you get the idea of a business associate.

The rules: Privacy, Security, and Breach Notification

Three of the core requirements of HIPAA that are often described in the same breath [5] are the Privacy, Security [6], and Breach Notification Rules [7]. All of these standards are within the HIPAA Administrative Simplification Provisions [8].

The HIPAA Privacy Rule is a regulation that must be met by all healthcare providers, plans, and data clearinghouses in the United States – as well as by their business associates – in their treatment of protected health information. It creates national standards that should be used to safeguard electronic health records and other types of confidential medical information. While a huge amount of focus today is put on electronic PHI (ePHI), protected health information must be safeguarded in all its forms and in all the ways it can be communicated, extending to paper, film, and speech.

In order to defend against potential threats to the privacy of these highly sensitive files, the organizations that are regulated by HIPAA have to take action. First, they must actually set up technical protections for the ePHI (which is the core focus of the Security Rule). Second, CEs and BAs must set up controls, as indicated within policy and procedure documents, to prevent any unauthorized use or disclosure (i.e., anything that goes beyond your written agreement with the patient).

The Privacy Rule also established rights of patients within the United States related to health records. Beyond the broad right to protection of their records, US-based patients have the specific right of access; they can acquire and assess any or all of their records. They also have the right to have any mistakes within the information rectified.

As established above in the need for written agreement, another standard set forth within the Privacy Rule is that patients have to be given a notice of any ways that PHI might be disclosed and used, along with basic information on the responsibilities of the CE and the rights of the individual.

To actually enter the vortex and look at this requirement, see 45 CFR Part 160 and Subparts A and E of Part 164 in the HIPAA Administrative Simplification provisions [9]. You can also potentially make use of the tools and guidance provided through the HHS Privacy Rule Page [10].

The HIPAA Security Rule created guidelines with which organizations must safeguard the availability, integrity, and confidentiality of ePHI that is transmitted, maintained, received, or created by a CE or BA. This regulation has been in effect since April 20, 2005, for larger organizations and since April 20, 2006, for smaller organizations.

The Security Rule made it necessary for any organizations handling ePHI to set up defenses in three categories – called administrative, technical, and physical safeguards. The HIPAA regulations established broad needs for healthcare records without usually giving specific directions in terms of technologies, protocols, or methods. When you create launch specifications for a HIPAA-compliant environment, you should include a greater idea of how you intend to meet the demands of HIPAA; to meet compliance, the choices you make should be reasonable and based on industry best practices.

If you really want to dig into the Security Rule, you can find it in 45 CFR Part 160, as well as in Part 164, Subparts A and C, within the Administrative Simplification provisions [11]. The tools and resources organized on the HHS Security Rule Page [12] may also be useful.

The Breach Notification Rule [13] is one of the other key regulatory concerns for covered entities and business associates. One thing should be clear and will help to explain the relationship between HIPAA and other core federal healthcare law: the Breach Notification Rule was introduced within HIPAA and updated within HITECH.

The Breach Notification Rule established that healthcare organizations had to let any patients know right away when their records had been compromised; HITECH expanded this same requirement to business associates. The scope of a breach affects the compliant reporting process. When the number of records breached is greater than 500, the breached organization should send notifications (beyond those directly to patients) to the Secretary of the HHS and to the media. Notifications of any breaches that are considered small (fewer than 500 records) should be sent to the Secretary of the HHS once per year. Plus, there is the issue of breach notification communication occurring properly between business associates and covered entities. When a business associate experiences a compromise to the PHI it handles, it must promptly let the covered entity know, in writing, of the incident.

To look over the relevant HIPAA regulations, you can find them in 45 CFR, 400-414 of Part 164, within the Administrative Simplification provisions [14]. The inclusion of business associates as responsible parties related to the need to communicate breaches is described within HITECH [15], section 13407. You can get additional guidance and assistance through the information and resources on the HHS's Breach Notification Rule Page [16].

Note that, related to all of these rules and other important elements of HIPAA and HITECH, it is necessary that you provide training to all your personnel – which is also in the best interests of your organization in terms of avoiding all the negative consequences of a breach.

Checklist: HIPAA mobile app security

Development requirements will be a bit different depending on what type of environment is involved – such as a website, mobile app, or web app. There is not enough space in this ebook for comprehensive coverage of steps for all scenarios; however, it helps to get a bit more specific. To that end, we will drill more deeply with checklists for the development of HIPAA-compliant mobile applications and web applications, upping the ante with the granularity in the second of the two. This information should help with development, and you certainly want to modify these parameters to suit your circumstances.

First, to achieve HIPAA-compliant mobile app security, several steps are key, as indicated by mobile app security software firm NowSecure [17]. The checklist is organized into five sections:

Know what your part is in ensuring HIPAA compliance

- You should know the data protections that are needed within healthcare software. A security professional should look over the design to ensure it suits the scenario. You do not need to become an expert on security or healthcare law to create the app, provided you get advice from competent parties.
- Consider the ways that the application will be used. Think about the types of data the software will be processing and the storage environment. Protecting in-transit and at-rest ePHI is key to maintaining compliance, so consider encryption and other security methods for all system components.
- Be aware if there are other laws that are pertinent to the application. You can use the Mobile Health Apps Interactive Tool [18] from the Federal Trade Commission (FTC) to automatically determine the regulations that might apply.

Reduce your risk

- Think in terms of minimizing the data that you are presenting, accessing, or storing. There is no reason to gather date of birth, for instance, unless it really is needed. You should have defined purposes for all personal data you collect.
- Develop an easily understandable privacy policy, and use it consistently. A privacy policy is important with all applications you develop, but it is particularly key to healthcare.
- One of the best ways to reduce your security vulnerability is not to store data that is highly sensitive. Whenever you do not need to store protected health information, do not do it. It is key to ensure that any data you remove from the system is completely wiped. It isn't impossible to ensure SSD/flash data is completely erased, but it can be difficult if you are not in control of the systems. By allowing a HIPAA-compliant hosting company to manage the data, the erasure and disposal of sensitive information is taken care of with processes that are already tested and in place.
- It is crucial to consider secure transmission and storage of data when you use cloud technology. For cloud service providers or any other outside contractors, you will need a signed business associate agreement (BAA), as indicated within the HHS's Guidance on HIPAA & Cloud Computing [19].
- Be aware of data related to geolocation. You should not be getting specific about the location of a particular individual if you can help it – which, according to the HHS, means not getting any more specific than the US state. You might be handling information that does not seem that important or sensitive but that is turned into PHI because of geolocation.

Send and store data using appropriate technical safeguards

- Encryption is a standard data security method. App Transport Security (ATS) should be included so that the application has to use the HTTPS protocol to communicate with servers rather than standard HTTP – a method that ensures encryption when data is in motion.
- There are many types of security tools available, and they should be used to keep data safe both when it is being transmitted and when it is stored. Encryption methods allow you to verify data as well, which is another key point within the regulations.
- Consider any text messages, and be certain there is no health data within them, since SMS and MMS are built without encryption.
- Do not come up with your own encryption algorithm when you are encrypting local storage. Instead, implement protocols that are already widely used.

Set up security protections for the application itself

- You want to have a timeout period established for any local session so that people need to reauthenticate when they are not actively using the app. The determination of a good session timeout should be based on your use case for the app.
- Avoid push notifications. The problem with push notifications is that it is possible they reach the device and someone other than the patient views them.
- You do not want to allow any leakage of your health information into areas that tend to have poor protections, such as log files. Within an Android device, access is typically problematic and leads to heightened risk because the permissions are often not tightly controlled.
- Use a comprehensive set of security methods that are considered industry standards.

Perform security testing

- Security testing should be conducted to verify that everything is protecting the application properly in both static and dynamic contexts.
- Penetration testing through a third party can be a good idea, particularly if the provider has HIPAA expertise.
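Two of the items above (a local-session timeout that forces reauthentication, and keeping health data out of log files) are concrete enough to show in code. The following Python example is added here and is not code from the guide or from NowSecure; the class and function names, the timeout values and the set of loggable keys are assumptions chosen for the illustration.

```python
"""Local-session timeout and ePHI-free logging for a mobile client (added example)."""
import time

# Assumed policy values for this example; the guide says the right timeout
# depends on the app's use case.
IDLE_TIMEOUT_SECONDS = 5 * 60            # reauthenticate after 5 minutes idle
ABSOLUTE_LIFETIME_SECONDS = 8 * 60 * 60  # and in any case after 8 hours


class LocalSession:
    """Tracks an authenticated local session with idle and absolute limits."""

    def __init__(self, now=None):
        now = time.time() if now is None else now
        self.created_at = now
        self.last_activity = now
        self.authenticated = True

    def is_valid(self, now=None):
        """True while the session is authenticated and neither limit has passed.
        Once a limit is exceeded the session is locked for good: a user who
        comes back must reauthenticate, not merely resume."""
        now = time.time() if now is None else now
        if self.authenticated:
            idle_for = now - self.last_activity
            age = now - self.created_at
            if age > ABSOLUTE_LIFETIME_SECONDS or idle_for > IDLE_TIMEOUT_SECONDS:
                self.authenticated = False
        return self.authenticated

    def touch(self, now=None):
        """Record user activity. Returns False if the session had already
        expired, in which case the caller should show the login/PIN screen."""
        now = time.time() if now is None else now
        if not self.is_valid(now):
            return False
        self.last_activity = now
        return True

    def lock(self):
        """Explicit lock, e.g. when the app is sent to the background."""
        self.authenticated = False


# Only these keys may reach a log file. Anything else an event carries
# (patient names, dates of birth, diagnoses, locations, identifiers) is
# replaced before the record is written.
LOGGABLE_KEYS = frozenset({"event", "screen", "status_code", "duration_ms"})


def safe_log_record(event, **fields):
    """Build a log record that keeps field names but never ePHI values."""
    record = {"event": event}
    for key, value in fields.items():
        record[key] = value if key in LOGGABLE_KEYS else "[redacted]"
    return record


if __name__ == "__main__":
    # Constructed walk-through using a fixed clock instead of time.time().
    session = LocalSession(now=0.0)
    print(session.touch(now=120.0))              # True: still active
    print(session.is_valid(now=120.0 + 301))     # False: idle limit passed
    print(safe_log_record("lab_result_viewed", screen="labs",
                          patient_name="constructed name"))
```

The clock is passed in explicitly so the policy can be unit-tested without sleeping; in the app the `now` arguments are simply omitted. The log helper deliberately keeps unknown field names and drops only their values, so an engineer reading the log can still see that a field was present without the ePHI ever touching the file.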

Checklist: HIPAA web app security

There is a checklist for building HIPAA-compliant web applications provided by the Open Web Application Security Project (OWASP) [20]. There is a bit of overlap with the above checklist. However, as stated above, this checklist takes a different approach in getting very detailed with the steps that are advised. It is organized into 11 sections:

Gather information

Assess the rendered site

- Look over the site.
- Use a spider to mine your data [21] and check for any hidden or missing elements.
- Check for data leakage via web server metafiles, such as .DS_Store, sitemap.xml, or robots.txt.
- Verify that you cannot be accessed through search by checking the caches of prominent engines.
- Verify that content does not differ based on the user, such as a search engine spider vs. mobile.
- Confirm that there is no data leakage [22] via webpage metadata and comments.

Assess development

- Verify the framework used in the application's design.
- Fingerprint the app.
- Check the implemented technologies.
- Assess user roles.
- Determine points of entry.
- Be aware of client-side scripts.
- Determine all channels or versions of delivery – such as mobile app, mobile web, and web.

Assess the platform and hosting

- Determine any content that is served by independent parties.
- Assess all ports and hostnames used.
- Figure out what applications are co-hosted.
- Verify all web services systems.

Manage configuration

- See what administrative or application URLs might be implemented that are too common to be secure.
- See what files are unreferenced, backups, or old.
- Confirm all supported HTTP methods and that Cross Site Tracing (XST) [23] is being prevented.
- Verify the processing of file extensions.
- Assess your policy to control rich internet application (RIA) cross-domain access.
- Confirm that there are secure HTTP headers in place.
- Check policies for all technologies (such as robots, Silverlight, and Flash).
- Determine if there is any confidential information, such as login credentials or API keys, within client-side script.

Confirm transmission security

Look at encryption and protocols used

- See what the key length is, the algorithms that are used, and the SSL version.
- Verify that you have valid digital certificates.
- Confirm that HTTPS is used any time that usernames or passwords are sent.
- Determine that HTTPS is implemented whenever the login form is sent.
- Be sure that HTTPS is in place for delivery of all session tokens.
- Verify the implementation of HTTP Strict Transport Security (HSTS).
- Confirm that requests cannot be forged.
- Assess HTML5 web messaging.
- Confirm the use of CORS, also applicable to HTML5.

Assess representational state transfer (REST) and web services

- Verify the REST implementation.
- Check for any problems with web services.

Verify authentication

Determine functionality of the app password

- Confirm that the password quality rules suffice.
- Verify the proper working of "remember me".
- Check that recovery and reset options function correctly.
- Check that a password can be changed correctly.
- Make sure the CAPTCHA is functioning properly.
- Confirm proper working order of multi-factor authentication (MFA).
- Verify that logout functions correctly.
- Check for any default logins.
- Verify proper functionality of notifications related to password changes and account lockouts.
- Be certain that your authentication is consistent throughout applications with alternative channels and shared authentication schema/SSO.
- Determine question/answer issues that represent weak security.

Assess other functionality concerns with authentication

- Check to see if nefarious parties can successfully enumerate users.
- Determine if authentication bypass can occur.
- Verify your defenses against brute force attacks.
- Confirm that encryption on channels through which credentials are travelling is functional.
- Verify HTTP cache management (such as Max-age, Expires, and Pragma).
- Determine proper working order of any authentication history that is user-accessible.

Manage the session

- Determine whether tokens in cookies, tokens in the URL, or another session management method is in place.
- Look for cookie flags with session tokens (both Secure and HttpOnly).
- Confirm the max-age and expiration related to the duration of session cookies.
- Following a maximum lifetime, determine that session termination occurs.
- Following a relative timeout, verify that the session terminates.
- Following a logout, verify that the session terminates.
- Check if it is possible to open more than one simultaneous session per user.

- Gauge the randomness of session cookies.
- Confirm that when login, logout, and role changes occur, a new session token is created.
- When there is shared session management for the app, verify that session management is consistently applied.
- Determine if session puzzling is occurring.
- Assess to ensure protection from clickjacking and cross-site request forgery (CSRF) [24].

Verify that authorization is occurring properly

- Check on path traversal.
- Gauge the system for missing authorization.
- See if insecure direct object references [25] are present.
- See if privilege escalation is occurring, which means you need stronger vertical access control.
- See if there are any issues with horizontal access control.

Ensure your cryptography is working correctly

- Gauge for any instance of weak algorithms.
- See if algorithms are being utilized correctly based on the appropriate context.
- Assess the randomness functions within your system.
- See that salting is occurring as intended.
- See that encryption is actually being applied to the data.

Confirm that data is validated correctly

Test for various types of injection

- SQL
- HTML
- LDAP
- ORM
- XML
- XXE
- SSI
- XPath
- XQuery
- IMAP/SMTP
- Code
- Expression language
- Command
- NoSQL

Perform additional validation tests

- See if reflected cross site scripting is occurring.
- Check for the occurrence of stored cross site scripting.
- Verify that DOM based cross site scripting is not taking place.
- Gauge the environment for cross site flashing.
- See if overflow is occurring.
- Check for any format string issues.
- Determine if any incubated weaknesses are present.
- See if smuggling or splitting of HTTP is occurring.
- Check if there is verb tampering with the HTTP.
- See if open redirection is occurring.
- Verify that remote file inclusion is not occurring.
- Check to see that local file inclusion is not taking place.
- See that the validation rules for the server side and client side are consistent.
- Check to see if parameter pollution is occurring with HTTP.
- See if auto-binding is taking place.
- Gauge for mass assignment.
- See that NULL/invalid session cookie handling is functioning properly.
- Check to see that data integrity is maintained.
- See that work flows are not being circumvented [26].
- Verify that you are protected against misuse of the application.
- Confirm that you cannot go beyond the limits of a feature or function.
- Check process timing [27] for consistency.
- Related to HTML5, see if web storage SQL injection is taking place.
- Confirm that the application functions properly when it is offline.

Check for denial of service (DoS) concerns

- Gauge for anti-automation.
- See that account lockout [28] is working properly.
- Verify that SQL wildcard DoS is not occurring.
- Check to ensure that the system is not vulnerable to HTTP protocol DoS.

Work directly with functions that make you vulnerable

Verify that the uploading of files is secure

- Be certain that only the types of files on your whitelist will upload.
- See that the total file count, upload frequency, and size limits are correctly in place.
- Gauge to see that the file type and contents fit.
- See that anti-virus is implemented for all upload types.
- Verify that malicious files cannot be uploaded.
- Make sure sanitizing is taking place for any problematic filenames.
- Be certain that you cannot get to files you upload through the web root.
- Check to see that the same port/hostname is not serving uploads.
- Make sure that your authorization and authentication systems are being applied to all files you upload.

See if there are issues with payment

- Check both the application and server to see if known issues with configuration or weaknesses are present.
- Check to see if passwords are either guessable or default.
- See if buffer overflows are occurring.
- Check to see if there are any weaknesses that might allow injection.
- Determine if insecure cryptographic storage is present.
- Gauge for insufficient protection of the transport layer.
- See that error handling is proper.
- See if there are any weaknesses present that have a score greater than 4.0 according to CVSS v2 [29].
- Determine if there are any problems related to authorization or authentication.
- Gauge the system for CSRF vulnerability.

Verify correct handling of errors

- Gauge the stack traces.
- See that the error codes are working properly.

Rooting your development project in a HIPAA-compliant host

That gives you a basic idea of key HIPAA requirements and terminology, as well as specific checklist elements that are important for mobile and web application development. Using the above guidance, you should be well on your way to a HIPAA-compliant development environment.

Developing websites and applications can always be challenging. Simply concerning oneself with usability, it is always possible to make it better. The same is true with privacy and security – and security requires a particularly in-depth exploration when you are handling ePHI.
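The "Verify that the uploading of files is secure" section of the web checklist above is the one most developers end up implementing by hand, so here is a worked illustration. The Python module below is an added example, not code from the guide or from OWASP; it implements the whitelist of file types, the size limit, the check that the file contents fit the declared type (by magic bytes), filename sanitization, and storage under a server-chosen name outside the web root. The function names, the allowed types, the size cap and the upload directory are assumptions made for the example.

```python
"""Server-side upload validation for a HIPAA web application (added example)."""
import os
import re
import secrets

MAX_UPLOAD_BYTES = 5 * 1024 * 1024      # assumed 5 MiB cap for this example
UPLOAD_DIR = "/var/app-data/uploads"    # assumed path, deliberately outside the web root

# Whitelist: allowed extension -> magic-byte prefixes the content must start with.
ALLOWED_TYPES = {
    "pdf": (b"%PDF-",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
}


class UploadRejected(ValueError):
    """Raised with a short reason when an upload fails validation."""


def sanitize_filename(name):
    """Drop directory components and anything outside a conservative charset."""
    base = os.path.basename(name.replace("\\", "/"))
    base = re.sub(r"[^A-Za-z0-9._-]", "_", base)
    base = base.lstrip(".")             # no hidden files, no leftover ".."
    return base[:100] or "upload"


def validate_upload(filename, content):
    """Validate one upload; return the server-side path it should be stored at."""
    if not content:
        raise UploadRejected("empty file")
    if len(content) > MAX_UPLOAD_BYTES:
        raise UploadRejected("file too large")
    safe_name = sanitize_filename(filename)
    ext = safe_name.rsplit(".", 1)[1].lower() if "." in safe_name else ""
    if ext not in ALLOWED_TYPES:
        raise UploadRejected("extension not on whitelist: %r" % ext)
    # The declared type must agree with the content, not just with the name.
    if not any(content.startswith(magic) for magic in ALLOWED_TYPES[ext]):
        raise UploadRejected("content does not match declared type")
    # Never reuse the client's name on disk: a random server-chosen name avoids
    # collisions, guessable URLs and path tricks. Keep the sanitized original
    # name in metadata if users need to see it.
    stored_name = "%s.%s" % (secrets.token_hex(16), ext)
    return os.path.join(UPLOAD_DIR, stored_name)


def is_rejected(filename, content):
    """Yes/no wrapper around validate_upload for callers that only need a verdict."""
    try:
        validate_upload(filename, content)
    except UploadRejected:
        return True
    return False


if __name__ == "__main__":
    # Constructed samples: a real-looking PDF header and a Windows executable header
    # that somebody renamed to .pdf.
    print(validate_upload("scan.pdf", b"%PDF-1.4\n% constructed sample"))
    print(is_rejected("report.pdf", b"MZ\x90\x00 constructed sample"))   # True
```

The checklist's remaining upload items (anti-virus scanning of every upload, per-user count and frequency limits, and applying the application's authentication and authorization to downloads) sit outside this function: the scan runs on the stored file before it is made available, and the download handler, not the filesystem, decides who may fetch it.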

Get Help with HIPAA Compliance

HIPAA Compliant Hosting by Atlantic.Net is SOC 2 & SOC 3 certified and HIPAA & HITECH audited, designed to secure and protect critical healthcare data and records. Get a free consultation today! Call 888-618-3282 or review our solutions at

References

Only the following entries survive in the transcription; numbers follow the in-text citations.

1. American Bar Association, Young Lawyers Division: ...lawyers/publications/the 101 201 practice series/hitech
10. HHS Privacy Rule Page: ...fessionals/privacy/index.html
20. OWASP Web Application Security Testing Cheat Sheet: ...ps://www.owasp.org/index.php/Web Application Security Testing Cheat Sheet
21. https://www.owasp.org/index.php/Testing: Spidering and ...
23. ...index.php/Cross Site ...
24. ...e Request Forgery (CSRF)
25. https://www.owasp.org/index.php/Testing for Insecure Direct Object References
26. ...esting for the Circumvention of Work Flows
27. ...p/Test for Process Timing
28. ...p/Testing for Weak lock out mechanism
29. .../cvss/v2-calculator
