Topic: Securing App to HIPAA Security Rules

I have a client app that will store PHI (protected health information) that needs to conform to HIPAA security rules. It will be exposed to the Internet, not an internal-only app. I'm not new to HIPAA, but am to the securing of electronic data.

Does anyone have experience securing a RoR app to HIPAA Security Rules?

I would appreciate discussing about your experience.

Thanks.
Karl

Last edited by threadhead (2007-10-25 18:35:51)

Re: Securing App to HIPAA Security Rules

My team is also working on an application that stores PHI.

We looked over the HIPAA requirements and ran them past the executives. What we found is that HIPAA itself really doesn't have a lot of technical mandates. Where it does those are based on a standard of "reasonable effort" by the software creator.

What that means is that if Sun goes and creates medical software, they're a big dog and can afford an entire team for security while a smaller software firm is only expected to make a reasonable effort for their size.

The two key requirements are:
1. Secure sign-on that is unique per user to access PHI
2. Sessions time out

In addition to that logging is key. HIPAA is a lot of CYA* and having logs to know who did what and when so action can be taken.

A recent example I learned of while talking to a HIPAA compliance officer at a customer is that George Clooney went to a hospital in New Jersey, 4 people were fired for looking at his records. The access controls simply authenticated each of those users and logged what they did rather than blocking access to records.

I'm guessing you're working for a smaller company too, feel free to email me and post here so we can share notes on this. I know that security, privacy, and auditing are important. I also know that the best way to ensure good security is peer review.

Also bear in mind that the information I have on HIPAA was gleaned from RTFM and by example from other medical software my company sells. IANAL. YMMV.

*CYA = Cover your ass
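The two requirements and the logging point above, worked through as an added example in plain Ruby (not code from anyone in this thread, and not a Rails plugin): each login is bound to one named user, a session dies after an assumed idle timeout, and every read of a PHI record lands in an audit trail, including the denied ones. Unlike the hospital in the Clooney story, a user with no recorded relationship to the record is blocked as well as logged. Users, record ids and timestamps are constructed for the demo.

```ruby
require 'securerandom'
require 'set'

# Added example, not from the thread. Idle timeout is a policy choice;
# 15 minutes is assumed here.
IDLE_TIMEOUT = 15 * 60 # seconds

AuditEvent = Struct.new(:at, :user, :action, :record_id, :outcome)

class SessionStore
  def initialize(timeout: IDLE_TIMEOUT)
    @timeout = timeout
    @sessions = {} # token => { user:, last_seen: }
  end

  # Each login gets an unguessable token bound to one named user, so every
  # later action in the audit log is attributable to that person.
  def login(user, now:)
    token = SecureRandom.hex(32)
    @sessions[token] = { user: user, last_seen: now }
    token
  end

  # Returns the user for a live session and refreshes its idle clock;
  # returns nil (and drops the session) once it has sat idle too long.
  # `now` is seconds (Integer or Time), matching what login received.
  def user_for(token, now:)
    s = @sessions[token]
    return nil unless s
    if now - s[:last_seen] > @timeout
      @sessions.delete(token)
      return nil
    end
    s[:last_seen] = now
    s[:user]
  end

  def logout(token)
    @sessions.delete(token)
  end
end

class PhiGateway
  attr_reader :audit

  # records: record_id => PHI; access: record_id => Set of users with a
  # legitimate (e.g. treating) relationship. Both are constructed inputs
  # standing in for database tables.
  def initialize(sessions, records, access)
    @sessions = sessions
    @records = records
    @access = access
    @audit = []
  end

  # Every attempt is logged, and a user without a relationship to the
  # record is refused rather than merely recorded.
  def read_record(token, record_id, now:)
    user = @sessions.user_for(token, now: now)
    return deny(now, nil, record_id, 'no valid session') unless user
    allowed = @access.fetch(record_id, Set.new).include?(user)
    return deny(now, user, record_id, 'not authorized') unless allowed
    @audit << AuditEvent.new(now, user, 'read', record_id, 'ok')
    @records[record_id]
  end

  private

  def deny(now, user, record_id, reason)
    @audit << AuditEvent.new(now, user, 'read', record_id, "denied: #{reason}")
    nil
  end
end
```

In a real deployment the audit array would be an append-only table or log shipped off the web host, and the access map would be whatever defines a legitimate relationship in your domain (a survey's owning clinic, for instance).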

Re: Securing App to HIPAA Security Rules

Thanks so much for your reply.

I have spent a few hours reading over the details of the entire HIPAA Law. And I agree with you, it boils down to "reasonable effort to protect privacy of patients' medical records and billing/account history". That's it in a nutshell.

But I, we, need more specifics. For example, email communication that contains PHI must be encrypted. But what encryption is acceptable? BinHex (pretty doubtful)? MD5? SHA-1? PGP/GPG? There is no definitive answer.

My compliance issues will be very simple. We are doing medical surveys that will ask health related questions. My client will then use this data to contact the person with more detailed questions.

Problem #1: How to send the client PHI.
I was planning on using GPG (GnuPG) to encrypt the body of an email message that contains the patient information. They basically want the information from the website as it is created. Should be fairly straightforward from a Rails perspective, but I'm just not sure that GPG is a secure enough form of encryption for compliance. But you know how large corporations (my client) are suspicious of anything open source or free.

Problem #2: Security of the Rails App.
I'll admit that tight security of Rails apps is out of my scope of experience, but there is quite a bit of info out there on how to secure RoR apps. Plus, I can eliminate one issue right up front... the app will have NO login capability, no accounts. It's simply collecting information and forwarding it on.

Problem #3: Db files and Their Security.
I'm planning on using MySQL for the app's backend. I have not seen anything that allows the binary file that resides on the server to be encrypted. Or have I missed something? But let's go with a standard InnoDB table format... if someone were to get hold of those binary data files, they could easily extract the data. But even more troubling, my site host will be backing up those binary files, and what sort of measures are they taking to ensure that the backup disks/tapes are secure? This has me a bit nervous.

For example, my doctor's small office uses a PMS (patient management system). You know as well as I that with a key disk and a couple of minutes someone could walk over to the server and copy all the data files. And those files are not encrypted. What about the CDs they use for backups? Do they just toss them in the trash after a week or two, or leave them out on the receptionist's desk? I'm sure the database files are not encrypted, nor are the backups.

Of course I could easily MD5 all the PHI in the database and not worry about it. But that makes me nervous about performance as the site scales. Is this overkill, or most/all HIPAA compliant data storage mediums encrypted?


It seems that most HIPAA compliance 'experts' focus on the authentication, authorization, and transmission aspects, but do very little to address backend issues.

And the part that amuses me the most are all the HIPAA Compliance Consultants. Now, they have answers for you... but every one of them has a different answer based on the products they are selling.

I hope this starts a good discussion, because I don't have the answers and frankly, haven't been able to find much either.

Karl

Re: Securing App to HIPAA Security Rules

threadhead wrote:

> But I, we, need more specifics. For example, email communication that contains PHI must be encrypted. But what encryption is acceptable? BinHex (pretty doubtful)? MD5? SHA-1? PGP/GPG? There is no definitive answer.

We avoid the issue entirely. Policy at my company is to send links to PHI; those links would then hit our application, which would require authentication. This ensures that the data is controlled: it's not about encrypting it on the wire, it's about securely storing it long-term. A random email address's inbox is not secure.

> My compliance issues will be very simple. We are doing medical surveys that will ask health related questions. My client will then use this data to contact the person with more detailed questions.
>
> Problem #1: How to send the client PHI.
> I was planning on using GPG (GnuPG) to encrypt the body of an email message that contains the patient information. They basically want the information from the website as it is created. Should be fairly straightforward from a Rails perspective, but I'm just not sure that GPG is a secure enough form of encryption for compliance. But you know how large corporations (my client) are suspicious of anything open source or free.

See above. You would gather the information, store it in the DB (optionally encrypted), then email a link to that info. You hit the nail on the head about why we don't do that. PGP is great, but there are so many barriers to adoption it just won't work at most companies.

> Problem #2: Security of the Rails App.
> I'll admit that tight security of Rails apps is out of my scope of experience, but there is quite a bit of info out there on how to secure RoR apps. Plus, I can eliminate one issue right up front... the app will have NO login capability, no accounts. It's simply collecting information and forwarding it on.

Eeegh. My best advice right now is to reexamine that requirement. Perhaps instead of forwarding the data as email, you could send it on as HL7/SOAP/REST over a secure tunnel (SSH/VPN/SSL) to your customer's database.

> Problem #3: Db files and Their Security.
> I'm planning on using MySQL for the app's backend. I have not seen anything that allows the binary file that resides on the server to be encrypted. Or have I missed something? But let's go with a standard InnoDB table format... if someone were to get hold of those binary data files, they could easily extract the data. But even more troubling, my site host will be backing up those binary files, and what sort of measures are they taking to ensure that the backup disks/tapes are secure? This has me a bit nervous.

I don't have any links handy, but this is a general problem. There are lots of solutions to store encrypted data in the database so some wanker can't just SELECT * FROM his way around your application.

> For example, my doctor's small office uses a PMS (patient management system). You know as well as I that with a key disk and a couple of minutes someone could walk over to the server and copy all the data files. And those files are not encrypted. What about the CDs they use for backups? Do they just toss them in the trash after a week or two, or leave them out on the receptionist's desk? I'm sure the database files are not encrypted, nor are the backups.
>
> Of course I could easily MD5 all the PHI in the database and not worry about it. But that makes me nervous about performance as the site scales. Is this overkill, or most/all HIPAA compliant data storage mediums encrypted?
>
> It seems that most HIPAA compliance 'experts' focus on the authentication, authorization, and transmission aspects, but do very little to address backend issues.

That's the sad truth of IT in healthcare and a lot of places. It's not about making it secure, it's about appearing secure and knowing who to fire when something goes wrong. Some of my customers got into the habit of handing support/consultants the superuser accounts in the PM and EMR databases. We advise against it, but that doesn't mean we can make them stop.

> And the part that amuses me the most are all the HIPAA Compliance Consultants. Now, they have answers for you... but every one of them has a different answer based on the products they are selling.
>
> I hope this starts a good discussion, because I don't have the answers and frankly, haven't been able to find much either.
>
> Karl

Your application sounds interesting. I assume it's something along the lines of 'fill out this form online and don't have as much paperwork to do in the waiting room'. What reasons are you having to email this data from your application server to a clinician? Is it just an early design option or are there other factors that mandate this?

The ideal goals seem to be:
1. Good authentication of users. Patients and clinicians are considered users, each has slightly different authentication needs.
2. Secure channels. SSL on the webform and SSL/SSH/VPN on anything moving between the rails server and the customers' machines.
3. Secure storage. Anything stored in the rails database that is considered PHI should be encrypted. This can probably be done with rails or with settings in the database itself.
4. Secure communication of information to your customer. PGP is on the table as is emailing a link then authenticating against the application. I would also suggest looking into HL7, it may be possible for your application to just fire a message off to the customer PM system. The data gets entered and you don't have to worry about secure storage in rails.

Have a look at http://mirthproject.org . Mirth has really helped us get some applications off the ground sooner as well as helped our interface team with their projects. It may be applicable here, there are also good experts in that community who may be able to advise further.
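Goals 3 and 4 above (encrypt PHI before it reaches the database; email a link rather than the data), as an added example in plain Ruby using only the standard library's OpenSSL binding. It is not code from this thread or from any Rails plugin. Survey answers are encrypted with AES-256-GCM before being written to an in-memory stand-in for the MySQL table, so the InnoDB files and the host's backup tapes hold only ciphertext, and any tampering with a stored row is detected on read. Because the client must be able to read the answers, this is reversible encryption under a key, not a hash. The link token is an HMAC-signed record id with an expiry; the application still requires authentication before showing the record. The two keys, the record contents and the timestamps are constructed for the demo.

```ruby
require 'openssl'
require 'securerandom'
require 'base64'
require 'json'

# Added example, not from the thread. Constructed keys: in a real deployment
# they come from a KMS or a file that is NOT on the database host and NOT in
# its backups, otherwise encrypting at rest buys nothing.
DATA_KEY = OpenSSL::Digest.digest('SHA256', 'demo-data-key-do-not-use')
LINK_KEY = OpenSSL::Digest.digest('SHA256', 'demo-link-key-do-not-use')

# AES-256-GCM: the random IV and the auth tag are stored beside the
# ciphertext, so each blob is self-describing and any edit is detected.
def encrypt_phi(plaintext, key)
  cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  cipher.key = key
  iv = cipher.random_iv
  cipher.auth_data = ''
  ct = cipher.update(plaintext) + cipher.final
  JSON.generate(iv: Base64.strict_encode64(iv),
                ct: Base64.strict_encode64(ct),
                tag: Base64.strict_encode64(cipher.auth_tag))
end

# Raises OpenSSL::Cipher::CipherError if the ciphertext or tag was altered.
def decrypt_phi(blob, key)
  f = JSON.parse(blob)
  cipher = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  cipher.key = key
  cipher.iv = Base64.strict_decode64(f['iv'])
  cipher.auth_tag = Base64.strict_decode64(f['tag'])
  cipher.auth_data = ''
  cipher.update(Base64.strict_decode64(f['ct'])) + cipher.final
end

# Stand-in for the MySQL table: only ciphertext is ever written, so a copy
# of the data files or a backup tape carries no readable PHI.
class SurveyStore
  def initialize(key)
    @key = key
    @rows = {}
  end

  def insert(answers)
    id = SecureRandom.hex(8)
    @rows[id] = encrypt_phi(JSON.generate(answers), @key)
    id
  end

  def fetch(id)
    JSON.parse(decrypt_phi(@rows.fetch(id), @key))
  end

  # What someone holding a copy of the data files would see.
  def raw(id)
    @rows.fetch(id)
  end
end

# Instead of emailing PHI, email a short-lived signed link; the record is
# shown only after the recipient authenticates against the application.
def make_link_token(record_id, key, ttl:, now:)
  payload = "#{record_id}.#{(now + ttl).to_i}"
  "#{payload}.#{OpenSSL::HMAC.hexdigest('SHA256', key, payload)}"
end

# Returns the record id for a valid, unexpired token, else nil.
def verify_link_token(token, key, now:)
  record_id, exp, mac = token.to_s.split('.', 3)
  return nil unless record_id && exp && mac
  expected = OpenSSL::HMAC.hexdigest('SHA256', key, "#{record_id}.#{exp}")
  return nil unless constant_time_eq(expected, mac)
  return nil if now.to_i > exp.to_i
  record_id
end

# Length-then-XOR comparison so a forged MAC cannot be guessed byte by byte
# from response timing.
def constant_time_eq(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end
```

The performance worry about encrypting every field is mostly moot with a symmetric cipher: one AES-GCM operation per row is cheap next to the database round trip. What the design does cost you is that the encrypted columns cannot be searched or indexed in SQL, so keep any field you must query on (a non-PHI survey id, say) outside the encrypted blob.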

Re: Securing App to HIPAA Security Rules

We are also working with a rails app that does medical surveys, and while there are no spelled-out technical rules, as you have both pointed out, I can say that security is paramount.

If you are collecting personal information from participants then you up the ante even more. Speaking from within a health system, HIPAA is taken as paramount and 'reasonable' I would claim to be a misnomer - you really need to do everything as securely as you possibly can conceive to do so - because the reality is even if you make a 'reasonable' effort and the information somehow gets out, the fallout won't be pretty.

If you are doing surveys then most often those will have to pass an Internal Review Board (IRB), which can be the bane of a researcher's existence. It may be worth contacting that board (though you may not need to give them exact details) and finding out what their internal requirements are - they can vary on the technical side. Often we are required to run our surveys/databases off an internal server when we are storing patient information, for example. Sometimes this is avoidable by documenting what encryption/security you have in place.

Regarding email, many health systems have encrypted internal email. Speaking with their IT department may allow you to access that system securely to send the information.

Re: Securing App to HIPAA Security Rules

Good ideas rburbach!

I still have a lot of concerns about email. It makes it easier for the users to make mistakes or to accidentally store a second copy of data in an unencrypted state. For example, I could be using PGP over SSL to POP3, I get an email and print it or save it to my local machine. There could still be an accidental forward as well.

Of course if you pass a link around they can still print or save after authenticating with a webpage but it is less of a habit for most users. Having users authenticate to a website to view information also guarantees that you have an auditable trail of who did what and when they did it.

One of the resources we use for HIPAA information is the Compliance Officer at our customers clinics. They typically aren't technical, but they do have the best understanding of what the business rules are for HIPAA.

Some rails tools that I see being helpful to this might be:
http://sentry.rubyforge.org/
acts_as_authenticated

Re: Securing App to HIPAA Security Rules

Bump.

Any new info on this?

My team is trucking along with our project, the current work is all in the back end so we have a chance to focus on things like HIPAA instead of what shade of mauve the marketing team wants the logo to be.

Re: Securing App to HIPAA Security Rules

not security related, but I just wanted to add that ruby-hl7 ( http://trac.hasno.info/ruby-hl7 ) is a fantastic library for parsing & creating hl7 messages.

Re: Securing App to HIPAA Security Rules

Free trial HIPAA email accounts are available at http://securemedical.net

Re: Securing App to HIPAA Security Rules

Writing as a UX Designer for a healthcare software company, HIPAA compliance can get very tedious. Anyways I used the following website which had a lot of helpful links to information to help guide you have a better understanding of HIPAA compliance.
http://www.betterhealthcaremanagement.c … vacy/hipaa

Hope this helps,