This week we chat with Compliance Manager Henri Alfonso about the most important policies to have in place when developing a patient portal.
HIPAA Safeguards: https://www.hhs.gov/hipaa/for-professionals/security/laws-regulations/index.html
US Standards for implementing HIPAA: https://www.nist.gov/programs-projects/security-health-information-technology/hipaa-security-rule

Transcript:

Adam
Welcome to the HIPAA Vault show, where we discuss all things HIPAA compliance in the cloud. My name is Adam Zeineddine, and I’m joined today by the CTO and founder of HIPAA Vault, Gil Vidals. Hey, Gil.


Gil
Hey. 


Adam
And I’m also joined by a special guest today on the show, and it’s our compliance manager, Henri Alfonso. Welcome, Henri. 


Henri
How you doing, Adam? Hey, Gil. 


Adam
So last week we talked about WordPress optimization. This week we’re going to talk about developing HIPAA compliant websites. If you’ve watched a few of our videos already, make sure to subscribe now for more HIPAA related tips and content. So let’s get started. Our question for the week comes from the owner of a website development company, who asks: my client wants me to develop a patient portal for their therapy practice. Do I need to be HIPAA compliant to do this?


Gil
The first question I like to ask is about the data. What kind of data is going to be stored on the website, or is there going to be any data stored on the website at all? Sometimes we’ve seen sites that have had third party HIPAA compliant forms where the data is actually not stored on the website. The form is on the website; you hit the submit button, and the data is actually stored elsewhere. So in those cases, the owners of the site themselves don’t have to be HIPAA compliant. So it really comes down to whether there’s going to be protected health information and whether it’s going to be stored locally. If so, then I think the answer is clearly yes, it needs to be HIPAA compliant.


Adam
So in the case where they’ve got a contact form on the website and maybe that information is getting sent to an email inbox, then they could set up the email inbox with HIPAA compliance and they’d be covered. But for scenarios where they need a patient portal like this one, HIPAA compliance would be needed.


Gil
Yeah, I think so. I mean, there are different levels of HIPAA compliance. It’s a little bit more binary, that you need it or you don’t, I would say. But even though that’s true, there are degrees of it. So there are very large portals that have millions of patient records, and then there are very small websites that a therapist might have just for scheduling appointments. And that’s on the very light side. Very light. So obviously you have to scale your HIPAA compliance and security to match the level of exposure and risk that you may have as a medical practitioner and as an owner.


Adam
So I’m glad that, Henri, you’re able to join us today because I know that when it comes to HIPAA compliance, there are safeguards. Is that right? Could you talk a little bit about what safeguards would be relevant for HIPAA when it comes to setting up like a patient portal? 


Henri
Sure, it all depends on the hardware as well. Safeguards can include physical and logical. In terms of physical, depending on who owns the equipment, there should be things in place to monitor access and to monitor changes. In terms of logical safeguards: is the data encrypted? Is the data being monitored as to who’s accessing and who’s changing any of the files in the location where the PHI may reside? It all depends on how much of the infrastructure contains PHI and what type of infrastructure you’re using as well.


Adam
So when it comes to the physical infrastructure, if they’re hosting the website in the cloud with a hosting provider that’s setting up the servers in the cloud, then would it be right to say that most of the physical safeguards would be on the hosting provider side to secure? 


Henri
That is correct. You’ll be inheriting their security posture in terms of their physical safeguards as well. But you also have to think internally about your own safeguards. You have physical security for your work laptop, your work computer, things like that as well. You have to take that into consideration.


Adam
What kind of safeguards, or maybe even policies, does a software developer or website developer need to take care of and possibly implement?


Henri
Usually a lot of the policies are taken care of during the software development lifecycle of the application. Things to include are redundancy and backups: if the code goes wrong and you push that to a website, is there a way to revert it? There should be a lot of internal policies for regression if there are any issues rolling out the application or any updates as well. A lot of the policies that are required are in terms of accessibility and availability of the data. If anything happens to the application, do you have policies and procedures in place to follow to fix that? Have a what-if scenario and have policies in place to fix that.


Gil
I think for the audience, it’s important for them to know where they’re going to be hosted. Let’s say, for example, you’re a software developer and you’re making healthcare apps for your customers. So you might say, well, I can have my own equipment in a data center. Well, in terms of compliance, that could be the worst case scenario, because you bought the equipment yourself, you’re the owner, you signed the checks and you have the credit card. Well, you’ve got a lot of work to do. You need to be an expert in HIPAA compliance, because you’re going to be literally putting those servers in the back of your truck, driving them to the data center and plugging them in. The responsibility is all yours, although that’s kind of rare these days. So that’s the extreme. I would not recommend doing that.


Gil
The next level up is, let’s say you say, well, I’m not going to buy the equipment, I’m just going to go rent a server. There are many places where you can just rent a server that’s already racked and stacked and sitting there. And in that case, you’re renting it, but you’re leasing it. It’s still your equipment, and it’s sitting in a rack in some data center, and it’s still your responsibility. They’ll make sure that the provider that you’re renting the server from has all the things necessary, including, say, a camera that can see your aisle, where your equipment is. And can anyone walk in? Can any visitor walk into that data center and happen to brush by your server and accidentally turn it off, or maliciously do something?


Gil
I mean, is there segregation between clients, or are you in a shared environment where all the servers are racked and anyone who belongs in that data center can log in there? Anyone can go in because they have equipment, but they can start messing around with other people’s equipment. But the best case scenario, if you’re a healthcare developer, is to go into the cloud, where the cloud provider has proven to be HIPAA compliant. They have all the certifications and they have attested to those; they’re certified. And then you just use their certification by signing a business associate agreement. So sometimes a healthcare developer might get fooled into thinking, well, if I just rent my own equipment, look how much money I’m going to save, because it’s a lot cheaper than if I go into the cloud.


Gil
But now they have to have all the compliance expertise. Someone like Henri, who’s a CISSP and has years of experience, you’d have to hire somebody like that, for example. That might be a consideration.


Adam
Is going through a HIPAA compliance program something that software developers can do? If so, are there any recommendations where they could do that? 


Gil
If I were a healthcare app developer and I’m a businessman, I certainly wouldn’t want... well, I wouldn’t want to become an expert in other fields. I want to be an expert in what I’m good at, which is software development. I’d want to partner with somebody that has fulfilled the HIPAA compliance portion and let them handle that piece of it. So as far as getting certified and getting an education, yes, I definitely would take a training module. I would have proof that I’ve taken that training module. In fact, I take it every year, and I have a little certificate to show it. That would be important. But that’s a very minimal investment of time and a very minimal investment of money. I wouldn’t go far past that if I were a healthcare developer.


Gil
What I would do is spend some money taking a course on securing code. How do you ensure your code is secure? How do you ensure you don’t have cross site scripting enabled accidentally? How do you know that your code isn’t accessible by others in GitHub? All these things now are in your world.


Adam
Something that came to mind, which is that often the software developers don’t need to have access to live PHI data when they’re developing the application, right? So that’s probably one good reason why they might not necessarily need to have all these certifications and third party audits coming out to say, we’ve gone through all these policies and procedures in order to be HIPAA compliant. But there might be a scenario where maybe the project’s moved on and they’re being asked to be part of the maintenance of the portal. In those scenarios, maybe they would have access to PHI. Is there a distinction here, or is there a distinction to be made as to at what point a software developer needs to seriously consider going through a robust third party audit for their own HIPAA compliance?


Henri
Even though the developer may not have access to PHI data, the software will still process and manage that data. Because of that, the software needs to be compliant, or HIPAA compliant, which means there have to be certain configurations, certain settings for the application. Is TLS enabled? Is it above 1.3? Is it below that? They still would have to know what HIPAA compliance security configurations need to be applied to that software or that application as well.


Gil
Yeah, and I would add to what Henri said that the developer needs to factor in multiple authentication factors. So they would need to have their software written in such a way that the owner of the software could say, well, I want to enable a second factor for logging in. It might be over email, where a token is sent over email. They might give an option to say, well, let’s allow that six digit code, as an example, to go via SMS, which means over the cell phone network to a cell phone. Or better yet, they could say, no, I’m going to use an app like Google Authenticator, where the end users have to have the Authenticator app on their phone.


Gil
So they could and should consider that and say, wow, in my software, what options am I going to make available for multifactor authentication? Now, the worst case, and we’ve seen this happen with some of our customers, is that they have software that doesn’t have any authentication other than just a simple username and password. And we’ve seen problems with sites that get compromised, and that’s because at the application level, they didn’t have the right controls.


Adam
So when it comes to resources that listeners and viewers can go to, are there any recommended places for more knowledge?


Henri
A great resource is HHS.gov. It’s the center of all Health and Human Services in terms of HIPAA compliance and HIPAA documents; it’s a really good tool. I use it almost daily if I have any questions as well. They provide a lot of good information in terms of how to get started with HIPAA compliance. It drills down into the real technical portions, where it references NIST standards. The National Institute of Standards and Technology, at the U.S. Department of Commerce, provides guidelines and security controls that help maintain the security posture of information systems. And it also provides a crosswalk that combines HIPAA and NIST, and it walks you through: hey, in HIPAA, it shows that you need to have access control. Well, what do I have to do? What’s the technical portion? You look at NIST and it’ll clearly dictate.


Henri
All right, make sure there are logs enabled. Make sure that there’s traceability when people access files or folders. It really drills down into the technical portions of HIPAA compliance when utilizing them both together.


Adam
Gil, do you have any recommendations? 


Gil
Yeah, it’s daunting. If you’re a healthcare app developer and you’re a busy guy or busy woman, you’re writing code, and that’s your wheelhouse, that’s your passion, that’s your love. As soon as you turn over to the side of the fence where you’re dealing with policies and procedures, you’re going to be falling asleep. The TV is on, and you’re going to be sitting there asleep. So the question is, how can you still do all these things and be practical about it? Well, one thing to do is a scan. Have a scan run on your application: you can load dummy data, have a scanner go through, and then you’ll get a vulnerability report that shows whether there were any vulnerabilities, any weaknesses in your application.


Gil
And then get busy patching those and changing your code, changing configuration, to make sure that those vulnerabilities disappear when you rescan.


Henri
And I agree that is a good starting point to see what local or on hand vulnerabilities are there. But it’s at such a high level; it goes into policies, disaster recovery as well. There are so many things that you have to consider that it is overwhelming. And again, HHS.gov is such a great resource, because it lays it down in a basic way where it says, all right, do you have these policies in place? This is what these policies should have in them. And it also references more technical documentation if you want to dive in deep. But again, HIPAA is a little overwhelming in terms of compliance, but there are a lot of resources out there that you can combine together to make it easier to have a flow and make your life a little bit easier as well.


Gil
Yeah, I think that’s important. The scan is good... like Henri was explaining in another meeting, it’s a good way to just verify that you’re doing things properly. But you’re right. You have to have your policies and procedures. One piece of advice that’s important is: don’t just go to your favorite compliance website. It’s like a candy machine. You put in a nickel, you get a candy; you put in a nickel there and get your policies already written. Wow, good, I got this nice PDF, I’m done. And you just throw it in your filing cabinet. You never look at it. Yeah, sure, you have a checkbox there that you have your policies and procedures, but you didn’t go through the due diligence to understand them and to ensure that you’re covering all those things. So think about your policies and procedures as a roadmap.


Gil
This is your map. This is how you’re going to get from point A to point B. And then the scan that you do to check things is just your way of verifying that you followed that roadmap properly, that you’re doing things. And you could do a pen test as well. That costs a lot more money, but you can do a pen test, where you actually hire a person. Instead of just having an automated scanner, you’re actually hiring a brain behind the scanner that’s going to pick away at it and see if they can exploit the weakness. They’re actually going to try to penetrate through the weakness that they see in a report, and then they’re going to come back to you and say, hey, Mr. Healthcare Developer, look what I did.


Gil
I hacked into your site, and now you’ve got to go back to the drawing board with your application and continue to secure it.


Adam
We’ll include some useful links in the description to the resources that we discussed. Are there any other considerations either of you would like to point out with regard to the software developer?


Henri
Even if it’s not HIPAA related, everyone should practice good cybersecurity. Having a baseline is always nice, and NIST provides that as well for small businesses and small apps. The NIST CSF, the Cybersecurity Framework, is a baseline framework to at least get the good checks enabled, to have at least the basic security features enabled. I feel like everyone who is in the tech industry should at least have some type of security framework that they utilize, be it NIST or CIS or any of the other frameworks that are available as well.


Adam
If you’re a software developer and you’re not sure where to go when it comes to HIPAA, you can always reach out to us at podcast@hipaavault.com, tweet us at HIPAA hosting, or you can also visit us at hipaavault.com and chat with us. We have 24/7 live chat. And that’s all for this episode. Be sure to like, share and subscribe. And until next time, thanks for stopping by.