This week on the HIPAA Vault show we bring you 5 essential tips for developing HIPAA-compliant apps.

Transcript:


Adam
Hello, and welcome to The HIPAA Vault Show, where we discuss all things HIPAA compliance and the cloud. My name is Adam Zenedine, and I’m joined, as always, by the CTO and founder of HIPAA Vault, Gil Vidals. Hey, Gil.


Gil
Hey. Welcome, Adam. I’m excited about today’s episode. 


Adam
I’m excited too. So before we dive in, if you enjoy this video, click subscribe and give us a like as well. It really helps us and helps you to get more informed with more tips and tricks with regards to HIPAA and the cloud. So let’s dive into this. Today we’re going to be discussing the five tips for developing HIPAA compliant applications. Gil, let’s dive into it. What are the five tips? 


Gil
Great. Yeah. This is exciting because we get a lot of potential customers and different companies looking for HIPAA compliance, which is a very broad topic. So what we want to do today is talk about the five things that a lot of companies miss. It’s like, oh, I’m HIPAA compliant. Well, maybe not. Have you checked these? So if you check these five, we think it’s a good practice to do that. So the first one is the encryption. So that’s protecting the data. Most people know about encryption, even our business-savvy customers that aren’t technical. And encryption is at two levels. It’s actually more than two levels, but the ones we’re going to talk about today are at rest and in transport. At rest means when you power off the system, you power off the virtual machine. It’s not running anymore.


Gil
Well, is the data on the disk encrypted? Yes or no? And then the other one is in transit. When someone’s on the website, they’re clicking a button, submit: is that data that’s traversing from the end user to the website, whatever distance that is, fully encrypted? So those are two things to keep in mind. That’s the first one. And I’ll roll right into the next one, Adam, unless you have anything on that. Okay. Then the next one is the lack of two-factor authentication. So what we’ve seen, and I think it’s just because life’s busy, the owners are going forward full speed ahead. They want to release their application, their healthcare app, and they release it. They’re so happy to get that thing up and running, and then they didn’t pay attention that two-factor authentication isn’t included.


Gil
So, in other words, their patient, audience, or whoever their end user is, the hospital administrators, are able to log in without any kind of two-factor authentication, which is usually a six-digit code sent to an email or an SMS or an app. And so we have to make sure. I know we’re in a rush and everybody wants to get their app up and running, but we need to have that two-factor authentication enabled. Now, somebody who’s very astute, and our audience is very smart, they might say, “But Gil, where does it say you have to have two-factor authentication enabled to be HIPAA compliant?” And we don’t want to be legalistic. The bottom line is two-factor authentication is a must-have in the security world, even if it’s not specifically stated in the HIPAA regulation.


Gil
The number three item is insufficient logging and monitoring. Because we’re in HIPAA, we have to keep the logs for six years, the audit logs. So audit logs are about who’s logging in, who’s accessed the system, who’s powered it off, who’s rebooted it, who’s deleted something. So that’s the audit log, six years. And then the other, patient information, the medical records, that should be kept for at least seven years; it could be longer, depending on your state. Some states say, hey, you need to keep it for ten years. I even heard a case where they want to keep it forever. Right? As long as your patient’s alive, you need to keep their data. So you need to make sure that you have the data for multiple years and make sure that’s enabled. The other one is no data loss prevention, DLP.


Gil
So DLP is a fancy way of describing this: data loss prevention, keeping the sensitive data from leaking out of your application. So, for example, let’s say you have an application that has Social Security numbers, credit card numbers, patient records. You have to make sure that it’s not being leaked out. One thing that we’ve seen happen in real life is that in the logs of the application on the server, we’ll see, hey, there’s a patient record here, or here’s a Social Security number. The DLP software would flag that and say, hey, in your logs I’m seeing you’re leaking out sensitive data. It doesn’t need to be in the log; it shouldn’t be in the log. So that’s why DLP is important. And finally, the fifth one is OWASP.


Gil
That’s the open-source rule set that helps prevent certain kinds of attacks, like cross-site scripting and SQL injection attacks. So that’s a really important one to have enabled as well, to protect the web application. So those are the five. Adam, I don’t know if you had any other insights regarding those five.


Adam
No, absolutely. I think one thing that it’s important to point out is that these are not all-encompassing. These are just five of the main ones that we picked out and that you, Gil, in your decades of experience as a CTO, have picked out. But there are a lot more. I’d like to encourage you as the listeners and viewers: let us know what we missed out of those five. Is there anything that you would have added? Let us know in the comments below. You can also leave us any questions about the five that we mentioned by emailing us at podcast@hipaavault.com or tweeting/X-ing us at @hipaahosting. I think, Gil, that’s it for this episode, unless you had anything else to just tell everybody.


Gil
Enjoy the long weekend. We kept this one short so you can get some time back and enjoy the long Labor Day weekend.


Adam
Absolutely. Thank you again, everyone, for watching. And until next time, thanks for stopping by.