HIPAA Software Development and a Systems Development Life Cycle That Includes a Security Risk Assessment

Software Development Practices

  • Running Production, Test, and Development environments in a HIPAA secure environment can be expensive and time consuming to maintain and deploy
    • For development environments, leverage Heroku and AWS from a purely practical standpoint. Develop, deploy, and test on these environments first. Otherwise, you will slow your product development way down.
    • For test environments, you’re going to need to put data in the environment to test. You don’t want to put PHI in the test environment. Write tools to de-identify production data in your test environment, so you can test before it hits production.
    • For production environments, the additional security comes with a cost: deploying code will take longer, and accessing the data in the database will be trickier, as you may have to use something like the partible toolbar in conjunction with ssh and postures to see the transactional data.
  • For B2B solutions, data integration with your client for either eligibility files or EMRs needs to be considered at the architecture stage. You do not want to build your data integration solution as part of your web app or REST web service component.
  • SFTP – Large data files are typically transferred via SFTP.
    • Customer deposits file into your SFTP account. Decrypt the file using PGP. ETL the data into your middleware with all communication going through HTTPS.
    • You pull from Customer’s SFTP. This is the reverse. Client creates a named account for you using your private key. Pull the eligibility data at a specified interval. When the download is complete, the process is the same as for the inbound SFTP deposit above.
  • REST Web Services – Customer invokes REST Web Services to update data with all traffic encrypted via SSL.
  • Third party integrations can be tough in terms of compliance. You need to read the BAAs.
    • Email – Most email providers are not HIPAA compliant, e.g. SendGrid. Certain email providers are HIPAA compliant, e.g. Mailgun. There is a cost associated with using Mailgun.
    • SMS – Most SMS message providers are not HIPAA compliant.
    • PHI must be encrypted in transit, which makes this difficult.
    • Secure Messaging is compliant when the communication is going over TLS to a secure machine, but this may not work when engaging with patients.
    • Video Chat – OpenTok or Janus WebRTC – AugMedix

Operating a HIPAA Compliant Solution

  • When your production environment is locked down, everything will slow down when it comes to
    • Deploying new code
    • Accessing the database to see what’s going on
    • Monitoring the log files
    • Bringing up machines that have crashed

Keeping Mobile Apps Compliant

  • All network communication runs through SSL.
  • Try to store as little PHI on the mobile device as possible
  • When data is stored on the mobile device, PHI needs to be encrypted with AES-256
  • Try not to insert PHI into your push notifications.
  • Make sure that your app is not a medical device that requires FDA approval

Questions to consider when an organization hosts applications or provides software development services

Does this project or initiative involve application/software development practices?

If response is ‘NO’ to the above question, do you have access to the source code for applications in scope for this service?

Do you follow a documented Software Development Life Cycle (SDLC) for application development and enhancement?

You can follow Scrum – Agile Software Development methodology.

Does the SDLC include a security risk assessment?

The software quality assurance process includes a review of required security standards including encryption, penetration testing, social engineering, and the latest OWASP vulnerabilities.

Has the application code been scanned for application vulnerabilities?

You can use WhiteHat Security.

Are there controls in place to prevent unauthorized modification of the source code?

Is a formal release management procedure followed to manage the release of new or modified code?

You can use Hudson for CI. New code can be initially deployed to development as a container. After unit tests are passed, run it through QA. If QA is passed, then roll it out to staging. You can have a different set of criteria to roll it out to production.

Is live data or personal information prohibited from being used in non-production/test environments?
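One way to keep live PHI out of test, following the earlier advice to write tools that de-identify production data, is a scrubber run during the copy into the test database. This Ruby sketch is an added example, not code from the original page; the column names, the key handling and the sample row are assumptions.

```ruby
require "openssl"
require "date"

# Hypothetical column names for a constructed patient table; adapt to your schema.
PSEUDONYMIZE = %i[id name email phone ssn].freeze # replaced by keyed tokens
PASS_THROUGH = %i[plan_code].freeze               # reviewed as non-identifying

class Deidentifier
  # key: a secret held outside the test environment, so nobody with access to
  # the test database can recompute tokens from a list of known names.
  def initialize(key)
    @key = key
  end

  # Deterministic keyed token: the same input always yields the same token,
  # so foreign keys and joins still line up after scrubbing.
  def pseudonym(field, value)
    mac = OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new("SHA256"), @key, "#{field}:#{value}")
    "#{field}_#{mac[0, 16]}"
  end

  # Allowlist design: a column nobody has classified (free-text notes, a
  # column added last sprint) is dropped instead of copied into test.
  def scrub(record)
    record.each_with_object({}) do |(field, value), out|
      next if value.nil?
      if PSEUDONYMIZE.include?(field)
        out[field] = pseudonym(field, value)
      elsif field == :date_of_birth
        out[field] = Date.parse(value.to_s).year # keep the year only
      elsif field == :zip
        out[field] = value.to_s[0, 3]            # keep the 3-digit prefix only
      elsif PASS_THROUGH.include?(field)
        out[field] = value
      end
    end
  end
end

# Constructed sample row, not real patient data.
SAMPLE_ROW = { id: 42, name: "Jane Doe", email: "jane@example.com",
               phone: "555-0100", ssn: "000-00-0000", date_of_birth: "1980-04-12",
               zip: "94110", notes: "Called Jane at home", plan_code: "PPO-1" }.freeze

def demo_scrub
  Deidentifier.new("constructed-demo-key").scrub(SAMPLE_ROW)
end
```

Because unclassified columns are dropped, a schema change fails safe: the new column is missing from test until someone decides how it should be treated.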

Do you have escrow arrangements for the relevant application(s)?

Iron Mountain

Does the application use a three-tiered architecture with separate, firewalled network segments for web interface, application processing and database?

Are application security assessments conducted before the system is implemented?

You can run penetration tests on staging code before being deployed to production. You can also do security code reviews.

Are security requirements included in the systems design documents?

Have any other external reviews been carried out on this application?

You can contract with Clearwater Compliance for a quarterly review

Is user access to the application protected by encryption?


Is there a formal process for authorizing new users and for removing accounts when access is no longer needed?

New user accounts are granted to HR managers and end users. Organizations are expected to notify their client if there has been a change in employment or status for an administrator with access.

Is there a formal process for authorizing new administrator accounts?

Administrator accounts will be authorized on a very limited basis by a super administrator and only to those who are required.

Are client users required to have a unique (non-generic) user id?

Does the application enforce a password policy?

The password management is the same as the one you practice internally for your own users.

Is there a formal procedure for password resets?

You can enable the user to reset their password if they provide the answer to a set of security questions that they complete upon signup. If the user is not able to complete these questions, then they must go to their sysadmin to reset the password.

Are passwords protected in the application using encryption or a one-way hash function?

You can use the AES-256 encryption algorithm.

Are there controls in place to prevent other clients from accessing the company’s data or database?

For a multi-tenant solution, you can offer two phase authentication to enable a client to only get access to their data. For a single-tenant solution, you can offer dedicated application servers and databases.

Does the application support role-based user access groups?

Are cryptographic controls used to protect information in this application?

You can leverage the attr_encrypted gem to encrypt PHI fields in the db. The type of encryption is aes-256-cbc. You can also have a number of other encryption measures in place including encrypted database backups.
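What field-level aes-256-cbc encryption involves, for the PHI columns mentioned here and the AES-256 requirement in the mobile section, is shown in this added Ruby example. It is not attr_encrypted's code and not from the original page: it uses Ruby's OpenSSL bindings directly, and the HMAC step is an assumption added because CBC on its own does not detect tampering.

```ruby
require "openssl"

module PhiField
  CIPHER = "aes-256-cbc"
  IV_LEN = 16
  TAG_LEN = 32

  # Returns base64(iv || ciphertext || hmac). A fresh random IV per value means
  # two patients with the same diagnosis do not share a ciphertext.
  def self.encrypt(plaintext, enc_key, mac_key)
    cipher = OpenSSL::Cipher.new(CIPHER).encrypt
    cipher.key = enc_key
    iv = cipher.random_iv
    ct = cipher.update(plaintext) + cipher.final
    [iv + ct + mac(mac_key, iv + ct)].pack("m0")
  end

  # Verifies the HMAC before decrypting, so a modified column value is
  # rejected instead of being decrypted into garbage.
  def self.decrypt(blob, enc_key, mac_key)
    raw = blob.unpack1("m0")
    raise ArgumentError, "ciphertext too short" if raw.bytesize < IV_LEN + 16 + TAG_LEN
    iv = raw[0, IV_LEN]
    ct = raw[IV_LEN...-TAG_LEN]
    tag = raw[-TAG_LEN, TAG_LEN]
    raise ArgumentError, "authentication failed" unless secure_eq(tag, mac(mac_key, iv + ct))
    cipher = OpenSSL::Cipher.new(CIPHER).decrypt
    cipher.key = enc_key
    cipher.iv = iv
    (cipher.update(ct) + cipher.final).force_encoding("UTF-8")
  end

  def self.mac(key, data)
    OpenSSL::HMAC.digest(OpenSSL::Digest.new("SHA256"), key, data)
  end

  # Constant-time comparison of two equal-length byte strings.
  def self.secure_eq(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
```

Both keys are 32 random bytes kept outside the database, so an encrypted backup or a dumped table exposes no PHI without them.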

Does the application require any exchange of data files with the company or company’s clients?

You can communicate in two different manners. You can either communicate via a web service that leverages OAuth, or you can SFTP files back and forth. Preferably, these files are PGP encrypted.

Does the website associated with this project or initiative use session-based cookies?

You can leverage the Devise Ruby Gem.

Does the website associated with this project or initiative collect IP addresses?

You can collect IP addresses. You can also whitelist security. You can store the IP addresses encrypted in the database.

Does the website associated with this project or initiative utilize web beacons or other tracking technology?

Does this project or initiative use any email tracking technologies?