How To Develop
HIPAA Compliant
Applications
Focusing on Cloud and Mobile Applications
How To Develop HIPAA Compliant Applications
▪ Introduction
▪ Compliance Before the Public Cloud
▪ Compliance During the Public Cloud
▪ 3rd Party Cloud Options for Compliance
▪ Software Development Practices for Compliance
▪ Operating a HIPAA Compliant Solution
▪ Keeping Mobile Apps Compliant
Introduction – Joel Garcia
▪ Engineering – Symantec – Host Intrusion Detection, Symantec Security Incident
Manager
▪ VPECTO – MedVantage acquired by IMS Health – Clinical Quality and
Affordability Metrics for Providers. Big Data from Claims and Episode Treatment
Groups – HIPAA Compliant before the Cloud
▪ VPE – LiveVox acquired by Golden Gate Capital – Cloud based hosted dialer.
PCI and SAS70
▪ AllCode – CTO – Developed and deployed a number of HIPAA Compliant
solutions for startups: ConsejoSano, Aforacare, Contex, etc…
Introduction – HIPAA
▪ The Health Insurance Portability and Accountability Act (HIPAA) of 1996 protects most
"individually identifiable health information" held or transmitted by a covered entity or its
business associate, in any form or medium, whether electronic, on paper or oral.
The Privacy Rule calls this information Protected Health Information (PHI).
▪ PHI under US law is any information in a medical record that can be used to identify an
individual and that was created in the course of providing a healthcare service, e.g. a
diagnosis or treatment.
Introduction - HIPAA Components
▪ Security Policies
▪ Human Resource Security
▪ Physical and Environmental Security – Colocation or Cloud
▪ Communications and Operations Management
▪ Access Control – Password Management, Encrypted VPNs
▪ Incident Management – Customers notified of a hack, Documented processes
▪ Business Continuity Plan – DR, do you run your BCP?
Introduction - HIPAA Components
▪ IT Compliance
▪ System Development and Software Development Lifecycle that includes a security risk
assessment: scanning for application vulnerabilities (e.g. the OWASP Top Ten) with a tool such
as WhiteHat, source control management, a three-tiered architecture with separate firewalls
between the tiers, and controlled data exchange
▪ Cloud Computing – IaaS, PaaS, SaaS
▪ Cloud Security Services – DDoS attack prevention, physical and logical separation of data,
encrypting data at rest and in transit
▪ Cloud Security Architecture
Compliance Before the Public Cloud
At MedVantage, before the public cloud, we built and operated a private cloud infrastructure
for the claims and episode treatment group data from Blue Cross Blue Shield plans. This was a
lot of work and cost a lot of money.
▪ Physical and Environmental Security
▪ Communication and Operation Management
▪ Access Control
▪ Incident Management – SSIM, Arcsight
▪ Security – DDoS and data loss prevention
Compliance During the Public Cloud
With the advent of public cloud HIPAA solutions, we can now build on top of these vendors for
software development by having them sign a Business Associate Agreement (BAA):
▪ TrueVault
▪ Aptible
▪ ClearDATA
▪ Amazon Web Services
▪ FireHost / Armor
Compliance During the Public Cloud (contd)
▪ Best to use a cloud solution that is focused on healthcare security. Solutions that are not
focused on security may be reluctant to provide the information that you need, e.g. audit
reports.
▪ Each of these vendors provides a different offering, but you are effectively looking for a
way to avoid implementing some of the onerous tasks associated with protecting PHI and
providing a secure private cloud platform.
▪ Only store PHI in the HIPAA compliant container. If your solution has components that do not
need to touch PHI, run those components elsewhere, with all communication between them going
over TLS.
Compliance During the Public Cloud (contd)
▪ Things that I look for when picking a vendor:
▪ A Virtual Private Cloud (VPC) sitting on top of AWS
▪ Support for SFTP out of the box
▪ Database traffic encrypted in transit and database storage encrypted at rest
▪ Ease of use
▪ A centralized access control system
▪ Automated risk management
Compliance During the Public Cloud (contd)
▪ Remember HIPAA is more than technology: incident response, risk assessment, operations,
policies & procedures, and security & compliance training are all priorities. To help with
these there are compliance cloud platforms, which let you manage all of the audit reports
needed to prepare for external audits and certifications.
▪ QIXpress – QIPSolutions
▪ Gridiron – Aptible
▪ ClearDATA
▪ ZenGRC – Reciprocity Labs
Compliance During the Public Cloud (contd)
▪ These compliance platforms enable you to
▪ Generate sane, relevant security and compliance policies
▪ Train your workforce in security and secure coding practices
▪ Respond to security and privacy incidents
▪ Conduct internal audits and compliance status checks for your BCP, vulnerability
assessment and patch management
▪ Prepare for external audits and certifications
Software Development Practices
▪ Running production, test, and development environments in a HIPAA secure environment can be
expensive and time consuming to maintain and deploy
▪ For development environments, leverage Heroku and AWS, with synthetic or de-identified data
only, never PHI
▪ For test environments, continue on Heroku and AWS under the same no-PHI rule
▪ For production environments, use the PHI containers and services covered by your BAA.
Software Development Practices (contd)
For B2B solutions, data integration with your client, whether eligibility files or EMR data, needs
to be considered at the architecture stage. Do not build your data integration as part of your web
app or REST web service component.
▪ SFTP – Large data files are typically transferred via SFTP.
• Customer deposits the file into your SFTP account. Decrypt the file using PGP, then ETL the data
into your middleware with all communication going over HTTPS.
• You pull from the customer's SFTP. This is the reverse: the client creates a named account for
you, authenticated with your SSH public key (the private key never leaves your side). Pull the
eligibility data at the agreed interval; once the download is complete, the process is the same
as the inbound SFTP case.
• REST Web Services – Customer invokes your REST web services to update data, with all traffic
encrypted via TLS.
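A scheduled pull implementing the SFTP flow above, as an added example (not code from the slides or from AllCode). It assumes OpenSSH `sftp` and GnuPG `gpg` are installed, that the customer's host key was pinned into a dedicated known_hosts file when the account was set up, and that the customer signs each file with a key whose fingerprint you hold; the host names, paths, fingerprint, middleware URL and file naming convention are placeholders.

```python
"""Pull a customer's PGP-encrypted eligibility file over SFTP, verify and decrypt it, and hand it
to the middleware over HTTPS.  Added example; every constant below is an assumed placeholder."""
import hashlib
import re
import subprocess
import urllib.request
from pathlib import Path

SFTP_HOST = "sftp.customer.example"
SFTP_USER = "vendor-pull"
KEY_FILE = "/etc/eligibility/id_ed25519"        # our private key; the customer holds the public half
KNOWN_HOSTS = "/etc/eligibility/known_hosts"     # pinned host key only, never a user's ~/.ssh file
GPG_HOME = "/etc/eligibility/gnupg"
CUSTOMER_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"   # placeholder signing-key fingerprint
MIDDLEWARE_URL = "https://middleware.internal.example/eligibility/import"

# Only names matching the agreed drop convention are ever downloaded.
SAFE_NAME = re.compile(r"^elig_\d{8}_[A-Za-z0-9-]{1,40}\.csv\.(pgp|gpg)$")


def safe_filename(name: str) -> bool:
    """True only for a plain, expected file name (no path separators, dot-files or odd characters)."""
    return bool(SAFE_NAME.fullmatch(name)) and "/" not in name and "\\" not in name


def sftp_batch(remote_dir: str, names: list[str]) -> str:
    """Build the sftp batch script; a hostile directory listing cannot smuggle paths through here."""
    bad = [n for n in names if not safe_filename(n)]
    if bad:
        raise ValueError(f"refusing unexpected file names: {bad}")
    return "\n".join([f"cd {remote_dir}"] + [f"get {n}" for n in names] + ["bye"]) + "\n"


def run_sftp(batch: str, local_dir: Path) -> None:
    """Run sftp in batch mode with strict host-key checking against the pinned known_hosts file."""
    batch_file = local_dir / "batch.sftp"
    batch_file.write_text(batch)
    subprocess.run(
        ["sftp", "-b", str(batch_file), "-i", KEY_FILE, "-o", "BatchMode=yes",
         "-o", "StrictHostKeyChecking=yes", "-o", f"UserKnownHostsFile={KNOWN_HOSTS}",
         f"{SFTP_USER}@{SFTP_HOST}"],
        cwd=local_dir, check=True)


def gpg_status_ok(status_text: str, expected_fpr: str) -> bool:
    """Parse `gpg --status-fd` output: require successful decryption AND a valid signature from the
    expected key.  A file that decrypts but is unsigned, or signed by someone else, is rejected."""
    decrypted = signed_by_expected = False
    for line in status_text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] != "[GNUPG:]":
            continue
        if parts[1] == "DECRYPTION_OKAY":
            decrypted = True
        elif parts[1] == "VALIDSIG" and len(parts) >= 3:
            # parts[2] is the signing (sub)key fingerprint; the last field is the primary key's.
            if expected_fpr.upper() in (parts[2].upper(), parts[-1].upper()):
                signed_by_expected = True
    return decrypted and signed_by_expected


def gpg_decrypt(encrypted: Path, plaintext: Path) -> None:
    """Decrypt with gpg and enforce the signature policy from gpg_status_ok."""
    proc = subprocess.run(
        ["gpg", "--batch", "--yes", "--homedir", GPG_HOME, "--status-fd", "1",
         "--output", str(plaintext), "--decrypt", str(encrypted)],
        capture_output=True, text=True)
    if proc.returncode != 0 or not gpg_status_ok(proc.stdout, CUSTOMER_FPR):
        plaintext.unlink(missing_ok=True)    # never leave an untrusted plaintext on disk
        raise RuntimeError(f"gpg rejected {encrypted.name}: {proc.stderr.strip()}")


def sha256_hex(path: Path) -> str:
    """Checksum for the audit log, so an import can be tied to exactly one file."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def post_to_middleware(plaintext: Path, bearer_token: str) -> int:
    """Ship the decrypted file to the middleware; refuse anything that is not HTTPS."""
    if not MIDDLEWARE_URL.startswith("https://"):
        raise ValueError("middleware URL must be https://")
    req = urllib.request.Request(
        MIDDLEWARE_URL, data=plaintext.read_bytes(), method="POST",
        headers={"Authorization": f"Bearer {bearer_token}", "Content-Type": "text/csv",
                 "X-File-SHA256": sha256_hex(plaintext)})
    with urllib.request.urlopen(req, timeout=60) as resp:
        return resp.status


def pull_and_import(remote_dir: str, names: list[str], work_dir: Path, token: str) -> list[str]:
    """The scheduled job: fetch, verify and decrypt, hand off, and return the checksums imported."""
    work_dir.mkdir(parents=True, exist_ok=True)
    run_sftp(sftp_batch(remote_dir, names), work_dir)
    imported = []
    for name in names:
        clear = work_dir / name.rsplit(".", 1)[0]
        gpg_decrypt(work_dir / name, clear)
        post_to_middleware(clear, token)
        imported.append(sha256_hex(clear))
        clear.unlink()                        # plaintext PHI stays on disk only as long as needed
    return imported
```

Strict host-key checking against a pinned file is what makes the SFTP leg more than "encrypted"; without it the first connection trusts whichever host answers. Requiring a valid signature from the customer's key, not just a successful decryption, goes one step beyond the slide's "decrypt the file using PGP": anyone holding your public key can encrypt a file to you, so decryption alone says nothing about who produced the file.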
Software Development Practices (contd)
Third-party integrations can be tough in terms of compliance. You need to read the BAAs.
▪ Email – Most email providers are not HIPAA compliant, e.g. SendGrid. Certain email providers
are, e.g. Mailgun, and there is a cost associated with using Mailgun.
▪ SMS – Most SMS providers are not HIPAA compliant.
▪ PHI must be encrypted in transit, which makes SMS difficult: SMS is not end-to-end encrypted,
so the provider and the carrier both see the message text.
▪ Secure messaging is compliant when the communication goes over TLS to a secure machine, but
this may not work when engaging with patients.
▪ Video chat – OpenTok or Janus WebRTC; AugMedix…
Operating a HIPAA Compliant Solution
When your production environment is locked down, everything slows down when it comes to:
▪ Deploying new code
▪ Accessing the database to see what’s going on
▪ Monitoring the log files
▪ Bringing up machines that have crashed
Keeping Mobile Apps Compliant
• All network communication runs over TLS.
• Store as little PHI on the mobile device as possible.
• When PHI is stored on the device, encrypt it with AES-256.
• Do not put PHI in push notifications.
• Make sure that your app is not a medical device that requires FDA approval.
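The pattern that keeps email, SMS and push notifications out of scope for PHI (the SMS and email bullets in the third-party integration slide, and "do not put PHI in push notifications" above) is to send a content-free nudge with an opaque link back into the app, and to scan every outbound payload before it reaches a provider that has not signed a BAA. The following is an added example, not code from the slides; the record fields, channel templates, deep-link domain and identifier patterns are assumptions.

```python
"""Build PHI-free email/SMS/push notifications and gate each payload with a PHI scanner.
Added example; the record shape, templates and link domain are assumed, not from the slides."""
import re
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class PatientRecord:
    """Constructed sample shape; every field except patient_id is PHI once tied to a person."""
    patient_id: str
    name: str
    dob: str          # MM/DD/YYYY
    mrn: str
    diagnosis: str
    phone: str


# Generic identifier shapes worth catching even when they were not copied from a record.
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "date": re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b"),
    "mrn": re.compile(r"\bMRN\s*[:#]?\s*\d+\b", re.IGNORECASE),
    "phone": re.compile(r"\b\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}\b"),
}
RECORD_PHI_FIELDS = ("name", "dob", "mrn", "diagnosis", "phone")

# Channel templates: a content-free nudge plus an opaque link into the app, where TLS and
# authentication apply before anything sensitive is shown.
TEMPLATES = {
    "sms": "You have a new message from your care team. Open the app: {link}",
    "push": {"title": "New message", "body": "Open the app to read it", "url": "{link}"},
    "email": {"subject": "New message available",
              "body": "Sign in to the app to read your new message: {link}"},
}
DEEP_LINK_BASE = "https://app.example.com/inbox/"   # assumed


def find_phi(text: str, record: PatientRecord) -> list[str]:
    """Names of every PHI pattern or record field that appears in `text` (empty list = clean)."""
    lowered = text.lower()
    hits = {label for label, pat in PHI_PATTERNS.items() if pat.search(text)}
    hits |= {f for f in RECORD_PHI_FIELDS if getattr(record, f) and getattr(record, f).lower() in lowered}
    return sorted(hits)


def opaque_reference() -> str:
    """Unguessable token; the server maps it to the patient and message, so the link reveals nothing."""
    return secrets.token_urlsafe(24)


def build_notification(channel: str, record: PatientRecord, reference: str = "") -> dict:
    """Render the channel template and refuse to return it if any PHI slipped in.
    `reference` is only for deterministic tests; production callers leave it empty."""
    link = DEEP_LINK_BASE + (reference or opaque_reference())
    template = TEMPLATES[channel]
    if isinstance(template, str):
        payload = {"channel": channel, "text": template.format(link=link)}
    else:
        payload = {"channel": channel, **{k: v.format(link=link) for k, v in template.items()}}
    # Templates never receive record fields, but the gate runs regardless so a future template
    # change cannot silently start leaking.
    leaked = find_phi(" ".join(str(v) for v in payload.values()), record)
    if leaked:
        raise ValueError(f"notification for {channel} would leak PHI: {leaked}")
    return payload


def scan_free_text(text: str, record: PatientRecord) -> dict:
    """For hand-written outbound messages: report what would leak so the sender can fix it."""
    hits = find_phi(text, record)
    return {"safe": not hits, "hits": hits}
```

The scanner is a backstop, not a substitute for the template rule: the real control is that the templates are built only from `link`, so the provider, the carrier and the lock screen never see more than "you have a message". Where a provider has signed a BAA (the slides' Mailgun case) you may choose to send more, but the content-free default removes the question for SMS and push, where the slides note most providers are not compliant.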
Thank You
Joel Garcia
joel@allcode.com
(415) 890-6431
564 Market Street, Suite 607
SF, CA, 94104

(Sonam Bajaj) Call Girl in Jaipur- 09257276172 Escorts Service 50% Off with C...
 
Bangalore call girl 👯‍♀️@ Simran Independent Call Girls in Bangalore GIUXUZ...
Bangalore call girl  👯‍♀️@ Simran Independent Call Girls in Bangalore  GIUXUZ...Bangalore call girl  👯‍♀️@ Simran Independent Call Girls in Bangalore  GIUXUZ...
Bangalore call girl 👯‍♀️@ Simran Independent Call Girls in Bangalore GIUXUZ...
 
Call Girls Service Chandigarh Gori WhatsApp ❤7710465962 VIP Call Girls Chandi...
Call Girls Service Chandigarh Gori WhatsApp ❤7710465962 VIP Call Girls Chandi...Call Girls Service Chandigarh Gori WhatsApp ❤7710465962 VIP Call Girls Chandi...
Call Girls Service Chandigarh Gori WhatsApp ❤7710465962 VIP Call Girls Chandi...
 

How to develop HIPAA Compliant Applications

1. How To Develop HIPAA Compliant Applications
Focusing on Cloud and Mobile Applications

2. How To Develop HIPAA Compliant Applications
▪ Introduction
▪ Compliance Before the Public Cloud
▪ Compliance During the Public Cloud
▪ 3rd Party Cloud Options for Compliance
▪ Software Development Practices for Compliance
▪ Operating a HIPAA Compliant Solution
▪ Keeping Mobile Apps Compliant

3. Introduction – Joel Garcia
▪ Engineering – Symantec – Host Intrusion Detection, Symantec Security Incident Manager
▪ VPECTO – MedVantage acquired by IMS Health – Clinical Quality and Affordability Metrics for Providers. Big Data from Claims and Episode Treatment Groups – HIPAA Compliant before the Cloud
▪ VPE – LiveVox acquired by Golden Gate Capital – Cloud based hosted dialer. PCI and SAS70
▪ AllCode – CTO – Developed and deployed a number of HIPAA Compliant solutions for startups: ConsejoSano, Aforacare, Contex, etc…

4. Introduction – HIPAA
▪ The Health Insurance Portability and Accountability Act (HIPAA) of 1996 protects most “identifiable health information” held or transmitted by a covered entity or its business associate, in any form or medium, whether electronic, on paper or oral. The Privacy Rule calls this information Protected Health Information (PHI).
▪ PHI under US law is any information in a medical record that can be used to identify an individual and that was created in the course of providing a healthcare service, e.g. diagnosis or treatment.

5. Introduction – HIPAA Components
▪ Security Policies
▪ Human Resource Security
▪ Physical and Environmental Security – Colocation or Cloud
▪ Communications and Operations Management
▪ Access Control – Password Management, Encrypted VPNs
▪ Incident Management – Customers notified of a hack, Documented processes
▪ Business Continuity Plan – DR, do you run your BCP?

6. Introduction – HIPAA Components
▪ IT Compliance
▪ System Development and Software Development Lifecycle that includes a security risk assessment: scanning for application vulnerabilities, e.g. OWASP Top Ten, using something like WhiteHat; source control management; three-tiered architecture with separate firewalls; data exchange
▪ Cloud Computing – IaaS, PaaS, SaaS
▪ Cloud Security Services – DDoS attack prevention, physical and logical separation of data, encrypting data at rest and in transit
▪ Cloud Security Architecture
7. Compliance Before the Public Cloud
At MedVantage, before the public cloud, we built and operated a private cloud infrastructure for the claims and episode treatment groups data from Blue Cross Blue Shield plans. This was a lot of work and cost a lot of money.
▪ Physical and Environmental Security
▪ Communication and Operation Management
▪ Access Control
▪ Incident Management – SSIM, ArcSight
▪ Security – DDoS and data loss prevention

8. Compliance During the Public Cloud
With the advent of public cloud HIPAA solutions, we can now build on top of these vendors for software development by having them sign a Business Associate Agreement (BAA):
▪ TrueVault
▪ Aptible
▪ ClearDATA
▪ Amazon Web Services
▪ FireHost / Armor

9. Compliance During the Public Cloud (contd)
▪ Best to use a cloud solution that is focused on healthcare security. Solutions that are not focused on security may be reluctant to provide the information that you need, e.g. audit reports.
▪ Each of these vendors provides a different offering, but you are effectively looking for a way to avoid implementing some of the onerous tasks associated with protecting PHI and providing a secure private cloud platform.
▪ Only store the PHI in the HIPAA compliant container. If your solution has components that don’t need to touch PHI, run these components elsewhere, with all communication going over SSL.
10. Compliance During the Public Cloud (contd)
▪ Things that I look for when picking a vendor:
▪ A Virtual Private Cloud (VPC) sitting on top of AWS
▪ Support for SFTP out of the box
▪ Database traffic is encrypted in transit and
▪ Ease of use
▪ Centralized Access Control system
▪ Automated Risk Management

11. Compliance During the Public Cloud (contd)
▪ Remember HIPAA is more than technology – Incident Response, Risk Assessment, Operations, Policies & Procedures, and Security & Compliance Training are all priorities. To help with these issues there are compliance cloud platforms, which enable you to manage all of the audit reports to prepare for external audits and certifications.
▪ QIXpress – QIPSolutions
▪ Gridiron – Aptible
▪ ClearData
▪ ZenGRC – Reciprocity Labs

12. Compliance During the Public Cloud (contd)
▪ These compliance platforms enable you to:
▪ Generate sane, relevant security and compliance policies
▪ Train your workforce in security and secure coding practices
▪ Respond to security and privacy incidents
▪ Conduct internal audits and compliance status checks for your BCP, vulnerability assessment, and patch management
▪ Prepare for external audits and certifications

13. Software Development Practices
▪ Running Production, Test, and Development environments in a HIPAA secure environment can be expensive and time consuming to maintain and deploy
▪ For development environments, leverage Heroku and AWS
▪ For test environments, continue on Heroku and AWS
▪ For production environments, use the PHI containers and services

14. Software Development Practices (contd)
For B2B solutions, data integration with your client for either eligibility files or EMRs needs to be considered at the architecture stage. You do not want to build your data integration solution as part of your web app or REST web service component.
▪ SFTP – Large data files are typically transferred via SFTP.
• Customer deposits a file into your SFTP account. Decrypt the file using PGP. ETL the data into your middleware with all communication going through HTTPS.
• You pull from the customer’s SFTP. This is the reverse: the client creates a named account for you using your private key. Pull the eligibility data at a specified interval. When the download is complete, the process is the same as the inbound SFTP case.
• REST Web Services – Customer invokes REST web services to update data, with all traffic encrypted via SSL.
15. Software Development Practices (contd)
Third party integrations can be tough in terms of compliance. You need to read the BAAs.
▪ Email – Most email providers are not HIPAA compliant, e.g. SendGrid. Certain email providers are HIPAA compliant, e.g. Mailgun. There is a cost associated with using Mailgun.
▪ SMS – Most SMS message providers are not HIPAA compliant.
▪ PHI must be encrypted in transit, which makes this difficult.
▪ Secure Messaging is compliant when the communication is going over TLS to a secure machine, but this may not work when engaging with patients.
▪ Video Chat – OpenTok or Janus WebRTC – AugMedix…

16. Operating a HIPAA Compliant Solution
When your production environment is locked down, everything will slow down when it comes to:
▪ Deploying new code
▪ Accessing the database to see what’s going on
▪ Monitoring the log files
▪ Bringing up machines that have crashed

17. Keeping Mobile Apps Compliant
• All network communication runs through SSL.
• Try to store as little PHI on the mobile device as possible.
• When data is stored on the mobile device, PHI needs to be encrypted with AES-256.
• Try not to insert PHI into your push notifications.
• Make sure that your app is not a medical device that requires FDA approval.
18. Thank You
Joel Garcia
joel@allcode.com
(415) 890-6431
564 Market Street, Suite 607
SF, CA, 94104
