This document discusses securing healthcare mobile applications in compliance with HIPAA regulations. It covers topics like common mobile security threats, weaknesses in mobile apps, best practices for securing apps, and HIPAA technical, administrative and physical safeguards for mobile devices. The document is intended to introduce measures to develop secure healthcare apps that protect electronic protected health information on mobile platforms.
Securing Mobile Healthcare Application
This document is confidential and contains proprietary information, including trade secrets of CitiusTech. Neither the document nor any of the information contained in it may be reproduced or disclosed to any unauthorized person under any circumstances without the express written permission of CitiusTech.

CitiusTech Thought Leadership
Securing Healthcare Mobile Apps in Compliance with HIPAA
30 September 2017 | Author: Sonal Raskar, Technical Lead Grade I, CitiusTech
Agenda
Securing Healthcare Mobile Apps in Compliance with HIPAA
Cyber Security and Data Breaches in healthcare
Top Mobile Security Threats
Potential Weaknesses in Mobile Applications
HIPAA – Regulatory Compliance Review
Security considerations to protect mobile devices
Security Best Practices for healthcare Applications
Secure HIPAA Implementation Cycle
HIPAA Regulation Safeguards for Mobile Devices
References
Securing Healthcare Mobile Apps in Compliance with HIPAA
Mobile health has gathered tremendous pace in recent years. The extensive use of mobile technology in various clinical areas has changed many aspects of clinical practice.
o There has been rapid growth in the development of medical software applications for mobile platforms
o Many mobile applications enable healthcare providers to track prescription drugs, view patient information and manage their schedules

Mobile health has made healthcare data security and confidentiality more challenging, because healthcare mobile applications handle sensitive protected health information. If adequate security controls are not implemented, devices become vulnerable to compromise and expose the electronic Protected Health Information (ePHI) stored on them.

One of the main objectives of the HIPAA (Health Insurance Portability and Accountability Act) legislation is to provide data privacy and security provisions for safeguarding medical information. It requires healthcare organizations to ensure that applications are secure, and that sensitive patient data is protected while in use, in transit and at rest on a mobile device.

This document introduces measures to secure healthcare applications in compliance with HIPAA.
Cyber Security and Data Breaches in Healthcare
The volume, frequency, impact and cost of data breaches in the healthcare industry have been consistently high for the last few years. The healthcare data breach database maintained by the HHS Office for Civil Rights (OCR) shows that the top 10 healthcare data breaches of 2016 were the result of hacking or health IT incidents, which emphasizes the need for better technical safeguards in the healthcare industry.

Data breaches over the past two years [2015-16]:
o 89% of healthcare organizations experienced data breaches over the past two years; 11% reported none
o 79% have experienced multiple breaches over two years
o 45% have experienced five or more breaches in the past two years
o Only 4.2% of breaches were "secure breaches", where encryption rendered the stolen data useless
o 59% of organizations do not think their security budget is sufficient to curtail or minimize data breaches

Data breaches by industry: Healthcare 28%, Government 15%, Retail 12%, Finance 12%, Technology 11%, Education 9%, Other 13%
Top Mobile Security Threats
Implementing security best practices against cyber threats provides reasonable assurance that the mobile application is protected from cyber attacks. Criminal attacks are the main cause of data breaches: 50% of healthcare organizations report that the root cause of their breach was a criminal attack.

Top security threats in healthcare:
o Cyber attacks: 28%
o Employee negligence and malicious insiders: 26%
o Mobile applications: 9%
o Insecurity of IoT devices: 7%
o DDoS attacks on the network: 4%

Top cyber attack concerns in healthcare:
o Denial of Service: 48%
o Ransomware: 44%
o Malware: 41%
o Phishing: 32%
o Rogue Software: 11%
o Password Attacks: 8%
Potential Weaknesses in Mobile Applications
There are many potential weak spots in mobile apps. Understanding them helps developers build a robust app and protect user data.

Data Flow: Can you establish an audit trail for data? Is data in transit protected? Who has access to it?
Data Storage: How is data stored on the device? Is it encrypted? Cloud solutions can be a weak link for data security.
Data Leakage: Is data leaking into log files, or out through notifications?
Authentication: When and where are users challenged to authenticate? How are users authorized? Can passwords and IDs be tracked through the system?
Server-Side Controls: Is server-side validation present on the input fields? Are all potential client-side routes into the application validated?
Session Management: Is the user session invalidated after an idle timeout and on user logout, to prevent unauthorized access to the application?
HIPAA – Regulatory Compliance Review (1/2)
The HIPAA Security Rule sets US national standards to protect ePHI that covered entities create, receive, maintain or transmit.
Required specifications are mandatory. Addressable specifications must be implemented if reasonable and appropriate; otherwise the organization must document why, and implement an equivalent alternative measure where that is reasonable.
The Administrative Safeguards are the policies and procedures that govern the conduct of the workforce and the security measures put in place to protect ePHI.
The Physical Safeguards are the rules and guidelines that focus on physical access to PHI.
The Technical Safeguards focus on the technology that protects PHI and controls access to it.
HIPAA – Regulatory Compliance Review (2/2)
HIPAA sections covered by the review:
• Administrative Safeguards: §164.308
• Physical Safeguards: §164.310
• Technical Safeguards: §164.312
• Organizational Requirements (§164.314) and Policies, Procedures and Documentation Requirements (§164.316)
• Uses and Disclosures (Privacy Rule): §164.508, §164.510 and §164.512

Security control areas mapped to these safeguards:
• Authentication Security: Password Security; Account Lockout Policy
• Identity Access Management: System Administrator identity; Device Login Procedures; Auto Log offs
• Access Control: Access Control Lists; Emergency Access Control
• Encryption: Encryption of Data at Rest; Encryption of Data in Transit
• Audit Controls: Audit Logs and Retention; Remote Access Logs; Log Review Process
Security Considerations to Protect Mobile Devices (1/2)
User authentication
Authentication is the process of verifying the identity of a user, process, or device. Mobile devices can be configured to require a password, personal identification number (PIN), or passcode to gain access to them.

Install and enable encryption
Encryption protects health information stored on and sent by mobile devices. Data encryption keys should be rotated periodically and stored separately from the data they protect.

Install remote wiping
Remote wiping enables deletion of data on a mobile device remotely. If the remote wipe feature is enabled, data stored on a lost or stolen mobile device can be permanently deleted.

Disable file sharing applications
File sharing is software or a system that allows users to connect to each other and trade computer files. File sharing can also let unauthorized users access the mobile device without the user's knowledge.
Security Considerations to Protect Mobile Devices (2/2)
Install and enable security software
Security software can be installed to protect against malicious applications, viruses, spyware, and malware-based attacks.

Keep your security software up to date
Regularly updating security software (and the device operating system) closes known vulnerabilities and helps prevent unauthorized access to health information on or through the mobile device.

Protect data in transit over public Wi-Fi
Public Wi-Fi networks allow unauthorized users to intercept information. Protect health information by not sending or receiving it when connected to a public Wi-Fi network, unless over a secure, encrypted connection such as TLS or a VPN.

Delete all stored health information before discarding or reusing the mobile device
Use software tools that thoroughly delete (or wipe) data stored on a mobile device before discarding or reusing the device, to protect health information from unauthorized access.
Security Best Practices for Healthcare Applications (1/4)

Implementing software development best practices helps mitigate most of the common vulnerabilities in an application and reduces the cost of fixing issues that would otherwise surface after the application is developed. Some of these best practices, derived from the OWASP Mobile Top 10, are broadly categorized as follows.

Session Management
Session management is the technique developers use to make the stateless HTTP protocol support a session as state.
o Implement an idle or inactivity timeout, preferably after 15-20 minutes of inactivity, on all sessions
o Enforce session timeout and expiration on the server side; a client-side timer alone can be bypassed
o Immediately invalidate the session on logout, and discard or terminate the session token on the server side so a previously captured token cannot be replayed
o Generate random, high-entropy session IDs and auth tokens from a cryptographically secure random source. Session IDs must not be derived from any personal information of the user or the device (such as the device ID)
o Send session IDs only over secure channels (HTTPS) to prevent an adversary from hijacking the session
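The following Go program is an added example, not code from the original deck, of the server-side session controls listed above: tokens drawn from the OS random source with no link to user or device data, an idle timeout enforced by the server rather than the client, and immediate server-side invalidation on logout. It also sets the Secure and HttpOnly cookie attributes and the Cache-Control: no-store header recommended on the data-in-transit slide further on. The 15-minute timeout, the cookie name "sid" and the user "dr.smith" are assumptions for the demonstration; the clock is injectable only so that expiry can be exercised without waiting.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"net/http"
	"sync"
	"time"
)

// idleTimeout is the server-enforced inactivity limit (assumed: low end of the
// 15-20 minute range recommended above).
const idleTimeout = 15 * time.Minute

// ErrNoSession is returned for unknown, expired and logged-out tokens alike, so a
// caller cannot tell "never existed" from "expired".
var ErrNoSession = errors.New("session invalid or expired")

type session struct {
	userID   string
	lastSeen time.Time
}

// SessionStore keeps all session state on the server; the client holds only the token.
type SessionStore struct {
	mu       sync.Mutex
	sessions map[string]*session
	now      func() time.Time // injectable clock so timeouts can be tested
}

func NewSessionStore(now func() time.Time) *SessionStore {
	if now == nil {
		now = time.Now
	}
	return &SessionStore{sessions: make(map[string]*session), now: now}
}

// newToken draws 256 bits from the OS CSPRNG. Nothing about the user or device
// goes into it, so it can be neither predicted nor correlated with a device ID.
func newToken() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// Create opens a session for an already authenticated user and returns its token.
func (s *SessionStore) Create(userID string) (string, error) {
	tok, err := newToken()
	if err != nil {
		return "", err
	}
	s.mu.Lock()
	defer s.mu.Unlock()
	s.sessions[tok] = &session{userID: userID, lastSeen: s.now()}
	return tok, nil
}

// Validate resolves a token to its user and enforces the idle timeout server-side:
// a session idle longer than idleTimeout is discarded, whatever the client claims.
func (s *SessionStore) Validate(tok string) (string, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	sess, ok := s.sessions[tok]
	if !ok {
		return "", ErrNoSession
	}
	if s.now().Sub(sess.lastSeen) > idleTimeout {
		delete(s.sessions, tok)
		return "", ErrNoSession
	}
	sess.lastSeen = s.now()
	return sess.userID, nil
}

// Logout removes the token server-side so a copy captured earlier is useless.
func (s *SessionStore) Logout(tok string) {
	s.mu.Lock()
	defer s.mu.Unlock()
	delete(s.sessions, tok)
}

// SetSessionCookie sends the token with Secure (HTTPS only), HttpOnly (no script
// access) and SameSite, and tells caches not to store the response.
func SetSessionCookie(w http.ResponseWriter, tok string) {
	http.SetCookie(w, &http.Cookie{
		Name:     "sid", // assumed cookie name
		Value:    tok,
		Path:     "/",
		MaxAge:   int(idleTimeout.Seconds()),
		Secure:   true,
		HttpOnly: true,
		SameSite: http.SameSiteStrictMode,
	})
	w.Header().Set("Cache-Control", "no-store")
	w.Header().Set("Pragma", "no-cache")
}

func main() {
	store := NewSessionStore(nil)
	tok, err := store.Create("dr.smith")
	if err != nil {
		panic(err)
	}
	user, err := store.Validate(tok)
	fmt.Println(user, err)
	store.Logout(tok)
	_, err = store.Validate(tok)
	fmt.Println(err)
}
```

Validate refreshes lastSeen on every successful call, so the timeout is measured from the last real request, and an attacker who steals a cookie after logout or after the idle window gets ErrNoSession regardless of the cookie's own MaxAge.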
Security Best Practices for Healthcare Applications (2/4)

Data at Rest
Data at rest generally refers to data stored in persistent storage. Mobile devices are often subject to specific security protocols to protect data at rest from unauthorized access when lost or stolen.
o Avoid storing sensitive data on the device. If it must be stored, always encrypt it using FIPS 140-2 validated cryptographic modules and approved algorithms: AES for encryption (preferably an authenticated mode such as AES-GCM), RSA or ECDSA for signatures and key exchange, and SHA-256 for integrity. Note that SHA-256 is a hash, not an encryption algorithm, and does not by itself protect confidentiality
o Use strong encryption so that if access controls such as usernames and passwords fail, the encrypted data is not compromised
o Periodically rotate data encryption keys and store them separately from the data (for example in the platform keystore), so that a copy of the database alone does not yield plaintext
o Remove unnecessary application and system documentation that could reveal sensitive information to attackers

Data in Transit
Data in transit, or data in motion, is data moving from one location to another across the internet or through private networks.
o SSL/TLS certificate pinning: the app ships with a copy or hash of the server's certificate or, preferably, of its public key (SubjectPublicKeyInfo), and refuses any TLS connection whose certificate chain does not match. This guarantees that the app talks only to the intended server, even if a rogue or compromised certificate authority issues a certificate for the same host name. The disadvantage is operational: when the pinned certificate or key changes, the pin in the app must be updated, so pin the public key rather than the leaf certificate and ship a backup pin for the next planned key
o Implement network security controls such as firewalls and network access control to protect the networks used to transmit data against malware and intrusion
o Enable user prompting, blocking, or automatic encryption for sensitive data in transit
o Maintain cached data only for the duration of a session
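The following Go program is an added example, not code from the original deck, of the data-at-rest advice above: each record is encrypted with AES-256-GCM under its own random data-encryption key (DEK), the DEK is stored only wrapped under a key-encryption key (KEK) that is held separately from the data, and rotating the KEK re-wraps the DEK without touching the ePHI ciphertext. The Record layout, the "dek:" context prefix and the sample record text are assumptions for the demonstration; in a real app the KEK would come from the platform keystore rather than a variable.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Record is one encrypted ePHI item as it would sit in the on-device database
// (assumed layout). The KEK that wraps the DEK lives elsewhere, so a copy of the
// database alone yields nothing.
type Record struct {
	WrappedDEK []byte // random data-encryption key, sealed under the KEK
	Ciphertext []byte // the ePHI, sealed under the DEK
}

func newKey() ([]byte, error) {
	k := make([]byte, 32) // AES-256
	_, err := io.ReadFull(rand.Reader, k)
	return k, err
}

// seal encrypts with AES-256-GCM and returns nonce||ciphertext||tag. aad binds the
// context (here a record ID) so a ciphertext cannot be moved to another record.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; GCM rejects any modified byte, so tampering is an error.
func open(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// Encrypt seals plaintext under a fresh DEK and wraps that DEK under kek.
func Encrypt(kek, plaintext []byte, recordID string) (*Record, error) {
	dek, err := newKey()
	if err != nil {
		return nil, err
	}
	ct, err := seal(dek, plaintext, []byte(recordID))
	if err != nil {
		return nil, err
	}
	wrapped, err := seal(kek, dek, []byte("dek:"+recordID))
	if err != nil {
		return nil, err
	}
	return &Record{WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// Decrypt unwraps the DEK with kek, then opens the ePHI.
func Decrypt(kek []byte, r *Record, recordID string) ([]byte, error) {
	dek, err := open(kek, r.WrappedDEK, []byte("dek:"+recordID))
	if err != nil {
		return nil, err
	}
	return open(dek, r.Ciphertext, []byte(recordID))
}

// RotateKEK re-wraps the DEK under newKEK; the ePHI ciphertext is untouched, which
// is what makes periodic key rotation affordable on a device full of records.
func RotateKEK(oldKEK, newKEK []byte, r *Record, recordID string) error {
	dek, err := open(oldKEK, r.WrappedDEK, []byte("dek:"+recordID))
	if err != nil {
		return err
	}
	wrapped, err := seal(newKEK, dek, []byte("dek:"+recordID))
	if err != nil {
		return err
	}
	r.WrappedDEK = wrapped
	return nil
}

func main() {
	kek, _ := newKey()
	// constructed sample ePHI, not real patient data
	rec, err := Encrypt(kek, []byte("MRN 12345: metformin 500 mg"), "rec-1")
	if err != nil {
		panic(err)
	}
	pt, err := Decrypt(kek, rec, "rec-1")
	fmt.Printf("%s %v\n", pt, err)
}
```

Because GCM is authenticated, a flipped byte in the stored ciphertext or an attempt to replay one record's ciphertext under another record's ID fails to decrypt instead of yielding silently corrupted ePHI; that property is also what the HIPAA integrity mechanism later in this deck asks for.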
Security Best Practices for Healthcare Applications (3/4)

Data in Transit (continued)
o Use server authentication as an anti-spoofing measure. Although a client can be configured to skip certificate verification in SSL/TLS, it must always verify the server's certificate chain and host name; otherwise an attacker can spoof the server, harming users and damaging the organization's reputation
o Never send passwords over a network connection in clear text. Protect highly sensitive values (login IDs, passwords, PINs, account numbers) against interception through a compromised SSL/TLS connection with an additional layer of encryption in transit, for example a VPN
o Set the Secure and HttpOnly attributes on session cookies. Secure keeps the cookie off plaintext HTTP; HttpOnly keeps it out of reach of client-side scripts, which limits the damage of a cross-site scripting (XSS) flaw, although it does not prevent XSS itself
o Do not use loopback when handling sensitive data. Use proper Cache-Control headers (for example no-store) so that responses carrying sensitive data are not cached when requesting resources

Code Obfuscation
Mobile applications contain compiled code which, when extracted and decompiled, lets an attacker read something close to the complete source.
o Obfuscation is a strategy to make code harder to understand or read, generally for privacy or security purposes
o Use obfuscator tools or libraries to convert straightforward code into a form that is hard to follow, so that an attacker cannot easily understand the logic behind the code. For example, a variable named patientNameString would be renamed to shsggehehheh
o Obfuscation raises the cost of reverse engineering but does not prevent it; do not rely on it to hide secrets or security decisions that belong on the server
Security Best Practices for Healthcare Applications (4/4)

Audit Logs
Audit logs provide documentary evidence of the events that affect the application at a specific time. An application must maintain logs so that an event can be traced back in case of an incident or error.
o Record the source IP address, timestamp, user identity and details of the crucial events of the application, plus whatever else the business requires, in the audit logs; do not write ePHI itself into the log, reference the record instead
o Maintain the audit logs locally in device storage and periodically sync them with the log server
o Audit logs contain more sensitive information than generic transaction logs, so implement proper authorization checks before granting access to them

Hard-Coded Sensitive Information
Developers often leave sensitive information such as security tokens, encryption keys or proprietary algorithms hard-coded in the application code.
o Do not store passwords, connection strings or other sensitive information in clear text, or in any non-cryptographically-secure manner, on the client side. This includes embedding them in insecure formats such as ms-viewstate, Adobe Flash or compiled code, all of which can be extracted or decompiled
o Never save passwords or SSNs in plain form in the app or on the server. Store passwords only as salted, deliberately slow password hashes (bcrypt, scrypt, PBKDF2 or Argon2), and encrypt other identifiers such as SSNs, so that nothing is recoverable without the key
o Remove comments in user-accessible production code that may reveal backend systems or other sensitive information
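The following Go program is an added example, not code from the original deck, of an audit log shaped by the guidance above and by the integrity requirements of §164.312(c) listed later in this deck: each entry carries timestamp, user, source IP, action, record reference and outcome (never the ePHI itself), and each entry is HMAC-chained to its predecessor so that editing, deleting or reordering an entry before it is synced to the log server is detectable. The field set, the HMAC key handling and the sample events are assumptions for the demonstration; in practice the key would be held by the log service, not by the component that writes events.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// AuditEvent records who did what, from where, when, and whether it succeeded.
// RecordID references the ePHI; the ePHI itself is never written to the log.
type AuditEvent struct {
	Seq      uint64 `json:"seq"`
	Time     string `json:"time"` // RFC 3339, UTC
	UserID   string `json:"user_id"`
	SourceIP string `json:"source_ip"`
	Action   string `json:"action"`    // e.g. LOGIN, VIEW_RECORD, LOGOUT (assumed vocabulary)
	RecordID string `json:"record_id"` // reference only, no PHI
	Outcome  string `json:"outcome"`   // success or denied
	PrevMAC  string `json:"prev_mac"`  // MAC of the previous entry; chains the log
	MAC      string `json:"mac"`       // HMAC-SHA256 over every other field
}

// AuditLog is the on-device buffer that is periodically synced to the log server.
type AuditLog struct {
	key     []byte // HMAC key (assumed to be held by the log service in production)
	Entries []AuditEvent
}

func NewAuditLog(key []byte) *AuditLog {
	return &AuditLog{key: key}
}

// mac computes the HMAC over the JSON form of the event with its MAC field blanked,
// so the MAC covers PrevMAC and therefore the whole chain before it.
func (l *AuditLog) mac(e AuditEvent) (string, error) {
	e.MAC = ""
	body, err := json.Marshal(e)
	if err != nil {
		return "", err
	}
	m := hmac.New(sha256.New, l.key)
	m.Write(body)
	return hex.EncodeToString(m.Sum(nil)), nil
}

// Append adds one event, linking it to the previous entry's MAC.
func (l *AuditLog) Append(at time.Time, user, ip, action, recordID, outcome string) error {
	prev := ""
	if n := len(l.Entries); n > 0 {
		prev = l.Entries[n-1].MAC
	}
	e := AuditEvent{
		Seq: uint64(len(l.Entries)), Time: at.UTC().Format(time.RFC3339),
		UserID: user, SourceIP: ip, Action: action, RecordID: recordID,
		Outcome: outcome, PrevMAC: prev,
	}
	mac, err := l.mac(e)
	if err != nil {
		return err
	}
	e.MAC = mac
	l.Entries = append(l.Entries, e)
	return nil
}

// Verify recomputes every MAC and checks sequence numbers and chain links. It
// returns the index of the first bad entry, or -1 when the log is intact.
func (l *AuditLog) Verify() (int, error) {
	prev := ""
	for i, e := range l.Entries {
		if e.Seq != uint64(i) || e.PrevMAC != prev {
			return i, errors.New("audit chain broken: entry removed, reordered or inserted")
		}
		want, err := l.mac(e)
		if err != nil {
			return i, err
		}
		if !hmac.Equal([]byte(want), []byte(e.MAC)) {
			return i, errors.New("audit entry modified: MAC mismatch")
		}
		prev = e.MAC
	}
	return -1, nil
}

func main() {
	log := NewAuditLog([]byte("demo-key-not-for-production")) // assumed key
	t0 := time.Date(2017, 9, 30, 10, 0, 0, 0, time.UTC)
	// constructed sample events
	_ = log.Append(t0, "dr.smith", "10.0.0.7", "LOGIN", "", "success")
	_ = log.Append(t0.Add(time.Minute), "dr.smith", "10.0.0.7", "VIEW_RECORD", "MRN-12345", "success")
	idx, err := log.Verify()
	fmt.Println(idx, err)
}
```

Verify is what the log server runs on each synced batch; a tampered batch is rejected and itself becomes a security event. The chain does not stop an attacker with the HMAC key from rewriting history, which is why the key must not live in the app that produces the events.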
Secure HIPAA Implementation Cycle

Phase 1: Define Scope [PHI Data Flow]
o Identify entry points of the PHI information
o Identify locations of ePHI storage
o Identify ePHI in transit

Phase 2: Risk Assessment / Threat Analysis
o Identify vulnerabilities in components, design and implementation using security testing
o Identify threats
o Identify risks (vulnerabilities + threats) and rate the impact

Phase 3: HIPAA Compliance Review
o Review the systems and applications against the HIPAA technical and administrative safeguards
o Identify non-compliance based on the Risk Assessment report and the HIPAA review

Phase 4: Implement Controls
o Identify appropriate controls to mitigate the top risks
o Implement the security measures to reduce or eliminate the risk
o Mitigate high and medium risks

Phase 5: Test, Train and Repeat
o Test the controls implemented to mitigate risks
o Document the HIPAA risk analysis process
o Repeat the process annually
o Conduct mobile device privacy and security awareness training for providers and professionals
HIPAA Regulation Safeguards for Mobile Devices (1/2)
Implementation specifications and requirements for Administrative and Physical Safeguards

Administrative Safeguards (§164.308), Information Access Management and Security Awareness and Training:
o Access Authorization §164.308(a)(4)(ii)(B): Implement policies and procedures for granting access to ePHI, for example through access to a workstation, transaction, program, process, or other mechanism
o Protection from Malicious Software §164.308(a)(5)(ii)(B): Implement procedures for guarding against, detecting, and reporting malicious software
o Log-in Monitoring §164.308(a)(5)(ii)(C): Implement procedures for monitoring log-in attempts and reporting discrepancies
o Password Management §164.308(a)(5)(ii)(D): Implement procedures for creating, changing, and safeguarding passwords
o Data Backup Plan §164.308(a)(7)(ii)(A): Establish and implement procedures to create and maintain retrievable exact copies of ePHI, so that it can be restored after unexpected negative events

Physical Safeguards (§164.310), Device and Media Controls:
o Media Disposal §164.310(d)(2)(i) and Media Re-use §164.310(d)(2)(ii): Implement policies and procedures for the final disposal of ePHI and the hardware or electronic media on which it is stored, and for removing ePHI from electronic media before the media are made available for re-use
HIPAA Regulation Safeguards for Mobile Devices (2/2)
Implementation specifications and requirements for Technical Safeguards

Technical Safeguards (§164.312):
o Unique User Identification §164.312(a)(2)(i): Assign a unique name and/or number for identifying and tracking user identity
o Automatic Logoff §164.312(a)(2)(iii): Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity
o Encryption and Decryption §164.312(a)(2)(iv) and Encryption §164.312(e)(2)(ii): Implement a mechanism to encrypt and decrypt ePHI at rest, and encrypt ePHI in transit whenever deemed appropriate
o Audit Controls §164.312(b): Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI. This standard has no separate implementation specifications; compliance with the standard itself is required
o Integrity §164.312(c)(1): Implement policies and procedures to protect ePHI from improper alteration or destruction
o Mechanism to Authenticate ePHI §164.312(c)(2): Implement electronic mechanisms to corroborate that ePHI has not been altered or destroyed in an unauthorized manner
o Person or Entity Authentication §164.312(d): Implement procedures to verify that a person or entity seeking access to ePHI is the one claimed. This standard has no separate implementation specifications; compliance with the standard itself is required
o Transmission Security §164.312(e)(1) and Integrity Controls §164.312(e)(2)(i): Implement security measures to ensure that electronically transmitted ePHI is not improperly modified without detection until disposed of. A common organizational policy under this standard is that consumer web-based email accounts such as (but not limited to) Yahoo and Hotmail must not be used to transmit any type of ePHI
Thank You

Author: Sonal Raskar, Technical Lead Grade I
Contact: thoughtleaders@citiustech.com

About CitiusTech
o 2,700+ healthcare IT professionals worldwide
o 1,200+ healthcare software engineers
o 700+ HL7 certified professionals
o 30%+ CAGR over the last 5 years
o 80+ healthcare customers: healthcare technology companies; hospitals, IDNs and medical groups; payers and health plans; ACO, MCO, HIE, HIX, NHIN and RHIO; pharma and life sciences companies