10 things you can do to be HIPAA ready
If you are dealing with any form of PHI (protected health information), at some point you will have to attain HIPAA compliance. But are you taking steps now to make it easy to get there when you are ready?
As a startup, you want to secure a few pilots, and once you have proven the business model with the help of a few early customers you can invest in getting the actual compliance done.
1. Work with a cloud service that signs HIPAA BAAs
You can take advantage of cloud services to architect a product that has to comply. Make sure, though, that you can enter into a Business Associate Agreement (BAA) with the cloud service provider (CSP). More info here.
2. Make sure you understand which of the products from the cloud service can come under a BAA
Not all cloud services provided by the CSP are eligible to be covered by a BAA. For example, here is a list of eligible AWS services.
3. Have a security auditor – Doesn’t have to be full-time
Coming up with a security policy and an audit schedule, and having someone within the team accountable for them, is a really good practice to bake in from the get-go. You can keep iterating on it as you grow as a company. This will allow you to discover security gaps early on and will help when you start getting serious about compliance.
4. Control access to the production environment
Create a permission structure that lets you easily grant and revoke access to the production environment. You should be using some sort of permissions management system. For example, if you are using AWS, creating IAM policies and groups that you can easily add users to and remove them from will help you tightly control access to the data.
5. Encrypt credentials to cloud resources like database and use a key management system (KMS)
Having keys and secrets committed in the code is never a good idea, and you need to absolutely avoid it. Basically, these services give you tools to encrypt things and manage the keys for you. The cloud services you authorize can use these keys to decrypt information when it is needed. Engineers on your team don't need to have the actual key, and the key used to decrypt doesn't have to be committed to the code. This makes sure that if your codebase is compromised for some reason, your credentials are still protected.
6. De-identify health data
You want to separate health data from the user information that could be used to tie it back to a person. If someone gets access to the health data, they should have no idea who it belongs to. Read more about methods to de-identify data here. There are 18 HIPAA identifiers that you need to watch out for. Here is a list.
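A concrete version of this separation, as an added example that is not CauseCode's code: a Safe Harbor-style routine that strips direct identifiers, generalizes dates, ages and ZIP codes, and links the health part to the identity part only through a random token. The field names and the sample records are assumptions.

```python
# Added example, not CauseCode's code; field names and sample records are constructed.
import re
import secrets
from datetime import date

# Direct identifiers the Safe Harbor method says must be removed outright
# (a subset of the 18; extend this set to match your own schema).
DIRECT_IDENTIFIERS = {"name", "email", "phone", "ssn", "mrn", "street", "ip"}

def generalize_zip(zip_code):
    """Keep only the first three ZIP digits. Safe Harbor also requires collapsing
    prefixes that cover fewer than 20,000 people to 000; that Census table is
    not included here, so this part is a partial implementation."""
    digits = re.sub(r"\D", "", zip_code or "")
    return digits[:3] + "00" if len(digits) >= 3 else None

def age_on(dob, today):
    """Whole years between dob and today."""
    before_birthday = (today.month, today.day) < (dob.month, dob.day)
    return today.year - dob.year - before_birthday

def deidentify(record, today=None):
    """Return (identity, health). Only `health` should reach analytics or logs."""
    today = today or date.today()
    token = secrets.token_hex(16)          # random, not derived from any PHI
    identity = {k: record[k] for k in DIRECT_IDENTIFIERS if k in record}
    health = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    identity["subject_token"] = health["subject_token"] = token
    dob = health.pop("dob", None)
    if dob is not None:
        age = age_on(dob, today)
        # Ages over 89, and any date that would reveal one, collapse to "90+".
        health["age"] = "90+" if age >= 90 else age
        if age < 90:
            health["birth_year"] = dob.year   # only the year may be kept
    if health.get("zip"):
        health["zip"] = generalize_zip(health["zip"])
    for key, value in list(health.items()):
        if isinstance(value, date):       # other dates: keep the year only
            health[key] = value.year
    return identity, health

# Constructed sample input for the check below.
SAMPLE_TODAY = date(2020, 1, 1)
SAMPLE_RECORD = {"name": "Jane Doe", "email": "jane@example.com", "mrn": "MRN-0001",
                 "dob": date(1930, 5, 2), "zip": "02139",
                 "visit_date": date(2019, 3, 14), "diagnosis": "I10"}
SAMPLE_OVER_89 = dict(SAMPLE_RECORD, dob=date(1925, 1, 1))
```

The identity part belongs in a separately secured store; the health part, carrying only the token, is what the rest of the stack should see.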
7. Firewall and restrict access to the outside world
Keep everything behind a firewall inside a VPC, with only the HTTP ports reachable from the outside.
This again is basic security hygiene, but it should be done.
8. Isolated microservices
Architecting an application as isolated services rather than a monolith makes it much easier to scale. If you isolate the services and give them a secure way to communicate, a breach in one of them exposes less, and it also becomes easier to store data in a way that is hard to tie to a particular user.
9. Data transport and backup
All your data transport needs to happen over an encrypted channel. Regardless of whether you think you've done a phenomenal job of de-identifying data, it is a good idea to encrypt backups of all data sources used in your stack, if you take backups. And you should take backups!
10. Keep PHI out of your logs
Logging is an essential tool for resolving issues and addressing customer complaints, but for applications dealing with health data you want to make sure your logs are kosher. You can't do all of the above only to find out that your logs contain information that puts you in violation of the law.
HIPAA is a tough law, and you really need to take it seriously if you are dealing with health data from the US. The fines can run to millions of dollars. Here is a list of recent medical lawsuits that involve HIPAA violations.
We would love to know what you are doing to get ready for compliance.
About CauseCode: We are a technology company specializing in Healthtech related Web and Mobile application development. We collaborate with passionate companies looking to change health and wellness tech for good. If you are a startup, enterprise or generally interested in digital health, we would love to hear from you! Let's connect at email@example.com