Measures to be taken for Health compliant site

Download Zip file of Points to be considered

• Download Source - 13.7 KB

Introduction

Health compliance's are based on country, but there are some general rules which must be followed by all countries. Which leads to the security of the patient's information shared with the site? 

Background  

I have worked on so many projects related to health care domain, worked for different countries also. While working always faced problem, which all rules to be followed as for US HIPAA has a guide line, for UK EUDPD has a guideline and so for other countries.

After working on many applications, I have found some common points which should be considered before developing a site/application on health care domain, may be being a covered entity or not a covered entity.

Points to be considered

All the health care sites have main focus on how to secure the information that they are collecting from the users on the site. As protecting users information as per law is also important.

Here I am listing some methods which can be used by all sites which are being developed for health care domain. It can be developed on .Net, Java, Android, ios any platform that doesn't matter, what matters is what precautions are taken to protect user's data.

1. Encryption/Decryption of Data: 

There are many ways to keep data protected from unauthorized access; the best way is to encrypt data. The data holding PHI (Patient Health Information) or PII (Patient Identity Information) should be encrypted, so that it's secure. 

1.  We can encrypt the complete database on the client and server side.
2.  We can encrypt specified tables holding PHI and PII information server side
3.  When data is send from site to server it's already encrypted. 

Any of the ways can be used to secure the data.

Next question is very obvious, "What encryption method should be used."

There are many encryption methods that can be used.  

• Hash Algorithm 
• AES (Advanced Encryption Standard)Algorithm 
• DES (Data Encryption Standard) Algorithm

Any mechanism which supports 256 bits is best, but compliance's never say follow this mechanism only, it is always developers choice which one to use and why.

Rijndael was selected by US National Institute of Standards and Technology (NIST) as the candidate for the Advanced Encryption Standard (AES).  

For my two project which were developed in .Net I used this algorithm, supports 256 bits and easy to implement. 

After selecting type of encryption next question is "what all is to be encrypted" other than PHI and PII data.

1. All the files uploaded related to the patient, like reports, charts, images should be encrypted. 
2. Mails that contain PHI information should be encrypted
3. If mail contains an attachment related to patient's information that attachment should also be encrypted.
4. Sending SMS related to PHI, should be encrypted.

Information or Data over the network should travel in secure mode, for that site should be SSL certified. Certificate can be purchased from any of the available organizations. All the pages on the site holding personal information should work on https.

2. Points related to Sign In  

1. Unique user identification, user should have unique Email or Username which is unique for the complete application.  
2. Automatic log off: If user's session is ideal for more than 10 mins, system should log off user from the application, as this will help preventing data or can set screen server with password after 10 mins.
3. Catch vulnerable attempts for login, if wrong credential are supplied for more than three attempts, lock the site and send the verification link to the user, asking is he the one trying for the same, then should use forgot password, if not someone else is trying to look into users account.
4. This check should also be applied when security question and answer are supplied in case of forgot password. Three attempts, if wrong account should be locked.
5. Identification of user who has send the request: 

• By sending confirmation link on email, and link should have an expiry usually within 24hrs.
• By sending a key on SMS and verifying the same.
• Using Bio metrics like voice recognition, retina scanning, or thumb impression.

3. Password related measures:

Password strength should be used. Following rules can be used 

1. Minimum length should be eight characters. 
2. Should be combination of Lowercase, Uppercase, Symbol and Number.
3. Should not be same as username or First name of the user. 
4. Should be updated in 45 days and should not be same as last password.
5. In case of forgot password, system generated password should be send and user should be asked to change password after login.

4. Maintaining Audits:

1. Audit logs should be made for all the entries related to user.
2. All insert, delete and update records should be recorded in the database.

5. Deleting records when not required: 

1. Patient's information should be deleted if not required.
2. If a patient delete its account from the site, all its personal data should be permanently deleted.
3. Inorder to save in case if a complaint is fired against the site, audits can be kept if the law in that country permits.  
4. Deletion should be hard delete, no information should be kept with the site, if patient has removed its account from the site or has requested to delete its information.

Points of Interest:

We can find so many sites letting us know about the compliance's, but it's difficult to find all at one place. I have tried to cover maximum technical points at one place. I know it's not all, there are many more, but they have to be country specific. I hope this helps all of them who are working on Health care domain.

Once this is achieved we can focus on the other aspects like Administrative safeguard, Safe Harbor principal, Physical safeguard, Cookie policy.