When building HIPAA applications it is essential to make sure that the applications follow HIPAA security rules. In the USA, HIPAA compliance is the protocol designed to protect the privacy of individual health records. Similar rules exist in other countries as well.
While some of the HIPAA privacy rules are fairly straightforward, a number of them are open to interpretation, making the development of a HIPAA compliant application a tricky task. Fortunately, Alpha Anywhere has been designed with all the tools needed to protect sensitive data and meet the demands of key HIPAA requirements.
Below, Alpha developer Jerry Brightbill, who has extensive experience building HIPAA compliant healthcare applications, including a large system currently in use by over 40 large hospitals in the US, explains some of the most important requirements to think about when developing a HIPAA compliant application or mHealth app:
Building HIPAA Compliant Web Applications
by Jerry Brightbill, Alpha Software.
Building a HIPAA compliant application is somewhat challenging as the requirements cover many aspects of the design and implementation. Every security consultant will evaluate the requirements slightly differently and give slightly different recommendations.
However, there are generally accepted requirements for handling PHI (Patient Health Information) to achieve HIPAA compliance.
The good news is that Alpha Anywhere was designed with all the options and tools developers need to build HIPAA compliant health care applications.
Data encryption in applications
Most developers of browser-based applications have moved to SQL-based databases such as MS SQL Server, and those systems offer a number of encryption options.
One we are very familiar with is MS SQL Server's TDE (Transparent Data Encryption), which encrypts the database files and backups at rest; it is very good and has been evaluated and accepted by government agencies. Oracle databases also offer TDE. Alpha Anywhere supports a wide range of SQL databases.
Tracking edits, and viewing of data in applications
Alpha Anywhere web components offer a wide array of options to record data every time a user requests a view or makes an edit. We do this with "events" where some code can be added to save data into log tables.
If you are using a SQL-based data system, most SQL databases provide programming options such as triggers, where the back-end database itself adds rows to the view and edit logs. This approach is often chosen as the more secure one because it is independent of the user interface: a screen that forgets to call the logging code cannot silently skip an entry.
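As an added example (not Alpha Anywhere code or the author's system), the following Python script uses the bundled sqlite3 module to show the trigger-based edit log described above, with the log tables made append-only by further triggers. Since SQL triggers do not fire on SELECT, the view log is written by the data-access function instead. Table, column and sample patient names are assumptions constructed for illustration.

```python
# Added example: database-side edit log via triggers, application-side view log.
# Runs offline with Python's built-in sqlite3; schema names are assumptions.
import sqlite3

SCHEMA = """
CREATE TABLE patient (
    mrn       TEXT PRIMARY KEY,
    full_name TEXT NOT NULL,
    dob       TEXT NOT NULL
);
-- Edit log: written by the database itself, so a user interface that forgets
-- to call logging code cannot bypass it.
CREATE TABLE edit_log (
    id        INTEGER PRIMARY KEY AUTOINCREMENT,
    mrn       TEXT NOT NULL,
    action    TEXT NOT NULL,
    old_name  TEXT, new_name TEXT,
    old_dob   TEXT, new_dob  TEXT,
    logged_at TEXT NOT NULL DEFAULT (datetime('now'))
);
-- View log: triggers do not fire on SELECT, so reads are logged in read_patient().
CREATE TABLE view_log (
    id        INTEGER PRIMARY KEY AUTOINCREMENT,
    username  TEXT NOT NULL,
    mrn       TEXT NOT NULL,
    logged_at TEXT NOT NULL DEFAULT (datetime('now'))
);
CREATE TRIGGER patient_after_update AFTER UPDATE ON patient
BEGIN
    INSERT INTO edit_log (mrn, action, old_name, new_name, old_dob, new_dob)
    VALUES (OLD.mrn, 'UPDATE', OLD.full_name, NEW.full_name, OLD.dob, NEW.dob);
END;
CREATE TRIGGER patient_after_delete AFTER DELETE ON patient
BEGIN
    INSERT INTO edit_log (mrn, action, old_name, old_dob)
    VALUES (OLD.mrn, 'DELETE', OLD.full_name, OLD.dob);
END;
-- Make the logs append-only: any UPDATE or DELETE against them is rejected.
CREATE TRIGGER edit_log_no_update BEFORE UPDATE ON edit_log
BEGIN SELECT RAISE(ABORT, 'edit_log is append-only'); END;
CREATE TRIGGER edit_log_no_delete BEFORE DELETE ON edit_log
BEGIN SELECT RAISE(ABORT, 'edit_log is append-only'); END;
CREATE TRIGGER view_log_no_delete BEFORE DELETE ON view_log
BEGIN SELECT RAISE(ABORT, 'view_log is append-only'); END;
"""

# Constructed sample data, not real patient records.
SAMPLE_PATIENTS = [
    ("MRN-0001", "Alice Example", "1980-01-01"),
    ("MRN-0002", "Bob Sample", "1975-06-15"),
]


def open_audit_db():
    """Create an in-memory database with the schema, triggers and sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO patient VALUES (?, ?, ?)", SAMPLE_PATIENTS)
    conn.commit()
    return conn


def read_patient(conn, username, mrn):
    """Return one patient row and record who viewed it."""
    conn.execute("INSERT INTO view_log (username, mrn) VALUES (?, ?)", (username, mrn))
    row = conn.execute(
        "SELECT mrn, full_name, dob FROM patient WHERE mrn = ?", (mrn,)
    ).fetchone()
    conn.commit()
    return row


def update_patient(conn, mrn, full_name, dob):
    """Plain UPDATE; the edit_log row comes from the trigger, not from this code."""
    conn.execute(
        "UPDATE patient SET full_name = ?, dob = ? WHERE mrn = ?", (full_name, dob, mrn)
    )
    conn.commit()


def edit_log_entries(conn):
    """Return the edit log as a list of dicts, oldest first."""
    cur = conn.execute(
        "SELECT mrn, action, old_name, new_name, old_dob, new_dob FROM edit_log ORDER BY id"
    )
    cols = [d[0] for d in cur.description]
    return [dict(zip(cols, r)) for r in cur.fetchall()]


def view_log_entries(conn):
    """Return (username, mrn) pairs from the view log, oldest first."""
    return conn.execute("SELECT username, mrn FROM view_log ORDER BY id").fetchall()


def log_is_append_only(conn):
    """True if the database refuses to erase or rewrite edit_log rows.
    Call it only once the log has rows; row-level triggers fire per row."""
    for stmt in ("DELETE FROM edit_log", "UPDATE edit_log SET action = 'X'"):
        try:
            conn.execute(stmt)
            conn.rollback()
            return False  # the statement succeeded, so the log is not protected
        except sqlite3.DatabaseError:
            conn.rollback()  # RAISE(ABORT) in the trigger rejected the statement
    return True
```

In MS SQL Server or Oracle the same shape applies: AFTER UPDATE/DELETE triggers on the PHI tables write to a log table that the application login can INSERT into but cannot UPDATE or DELETE from, and reads are logged by the data layer because no mainstream SQL engine offers SELECT triggers.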
Access security in applications
Alpha Anywhere has full security measures to prevent unauthorized access to any data. The system has features to track all login and logout activity. Access to specific forms, reports, and data can be regulated with the built-in security.
In addition, our web server system supports SSL encryption and offers protection against common security threats such as SQL injection.
HIPAA regulations also require segregating data so that only users with the authority to see sensitive data can access it. In simple systems this is often not a concern, as anyone who has access to the system can see any data in it. In a more complex system, users may be allowed to see only a subset of the data. Alpha Anywhere offers a wide range of filtering options to limit user access in HIPAA compliant applications.
Industry evaluations of the issues surrounding HIPAA compliance in applications
Below are links to a few documents that are very useful for navigating HIPAA requirements. Put together by the American Medical Association, the Department of Health and Human Services, and Information Week, these documents answer many of the questions that may arise when developing for HIPAA compliance.
Example of a HIPAA compliant application built with Alpha Anywhere in use in over 40 hospitals
Some videos from the system that Jerry has built are shown here (Note: this is not real patient data in the screen shots and video):
- Building A HIPAA Compliant Health Care Application With Alpha Anywhere Part 1
- Building A HIPAA Compliant Health Care Application With Alpha Anywhere Part 2
- Building A HIPAA Compliant Health Care Application With Alpha Anywhere Part 3
- Building A HIPAA Compliant Health Care Application With Alpha Anywhere Part 5
- Building A HIPAA Compliant Health Care Application With Alpha Anywhere Part 6
Some of the Alpha Anywhere tools and methods developers are using to build HIPAA compliant apps:
- Use SSL certificates for data "in-transit"
- Take advantage of Alpha Anywhere's two-factor authentication.
- Let Alpha Anywhere encrypt connection strings.
- Design "group security" (built into Alpha Anywhere) from the ground up vs adding it after the app is built.
- Design database tables with security in mind. For example, developers may want to bifurcate PHI (Protected Health Information) into separate tables.
- Take advantage of Alpha Anywhere’s column encryption. (You don’t need to encrypt the entire database.) However, it’s not just about encrypting client names, address, date of birth, social security number, and credit card numbers. You have to analyze all the columns and make sure that a hacker can’t glean PHI from text fields or other types of HTML columns or reports.
- If you are using IIS security, you can also use client-side roles with JavaScript to limit screens and let users know they don't have access before the server locks them out.
- Alpha Anywhere also makes it easy to have column-based security or screen security.
- Stored procedures and views also provide excellent security. For example, reports that need to be sent to Medicare must be HIPAA compliant, and there is an option to show the MRN (Medical Record Number) instead of PHI (Protected Health Information). A view can handle this requirement so that, when the data comes back from the SQL database, it shows the MRN instead of the PHI.
- Create a security checklist that users of the app must follow, because security is more than just the application; it is also the way people use the application. Have a shredder for all your paper. Make sure your email and texting are encrypted. Alpha makes it very easy to use the Office 365 encryption within your application.
- Consider using Alpha Cloud because of all the security that AWS offers, which Alpha Cloud leverages and builds on.
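The following added example (not Alpha Anywhere code or the author's system) puts three of the items above into one runnable schema: PHI bifurcated into its own table keyed by MRN, a report view that exposes the MRN in place of identifying columns, and group-based row filtering through bound query parameters. It uses Python's bundled sqlite3; the table, column, unit and user names are assumptions constructed for illustration.

```python
# Added example: PHI in its own table, a de-identified report view, and a
# per-user filter driven by group membership. Schema names are assumptions.
import sqlite3

SCHEMA = """
-- Identifiers live in one narrow table. In a production SQL Server or Oracle
-- deployment this is the table to put column encryption on and to keep the
-- application login away from; everything else joins to it by MRN only.
CREATE TABLE patient_phi (
    mrn       TEXT PRIMARY KEY,
    full_name TEXT NOT NULL,
    ssn       TEXT NOT NULL,
    dob       TEXT NOT NULL
);
-- Clinical data carries the MRN but no direct identifiers.
CREATE TABLE encounter (
    id         INTEGER PRIMARY KEY AUTOINCREMENT,
    mrn        TEXT NOT NULL REFERENCES patient_phi(mrn),
    unit       TEXT NOT NULL,
    visit_date TEXT NOT NULL,
    dx_code    TEXT NOT NULL
);
-- Group security: which hospital units each application user may see.
CREATE TABLE user_unit (
    username TEXT NOT NULL,
    unit     TEXT NOT NULL,
    PRIMARY KEY (username, unit)
);
-- Report view for an outside payer: the MRN stands in for the identity, and
-- the view never touches patient_phi, so it cannot leak a name or SSN.
CREATE VIEW medicare_report AS
    SELECT mrn, visit_date, dx_code FROM encounter;
"""

# Constructed sample data, not real patient records.
SAMPLE_PHI = [
    ("MRN-0001", "Alice Example", "000-00-0001", "1980-01-01"),
    ("MRN-0002", "Bob Sample", "000-00-0002", "1975-06-15"),
]
SAMPLE_ENCOUNTERS = [
    ("MRN-0001", "cardiology", "2024-03-01", "I10"),
    ("MRN-0002", "oncology", "2024-03-02", "C50.9"),
    ("MRN-0001", "oncology", "2024-03-05", "Z12.31"),
]
SAMPLE_USER_UNITS = [("dr_heart", "cardiology"), ("dr_onc", "oncology")]


def open_segregated_db():
    """Create an in-memory database with the split schema and sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO patient_phi VALUES (?, ?, ?, ?)", SAMPLE_PHI)
    conn.executemany(
        "INSERT INTO encounter (mrn, unit, visit_date, dx_code) VALUES (?, ?, ?, ?)",
        SAMPLE_ENCOUNTERS,
    )
    conn.executemany("INSERT INTO user_unit VALUES (?, ?)", SAMPLE_USER_UNITS)
    conn.commit()
    return conn


def medicare_report_rows(conn):
    """Rows from the de-identified view: (mrn, visit_date, dx_code)."""
    return conn.execute("SELECT * FROM medicare_report ORDER BY visit_date").fetchall()


def report_column_names(conn):
    """Column names the view exposes; a compliance check can assert no identifiers."""
    cur = conn.execute("SELECT * FROM medicare_report LIMIT 0")
    return [d[0] for d in cur.description]


def encounters_for_user(conn, username):
    """Encounters the user may see, filtered by group membership.
    The username is a bound parameter, never spliced into the SQL text."""
    return conn.execute(
        """
        SELECT e.mrn, e.unit, e.visit_date, e.dx_code
        FROM encounter e
        JOIN user_unit u ON u.unit = e.unit
        WHERE u.username = ?
        ORDER BY e.visit_date
        """,
        (username,),
    ).fetchall()


def encounters_with_identity(conn, username):
    """Same filter, joined to PHI for clinicians entitled to see names.
    This join is the only place the identity table is touched, so access to
    it can be audited and restricted in one spot."""
    return conn.execute(
        """
        SELECT p.full_name, e.unit, e.visit_date, e.dx_code
        FROM encounter e
        JOIN user_unit u ON u.unit = e.unit
        JOIN patient_phi p ON p.mrn = e.mrn
        WHERE u.username = ?
        ORDER BY e.visit_date
        """,
        (username,),
    ).fetchall()
```

On a real SQL Server or Oracle back end the reporting login would be granted SELECT on `medicare_report` only, with no rights on `patient_phi`, so the de-identification holds even if the report query is changed later.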