Building HIPAA Compliant Web and Mobile Applications Rapidly with Alpha Anywhere

One of the trends we have noticed as we survey our customers is the increasing use of Alpha Anywhere by developers for building:
-- Secure HIPAA compliant web and offline-capable mobile applications for healthcare, and
-- Secure PCI compliant financial apps and other apps where security is of paramount importance.
In this post we will focus on HIPAA applications, but the same principles apply to PCI and other security-sensitive apps.

See how to build HIPAA compliant applications that protect sensitive data in healthcare, health plan, health insurance, and hospital apps. When building such applications it is essential to make sure that they follow the HIPAA Security Rule. In the USA, HIPAA is the law whose Privacy and Security Rules protect individually identifiable health records. Similar rules exist in other countries as well.

While some of the HIPAA privacy rules are fairly straightforward, a number of them are open to interpretation, making the development of a HIPAA compliant application a tricky task. Fortunately, Alpha Anywhere has been designed with all the tools needed to protect sensitive data and meet the demands of key HIPAA requirements.

Below, Alpha developer Jerry Brightbill, who has extensive experience building HIPAA compliant healthcare applications, including a large system currently in use by over 40 large hospitals in the US, explains some of the most important requirements to think about when developing a HIPAA compliant application or mHealth app:

Building HIPAA Compliant Web Applications

by Jerry Brightbill, Alpha Software.

Building a HIPAA compliant application is somewhat challenging, as the requirements cover many aspects of the design and implementation. Every security consultant will evaluate the requirements slightly differently and give slightly different recommendations.

However, there are generally accepted requirements for handling PHI (Protected Health Information) to achieve HIPAA compliance.

The good news is that Alpha Anywhere was designed to have the options and tools needed to allow developers to build HIPAA compliant health care applications.

Data encryption in applications

Most developers of browser-based applications have moved toward SQL based databases such as MS SQL Server. Those systems offer a number of encryption options.

One we are very familiar with is MS SQL Server TDE (Transparent Data Encryption), which is very good and has been evaluated and accepted by government agencies. The same applies to Oracle databases, which also offer TDE. Alpha Anywhere supports a wide range of SQL databases. Keep in mind what TDE covers: it encrypts the database files and backups on disk, so a stolen drive or backup tape yields nothing readable, but it does not hide data from anyone who can log in and run queries. Access control and column-level encryption still have to be handled separately.
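As an added example (not code from the original post or from Alpha Software), here is the T-SQL sequence that turns TDE on for a SQL Server database. The database name PatientRecords, the certificate name and the backup file paths are assumptions; the passwords are placeholders to be replaced from your secrets store.

```sql
-- Added example, not from the original post: enabling Transparent Data
-- Encryption on SQL Server. Database name, certificate name and file paths
-- are assumptions for illustration.
USE master;
GO
-- 1. The database master key in master protects the certificate's private key.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<strong random password>';
GO
-- 2. The certificate that will protect the database encryption key (DEK).
CREATE CERTIFICATE TDE_PatientRecords_Cert
    WITH SUBJECT = 'TDE certificate for PatientRecords';
GO
-- 3. Back up the certificate and private key immediately and store them
--    off the server: a backup of a TDE database cannot be restored anywhere
--    without this certificate, so losing it means losing the data.
BACKUP CERTIFICATE TDE_PatientRecords_Cert
    TO FILE = 'D:\keys\TDE_PatientRecords_Cert.cer'
    WITH PRIVATE KEY (
        FILE = 'D:\keys\TDE_PatientRecords_Cert.pvk',
        ENCRYPTION BY PASSWORD = '<second strong password>');
GO
-- 4. Create the DEK inside the application database and switch TDE on.
USE PatientRecords;
GO
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER CERTIFICATE TDE_PatientRecords_Cert;
GO
ALTER DATABASE PatientRecords SET ENCRYPTION ON;
GO
-- 5. Verify: encryption_state 3 means encrypted, 2 means still in progress.
--    tempdb shows up here too once any user database is encrypted.
SELECT DB_NAME(database_id) AS database_name,
       encryption_state,
       key_algorithm,
       key_length
FROM sys.dm_database_encryption_keys;
```

Nothing in the application or its connection string changes; that is the "transparent" part, and also the reason TDE alone says nothing about who may read the rows.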

Tracking edits, and viewing of data in applications

Alpha Anywhere web components offer a wide array of options to record data every time a user requests a view or makes an edit. We do this with "events", where programming code can be added to save data into log tables.

If you are using a SQL based data system, most SQL databases provide programming options such as triggers, where the back end database manages adding data to the edit logs. This is often preferred as more secure because it is independent of the user interface and cannot be bypassed by a client that talks to the database directly. Note that triggers fire only on INSERT, UPDATE and DELETE, not on SELECT, so a log of who viewed data has to come from the application's events, from a stored procedure that records the read before returning the rows, or from the database's own audit feature.
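As an added example (not code from the original post or from Alpha Software), the following T-SQL keeps the edit log in the database with a trigger, records the application user alongside the service login, and uses SQL Server Audit for the reads a trigger cannot see. The database, table, column and audit path names are assumptions; SESSION_CONTEXT, FOR JSON and the audit objects need SQL Server 2016 or later.

```sql
-- Added example, not from the original post: an edit log maintained by the
-- database, plus server-side auditing of reads. All names are assumptions.
USE PatientRecords;   -- assumed application database
GO
CREATE TABLE dbo.Patient (
    PatientId   INT           NOT NULL PRIMARY KEY,
    MRN         VARCHAR(20)   NOT NULL,
    LastName    NVARCHAR(100) NOT NULL,
    DateOfBirth DATE          NOT NULL
);
-- The log stores before/after images, so it contains PHI and needs the same
-- protection (encryption, access control, retention) as the audited table.
CREATE TABLE dbo.PatientEditLog (
    LogId     BIGINT        NOT NULL IDENTITY(1,1) PRIMARY KEY,
    PatientId INT           NOT NULL,
    Operation CHAR(1)       NOT NULL,                  -- 'I', 'U' or 'D'
    DbLogin   NVARCHAR(128) NOT NULL,                  -- the connection's login
    AppUser   NVARCHAR(128) NULL,                      -- the person, as the app knows them
    ChangedAt DATETIME2     NOT NULL DEFAULT SYSUTCDATETIME(),
    OldRow    NVARCHAR(MAX) NULL,                      -- JSON; NULL on insert
    NewRow    NVARCHAR(MAX) NULL                       -- JSON; NULL on delete
);
GO
CREATE TRIGGER dbo.trg_Patient_Audit
ON dbo.Patient
AFTER INSERT, UPDATE, DELETE
AS
BEGIN
    SET NOCOUNT ON;
    -- A web app usually connects with one service login, so SUSER_SNAME()
    -- names the app, not the person. The app should first run
    --   EXEC sp_set_session_context @key = N'app_user', @value = N'<username>';
    -- on the connection; the trigger reads it back here (NULL if unset).
    DECLARE @appUser NVARCHAR(128) =
        CONVERT(NVARCHAR(128), SESSION_CONTEXT(N'app_user'));

    INSERT INTO dbo.PatientEditLog
        (PatientId, Operation, DbLogin, AppUser, OldRow, NewRow)
    SELECT COALESCE(i.PatientId, d.PatientId),
           CASE WHEN d.PatientId IS NULL THEN 'I'
                WHEN i.PatientId IS NULL THEN 'D'
                ELSE 'U' END,
           SUSER_SNAME(),
           @appUser,
           CASE WHEN d.PatientId IS NULL THEN NULL ELSE
               (SELECT d.MRN, d.LastName, d.DateOfBirth
                  FOR JSON PATH, WITHOUT_ARRAY_WRAPPER) END,
           CASE WHEN i.PatientId IS NULL THEN NULL ELSE
               (SELECT i.MRN, i.LastName, i.DateOfBirth
                  FOR JSON PATH, WITHOUT_ARRAY_WRAPPER) END
    FROM inserted AS i
    FULL OUTER JOIN deleted AS d ON d.PatientId = i.PatientId;
END;
GO

-- Triggers never fire on SELECT. To have the server itself record who read
-- patient rows, whichever client asked, use SQL Server Audit.
USE master;
GO
CREATE SERVER AUDIT PHI_Access_Audit
    TO FILE (FILEPATH = 'D:\audit\');      -- assumed path; lock down its ACL
ALTER SERVER AUDIT PHI_Access_Audit WITH (STATE = ON);
GO
USE PatientRecords;
GO
CREATE DATABASE AUDIT SPECIFICATION PHI_Reads
    FOR SERVER AUDIT PHI_Access_Audit
    ADD (SELECT, INSERT, UPDATE, DELETE ON OBJECT::dbo.Patient BY public)
    WITH (STATE = ON);
GO
-- Reading the audit trail back:
SELECT event_time, server_principal_name, object_name, statement
FROM sys.fn_get_audit_file('D:\audit\*.sqlaudit', DEFAULT, DEFAULT);
```

The trigger captures every write regardless of which tool made it, but it only knows the person if the application sets the session context before each request; the audit specification fills the gap for reads and also records direct access by administrators, which an application-level log never sees.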

Access security in applications

Alpha Anywhere has security measures to prevent unauthorized access to data. The system has features to track all login and logout activity. Access to specific forms, reports, and data can be regulated with the built-in security.

In addition, our web server system supports TLS (SSL) encryption and offers protection against common security threats such as SQL injection.

HIPAA regulations also require segregating data to limit access to only those users who have the authority to see that sensitive data. In simple systems this is often not a concern, as anyone who has access to the system can see any data in it. In a more complex system, each user may be limited to a subset of the data. Alpha Anywhere offers a wide range of filtering options to limit user access in HIPAA compliant applications.

Industry evaluations of the issues surrounding HIPAA compliance in applications

Below are links to a few documents that are very useful for navigating HIPAA requirements. Put together by the American Medical Association, the Department of Health and Human Services, and Information Week, these documents answer many of the questions that may arise when developing for HIPAA compliance.


Example of a HIPAA compliant application built with Alpha Anywhere in use in over 40 hospitals

Some videos from the system that Jerry has built are shown here (Note: this is not real patient data in the screen shots and video):

Some of the Alpha Anywhere tools and methods developers are using to build HIPAA compliant apps:

  1. TLS (SSL) certificates for data in transit.
  2. Take advantage of Alpha Anywhere's two-factor authentication.
  3. Let Alpha Anywhere encrypt connection strings.
  4. Design "group security" (built into Alpha Anywhere) from the ground up rather than adding it after the app is built.
  5. Database tables need to be designed with security in mind. For example, developers may want to split PHI (Protected Health Information) into separate tables.
  6. Take advantage of Alpha Anywhere's column encryption (you don't need to encrypt the entire database). However, it's not just about encrypting client names, addresses, dates of birth, social security numbers and credit card numbers. You have to analyze all the columns and make sure that an attacker can't glean PHI from free-text fields, HTML columns or reports.
  7. If you are using IIS security, you can also use client-side roles with JavaScript to hide screens and tell users they lack access before the server locks them out. Treat this as a convenience for the user, not as a control: anything that runs in the browser can be bypassed, so the authoritative check must stay on the server.
  8. Alpha Anywhere also makes it easy to have column-based security or screen security.
  9. Stored procedures and views also provide excellent security. For example, reports that need to be sent to Medicare must be HIPAA compliant, and there is an option to show the MRN (Medical Record Number) instead of the other PHI. A view can handle this requirement, so that when the data comes back from the SQL database it carries the MRN instead of the identifying fields. Keep in mind that the MRN is itself one of the identifiers HIPAA lists for de-identification, so such a report limits exposure; it is not de-identified data.
  10. Create a security checklist that users of the app must follow, because security is about more than the application; it is also about how people use it. Have a shredder for all your paper. Make sure your email and texting are encrypted. Alpha makes it very easy to use Office 365 encryption within your application.
  11. Consider using Alpha Cloud, which leverages and builds on the security that AWS offers.
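Items 5, 8 and 9 above come together in the database schema. As an added example (not code from the original post or from Alpha Software), the T-SQL below keeps PHI in its own table, exposes a reporting view that carries the MRN and clinical fields only, and gives each role access to PHI solely through the view or a parameterised stored procedure. All object, role and user names are assumptions.

```sql
-- Added example, not from the original post: PHI split into its own table,
-- a reporting view without identifying columns, and roles that can reach
-- PHI only through sanctioned objects. All names are assumptions.
CREATE TABLE dbo.PatientIdentity (         -- the PHI table
    MRN         VARCHAR(20)   NOT NULL PRIMARY KEY,
    FullName    NVARCHAR(200) NOT NULL,
    DateOfBirth DATE          NOT NULL,
    SSN         CHAR(11)      NULL
);
CREATE TABLE dbo.Encounter (               -- clinical data keyed by MRN only
    EncounterId   INT         NOT NULL PRIMARY KEY,
    MRN           VARCHAR(20) NOT NULL REFERENCES dbo.PatientIdentity (MRN),
    VisitDate     DATE        NOT NULL,
    ProcedureCode VARCHAR(10) NOT NULL
);
GO
-- Reporting view: MRN plus clinical columns; no name, DOB or SSN.
CREATE VIEW dbo.v_EncounterReport
WITH SCHEMABINDING
AS
SELECT e.MRN, e.VisitDate, e.ProcedureCode
FROM dbo.Encounter AS e;
GO
-- The one sanctioned identity lookup, parameterised so the caller supplies
-- a value, never the query text.
CREATE PROCEDURE dbo.usp_PatientByMRN
    @MRN VARCHAR(20)
AS
BEGIN
    SET NOCOUNT ON;
    SELECT p.MRN, p.FullName, p.DateOfBirth
    FROM dbo.PatientIdentity AS p
    WHERE p.MRN = @MRN;
END;
GO
-- Least privilege. Because the view, the procedure and the tables share an
-- owner (dbo), ownership chaining makes SQL Server check only the permission
-- on the object the user names: the DENY on the base tables is not consulted
-- when going through the view or procedure, but it blocks direct queries.
CREATE ROLE ReportingUsers;
GRANT SELECT ON dbo.v_EncounterReport TO ReportingUsers;
DENY  SELECT ON dbo.PatientIdentity   TO ReportingUsers;
DENY  SELECT ON dbo.Encounter         TO ReportingUsers;

CREATE ROLE ClinicalUsers;
GRANT SELECT  ON dbo.v_EncounterReport TO ClinicalUsers;
GRANT EXECUTE ON dbo.usp_PatientByMRN  TO ClinicalUsers;
DENY  SELECT  ON dbo.PatientIdentity   TO ClinicalUsers;
GO
-- Verify with a test user that exists only inside this database.
CREATE USER report_user WITHOUT LOGIN;
ALTER ROLE ReportingUsers ADD MEMBER report_user;
GO
EXECUTE AS USER = 'report_user';
SELECT TOP (5) * FROM dbo.v_EncounterReport;   -- allowed
SELECT TOP (5) * FROM dbo.PatientIdentity;     -- fails: SELECT permission denied
REVERT;
```

Map the application's groups onto these database roles rather than connecting every user through one all-powerful login; the DENY statements then enforce the segregation even for a report or ad hoc query that bypasses the Alpha Anywhere filters.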

Learn more about building HIPAA compliant applications for hospitals, insurance companies and health plans in Alpha Anywhere by emailing marketing@alphasoftware.com


About Author

Jerry Brightbill
