Develop HIPAA-Compliant Mobile Apps with Verivo Akula

Transcription

1 Develop HIPAA-Compliant Mobile Apps with Verivo Akula Verivo Software 1000 Winter Street Waltham MA Verivo Software 1000 Winter Street Waltham MA

2 TABLE OF CONTENTS Executive Summary... 3 Mobile Infrastructure... 3 Security-focused Features... 4 A Closer Look at the HIPAA Regulations... 4 HIPAA Administrative safeguards... 5 HIPAA Physical safeguards... 6 HIPAA Technical safeguards... 6 Verivo Akula... 8 Conclusion... 9 Verivo Software 1000 Winter Street Waltham MA [email protected] 2

3 EXECUTIVE SUMMARY As health care providers look to bring the benefits of mobile technology to their workforces and customers, they must assess the impact on their compliance with the security and privacy requirements of the Health Insurance Portability and Accountability Act (HIPAA). Any time internal business process and sensitive data is pushed beyond the firewall, ensuring proper security and compliance takes on a whole new dimension. Before investing time and money, you should consider three principles when building mobile apps: Make as few changes to existing infrastructure as possible building a HIPAA-compliant mobile app does not mean redesigning middleware and policies, but rather extending existing infrastructure to mobile devices Work with the IT department IT is ultimately responsible for security, and they need to be heavily involved in the planning and design phases of development Separate mobile infrastructure from the user interface the user experience and security are two very distinct components of HIPAA-compliant mobile apps, and should be owned by two different teams The Akula mobile app platform from Verivo Software is mobile-specific infrastructure that simplifies the building and operation of HIPAA-compliant custom mobile apps. With Akula, health care companies can implement their mobile strategies with confidence. This paper describes the means by which Akula can help mobile apps satisfy the privacy and security requirements of HIPAA. MOBILE INFRASTRUCTURE The key to maintaining HIPAA compliance while introducing mobile apps into your portfolio is to make as few changes and additions to your existing safeguards as possible. Verivo Akula is designed to drop in behind your firewall and integrate with your existing infrastructure. There are three key characteristics that make this possible: Akula is lightweight and standards-based. The Akula server component is a single Java application that runs on any J2EE app server. You use your own existing server configurations, including databases, firewalls, load balancing, failover, and disaster recovery. The Akula server is stateless. Protected health information is never stored on the server; it is accessed as needed from your protected systems of record. Verivo Software 1000 Winter Street Waltham MA [email protected] 3

4 Akula is fully open and extensible. You can integrate any data source, identity provider, and systems management tool, leveraging the safeguards already in place with these existing systems. With Akula, the amount of additional policy development and documentation, employee training, and infrastructure certification and deployment is minimized. SECURITY-FOCUSED FEATURES Akula was designed and built with enterprise security requirements at the forefront. Here is a brief list of core capabilities that are instrumental in building secure mobile apps: An open authentication mechanism that delegates the actual authentication to your existing identity provider and from there handles mobile session management. Akula supports any multi-factor authentication scheme. Open, role-based, fine-grained authorization that is defined on the server and enforced both on the server side and the client side. A credential storage capability that allows backend credentials and service tokens to be encrypted and securely stored on the Akula server and kept off of the mobile device. Built-in encryption of mobile device persistent data, using the industry standard AES-256 algorithm. This protection is completely independent of the device operating system s crypto. An encryption key management utility is also included. Runtime management controls that include the ability to initiate actions on a targeted device or set of devices from the Akula server. In addition to built-in actions, such as force logout and wipe persistent data, any app-specific action can be defined and subsequently initiated asynchronously from the server. A CLOSER LOOK AT THE HIPAA REGULATIONS Part 164 of the Code of Federal Regulations contains the Privacy and Security regulations of HIPAA. Subpart C ( Security Standards for the Protection of Electronic Protected Health Information ) has the relevant regulations for information systems that handle Protected Health Information (PHI). The regulations describe the safeguards necessary to ensure the privacy of PHI. There are three categories of safeguards: administrative, physical, and technical; all are relevant to the building and operation of mobile apps. Below you will find a cross-reference of each regulation to the Akula characteristics and/or features that will assist you in meeting the requirements of the regulation. Verivo Software 1000 Winter Street Waltham MA [email protected] 4

5 HIPAA ADMINISTRATIVE SAFEGUARDS (a)(1)(i)(d) Information system activity review (Required). Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports (a)(3)(ii)(a) Authorization and/or supervision (Addressable). Implement procedures for the authorization and/or supervision of workforce members who work with electronic protected health information or in locations where it might be accessed (a)(3)(ii)(c) Termination procedures (Addressable). Implement procedures for terminating access to electronic protected health information when the employment of, or other arrangement with, a workforce member ends or as required by determinations made as specified in paragraph (a)(3)(ii)(b) of this section (a)(4)(ii)(b) Access authorization (Addressable). Implement policies and procedures for granting access to electronic protected health information, for example, through access to a workstation, transaction, program, process, or other mechanism (a)(4)(ii)(c) Access establishment and modification (Addressable). Implement policies and procedures that, based upon the covered entity's or the business associate's access authorization policies, establish, document, review, and modify a user's right of access to a workstation, transaction, program, or process. Akula server logs are extensible and configurable, and use an open framework that allows log streams to be directed to existing monitoring systems. All changes to the Akula configuration are audited. Akula integrates with your existing directories/identity providers; a separate user database is not required. Authorization for Akula-powered apps is driven by group membership in the corporate directory. Existing termination/off-boarding procedures will be maintained with little to no change to accommodate mobile app access. Mobile app offline data can be wiped automatically as part of termination/off-boarding procedures. No changes to existing access authorization policies and procedures are required to support mobile apps. Verivo Software 1000 Winter Street Waltham MA [email protected] 5

6 (a)(5)(ii)(c) Log-in monitoring (Addressable). Procedures for monitoring log-in attempts and reporting discrepancies (a)(5)(ii)(c) Password management (Addressable). Procedures for creating, changing, and safeguarding passwords (a)(6)(ii) Implementation specification: Response and reporting (Required). Identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity or business associate; and document security incidents and their outcomes. Leverage existing procedures, augmented by Akula access log messages if necessary. Leverage existing procedures in corporate identity providers. Akula server logs are extensible and configurable, and use an open framework that allows log streams to be directed to existing monitoring systems. HIPAA PHYSICAL SAFEGUARDS (a)(1) Standard: Facility access controls. Implement policies and procedures to limit physical access to its electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed. Akula is designed to be deployed on-premise on top of existing infrastructure; no certification of cloud providers is necessary. HIPAA TECHNICAL SAFEGUARDS (a)(2)(iii) Automatic logoff (Addressable). Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity. Akula sessions are enforced on the client, with a timeout value that is configured on the server. Akula session timeouts are enforced even when the mobile device is offline. Verivo Software 1000 Winter Street Waltham MA [email protected] 6

7 (a)(2)(iii) Encryption and decryption (Addressable). Implement a mechanism to encrypt and decrypt electronic protected health information (b) Standard: Audit controls. Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information (d) Standard: Person or entity authentication. Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed (e)(1) Standard: Transmission security. Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network (e)(2)(i) Integrity controls (Addressable). Implement security measures to ensure that electronically transmitted electronic protected health information is not improperly modified without detection until disposed of (e)(2)(ii) Encryption (Addressable). Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate. If PHI is to be stored locally on the device, it is encrypted using the AES-256 encryption algorithm, recommended by HHS and NIST Special Publication ( 4.2.1: Whenever possible, AES should be used for the encryption algorithm because of its strength and speed ). The Akula client library includes a facility to securely manage encryption keys on the device. Akula server logs are extensible and configurable, and use an open framework that allows log streams to be directed to existing monitoring systems. Akula integrates with your existing directories/identity providers; a separate user database is not required. Akula supports any multi-factor authentication solution. Electronic PHI is protected during transmission by the use of an SSL tunnel, which is recommended by HHS and NIST Special Publication The SSL tunnel can be configured on the Akula server or can be an existing SSL gateway or appliance. In either case, careful selection of permitted cryptographic cipher suites and SSL certificates ensure protection against unauthorized access or data loss via man-in-themiddle attacks. If PHI is to be stored locally on the device, it is encrypted using the AES-256 encryption algorithm, recommended by HHS and NIST Special Publication ( 4.2.1: Whenever possible, AES should be used for the encryption algorithm because of its strength and speed ). The Akula client library includes a facility to securely manage encryption keys on the device. Verivo Software 1000 Winter Street Waltham MA [email protected] 7

8 VERIVO AKULA Verivo, with over 15 years of experience in enterprise mobility and the father of the app server as CTO, is revolutionizing the industry with the world s first mobile app server. It offers all of the above functionality and more to help organizations develop, secure and govern mobile apps. Akula can be deployed on-premise or in the cloud, and is extensible to accommodate any business requirement. Figure 2. The Verivo Akula Mobile App Server The open and extensible platform consists of a J2EE-compliant server, client SDKs, a server SDK, and a GUI management console for Comprehensive mobile security - Akula leverages existing security infrastructure and policies to extend authentication, authorization, data protection, and logging to mobile devices. Enterprise Data integration - Data is retrieved, aggregated and presented in a mobilefriendly format, and synched with back-end systems so apps can be used off-line. Proactive App Management - IT can monitor the state of all deployed apps centrally, and push actions to devices on-demand. Verivo Software 1000 Winter Street Waltham MA [email protected] 8

9 CONCLUSION If your organization has made a significant investment in becoming HIPAA compliant, then that investment can be extended to mobile apps with a small augmentation to your infrastructure. The Verivo Akula mobile app platform is mobile infrastructure that drops into your existing environment and extends your security and governance policies to mobile apps. If you are interested in learning more about Verivo Akula, you may enjoy these resources: Akula Technical White Paper - examines the challenges around building enterprise mobile apps, but it also presents a comprehensive strategy for mobilizing the enterprise with Akula Akula Overview Webinar a tour of the features and architecture of Verivo Akula and a demo, with a focus on security and governance Akula Evaluation work with Akula and the Verivo support team to build a Proof of Concept (PoC) free of charge For additional recourses please visit Verivo.com, and if you have any additional questions do not hesitate to contact us. Verivo Software 1000 Winter Street Waltham MA [email protected] 9