Healthcare Software Development: Securing PHI AND PII

Introduction

Ensuring the integrity and confidentiality of protected health information (PHI) is of the utmost importance. In this post we give a high level overview of what constitutes PHI and many important factors for ensuring that your handling of PHI is consistent with regulatory guidelines and software engineering best practices.

What are PHI & PII?

PHI is information that relates to a patient’s medical condition or treatment. This includes information about a patient’s medical history, medical conditions, medical treatment, and other information from the patient’s medical record. PII (Personally identifiable information) is any data that can be used to identify a person.

HIPAA/GDRP Compliance Requirements for Medical Software

Building compliant medical software requires the incorporation of a number of key features and policies. Based on our work with hospitals and other third-party vendors, we’ve put together a list of some of the core features you’ll want to consider.

• Protect the information you have.

  HIPAA and GDPR require healthcare providers to protect patient information by ensuring it is not compromised, lost or stolen. Make sure your organization has a written information security policy, which includes specific steps to ensure the security of PHI.

• Encrypt your data.

  HIPAA and GDPR require healthcare providers to encrypt their data to ensure the security of the information in their possession, which means encrypting the information using a strong encryption algorithm, such as AES 256, to protect it from unauthorized access. Data should always be encrypted in transit and at rest.

• Minimize the use of personal identifiers.

  Only send, receive or store the data you need. Identifiers such as patient names, birth dates, social security numbers and medical information should only be sent on an “as needed” basis. Make sure to remove all unnecessary PHI from electronic records, and keep them secure.

• Train employees on data security.

  A yearly compliance certification and a security awareness training are required for employees of healthcare providers (Covered Entities) and Business Associates to ensure employees are aware of HIPAA and GDPR requirements and know how to implement them.

• Consider compliance as part of your organization’s overall risk management program.

  Conduct regular risk assessments and disaster recovery drills. Healthcare providers are required to conduct regular risk assessments to determine the level of risk associated with their organization and ensure their data security measures are effective.

• Operate under Business Associate Agreements.

  HIPAA Business Associate Agreements (BAAs) are a critical component of HIPAA compliance. They are a contractual agreement between an entity and its partners that outline the specific responsibilities and obligations of each party. The BAA is a legally binding document that outlines the rights and responsibilities of each party, and establishes the processes and procedures that must be followed in order to protect PHI. The use and structure of these agremeents can vary greatly from one entity to another.

• Back up your data.

  It is crucial to ensure data is never lost or corrupted. A robust backup plan will include full and incremental backups in multiple levels of storage in different physical locations. Backups must be verified regularly to verify their integrity.

• Be prepared with a Disaster Recovery Plan (DRP).

  A Disaster Recover Plan is a crucial part of planning and preparing for emergencies. Audit your DRP to ensure the processes are up to date. Conduct Disaster Recovery Drills regularly to verify your backups and processes. Record the results. Your organization needs to be prepared in the event of an outage or cyberattack.

Healthcare Software Development Security

Healthcare web application security features will be thoroughly analyzed and vetted by healthcare institutions to determine compliance before connecting sensitive patient data. A third-party vendor must implement robust security protocols including:

• Login

  • 2 factor authentication (2FA)
  • Failed login attempts disable user login

• Session

  • Session timeout
  • Session invalidation on logout
  • Prevent 2 simultaneous sessions for users

• Access control

  • Employees and clients should have minimal access needed to PHI
  • Unique user IDs for system access
  • Data segmentation and separation capability by user roles and organizations

• Implement strong passwords. Passwords should be unique and not easily guessed. Use a combination of letters, numbers and special characters, and change them regularly. A password expiration policy should also be in place to ensure passwords are updated regularly.

• Static code analysis & Dependency Management.

  Examine source code and identify issues so they can be resolved before they’re released to production systems.

• Conduct regular vulnerability assessments.

  Internal vulnerability assessments should be conducted quarterly. An external vulnerability assessment should be conducted yearly.

Conclusion

By integrating these practices into your organization’s risk management and software development processes, and staying abreast of evolving compliance requirements, you can better protect patient data and strengthen your cybersecurity posture.

Need Help? Saga IT offers comprehensive medical software development services: