HIPAA - Health Insurance Portability and Accountability Act - is a US healthcare law enacted in 1996. In this post we look at what HIPAA is and why it matters. As developers, we need to know who certifies the systems we build as HIPAA compliant, and who inspects those systems, whether unannounced or annually.
The law aims to improve healthcare quality and protect personal information through rules, mechanisms and so on for the digital age. In this post I first explain what HIPAA is so that an ordinary reader gets a rough picture. The later part is for developers, on implementing the HIPAA standard in an application.
The final part is a case study applying HIPAA compliance to a specific project. I will keep that part private so as not to leak project information.
HIPAA is a law with several parts (titles). One of them standardises the identification of the parties involved in healthcare (hospitals, drug manufacturers, ...), each of which is assigned a unique ID for easier management and tracking. The part on protecting patient information is the one we discuss here. The law applies to all individuals and organisations involved in healthcare, patients, ...
4 HIPAA Rules:
Privacy Rules
Security Rules
Enforcement Rules
Breach Notification
We only focus on the Security Rule and maybe Breach Notification. But we need to see the bigger picture of the problem.
Who certifies HIPAA compliance? No one.
Who audits? HIPAA audits are carried out by OCR, the Office for Civil Rights of the Department of Health and Human Services (HHS).
The HIPAA standard revolves around protecting patient information, PHI (Protected Health Information).
So what is PHI?
1. Names
2. All geographical identifiers smaller than a state (see Wikipedia for details)
3. Dates (other than year) directly related to an individual
4. Phone numbers
5. Fax numbers
6. Email addresses
7. Social Security numbers
8. Medical record numbers
9. Health insurance beneficiary numbers
10. Account numbers
11. Certificate/license numbers
12. Vehicle identifiers and serial numbers, including license plate numbers;
13. Device identifiers and serial numbers;
14. Web Uniform Resource Locators (URLs)
15. Internet Protocol (IP) address numbers
16. Biometric identifiers, including finger, retinal and voice prints
17. Full face photographic images and any comparable images
18. Any other unique identifying number, characteristic, or code except the unique code assigned by the investigator to code the data
Some examples of PHI:
* Billing information from your doctor
* Email to your doctor's office about a medication or prescription you need.
* Appointment scheduling note with your doctor's office
* An MRI scan
* Blood test results
* Phone records
Examples of non-PHI data:
+ Number of steps in a pedometer
+ Number of calories burned
+ Blood sugar readings w/out personally identifiable user information (PII) (such as an account or user name)
+ Heart rate readings w/out PII
Who does it apply to? - Who is involved:
Business Associates:
Here are some examples of potential Business Associates:
- Data processing firms or software companies that may be exposed to or use PHI
- Medical equipment service companies handling equipment that holds PHI
- Shredding and/or documentation storage companies
- Consultants hired to conduct audits, perform coding reviews, etc.
- Lawyers
- External auditors or accountants
- Professional translator services
- Answering services
- Accreditation agencies
- e-prescribing services
- Medical transcription services
In contrast, these folks are NOT Business Associates:
- Covered Entity’s Workforce
- Individuals or companies with very limited and incidental exposure to health information, such as a telephone company, electrician, etc.
- Companies that act as a conduit for PHI, such as the postal service, UPS, private couriers, etc.
3 Parts to the HIPAA Security Rule
Administrative Safeguards
Technical Safeguards
Physical Safeguards
We only focus on the Technical Safeguards and some of the Physical Safeguards.
How much "some" is needs to be discussed later.
Administrative Safeguards
The administrative components are really important when implementing a HIPAA compliance program; you are required to:
- Assign a privacy officer
- Complete a risk assessment annually
- Implement employee training
- Review policies and procedures
- Execute Business Associate Agreements (BAAs) with all partners who handle protected health information (PHI)
Companies like Accountable can help with the administrative components of a compliance program:
- Accountable -- http://accountablehq.com
- Compliance Helper -- http://www.compliancehelper.com
- Compliancy Group -- http://compliancy-group.com
For more information, see Administrative Safeguards from the HIPAA Security Rule Educational Paper Series
Technical Safeguards
Technical safeguards outline what your application must do while handling PHI.
While there are both required and addressable elements to these safeguards you should implement them all. Addressable elements (such as automatic logoff) are really just best practices.
Access Control Requirements
- Unique User Identification (required): Assign a unique name and/or number for identifying and tracking user identity.
- Emergency Access Procedure (required): Establish (and implement as needed) procedures for obtaining necessary ePHI during an emergency.
- Automatic Logoff (addressable): Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.
- Authentication (required): Implement procedures to verify that a person or entity seeking access to ePHI is the one claimed.
- Encryption and Decryption (addressable): Implement a mechanism to encrypt and decrypt ePHI.
Transmission Security
- Integrity Controls (addressable): Implement security measures to ensure that electronically transmitted ePHI is not improperly modified without detection until disposed of.
- Encryption (addressable): Implement a mechanism to encrypt ePHI whenever deemed appropriate.
Audit and Integrity
- Audit Controls (required): Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI.
- Mechanism to Authenticate ePHI (addressable): Implement electronic mechanisms to corroborate that ePHI has not been altered or destroyed in an unauthorized manner.
For more information, see Technical Safeguards from the HIPAA Security Rule Educational Paper Series
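As an added example (not code from the original post), the access-control and audit specifications above sketched in Python with only the standard library: a unique user id on every log entry, an inactivity timeout that expires the session (Automatic Logoff), and an HMAC-chained append-only audit log so that an edited entry, or one removed from the middle of the log, is detected (Audit Controls, Mechanism to Authenticate ePHI). The key, the 15-minute limit and the record ids are constructed placeholders.

```python
import hashlib
import hmac
import json

# Constructed demo values; in production the key comes from a KMS/HSM, not source.
DEMO_AUDIT_KEY = b"constructed-demo-key-do-not-use"
INACTIVITY_LIMIT = 15 * 60  # seconds of inactivity before automatic logoff


class Session:
    """Tracks last activity so an idle session is terminated (Automatic Logoff)."""

    def __init__(self, user_id, now):
        self.user_id = user_id  # Unique User Identification: one id per person
        self.last_activity = now
        self.active = True

    def touch(self, now):
        """Return True if the session is still valid; expire it on inactivity."""
        if self.active and now - self.last_activity > INACTIVITY_LIMIT:
            self.active = False
        if self.active:
            self.last_activity = now
        return self.active


class AuditLog:
    """Append-only audit trail. Each entry's MAC also covers the previous MAC,
    so editing an entry or removing one from the middle breaks the chain
    (the latest MAC should additionally be anchored outside the log)."""

    def __init__(self, key):
        self.key = key
        self.entries = []

    def _mac(self, prev_mac, payload):
        data = prev_mac.encode() + json.dumps(payload, sort_keys=True).encode()
        return hmac.new(self.key, data, hashlib.sha256).hexdigest()

    def record(self, user_id, action, record_id, ts):
        payload = {"user": user_id, "action": action, "record": record_id, "ts": ts}
        prev = self.entries[-1]["mac"] if self.entries else "genesis"
        self.entries.append({**payload, "mac": self._mac(prev, payload)})

    def verify(self):
        """Recompute the chain from the start; False if any entry was altered."""
        prev = "genesis"
        for entry in self.entries:
            payload = {k: v for k, v in entry.items() if k != "mac"}
            if not hmac.compare_digest(self._mac(prev, payload), entry["mac"]):
                return False
            prev = entry["mac"]
        return True


def access_ephi(session, log, record_id, now):
    """Gate a read of an ePHI record: refuse on an expired session, log every attempt."""
    if not session.touch(now):
        log.record(session.user_id, "denied_session_expired", record_id, now)
        return None
    log.record(session.user_id, "read", record_id, now)
    return {"record": record_id, "reader": session.user_id}  # stand-in for the real record
```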
Physical Safeguards
The Physical Safeguards really have to do with who has access to PHI data and how that access is managed. Much of the Physical Safeguard requirements that developers need to worry about are handled by HIPAA compliant hosting companies (such as TrueVault, AWS, Firehost and Rackspace).
Other parts of the Physical Safeguards are handled by your internal rules around who can and can't access PHI.
Facility Access Controls
- Contingency Operations (addressable): Establish (and implement as needed) procedures that allow facility access in support of data restoration under the disaster recovery and emergency operations plan in the event of an emergency.
- Facility Security Plan (addressable): Implement policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft.
- Access Control and Validation Procedures (addressable): Implement procedures to control and validate a person's access to facilities based on their role or function, including visitor control, and control of access to software programs for testing and revision.
- Maintenance Records (addressable): Implement policies and procedures to document repairs and modifications to the physical components of a facility which are related to security (e.g. hardware, walls, doors, and locks).
Device and Media Controls
- Disposal (required): Implement policies and procedures to address the final disposition of ePHI, and/or the hardware or electronic media on which it is stored.
- Media Re-Use (required): Implement procedures for removal of ePHI from electronic media before the media are made available for re-use.
- Accountability (addressable): Maintain a record of the movements of hardware and electronic media and any person responsible therefor.
- Data Backup and Storage (addressable): Create a retrievable, exact copy of ePHI, when needed, before movement of equipment.
Workstation Security
- Workstation Security (required): Implement physical safeguards for all workstations that access ePHI, to restrict access to authorized users.
- Workstation Use (required): Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access ePHI.
For more information, see Physical Safeguards from the HIPAA Security Rule Educational Paper Series
Required vs. addressable specifications
Some implementation specifications are “required” and others are “addressable.” Required implementation specifications must be implemented.
Addressable implementation specifications must be implemented if it is reasonable and appropriate to do so; your choice must be documented.
It is important to remember that an addressable implementation specification is not optional.
When in doubt, you should just implement the addressable implementation specifications. Most of them are best practices anyway.
HIPAA Developer guide
TrueVault API Doc:
https://docs.truevault.com/
- Overview: Authentication (API Keys, Access Tokens), API Requests, API Responses (Sample 2xx Response, Sample 4xx Response), Usage Tracking (Billing)
- Users API: Create a User, Read a User, List all Users, Update a User, Delete a User, Create Access Token for a User, Create API Key for a User, Create Access Key and Secret Key for a User
- Authentication API: Login a User, Logout a User, Verify a User
- Groups API: Access Grid, Specifying Ids, Ownership (Ownership Resource Specifiers, Changing Ownership, Searching with Ownership), Example Group Policies, Create a Group, Read a Group, List all Groups, Update a Group, Delete a Group
- Vaults API: Create a Vault, Read a Vault, List all Vaults, Update a Vault, Delete a Vault
- BLOBs API: Create a BLOB, Read a BLOB, List all BLOBs, Update a BLOB, Update a BLOB's Owner, Delete a BLOB
- Documents API: Create a Document, Read a Document, List all Documents, List all Documents with Schema, Update a Document, Update a Document's Owner, Delete a Document, Reindex a Document
- Schemas API: Create a Schema, Read a Schema, List all Schemas, Update a Schema, Delete a Schema, Create the User Schema, Read the User Schema, Update the User Schema, Delete the User Schema
- Search API: Overview, Search Permissions, Defining Search Options (Sample search_option, Sample Search Response), Searching TrueVault System Fields, Searching and Sorting By Geospatial Distance (Example Geo Point Document Field, Example Geo Point Schema, Example Geo Point Search Option, Example Geo Point Search Result), Search Documents, Search Users
- Email API: Email Request Format, Template Substitution, Value Specifiers, Email a user
A good overview article on web security:
https://martinfowler.com/articles/web-security-basics.html#AuthorizeActions
Thái's Vietnamese-language blog on infosec:
vnhacker.blogspot.com
VietInfoSec Google group:
https://groups.google.com/forum/#!forum/viet-infosec
Questions:
1. Best practices for API or web app development clearly do not guarantee HIPAA compliance. Why?
Do security best practices, e.g. the best and most common way to encode passwords, guarantee HIPAA compliance?
Revisiting the issue: when a HIPAA audit checks "Is the DB encrypted?", the answer can be:
- Yes, but the encryption is poor.
- No.
- Yes, the encryption is reasonably sound, and there is a note on why that scheme was chosen.
=> If there is encryption but it is weak, e.g. MD5 for passwords, will the auditor flag it?
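The last question asks whether MD5 for passwords is the "encrypted, but badly" case. As an added example (not code from the original post), here is the technical difference side by side in Python, using only the standard library: unsalted MD5 gives every user with the same password the same stored value, while a salted, deliberately slow KDF (PBKDF2-HMAC-SHA256 here) does not, and verification is done in constant time. The decision-record dict is a constructed placeholder for the written rationale that the addressable specifications require.

```python
import hashlib
import hmac
import os

# Constructed placeholder for the documented choice an auditor asks to see
# ("implemented if reasonable and appropriate; your choice must be documented").
PASSWORD_STORAGE_DECISION = {
    "mechanism": "PBKDF2-HMAC-SHA256 with a 16-byte random salt per user",
    "iterations": 600_000,
    "rationale": "salted and slow, so equal passwords do not collide and a "
                 "leaked table cannot be brute-forced cheaply; MD5 is neither",
}


def weak_md5_hash(password: str) -> str:
    """The 'encrypted, but badly' case: unsalted, fast, identical for identical input."""
    return hashlib.md5(password.encode()).hexdigest()


def hash_password(password: str, salt: bytes = None) -> str:
    """Return 'salt_hex$dk_hex'; a fresh random salt is drawn when none is given."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                             PASSWORD_STORAGE_DECISION["iterations"])
    return f"{salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, _ = stored.split("$", 1)
    candidate = hash_password(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored)


def same_password_same_digest(a: str, b: str, hasher) -> bool:
    """True when two users sharing a password get identical stored values,
    which is what lets a leaked MD5 table be cracked once and reused."""
    return hasher(a) == hasher(b)
```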