If you’re a healthcare entity in the United States, then you’ll certainly be familiar with HIPAA. Enacted by Congress in 1996, HIPAA addresses the security and privacy of health data among a number of other items. The most important point for healthcare providers, insurers and other health-related entities to take away is the need to keep patient information secure and to know when, how much and with whom the information can be shared.
In terms of web site security, the requirements are fairly generalised. Unlike the PCI standards, which specify how data should be secured, HIPAA leaves the choice of security methods in the hands of those it applies to. The main section to take note of is 164.312, quoted below, but 164.306 and 164.308 are also relevant. You can view these in our HIPAA rules and compliance white paper, or view the full HIPAA documentation online here.
164.312 (a) (1) Standard: Access control. Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in §164.308(a)(4).
So, how can your business or organisation comply with HIPAA? The first exercise would be to identify any flaws currently existing in your web security. This is usually done by a professional known as a penetration tester, typically with the help of tools such as a web vulnerability scanner. Acunetix is one example of such a product, and it even includes a custom report that highlights the areas of HIPAA where compliance is at risk. The report then provides details and the location of the vulnerabilities which are putting your compliance at risk.
Once the identified vulnerabilities have been fixed at code level, regularly repeated vulnerability scanning is the recommended course of action. New vulnerabilities are being identified all the time and web applications are constantly being modified, so web site security is not something which can be addressed annually; it is a continuous security measure which needs to be maintained.