When architecting healthcare mobile apps and software systems, it is imperative to have a thorough understanding of HIPAA compliance and of the safeguards that a software system must implement to ensure the privacy and security of ePHI (electronic Protected Health Information).
What are the HIPAA standards to consider when building a Web Application:
- HTTPS (TLS/SSL) secure connections across all application components, not only on the browser-facing endpoint.
- Proper ACL permissions so that internal users can view and edit only the data they are allowed to access; this applies to patients, doctors and any other category of data.
- Force logout of inactive sessions after a defined period of inactivity.
- Implement 2FA; after an idle logout, logging back in on mobile can be via PIN, Touch ID or password.
- Frequent backups of data, with all cloud-based data saved in a data center in its country of origin (the point is US-centric, but the same applies wherever you operate): for AU we use the AWS data centers in Sydney; for the US you would use a US region such as N. Virginia or N. California, etc.
- Consider restricting access to data by IP address.
- Encrypt sensitive data such as SSNs in the database, encrypting on save and decrypting only when the data is viewed.
- Link sensitive data through hashed IDs instead of known identifiers such as email or username, or at the very least architect the system so that records cannot be traced back to a single person by first and last name: if the database is exposed, the data should not be readable in plain text; it should be encrypted and require the key it was created with to decrypt.
- Keep access logs for the server, and do not hand out root access: one designated person commissions the server and then creates sub-level (non-root) accounts for IT staff. If a security breach occurs, a time-stamped log can then be reviewed to trace back who accessed what.
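One way to implement the idle-session logout above in Laravel, as an added example that is not part of the original post: a middleware that records the time of the last request in the session and, if the gap exceeds a limit, logs the user out and invalidates the session server-side. The 15-minute limit, the `last_activity_at` session key and the `login` route name are assumptions.

```php
<?php
// app/Http/Middleware/IdleSessionTimeout.php
// Added example (not from the original post). Assumed values: a 15-minute
// idle limit, a session key named last_activity_at and a route named "login".

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;
use Symfony\Component\HttpFoundation\Response;

class IdleSessionTimeout
{
    /** Maximum time without a request before the session is terminated. */
    private const MAX_IDLE_SECONDS = 15 * 60;

    public function handle(Request $request, Closure $next): Response
    {
        if (Auth::check()) {
            $session = $request->session();
            $lastActivity = $session->get('last_activity_at');
            $now = time();

            if ($lastActivity !== null && ($now - $lastActivity) > self::MAX_IDLE_SECONDS) {
                // Terminate the authenticated session server-side, not just in the
                // browser: invalidate() flushes the data and regenerates the session
                // ID, regenerateToken() rotates the CSRF token so the old cookie
                // cannot be replayed.
                Auth::logout();
                $session->invalidate();
                $session->regenerateToken();

                // JSON clients (the mobile app) get a 401 and re-authenticate with
                // PIN / Touch ID / password; browsers are sent back to the login page.
                if ($request->expectsJson()) {
                    return response()->json(['message' => 'Session expired.'], 401);
                }

                return redirect()->route('login')
                    ->with('status', 'You were signed out after a period of inactivity.');
            }

            // Any request from an authenticated user refreshes the idle clock.
            $session->put('last_activity_at', $now);
        }

        return $next($request);
    }
}
```

Register the class in the `web` middleware group (app/Http/Kernel.php on Laravel 10 and earlier, bootstrap/app.php on Laravel 11) so it runs after the session has been started. Laravel's own `session.lifetime` setting in config/session.php also expires idle sessions, but at the session-store level and with a long default (120 minutes); the middleware lets you enforce a shorter, explicit policy for authenticated users and log them out through the auth guard.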
How to Achieve HIPAA Compliance With AWS & Laravel?
I believe these recommendations are becoming necessary for almost all types of applications, not just those that require HIPAA compliance. Why? Because internet threats keep increasing: every day we hear news about compromised logins, stolen passwords and compromised accounts, so it is really important to have mechanisms in your architecture to protect the application, to restore it after a data breach, and to trace how an attacker was able to get in.
The following mechanisms will help satisfy HIPAA compliance for an application developed with Laravel and hosted on AWS:
- Data store encryption: AWS supports encryption at rest for almost all of its services, including EBS (where your web application is usually stored), RDS (where your database is hosted), S3 (where assets such as documents and attachments are stored) and EFS (where data that needs to be shared is allocated).
- Use ACL permissions and role packages to define proper permissions and data access for users.
- Use 2FA, for example TOTP via google2fa-laravel (https://github.com/antonioribeiro/google2fa-laravel), to add a second authentication step.
- Use the AWS CloudWatch Logs agent to ship the Laravel logs in storage/logs, together with the server logs, to CloudWatch, and also store them in S3 and Glacier for long-term retention.
- Use Hashids or UUIDs for data references across your tables, for example https://github.com/vinkla/laravel-hashids.
- Use activity-log and HTTP-log packages to capture requests and user actions, for example https://github.com/spatie/laravel-activitylog.
- Use AWS ACM with a load balancer to install the TLS certificate, and make sure all access to the application is limited to the load balancer only, over TLS (HTTPS).
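As an added example (not code from the original post, from Laravel, or from Laraship), the following Eloquent model combines three of the items in the lists above: the `encrypted` cast for the SSN and name fields, a keyed-hash (HMAC) "blind index" so a patient can still be looked up by SSN without the SSN ever being stored in clear, and Hashids as the route key so URLs never expose sequential database IDs. It assumes Laravel 9 or later, the vinkla/laravel-hashids package, a `patients` table with `first_name`, `last_name`, `ssn` and `ssn_index` columns, and a dedicated secret read from `config('phi.index_key')` (a hypothetical config entry, not part of Laravel).

```php
<?php
// app/Models/Patient.php
// Added example (not from the original post). Assumptions: Laravel 9+,
// vinkla/laravel-hashids installed, a patients table with first_name, last_name,
// ssn (text) and ssn_index (char(64)) columns, and config('phi.index_key')
// holding a dedicated secret for the blind index (not APP_KEY).

namespace App\Models;

use Illuminate\Database\Eloquent\Builder;
use Illuminate\Database\Eloquent\Model;
use Vinkla\Hashids\Facades\Hashids;

class Patient extends Model
{
    protected $fillable = ['first_name', 'last_name', 'ssn'];

    // "encrypted" casts go through Laravel's Crypt (AES-256-CBC with an HMAC,
    // keyed by APP_KEY): the column stores ciphertext, the model returns plaintext.
    protected $casts = [
        'first_name' => 'encrypted',
        'last_name'  => 'encrypted',
        'ssn'        => 'encrypted',
    ];

    // Never serialise these into JSON responses by accident.
    protected $hidden = ['ssn', 'ssn_index'];

    protected static function booted(): void
    {
        // An encrypted column cannot be searched, so keep a keyed hash of the SSN
        // next to it. Without the index key the hash reveals nothing about the SSN.
        static::saving(function (Patient $patient): void {
            if ($patient->isDirty('ssn')) {
                $patient->ssn_index = self::blindIndex($patient->ssn);
            }
        });
    }

    public static function blindIndex(string $ssn): string
    {
        // Normalise before hashing so "123-45-6789" and "123456789" match.
        $normalised = preg_replace('/\D/', '', $ssn);

        return hash_hmac('sha256', $normalised, config('phi.index_key'));
    }

    /** Usage: Patient::whereSsn('123-45-6789')->first() */
    public function scopeWhereSsn(Builder $query, string $ssn): Builder
    {
        return $query->where('ssn_index', self::blindIndex($ssn));
    }

    // Route-model binding: /patients/{patient} carries a Hashid, not the integer id.
    public function getRouteKey(): string
    {
        return Hashids::encode($this->getKey());
    }

    public function resolveRouteBinding($value, $field = null)
    {
        $decoded = Hashids::decode((string) $value);

        // An unknown or tampered hash decodes to an empty array, so Laravel answers 404.
        if ($decoded === []) {
            return null;
        }

        return $this->where($field ?? $this->getKeyName(), $decoded[0])->first();
    }
}
```

`Patient::whereSsn(...)` resolves through the index column without decrypting a single row. Keep the index key separate from `APP_KEY` and provision it through the same managed-secret path as the database credentials (for example AWS Secrets Manager): anyone holding both a database dump and the index key can test guessed SSNs against the index, which is exactly the exposure the encrypted columns are meant to prevent.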
LARASHIP & AWS PS:
Laraship has taken care of all the Laravel-side pieces required to be HIPAA compliant and, in cooperation with AWS PS managed AWS hosting, delivers a fully HIPAA-compliant solution to its customers.
There are many details to consider when implementing a HIPAA-compliant web application; however, designing the application correctly from the start will minimise the impact on operations, compared with trying to achieve all of these aspects after you go live, which may require data migration and a complete overhaul of your system.