- What should be standard operating procedure for how protected health information (PHI) is accessed?
- What should we record or log?
- What should we do in case of emergency?
It is best to audit log as much as you can, in case of emergency. At a minimum, log all access attempts (successful or not) and all changes to database records.
- How do we prevent malicious activity?
- What code/software will be used to prevent malicious activity?
- How do we securely store, access, and transmit PHI?
- How do we prevent breaches due to loss/theft?
- If a random person found a phone with your app running on it, or a computer with a bookmark to your web app, how secure would it be? What needs to be done to alleviate these concerns?
If an unauthorized person were holding a device with your app installed on it, how easy would it be for them to read PHI? If this question brings an expression of terror, session management needs to be a higher priority.
By quickly running through these questions we can determine some basic security needs for a new feature or platform implementation.
Putting These Questions Into Practice:
Let’s say our organization wants to build a messaging component for providers and patients to communicate about medical needs. Let’s also assume we want to add this feature to a mobile app that our organization already offers. Let’s see how these questions can be used to judge security needs:
- What should be standard operating procedure for how PHI is accessed? Providers and patients should only be able to see messages they have sent and received. Patients should only be able to message their primary care physician. We will have policies in place so that only users and qualified administrators can view messages with PHI.
- What should we record or log? We will save each message in a secure database, along with the sender, recipient, and the status of the message.
- What should we do in case of emergency? If a user is using our messaging feature in a malicious manner, we will freeze that user’s ability to access our messaging service. We will make the logs related to this user available to authorized individuals.
- How do we prevent malicious activity? We will encrypt messages end to end and implement access control policies so that users cannot see messages belonging to any other users.
- What code/software will be used to prevent malicious activity? We will use a HIPAA-compliant solution for the local encryption and access control.
- How do we securely store, access, and transmit PHI? We have a HIPAA-compliant server that we will connect to over a secure connection to store and access data.
- How do we prevent breaches due to loss/theft? We will require users to log in and enter a PIN after a certain amount of time. We will disable a user’s access if there is an issue of loss/theft.
- If a random person found a phone with your app running on it, or a computer with a bookmark to your web app, how secure would it be? What needs to be done to alleviate these concerns? Our session security will only allow the appropriate user to be able to access the messaging pages that have PHI.
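The access control, audit logging and session lock described in the answers above, worked into code as an added example. This is not code from the original post, which names no implementation, and every name in it (`MessagingService`, `pin_hash`, the `pcp_id` field, the user ids, PINs and messages) is constructed here; the 300-second idle timeout is also an assumption, since the post gives no number. It also covers the two earlier notes: every access attempt, allowed or denied, lands in the audit log with a reason, and an idle session is refused PHI until the PIN is re-entered. The message store is in memory, and the end-to-end encryption and HIPAA-compliant server the answers call for are left out so the three controls stay visible.

```python
from dataclasses import dataclass
import hashlib, hmac

IDLE_TIMEOUT = 300.0  # seconds idle before the PIN is required again (assumed; the post gives no number)

@dataclass
class User:
    user_id: str
    role: str            # "patient", "provider" or "admin"
    pin_hash: str        # sha256 of the PIN here; use a salted KDF in production
    pcp_id: str = ""     # a patient's primary care physician; empty for non-patients (constructed field)

@dataclass
class Message:
    message_id: int
    sender: str
    recipient: str
    body: str            # would be stored encrypted in a real deployment

@dataclass
class Session:
    user_id: str
    last_activity: float  # the session counts as locked once now - last_activity exceeds IDLE_TIMEOUT

def pin_hash(pin: str) -> str:
    return hashlib.sha256(pin.encode()).hexdigest()

class MessagingService:
    def __init__(self, users):
        self.users = {u.user_id: u for u in users}
        self.messages = {}
        self.audit_log = []  # every access attempt, allowed or denied, and every record change
        self._next_id = 1

    def _audit(self, actor, action, outcome, **details):
        self.audit_log.append({"actor": actor, "action": action, "outcome": outcome, **details})

    def _deny(self, actor, action, reason, **details):
        self._audit(actor, action, "denied", reason=reason, **details)
        raise PermissionError(reason)

    def _require_session(self, session, action, now):
        # Session management: an idle session gets nothing until unlock() succeeds.
        if now - session.last_activity > IDLE_TIMEOUT:
            self._deny(session.user_id, action, "session locked, re-enter PIN")
        session.last_activity = now
        return self.users[session.user_id]

    def unlock(self, session, pin, now):
        ok = hmac.compare_digest(self.users[session.user_id].pin_hash, pin_hash(pin))
        self._audit(session.user_id, "unlock", "allowed" if ok else "denied")
        if ok:
            session.last_activity = now
        return ok

    def send(self, session, recipient_id, body, now):
        sender = self._require_session(session, "send", now)
        # Access control: a patient may only message their primary care physician.
        if sender.role == "patient" and recipient_id != sender.pcp_id:
            self._deny(sender.user_id, "send", "patient may only message PCP", recipient=recipient_id)
        msg = Message(self._next_id, sender.user_id, recipient_id, body)
        self._next_id += 1
        self.messages[msg.message_id] = msg  # a record change, logged like any access
        self._audit(sender.user_id, "send", "allowed", message_id=msg.message_id, recipient=recipient_id)
        return msg

    def read(self, session, message_id, now):
        user = self._require_session(session, "read", now)
        msg = self.messages.get(message_id)
        # Access control: only the sender, the recipient, or an administrator may view a message.
        if msg is None or (user.user_id not in (msg.sender, msg.recipient) and user.role != "admin"):
            self._deny(user.user_id, "read", "not a party to this message", message_id=message_id)
        self._audit(user.user_id, "read", "allowed", message_id=message_id)
        return msg

def _attempt(fn):
    try:
        fn()
        return "allowed"
    except PermissionError as e:
        return f"denied: {e}"

def demo():
    """Constructed scenario, two patients sharing one PCP; returns what each check decided."""
    svc = MessagingService([User("pat1", "patient", pin_hash("1234"), pcp_id="doc1"),
                            User("pat2", "patient", pin_hash("0000"), pcp_id="doc1"),
                            User("doc1", "provider", pin_hash("9999"))])
    pat1, pat2 = Session("pat1", 0.0), Session("pat2", 0.0)
    msg = svc.send(pat1, "doc1", "Could I get a refill?", now=1.0)
    out = {"sent_id": msg.message_id}
    out["pat2_read"] = _attempt(lambda: svc.read(pat2, msg.message_id, 2.0))
    out["pat2_send_to_pat1"] = _attempt(lambda: svc.send(pat2, "pat1", "hi", 3.0))
    out["idle_read"] = _attempt(lambda: svc.read(pat1, msg.message_id, 1.0 + IDLE_TIMEOUT + 1))
    out["unlock"] = svc.unlock(pat1, "1234", 1.0 + IDLE_TIMEOUT + 2)
    out["owner_read"] = _attempt(lambda: svc.read(pat1, msg.message_id, 1.0 + IDLE_TIMEOUT + 3))
    out["denied_events"] = sum(1 for e in svc.audit_log if e["outcome"] == "denied")
    return out, svc.audit_log

if __name__ == "__main__":
    print(demo())
```

Two design points carry over to a real build: denied attempts are written to the audit log with the same shape as allowed ones, so the "make the logs available to authorized individuals" answer has something to hand over, and the session check runs before any authorization logic, so a found device with an idle session shows no PHI regardless of whose account it is. Replacing the in-memory list with append-only storage and the bare sha256 with a salted KDF are the first two changes to make before handling real PHI.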
By answering these questions, we were able to determine some basic needs for access control, auditing, and encryption solutions. These needs can be added to the specification for how our component will be built. We can also go through the same questions for an implementation of this feature on a web dashboard to determine its security needs.