This is an archive post from the Netsparker (now Invicti) blog. Please note that the content may not reflect current product names and features in the Invicti offering.
With the litany of ever-evolving compliance requirements that govern IT around the globe, it’s easy to miss some important details related to web application security. Looking at the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, which has been on the books and enforceable since early 2005, there are thousands and thousands of healthcare-related businesses that are considered covered entities, business associates, or subcontractors that must follow the requirements.
Businesses as a whole, specific departments or network segments, and specific web applications must meet the HIPAA security requirements if business leaders wish to stay out of hot water. Still, we continue to see news stories and statistics involving healthcare-related breaches involving businesses that would assume or otherwise claim that they’re HIPAA compliant.
HIPAA’s 18 Standards
Looking at the original HIPAA Security Rule and its 18 standards, there’s not a single item that wouldn’t impact enterprise web applications in some way:
- Security Management Process
- Assigned Security Responsibility
- Workforce Security
- Information Access Management
- Security Awareness/Training
- Security Incident Procedures
- Contingency Plan
- Evaluation
- Business Associate Contracts
- Facility Access Controls
- Workstation Use
- Workstation Security
- Device and Media Controls
- Access Control
- Audit Controls
- Integrity
- Person/Entity Authentication
- Transmission Security
These core HIPAA Security Rule standards are simply a re-hashing of basic security principles we have known about for decades, yet continue to struggle with. And it’s not just these 18 HIPAA Security Rule standards. HIPAA has had two major updates, via the HITECH Act of 2009 and the Omnibus Rule of 2013, which further fleshed out the definitions and requirements involving breach notifications, encryption, and risk analysis.
It’s not just the five technical-safeguard standards either. All types of security controls are involved in keeping web environments in check. Given all the details and moving parts, and based on what we see in our work, you could go as far as performing in-depth HIPAA Security Rule audits on individual web applications and find numerous gaps and quantifiable risks in every one of them. In a world where weak passwords, poor user session management, insecure data storage, and other flaws impact so many web applications, combined with larger information security program weaknesses, there’s obviously a lot of room for improvement in terms of web-focused HIPAA compliance.
HIPAA Is More Than Checking Boxes
The spirit of HIPAA is more than merely checking boxes to meet minimum audit requirements. Instead, it’s about getting all the right people on board with doing what’s necessary to reasonably and adequately protect personal health records, today and on an ongoing basis. Contrary to popular philosophy, HIPAA compliance is not someone else’s job. Rather than assuming that the compliance officer, legal counsel, or whoever else in the organization is handling the details, recognize that HIPAA compliance in terms of web security can be very granular, requiring the involvement of developers, QA professionals, and other technical IT/security staff.
There Is Always Room for Improvement in Web Application Security
Do your homework. Instead of thinking about HIPAA compliance from a high-level business perspective, think about how each of your web applications is impacted by HIPAA’s requirements and where it falls short. If you review each of the 18 standards above and truly dig into your web systems, being honest with yourself and your organization, you’ll no doubt find room for improvement. The real benefit will be a more resilient environment, with the side benefit of complying not only with HIPAA but with other regulations as well.