HIPAA requires covered entities – and now business associates – to comply with the HIPAA Security Rule. However, compliance with these requirements is not the same as effective security.
This fact can be illustrated in the case of business associates offering cloud-based computer services to the healthcare industry. These companies write and deliver complex software for electronic records, billing, lab management, and a wide variety of other functions. HIPAA Security includes 42 “implementation specifications” – but none of these specifications include anything about software development.
Other security frameworks have a lot to say about software development. For example, ISO 27001/27002 includes within the domain “Information Systems Acquisition, Development and Maintenance” the following sub-domains:
- Security Requirements analysis and specification
- Correct processing in applications
- Cryptographic Controls
- Security of System Files
- Security in Development and Support Processes
- Technical Vulnerability Management
These 5 sub-domains are further broken into 16 controls. Overall, the ISO 27001/27002 framework provides excellent guidance on processes that will ensure secure systems.
Government regulators do their best within the political process to develop their rules. This author’s theory is that when the original security rule was written governing health insurance companies, clearinghouses and health care providers, the regulators assumed that these entities were by and large not developing software but instead were purchasing it.
Failure to attend to secure software development can and will lead to data breaches. Organizations that develop software will need to look beyond the HIPAA Security Rules for guidance on management approaches to build secure software. This is what I mean when I say that compliance is not security.
However, some will say that the HIPAA Security rule does address this. One of the 42 implementation specifications reads: “Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level …” This high-level, non-specific requirement covers just about anything – but provides very little guidance.