Independent Application Developers Network


Q & A about HIPAA, GDPR, PCI compliant Software

By Lee Vasic - October 01, 2022

Alpha Anywhere has all the tools needed to build HIPAA, GDPR, PCI compliant Software

Lee Vasic has been developing secure applications for companies that interface with Banking, DOD, and Medicare. 

You started your career developing banking software. How did that influence your security mindset? 
I worked in the banking industry years ago in Los Angeles, California. At that time, Los Angeles was the bank-robbing capital of the world. Friday afternoon was the most popular time for the banks to be robbed. Smart banks would double the guards. Others, with clueless branch managers, would limit the guards’ hours and would get robbed several times. It’s time for us as developers to double the guards.
 
What happened to security when file servers started to replace mainframes? 
The mainframe was built with a foundation of security. It would sometimes take a week for a new employee to get an account to log in. The room where the mainframe was located was also secure with two-door authentication. You also needed two different key cards to get in the room, plus someone had to buzz you in. When the servers started to appear, they would just be put in an unlocked closet. I remember at the time that file security was obfuscation. They didn’t tell anybody the names of the directories. They seemed to be surprised when they got hacked. (How did they find my files?)

The whole ecosystem is more than screens and databases; how are file feeds handled?
A lot of our coding was sending and receiving files from the mainframe. At first, we used a modem directly to the mainframe. It was slow but secure. That evolved into a secure FTP environment.  Today I’m still sending and receiving from the Medicare mainframe. I’m sending and receiving many HIPAA compliant files to the mainframe. Alpha software makes it very easy to create these files and zip them into one file to be sent.   Medicare still requires us to have a fax machine. The paradigm shift is slow within the government.
 
We hear a lot about HIPAA. How serious is Medicare about compliance? 
Medicare is very serious about HIPAA and compliance. The fine for a single violation starts at 50,000 dollars per incident. If you experience a significant breach, you are in luck because the fines max out at 1.5 million per year. If you say you are HIPAA compliant and you are not, you can get ten years jail time with 250,000 per incident and no ceiling.
 
What is considered HIPAA compliant? 
The rules state that the data must be encrypted, “At rest and in transit.” It seems simple on the surface. However, when something is simple on the surface, things behind the scenes are usually complicated.
 
How aggressive are the HIPAA audits? 
There was a large software company (EMR for doctor’s offices) that advertised that their data was encrypted. Medicare found out it wasn’t, plus other violations. They fined the company 120 million dollars. The company was big enough that they paid the fine and are still in business.  
Recent fines include: 
  • Memorial Healthcare System received a fine of $5,500,000 in 2017 
  • Children’s Medical Center of Dallas incurred a penalty of $3,200,000 in 2017 
  • Advocate Health Care Network’s violation warranted a $5,500,000 fine in 2016 
 
 
What tools do you use in Alpha Anywhere to be compliant? 
  1. I use SSL certificates for my test and production server (This is the in-transit part). 
  2. I use Alpha’s two-factor authentication. 
  3. Encrypt your connection string. Alpha makes it easy. 
  4. Always use arguments in your SQL statements. An Alpha method. 
  5. Design Group security (built-into Alpha) from the ground up. I see many developers adding group security after their application is complete, almost like an afterthought. Start with it.  
  6. Your database tables need to be designed with security in mind. You may want to bifurcate your PHI (Protected Health Information) into separate tables. 
  7. Use Alpha’s column encryption. You don’t need to encrypt the entire database. However, it’s not just about encrypting client names, addresses, dates of birth, social security numbers, and credit card numbers. You have to analyze all the columns and make sure that a hacker can’t glean PHI from text fields or other types of HTML columns or reports.
  8. If you are using IIS security, you can also use client-side roles with JavaScript to limit screens and let users know they don’t have security before it locks them out.
  9. Alpha also makes it easy to have column-based security or screen security. You may need to create two or three screens to limit the data.  
  10. Stored procedures and views will also give you excellent security. For example, I have several reports that I need to send to Medicare. The reports need to be HIPAA compliant. There is an option to show the MRN (Medical Record Number) instead of PHI (Protected Health Information). The view handles it. So, when the data comes back from SQL it shows the MRN instead of the PHI.
  11. You can’t just hide a field. That is discoverable with the Google developer tools. You have to think about that, and how to design it, so it doesn’t come back from the database. 
  12. Most people think that this will never happen to them. I train my employees to work on our security checklist. It’s more than just the application. Because if they guess your password, none of the encryption matters. Put a VPN on your router, smartphone, etc. Have a shredder for all your paper. Make sure your email and texting are encrypted.
    Alpha makes it very easy to use the Office 365 encryption within your application. We also talk a lot about phishing attacks. We spend a lot of money on software for firewalls, anti-virus software, and email encryption. 
  13. Zebra Host has developed a cloud for your application with security requirements.  There is a VPN that is used during development, and the SQL file server can only talk to the IIS file server.  
  14. DigiCert has tools to run against your website to make sure it is compliant.  
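Items 4, 10 and 11 above, as an added example that is not part of the interview or of Alpha Anywhere: a report view that returns the MRN and non-PHI columns only (so hidden PHI never comes back from the database), queried with a bound argument instead of string concatenation. It uses Python's sqlite3, not Alpha's own SQL API, and the table, view and MRN values are constructed.

```python
import sqlite3

# Constructed sample rows: MRN alongside the PHI it stands in for.
PATIENTS = [
    (1, "MRN-0001", "Ann Example", "1970-01-02", "123-45-6789", "A"),
    (2, "MRN-0002", "Bob Sample", "1980-03-04", "987-65-4321", "B"),
]


def build_db():
    """Create an in-memory database with a PHI table and a report view."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE patients (
            id        INTEGER PRIMARY KEY,
            mrn       TEXT NOT NULL UNIQUE,
            full_name TEXT,   -- PHI
            dob       TEXT,   -- PHI
            ssn       TEXT,   -- PHI
            ward      TEXT
        );
        -- Item 10/11: the report view selects the MRN and non-PHI columns
        -- only, so the application cannot leak what it never receives.
        CREATE VIEW v_ward_report AS
            SELECT mrn, ward FROM patients;
    """)
    conn.executemany("INSERT INTO patients VALUES (?, ?, ?, ?, ?, ?)", PATIENTS)
    return conn


def report_columns(conn):
    """Column names the report actually returns; no PHI column is present."""
    cur = conn.execute("SELECT * FROM v_ward_report")
    return [d[0] for d in cur.description]


def ward_report(conn, ward):
    """Item 4: the ward value is bound as an argument, never concatenated,
    so whatever the user types is treated as a literal string."""
    return conn.execute(
        "SELECT mrn, ward FROM v_ward_report WHERE ward = ?", (ward,)
    ).fetchall()


if __name__ == "__main__":
    db = build_db()
    print(report_columns(db))      # ['mrn', 'ward']
    print(ward_report(db, "A"))    # [('MRN-0001', 'A')]
```

A value shaped like a quote-breaking input simply matches no ward and returns an empty list, because the driver binds it rather than splicing it into the statement.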
 
Final thoughts? 
Alpha has all the tools available to build HIPAA, GDPR, PCI compliant software. I would never build an application without security, no matter how simple the app appears to be.   
The money is not in the bank anymore; it is in the data of your application.