Building applications that meet HIPAA standards

See how using GitLab can help you with HIPAA compliance

The Health Insurance Portability and Accountability Act (HIPAA) sets the standard for sensitive patient data protection.

Within HIPAA regulations, "The Privacy Rule, or Standards for Privacy of Individually Identifiable Health Information, establishes national standards for the protection of certain health information. The Security Standards for the Protection of Electronic Protected Health Information (the Security Rule) establish a national set of security standards for protecting certain health information that is held or transferred in electronic form. The Security Rule operationalizes the protections contained in the Privacy Rule." See the HHS website for more.

The Security Rule requires companies that deal with Protected Health Information (PHI) must have physical, network, and process security measures in place and follow them to ensure HIPAA Compliance.

Security Rules

  1. Administrative Safeguards must establish and enforce company privacy policies and procedures (for example, disaster recovery and contingency plans).
  2. Physical Safeguards must encompass restrictions and rules that deal with physical access to facilities and machines, access controls, as well as the associated policies and procedures that deal with the physical entities in the organization.
  3. Technical Standards contain all of the safeguards and practices that relate to the intangible information contained in the organizations computer systems such as intrusion prevention, data corroboration, and access controls. Here we will focus on the technical standards section because they contain most of the actionable items for developers.

Principles

The security provisions are intended to:

Within the technical standard, there are several controls required. The controls that can be affected by the software development lifecycle are shown, along with GitLab features that contribute to their compliance.

Standard Requirement Applicable Specifications How GitLab helps
Access Controls Access controls should enable authorized users to access the minimum necessary information needed to perform job functions. Unique User Identification allows an entity to track specific user activity when that user is logged into an information system and hold users accountable for functions performed on information systems with EPHI when logged into those systems. GitLab helps users comply with Unique User Identification via:
1. Protected branches
2. Only authorized people can approve the code via Merge request approvals
3. Unprotect permission
4. Approval jobs in CI pipelines
5. Two-person access controls
6. It is Self-managed so you can install in a Virtual Private Cloud and have app and data under your control.
7. Permissions
Audit Controls Entities must “Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.” Some level of audit controls with a reporting method, such as audit reports. These controls are useful for recording and examining information system activity, especially when determining if a security violation occurred.
1. One concept of a user across the lifecycle to ensure the right level of permissions and access
2. Audit logs
3. Audit events
4. Container image retention
5. Artifact retention
6. Test result retention
7. Audit event helps you view changes made.
8. Future: Disable squash of commits
9. Future: Prevent purge
Integrity Controls Implement policies and procedures to protect electronic protected health information from being altered or destroyed in an unauthorized manner.
Note: Application Security Testing can help identify vulnerabilities that enable unauthorized access to data, logic, and reporting.
Once covered entities have identified risks to the integrity of their data, they must identify security measures that will reduce the risks. Best practices include:
* Scan applications regularly for vulnerabilities.
* Establish criteria for the prioritization of vulnerabilities and remediation activities.
* Pay special attention to internally or custom developed applications with dynamic and static analysis.
* Establish secure coding as a culture, and provide qualified training on secure coding.
* Establish and document a secure development life-cycle approach that fits your business and developers.
1. SAST
2. DAST
3. Dependency Scanning
4. Container Scanning
5. Security Dashboard
6. Security Paradigm
In addition to Application Security Testing to help you deliver secure apps, GitLab's own application has security to prevent unauthorized access to the application code as well as audit and logging capabilities of changes to the code.