What is HIPAA?

HIPAA (Health Insurance Portability and Accountability Act) sets the standard for protecting sensitive patient data. It requires that patient information be protected both electronically and physically, limits disclosure of information to the minimum necessary, specifies patients' rights over their information, aims to minimize fraud and abuse, and simplifies billing and other transactions. Any company that handles PHI (protected health information) must ensure that all the required physical, network and process security measures are in place and followed.

Does Your Mobile App Need to be HIPAA Compliant?

If you are a healthcare application vendor, the answer depends on what the application does. If it only stores health information that the user enters for their own use, with no covered entity or business associate involved, HIPAA does not apply. If it also sends that data to a doctor, hospital, health plan or other covered entity (or is developed on behalf of one), HIPAA compliance becomes mandatory.

What are the issues faced by healthcare mobile applications?

Mobile is becoming a core platform for healthcare communications and services because of its portability and ease of access. As information access expands to more people and more devices, mobile creates new systems and processes that are subject to HIPAA compliance. There are many healthcare applications on Android and iOS, but most of them do not comply with HIPAA, in part because HIPAA itself defines no mobile-specific standard, so developers have no dedicated checklist to follow.

There are certain requirements which a vendor and its client should make sure the application meets:

  • Process PHI only in ways compatible with the purposes for which it was originally collected.
  • Share a patient's PHI only with those who genuinely need it for a legitimate purpose.
  • Keep personal data safe and secure.
  • Keep data accurate, complete and up to date.
  • Ensure that the data collected is adequate, relevant and not excessive.
  • Retain it no longer than is necessary for the specified purpose or purposes.
HIPAA checklist for mobile application

The HIPAA Security Rule divides its safeguards into three categories. Not all of the controls map to a mobile application, so below is a separate checklist for mobile applications, whose needs are different.

1. ADMINISTRATIVE SAFEGUARDS

In general, administrative safeguards are the administrative actions, policies and procedures used to manage the selection, development, implementation and maintenance of the security measures that protect EPHI (electronic PHI). The purpose of this standard is to establish the administrative processes and procedures that a covered entity uses to implement its security program in its environment. Some administrative controls fall under the Privacy Rule while others fall under the Security Rule.

Standards such as Security Incident Procedures, Contingency Plan, Evaluation and Information Access Management have a direct bearing on how a mobile application is built and operated, while standards such as Assigned Security Responsibility, Workforce Security and Security Awareness and Training apply to the organization operating the application rather than to the application itself.

2. PHYSICAL SAFEGUARDS

Physical safeguards are the physical measures, policies and procedures that protect a covered entity's electronic information systems, and the related buildings and equipment, from natural and environmental hazards and from unauthorized intrusion. The standards relevant to a mobile application are Facility Access Controls and Device and Media Controls; Workstation Use and Workstation Security do not apply to the application itself.

3. TECHNICAL SAFEGUARDS

Technical safeguards are defined as the technology, and the policies and procedures for its use, that protect electronic protected health information. They are becoming more important as technology in the health care industry advances: each advance brings new security challenges, and healthcare organizations face the challenge of protecting electronic protected health information (EPHI). All of the technical safeguards apply to mobile applications: Access Control, Audit Controls, Integrity, Person or Entity Authentication and Transmission Security.

WHAT IS PCI DSS

PCI DSS (Payment Card Industry Data Security Standard) was developed to ensure the security of card data and to reduce card fraud. Companies that are PCI DSS compliant must follow specific rules and fulfil requirements (technical, procedural, etc.) defined by the PCI Security Standards Council. PCI DSS has six control objectives. First, a secure network must be built and maintained in which transactions can be conducted. Second, cardholder data must be protected wherever it is stored or transmitted. Third, systems must be protected against malware by using regularly updated anti-virus and other anti-malware software, and secure systems and applications must be developed and maintained. Fourth, access to cardholder data and system components must be restricted and controlled. Fifth, networks must be regularly monitored and tested to ensure that all security measures and processes are in place, are functioning properly and are kept up to date. Sixth, a formal information security policy must be defined, maintained and followed at all times by all participating entities.

WHAT ARE THE RISKS ASSOCIATED WITH A MOBILE PAYMENT GATEWAY?

With the growing number of payment platforms and the growing demand for e-commerce, paying for a product or service with a credit or debit card must remain easy, efficient and safe. Because the process is so critical to both businesses and consumers, it is highly regulated and constantly changing. Today each purchase launches a complex, automated and highly integrated process involving not just merchants but also banks, acquirers, payment processors and potentially a host of other players. New technologies such as smartphones and digital wallets, shifts in buying habits, demand from individuals to accept card payments, and growing interest in peer-to-peer payments have created a fierce battle within the industry, as organizations fight to hold their position or disrupt the status quo. No longer a set of isolated processes, today's payments ecosystem is one component of the broader commercial landscape, playing an integral role in fraud management and data privacy as part of a comprehensive IT security framework that must span the Internet, mobile devices, social networks and cloud services. A merchant using a payment gateway or in-app purchases needs to align with the 12 PCI DSS requirements, but in the case of a mobile application not all of them apply.

PCI DSS CHECKLIST FOR MOBILE APPLICATIONS

PCI DSS has 12 requirements comprising 256 sub-controls, but not all of them apply to a mobile application. The following goes through each requirement and notes which controls apply.

  • Install and maintain a firewall configuration to protect cardholder data.

A firewall configuration in the network sense does not apply to the mobile application itself, but some sub-controls still do: maintaining a diagram that shows all cardholder data flows across systems and networks, restricting inbound and outbound traffic to what is necessary for the cardholder data environment, and not allowing unauthorized outbound traffic from the cardholder data environment to the Internet.

  • Do not use vendor-supplied defaults for system passwords and other security parameters.

Yes, this applies to mobile applications. Default passwords and settings are publicly known, so leaving them in place exposes the application's users. Controls that matter for a mobile application include changing or removing vendor defaults before deployment, enabling only the services, protocols and daemons required for the system to function, and securing any wireless environment connected to the cardholder data environment.

  • Protect stored cardholder data

Yes, all of these controls apply and are of the utmost importance for mobile applications. Cardholder data must not be stored unless there is a business need for it. Where it is stored, the PAN must be rendered unreadable (for example with strong encryption or a keyed one-way hash), the keys must be stored securely, managed and rotated at defined intervals, and the PAN must be masked when displayed (at most the first six and last four digits). Sensitive authentication data, such as the full track data, the card verification code (CVV2/CVC2/CID) and the PIN or PIN block, must never be stored after authorization.
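The following is an added example, not code from the original page or from any payment SDK, of how a mobile app's local payment module can enforce the points above: refuse to persist sensitive authentication data, validate and mask the PAN, and store only a keyed one-way hash of it tagged with the key version so records can be found for re-tokenising after a key rotation. It uses only the Python standard library; the key ring (`KEY_RING`), the key versions and the sample card are placeholders, and a real app would fetch the key from the platform keystore rather than from source.

```python
"""PCI DSS Requirement 3 handling in a mobile app's local payment store.

Added example (not code from the original page).  Standard library only.
KEY_RING is a hypothetical placeholder: a real app obtains the key from the
platform keystore (Android Keystore / iOS Keychain) and never embeds it.
"""
import hashlib
import hmac
import re

# Hypothetical key ring.  Req 3.6 asks for documented key management and
# rotation; tagging each stored token with the key version it was made
# under turns "which records need re-keying?" into a simple lookup.
KEY_RING = {
    1: bytes.fromhex("aa" * 32),   # retired key, kept only to recognise old tokens
    2: bytes.fromhex("bb" * 32),   # current key (placeholder value)
}
CURRENT_KEY_VERSION = 2

# Sensitive authentication data: must never be stored after authorisation (Req 3.2).
FORBIDDEN_FIELDS = frozenset(
    {"cvv", "cvv2", "cvc2", "cid", "pin", "pin_block", "track1", "track2"}
)


def normalize_pan(raw: str) -> str:
    """Strip spaces and dashes; reject anything that is not 13-19 digits."""
    pan = re.sub(r"\D", "", raw)
    if not 13 <= len(pan) <= 19:
        raise ValueError("PAN must be 13-19 digits")
    return pan


def luhn_valid(pan: str) -> bool:
    """Luhn check digit: catches typos before the value goes anywhere near storage."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form permitted by Req 3.3: at most the first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def pan_token(pan: str, key_version: int = CURRENT_KEY_VERSION) -> str:
    """Keyed one-way hash of the entire PAN (Req 3.4), tagged with the key version.

    HMAC rather than a bare SHA-256: the masked form leaves only six unknown
    digits, so an unkeyed hash could be brute-forced from the mask in seconds.
    Only because the key lives outside the app may mask and token sit together.
    """
    digest = hmac.new(KEY_RING[key_version], pan.encode(), hashlib.sha256).hexdigest()
    return f"v{key_version}:{digest}"


def prepare_for_storage(card: dict) -> dict:
    """Return the only fields that may be written to local storage."""
    forbidden = FORBIDDEN_FIELDS & {k.lower() for k in card}
    if forbidden:
        raise ValueError(f"refusing to store sensitive authentication data: {sorted(forbidden)}")
    pan = normalize_pan(card["pan"])
    if not luhn_valid(pan):
        raise ValueError("PAN fails Luhn check")
    return {
        "pan_masked": mask_pan(pan),
        "pan_token": pan_token(pan),
        "expiry": card.get("expiry"),
        "cardholder": card.get("name"),
    }


def needs_rekey(record: dict) -> bool:
    """True when the stored token was produced under a retired key."""
    version = int(record["pan_token"].split(":", 1)[0][1:])
    return version != CURRENT_KEY_VERSION


if __name__ == "__main__":
    # Constructed sample input; 4111 1111 1111 1111 is a well-known test PAN.
    print(prepare_for_storage({"pan": "4111 1111 1111 1111", "expiry": "12/27", "name": "A N Other"}))
    try:
        prepare_for_storage({"pan": "4111111111111111", "cvv2": "123"})
    except ValueError as err:
        print("rejected:", err)
```

The token is one-way, so it cannot be re-keyed in place; a record flagged by `needs_rekey` has to be re-tokenised the next time the cardholder presents the card, which is the usual trade-off when storing a hash instead of a reversible encryption.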

  • Encrypt transmission of cardholder data across open, public networks.

Yes, this applies to mobile applications. When cardholder data is transmitted from the mobile device to the server it must be protected with strong cryptography and security protocols (for example TLS, not SSL or early TLS), and the application must verify that it is talking to a trusted server. Unprotected PANs must never be sent over end-user messaging technologies (for example e-mail, instant messaging, chat, etc.).
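As an added example (not code from the original page), the contrast below shows the client-side TLS configuration that often ships by accident next to the one Requirement 4 expects, with a small audit function that flags the weak settings and a certificate-pinning check of the kind mobile apps add as a second line of defence. It uses only Python's standard `ssl` and `hashlib` modules; the fingerprint value is a placeholder and the sample certificate bytes are constructed, not a real certificate.

```python
"""Transport protection for a mobile app's payment calls (PCI DSS Requirement 4).

Added example, not code from the original page.  Standard library only.
The pinned fingerprint below is a placeholder; a real pin is the SHA-256 of
the DER certificate returned by SSLSocket.getpeercert(binary_form=True).
"""
import hashlib
import hmac
import ssl


def weak_context() -> ssl.SSLContext:
    """The shortcut that 'makes the certificate error go away' in testing and
    then ships: no certificate validation and no hostname check, so any
    on-path attacker can terminate the TLS session and read the PAN."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False           # must be cleared before verify_mode is lowered
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context() -> ssl.SSLContext:
    """Trusted-server checks plus a protocol floor, as Req 4.1 expects."""
    ctx = ssl.create_default_context()   # CERT_REQUIRED, hostname check, OS trust store
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # SSL and early TLS are not 'strong cryptography'
    return ctx


def context_problems(ctx: ssl.SSLContext) -> list:
    """Audit a context; an empty list means it is acceptable for cardholder data."""
    problems = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        problems.append("server certificate is not verified")
    if not ctx.check_hostname:
        problems.append("hostname is not checked against the certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        problems.append("SSL/early TLS versions are allowed")
    return problems


def certificate_fingerprint(cert_der: bytes) -> str:
    """SHA-256 over the DER-encoded leaf certificate, as used for pinning."""
    return hashlib.sha256(cert_der).hexdigest()


def certificate_pin_matches(cert_der: bytes, expected_sha256_hex: str) -> bool:
    """Certificate pinning: compare the presented leaf against the value baked
    into the app.  Pinning the whole certificate means the pin must be rotated
    before the certificate is renewed, so ship a backup pin as well."""
    return hmac.compare_digest(certificate_fingerprint(cert_der), expected_sha256_hex.lower())


if __name__ == "__main__":
    for name, ctx in (("weak", weak_context()), ("hardened", hardened_context())):
        print(name, context_problems(ctx) or "ok")
    # Constructed bytes standing in for a DER certificate; a real app would
    # pass what getpeercert(binary_form=True) returns after the handshake.
    sample_cert = b"\x30\x82\x01\x00constructed-placeholder-not-a-real-certificate"
    print("pin ok:", certificate_pin_matches(sample_cert, certificate_fingerprint(sample_cert)))
```

The audit function is the part worth keeping: run it against every context the app creates (or against the equivalent settings of the platform HTTP client) so that a `CERT_NONE` left behind from a debugging session is caught in test rather than in the field.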

  • Use and regularly update anti-virus software

Yes. Any device or system that holds cardholder data or credentials should run anti-malware software capable of detecting, removing and protecting against all known types of malicious software. It must be kept current, must be actively running, and must not be disabled or altered by users unless specifically authorized by management on a case-by-case basis for a limited time period.

  • Develop and maintain secure systems and applications.

Yes. Developers must address common coding vulnerabilities during the software development process, and must be trained in secure coding techniques, including how to avoid common coding vulnerabilities and how sensitive data should be handled in memory.

  • Restrict access to cardholder data by business need-to-know

No, as a design control for the application itself. This requirement restricts employees' access to cardholder data held on server-side systems, whereas a mobile application holds cardholder data on the client side. The back-end systems the application talks to remain in scope for it.

  • Assign a unique ID to each person with computer access.

Yes; not all, but some of the controls apply to mobile applications. For example, for each unique ID, at least one of the following methods must be used to authenticate the user: something you know (a password or passphrase), something you have (a token device or smart card), or something you are (a biometric).

  • Restrict physical access to cardholder data.

Yes; not all, but some of the controls on physical access apply to mobile applications, such as using appropriate facility entry controls to limit and monitor physical access to systems in the cardholder data environment, and storing media backups in a secure location, preferably an off-site facility such as an alternate or backup site.

  • Track and monitor all access to network resources and cardholder data.

No, as a design control for the application itself: tracking and monitoring access to network resources is done on the systems that host them, not in the mobile application, although the back-end the application talks to remains in scope.

  • Regularly test security systems and processes.

No, as a design control for the application itself: testing security systems and processes is an organizational control. Note, however, that the penetration testing this requirement calls for includes application-layer testing, so the mobile application and its back-end should still be tested.

  • Maintain a policy that addresses information security

Yes. The organization must establish, publish, maintain and disseminate a security policy, review it at least annually, update it when the environment changes, and implement an incident response plan.

Setting up a cloud environment is becoming simpler every day. But management, expansion, monitoring, regulation, control and security of the cloud have become real worries for any organization that already has a cloud footprint. If the operations behind these are not handled properly, the organization's growth and its market value suffer as well.

Major issues faced by organizations related to Cloud Security

  • Managing the Cloud Infrastructure.
  • Assessment of overall security status of the Cloud infrastructure.
  • Data Encryption
  • User roles in Cloud
  • Provisioning of security controls
  • Difficulty in Risk Assessment
  • Security of new workloads in the Cloud
  • Unclear about Compliances related to Cloud
  • Monitoring of workloads across different Clouds (Hybrid, private, public)
  • Management of Cloud Resources
  • Tracking of Cloud Resources Usage
  • Poor Incident management

How will ISO 27001 solve these issues?

ISO 27001 is a framework for an ISMS (Information Security Management System) which brings a disciplined, tight process flow to information security. ISO/IEC 27001:2013 has 10 clauses, and its Annex A has 14 control groups containing 114 controls. The standard helps any organization shape its ISMS to its own requirements. With ISO 27001 you can make your cloud and its management more secure: it has a list of controls that address the problems a CISO faces in managing the cloud, covering physical security, logical security, policies, access control, etc. for the protection of organizational assets.

ISO 27001 Sections

A5 – Security Policies:

Here you review the existing policies for cloud security, check whether your policy covers sufficient controls for cloud security, and add whatever is missing. SOPs (Standard Operating Procedures) help a CISO monitor the cloud and check whether the security controls are in place.

A6 – Organization of information security

You can define and manage the different cloud security roles and manage information security within project management. With segregation of duties it becomes easy to separate the work of different employees in a systematic manner. You can also manage mobile device policies (e.g. BYOD policies) for your cloud.

A7 – Human resource security

You can define management's responsibilities towards cloud security, and maintain detailed records of employees' logs, access rights, agreements, etc.

A8 – Asset management

In cloud security, asset management becomes a necessity. Asset allocation, maintenance, tracking, labelling and so on can be carried out for your cloud to make it secure.

A9 – Access control

Access control solves the problem of managing authorized user access in Cloud. Here you can manage User access, oversee User responsibilities; manage system and application control for your Cloud.

A10 – Cryptography

Cryptography control solves the problem of data encryption in Cloud. You can manage Keys for secure data transfer in the Cloud.

A11 – Physical and environmental security

You can put sufficient security controls in place to protect your cloud infrastructure.

A12 – Operations security

Here you can review and oversee operational responsibilities and procedures, oversee protection of the cloud from malware and technical vulnerabilities, check backups, and audit the capacity management and change management plans.

A13 – Communications security

When it comes to the cloud, communications security becomes important in terms of data transfer, transmission channels, network security, etc., and ISO 27001 addresses these issues in an efficient way.

A14 – System acquisition, development and maintenance

When you think of expanding your cloud and its operations, system acquisition, development and maintenance comes into the picture, including management of the increasing workload.

A15 – Supplier relationships

If you have different suppliers for the resources your cloud requires, this control helps you manage those supplier relationships.

A16 – Information security incident management

The incident management controls of ISO 27001 provide the structure for handling incidents that occur in the cloud. A RACI (responsible, accountable, consulted, informed) matrix helps in managing an incident, for example by fixing who is responsible for a particular incident. Risk assessment and risk treatment under ISO 27001 help you assess and mitigate the risks associated with the cloud in a structured manner.

A17 – Information security aspects of Business Continuity

ISO 27001 helps in making decisions of Continuity Planning & Improvement in current cloud operations.

A18 – Compliance

ISO 27001 covers identification of applicable legislation and contractual requirements, such as intellectual property rights, protection of records, privacy and protection of personally identifiable information, and regulation of cryptographic controls for cloud security. It also takes care of other compliance obligations related to your cloud.

(C) Valency Networks 2008