Application and Product Considerations for HIPAA-Compliant Software Development



Recently, our friend, Chris Bowen, Founder and Chief Privacy and Security Officer for ClearDATA, wrote a great article for Network World detailing the 9 Keys to Having a HIPAA-Compliant Cloud. While some of Chris’ “9 Keys” were operational – like disaster recovery and establishing a proper business associate agreement – quite a few fell under the scope of product development.

As a developer of HIPAA-compliant software, we thought we’d expand on the development considerations that Chris introduced in his list. Below we offer our take on five application and product considerations for HIPAA-compliant software development:

  1. Implement audit controls: Under the HITECH Act, the HHS has mandated external audits to ensure that healthcare software remains in compliance with HIPAA standards. This means that one of the key considerations for a HIPAA-compliant product is a logging infrastructure that facilitates regulatory compliance. Tools like AWS’ CloudTrail and DVmobile's DVblueprint can help log API calls, so if an audit is requested, these tools offer evidence of compliance. However, if any Personal Health Information (PHI) is included in the logs, data encryption is recommended (see #4 below).
  2. Identity and Access Management Controls: HIPAA requires central identity management and necessitates the close control of access to data. Thus, to develop HIPAA-compliant software, product engineers must consider how the software will track users, logins, activity, and changes. The key for product development is to design identity and access controls that are safe but not so onerous that they negatively impact patient care. Developers have to balance the HIPAA requirements against the user personas and real-time needs.
  3. Access Controls: In the same vein as number two, another significant product consideration is how software can help healthcare organizations achieve access control – who has access to information and when access is available. This requirement is part of the first Technical Safeguard Standard of HIPAA’s Administrative Simplification Security Rule, and includes features like:
           - Unique user identification
           - Role-based authorization
           - Emergency access
           - Automatic logoff

    Product developers need to consider the roles of all end users to develop role-based access functionality. For example, a hospital administrator might not have the same access to patient diagnoses as a doctor would. Similarly, a doctor might not have the same access to patient financial information as an administrator might. Navigating these roles and developing infrastructure to accommodate a variety of role-based needs is critical for HIPAA-compliant software development.
  4. Encrypt PHI and other sensitive data: Encryption of PHI data is not required by HIPAA. But, while it’s not specifically mandated, implementing a mechanism to encrypt and decrypt PHI data is a best practice for healthcare software development. We agree with Chris Bowen when he says that healthcare software solutions should encrypt PHI and other sensitive data in transit or at rest using a purpose-designed approach. This helps organizations mitigate unauthorized access to sensitive data, thus protecting them from financial risk and liability in the event of a data breach.
  5. Ensure transmission security: Just as with encryption and decryption, transmission security is not a requirement for HIPAA-compliant software. But again, it is a best practice. When developing HIPAA-compliant software, product engineers must consider the technical security measures that need to be implemented within the application to guard against unauthorized access to information as it is being transmitted electronically. Products should be built with SSL and TLS certificates, as well as object keys where feasible.
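As an added example (not code from this post or from DVmobile), the following minimal Python access layer shows how the four access-control features from item 3 (unique user identification, role-based authorization, emergency access, automatic logoff) and the audit logging from item 1 fit together in one decision point. The roles, PHI categories, user ids and the 15-minute inactivity timeout are constructed assumptions.

```python
"""Constructed example of a HIPAA-style access check: every decision is
audited, roles gate PHI categories, emergency (break-glass) access is
allowed but flagged, and idle sessions are logged off automatically."""
import time
from dataclasses import dataclass

# Role -> PHI categories that role may read (constructed sample policy).
ROLE_PERMISSIONS = {
    "physician": {"diagnosis", "medication"},
    "administrator": {"billing"},
}
SESSION_TIMEOUT_SECONDS = 15 * 60  # automatic logoff after inactivity (assumed)


@dataclass
class Session:
    user_id: str            # unique user identification; never a shared login
    role: str
    last_activity: float    # epoch seconds of the last authorized action
    break_glass: bool = False   # emergency access; permitted but always audited


class AccessController:
    def __init__(self, now=time.time):
        self.now = now          # injectable clock so the timeout is testable
        self.audit_log = []     # append-only decision records (audit controls)

    def _record(self, session, category, decision, reason):
        self.audit_log.append({"ts": self.now(), "user": session.user_id,
                               "role": session.role, "category": category,
                               "decision": decision, "reason": reason})

    def can_access(self, session, category):
        """Return True if access is granted; every outcome is written to the audit log."""
        if self.now() - session.last_activity > SESSION_TIMEOUT_SECONDS:
            self._record(session, category, "deny", "session expired (automatic logoff)")
            return False
        session.last_activity = self.now()
        if category in ROLE_PERMISSIONS.get(session.role, set()):
            self._record(session, category, "allow", "role permits")
            return True
        if session.break_glass:
            # Emergency access bypasses the role check but is flagged for review.
            self._record(session, category, "allow", "EMERGENCY ACCESS - review required")
            return True
        self._record(session, category, "deny", "role does not permit")
        return False
```

The audit records contain only user id, role and category, so the log itself holds no PHI; if PHI must be logged, encrypt it as item 4 recommends.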

These are just five of the keys to developing HIPAA-compliant software. Click here for more information about how DVmobile works with healthcare partners to dream up, design, and develop innovative healthcare solutions.


2 Factors Driving the Rise of the Multi-Cloud


A recent survey of more than 1,200 global business and IT decision makers revealed that 56% of global organizations now operate with a Cloud-first mentality when it comes to deploying new applications and managing workloads. That’s a complete turnaround from only a few years ago, when on-premises software development was still in the driver’s seat.

The survey also found that more customers are embracing the Multi-Cloud as a key component of their business strategies. Additional research supports this finding:

It’s easy to understand why organizations are increasingly migrating to Cloud-based solutions. Cloud solutions can help organizations act and react quickly to changing environments, better manage IT resources, and better serve clients. But what’s behind the growth of the Multi-Cloud trend? Why are Cloud-aware and connected organizations embracing the Multi-Cloud model?

There are two factors driving this trend:

Flexible Customization –

While Amazon Web Services (AWS) is still the 800-pound gorilla in the market, its competitors are rolling out changes and specializing in services designed to make the market more competitive and differentiated. This means that there are services and features available on one Cloud that might not be as strong, or even available, on others. For example, ClearDATA offers a HIPAA-compliant platform for healthcare providers, Azure caters to Microsoft-heavy organizations, and Google Cloud Services provides artificial intelligence capabilities and data analytics products, like BigQuery, that the competition can’t yet match.

Let the Cloud Wars begin...


A Multi-Cloud model frees companies from a one-size-fits-all approach to Cloud services. Rather, companies can evaluate various Cloud provider services against their specific needs and customize their strategy accordingly, using services from different providers suited to particular needs.

Risk Mitigation –

A Multi-Cloud strategy is also a good way for companies to mitigate risk. Deploying critical systems across multiple Cloud services provides additional fault tolerance, so companies are covered in the event of a service interruption. This insurance strategy can be costly, so it should be based on the business value and criticality of the service being provided. In other words, a company shouldn’t use a Multi-Cloud strategy to deploy its non-mission-critical services or solutions.

Embracing a Multi-Cloud strategy gives companies greater flexibility and reliability. Is your organization embracing Multi-Cloud? We’d love to hear what’s working for you, and help you think through what Multi-Cloud challenges you might be encountering. Click here for more information about our Cloud strategy, development, and migration capabilities.


Jamie Murphy

Guest blogger for DVmobile, busy mama, & strategy wiz.


3 Questions to Ask Before You Hire a Software Engineering Firm


Did you know that roughly 30 percent of IT projects fail?

This is one reason that the traditional model of software development – wherein an organization prescribes the solution, and then hires a development provider to execute it – is on its way out. In fact, poor delivery and the sheer pace of technological advancement are bringing about the rise of a new, much more collaborative software development model.

Today’s organizations are better served by hiring an expert development partner – not merely a development outsourcer – that can:

  • Collaborate with their client to understand unique needs and opportunities
  • Provide strategic advice and solution expertise
  • Dream up an innovative approach to bring the client’s vision to life

But how can you determine if the firm you’re interviewing is a traditional outsourcer or strategic development partner? It can be hard to know how a development team really operates before you hire them. We’ve put together these three questions to help you prod a little deeper and determine if your potential engineering provider will make a good partner:


1. How do you use design thinking to develop solutions?
Providers who leverage design thinking to plan and develop solutions are inherently better partners than those who don’t. Design thinking requires that the developer empathize with the end user. This means they’re not building based on a list of pre-determined specs and theoretical needs. Rather, their solutions are truly adapted to the experience of the end user and, as a result, often more successful.


2. Can you provide expertise across multimodal technologies?
A good partner is able to grow with your organization over time. For example, consider an organization that’s just beginning to develop its SaaS solution. As that software is deployed and becomes more successful, the company might want to expand its footprint by offering a mobile app. Or, the organization might need to migrate its solution to the cloud to better manage its IT resources. As the organization continues to mature, it might even consider developing its own smart device to accompany its service.

What began as a SaaS project could easily transform into something much more complex as an organization grows and expands. That’s why it is important to identify from the outset whether or not a potential provider can partner with your organization across a wide spectrum of future needs and technologies.


3. Can I speak to your references?
This might seem like a no-brainer, but it’s such an important question to ask that we couldn’t leave it off our list. We’ve found that when you delight your clients, they’re eager to tell others about their experience. As you speak to a provider’s references, ask them:

  • Did the delivery team immerse themselves in the project, deeply understanding your needs and priorities?
  • What process did you undertake to develop the final solution?
  • What ideas or new thinking did the potential provider bring to the table?

These are just a few of the questions that we recommend asking a potential software development provider to make sure that they can act as a partner to your organization, rather than just an outsourced skill set. For more information about how we partner with clients like Nortek, the Dallas Cowboys, or Collective Goods, check out our case studies.


Jamie Murphy

Guest blogger for DVmobile, busy mama, & strategy wiz.