Governments around the world are promoting and standardizing the digitization of patient information in the health care sector - developers need to find an easy solution to implement these new standards and ensure that this information stays private and secure.
Specifically, we will look at how the United States has implemented certain regulations that obligate health care actors to add new features to their applications within a certain time frame; this requires a solution that meets standards across the board and is easy to implement even in existing applications.
Important features required by these regulations include:
Visual Guard is a comprehensive solution for access control in .NET applications from Novalys. It combines authentication, permissions and auditing features in the same tool. A number of Visual Guard clients are public and private health care actors.
This article demonstrates how Visual Guard has been able to help meet the strict criteria of health regulations in the United States. It will look at why two major health care actors have integrated Visual Guard into their applications.
A system developed for the health care industry needs to be flexible, modular and scalable to meet the security policy of multiple public and private actors. It needs to filter patient information into a need to know basis and protect it from any extraneous forces. A custom in-house access control system can be implemented into a health care application; but, such a solution is usually very complex, time consuming and costly to build, maintain and update. With the strict timelines set by government agencies for the implementation of health care regulations, these deadlines can impose heavy constraints on development and testing time.
"I'm not writing an additional user management system. I'm tired of it." is something heard often by developers who have gone on to choose Visual Guard as a solution. Visual Guard is an access control system that combines user account management, permissions and audit for one or multiple applications. It is easily integrated into most application architectures (.NET 2.0 and above, C#, vb.net, asp.net, Winforms, WCF, WPF, Silverlight, MVC3, MVC4) and can be implemented in four easy steps (see below) with no need to do a full development cycle each time the application needs to be maintained. Repetitive actions such as administering permissions throughout the application can be done quickly and easily by non-technical employees.
Visual Guard has a number of clients in the health care industry in the United States and Europe, including Federal and State Departments of Health and private actors such as labs and hospitals that specifically chose Visual Guard as their solution because of the flexibility and ease of implementing and using it within their application.
There are a number of regulations that need to be met by public and private actors in the health care industry. In this article we will focus on the U.S. Health Insurance Portability and Accountability Act of 1996, (HIPAA). It provides advice and guidelines for patient health data, including its encoding, privacy, security, integrity, and availability. It offers a set of principles to be met by any health care industry actor, public or private, that transmits electronic billing or related information to insurance companies (most notably Medicaid and Medicare) no matter how minimal the services provided are. All the data, processes, and systems throughout the organization are subject to HIPAA guidelines.
Starting in 2015, hospitals and doctors will be subject to financial penalties under Medicare if they are not using electronic health records. Recently, HIPAA guidelines have been additionally reinforced through the Health Information Technology for Economic and Clinical Health Act (HITECH). This is meant to promote and expand the adoption of health information technology. HITECH extends the penalties for HIPAA security breaches to private associates of covered entities and has newly updated civil and criminal penalties to business associates.
There are a number of other standards that regulate applications related to health care data. Both federal and state standards exist. Generally, the most stringent standard, whether it is state or federal supersedes less strict security and privacy standards. For HIPAA, state laws take effect where there are no HIPAA provisions or if there is an exception under HIPAA(1).
Health care application standards are regularly updated to meet with changing technological environments. MITA 3.0 (Medicaid Information Technology Architecture) was recently released. It takes into account enacted legislation such as HITECH, the Children's Health Insurance Program Reauthorization Act (CHIPRA), and the Affordable Care Act (ACA); emerging technologies such as cloud computing are now covered.
A list of regulations from the Centers for Medicare and Medicaid Services can be found here.
Fines are far from the only reason meeting these standards is important. It can take months even years to meet the standards required and get accredited by a recognized institution.
Receiving full accreditation status provides assurance to patients, physicians, payers, health plans, employers and regulatory agencies that an organization's practices are consistent with national standards(2).
The State Health Department application that Visual Guard secures is a project that ensures citizens are eligible for health care programs and helps them to enroll. It allows citizens to fill in an application, for that information to be verified and to see whether they are eligible or not. The data is then sent on to the appropriate services. It also allows users to renew/update their Medicaid application. The project deadline is set by Medicaid and CHIP (Children's Health Insurance Program).
Another customer, New Century Health, has a provider portal - a custom online portal that provides mainly pre-authorization for oncology treatment requests through various clinical review and approval processes. It is a collaboration platform that is used by physicians, health insurance organizations and employees within NCH.
We will see in the rest of this article how Visual Guard's modularity allows for simple changes to permission and security structures in applications. Visual Guard helps organizations to easily meet changing standards such as securing applications deployed to the cloud.
(1) http://www.managedcaremag.com/archives/0205/0205.hipaabystate.html
(2) http://www.prnewswire.com/news-releases/new-century-health-receives-urac-health-utilization-management-accreditation-132910328.html
HIPAA requires that data be securely guarded. Systems need to:
Visual Guard has created a system that provides safeguards against the most common types of attacks, some examples are:
To read more about Visual Guard security: How Visual Guard protects against security breaches.
HIPAA requires organizations to define what level of access each employee has to the organization's software, based on the role the employee holds within the organization. This is also applied to any third parties that have been given access to the application.
For example, someone in the accounting department may require information like address and billing procedures for every client the organization charges. But this person does not need, and should not be able to access patient's case information. Therefore, a system that can define very specific roles and access levels in your software package and that allows customization is needed. This can be tedious to develop, and to maintain. As an access control system, Visual Guard allows for easy management of permission sets. Employees can easily and securely be given, edited or have taken away specific access rights to patient information.
Health care actors need to centralize permissions, as they usually use an in-house application that will be accessed by several entities of a large organization, or various organizations/companies. Such is the case of Visual Guard's client, New Century Health - whose online portal allows insurance companies, doctors and patients to only access pertinent information.
The majority of projects write application code to define how to apply user permissions. For example, according to the role of the user, this code will deactivate a menu, hide a control, filter a list of data...
As a result, to change the application security (adding new restrictions, for example), there is no need to perform a full development cycle (design, coding, test, deployment).
Visual Guard has developed an innovative technology to eliminate these inconveniences and completely separate security from business logic:
This solution has the following benefits:
Each client can be assigned to a group, and their internal structure is replicated through the creation of sub-groups. The same security system is used for all clients, but each client will have administration rights for their users only.
Visual Guard allows the giving of privileges to an administrator so that they can manage users and give roles for each application.
Administration privileges can also be limited to a group of users. In this case, the administrator can only see and manage the users in their group.
When working with a multi-tenant application, it is recommended to name at least one administrator per tenant, and to limit their administration rights to that tenant.
Example 1: you can name an administrator for each tenant
However, Visual Guard can do much more: it can limit administration permissions to any level of the group hierarchy. This system offers a great deal of flexibility for the distribution of administration rights in any entities within each tenant.
Example 2: you can limit administration to a sub-group inside a tenant
Combine multiple criteria to limit administration permissions:
Example 3: you can define several administration levels in each tenant
When your application is being accessed by several entities whether inside the organization or outside, such as insurance companies, it is important to be able to see who has accessed what and to ensure that these rights are not being abused. New Century Health has a portal designed to be accessed by employees, patients and insurance related personnel - each group has access to their specific roles.
HIPAA requires that organizations keep an audit log of who did what in the software package. An organization must be able to track when a user accessed each record and if they edited anything within the record. It also specifies that users are only able to access the information that is required for them to do their job.
HITECH requires HIPAA covered entities to report data breaches affecting 500 or more individuals to the Department of Health and Human Services (HHS) and the media, in addition to notifying the affected individuals(3).
As most companies that fall under HIPAA standards are using self-hired external auditors, it is important that they are able to access all the information necessary to ensure that the regulations are being met and that the application is HIPAA certified.
Easily seeing who has accessed what part of a patient's information is therefore essential for any application in the health care sector.
"I think I'm saving 50% of time" said one of NCH's developers, as with Visual Guard he has reduced such menial tasks like resetting passwords.
The administration interface is as easily deployable as the application itself, enabling one to distribute administration rights in a way that is very flexible. Each administrator is able to access the administration features, no matter where they are or their technical skill.
Visual Guard will provide you with a user administration console in both winform and webform. As an alternative Visual Guard also offers a Custom Administration User Interface:
See more information on the APIs here.
(3) http://www.natlawreview.com/article/hipaahitech-enforcement-action-alert
A user-friendly access control system ensures that the technical team can concentrate on development.
With Visual Guard:
The time factor is critical for a number of Visual Guard's clients. They have strict deadlines to put an application into production. The State Department of Health using Visual Guard has less than a year to develop the app and implement the corresponding security.
Integrating Visual Guard is a simple process. Below is an example of how easy it can be to integrate Visual Guard in a .NET application in just 4 steps:
These steps are just an example for a .NET application, as Visual Guard can be integrated into any application that can make HTTP requests.
HIPAA requires that organizations ensure patient data is available to only those who need to see it, including the patients themselves. This availability requirement implies that your system is functional on an ongoing basis and that your data is backed up. It is therefore important to have not only a system that is reliable, but also technical support that is there from inception to implementation of the project.
As one of Visual Guard's users mentioned: "it's better to work with a ready-to-use solution as we are not security experts and prefer to focus on our business and core developments, especially when a company has already done the work for us." An all-in-one solution that is very modular and flexible can fit requirements, evolve with the technology and easily adapt to regulations changes or corporate policy updates.
See for yourself how Visual Guard helps meet health care requirements; get a trial version of Visual Guard here.