
Is Your Software System HIPAA Secure?

May 17, 2019 11:00 am

Mobile devices, including smartphones, tablets, and laptops used for EVV (Electronic Visit Verification) with wireless connectivity, present a potential security risk to client information.

For this reason, the software provider you choose for your EVV platform needs to be fully security-aware and have all the necessary security protocols in place. Mobile applications use SaaS (Software as a Service) platforms that live on the provider’s cloud.

With SaaS systems, security upgrades are automatically available to all users as soon as they are implemented. Having all users on the same version of the same platform facilitates communications between workers, supervisors, and management.

Direct Care Innovations (DCI) creates business management platforms for providers and government agencies in the Medicaid, Medicare, Private Insurance and Managed Care Markets. The security measures incorporated in all of their software applications meet or exceed all industry and government standards.

Security Measures you should look for in any Mobile Application.

When seeking a software provider, the security measures listed below are essential for a maximum security environment.

Notifications on the Mobile App.

Your mobile app needs the ability to receive push notifications on software updates, potential security issues and communications from management. This level of instant communication is essential, as you may have agents that do not visit the home base on a daily basis. Notifications via the app may be the only way to effectively communicate with field agents in a timely manner.

Employee Only Access.

No one outside your organization should ever have access to your app, client information or any information about your scheduling or workplace. The only exception is in an audit scenario where you authorize access to the app and the information in it. This is the main purpose of any security program and any application you consider should have these controls in place.

HIPAA compliance.

The Health Insurance Portability and Accountability Act of 1996 sets the standards for all healthcare providers, insurers, and any organization that deals with client information. These standards also apply to the software and tools that providers use. Many of these measures seem obvious, such as password protection, accountability, and the ability to document who had access to a record and when it was accessed. Any application used to record client information must meet HIPAA standards.

MITA – Medicaid Information Technology Architecture.

MITA is an organization within the US Government’s Centers for Medicare &amp; Medicaid Services. Its primary role is to ensure that all IT platforms and applications comply with the standards established by the US Government.

NIST – National Institute of Standards and Technology.

NIST is a government standards organization that establishes information technology standards for how data is collected, stored, protected and shared. These are the gold standard for security.

MECT – The Medicaid Enterprise Certification Toolkit.

MECT is a government-sponsored certification organization that provides strict guidelines for information storage, handling and sharing. The “Toolkit” can be downloaded from https://www.medicaid.gov/medicaid/data-and-systems/mect/index.html. These tools were developed to assist states in planning, developing, testing and implementing their Medicaid Management Information Systems. Software applications that follow these guidelines are compliant with government security protocols.

Single Tenant Systems vs. Multi-Tenant.

While it is possible for multiple clients to share the same software instance, database or application server, this sharing between different parties is a basic security risk. More secure systems use “Single Tenant” platforms, meaning that no other parties share the database and there is no risk of data leakage.

When multiple clients share a common database, it is easier for data to be accidentally accessed by unauthorized parties. Single tenant systems are more expensive to create and maintain, but the added security of this type of system is well worth the expense.

Level 2 Penetration Testing.

Any database has varying degrees of security, and level 2 is one of the higher levels of testing a database can be subjected to. This simply means that the system has been subjected to a variety of vulnerability tests.

Role-Based Security.

This simply means that data is accessed on a need-to-know basis only. In any organization, various personnel require access to client data, and a secure system allows only those who are authorized to see particular data to access it, based on what they need in order to perform their duties in caring for the individual.

SSL (Secure Socket Layer) Protected.

This means that the system has been tested by a third party and certified as secure. This is a test of the security of the encryption of the system data and of the vulnerability of the system to outside intrusion, or “hacking.”

256 Bit Encryption.

This is the most secure type of encryption. When data is transmitted over any network, it is vulnerable to being copied by an unauthorized party. Encryption protects against this by breaking down data into a multitude of components that cannot be read without the authorized decryption software. Encryption levels are 120, 190 and 256. Software that is at the 256 level is the most secure.

Full Event Logging for Auditing Purposes.

This means that the system tracks every time a record is accessed, who accessed it, and when. This level of accountability lets the data owner know who has accessed the files. In order for an application to be considered fully secure, full accountability is a must. This documentation is a requirement for any audit, whether internal or external, such as by government agencies.
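Tenant isolation (the multi-tenant risk described earlier), role-based need-to-know access, and full event logging are in practice one access gate. The following is an added example in Go, written for this article and not DCI's code; the roles, tenants, record IDs and the permission matrix are constructed assumptions. Every read or write goes through Access, which refuses records belonging to another tenant, checks the caller's role against a deny-by-default permission table, and appends an audit entry (who, which record, what action, when, allowed or not) whether or not the request succeeds. lookupByIDOnly shows the multi-tenant mistake the article warns about: a lookup by record ID with no tenant filter.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Role names and the permission matrix below are constructed assumptions.
type Role string

const (
	RoleCaregiver  Role = "caregiver"
	RoleSupervisor Role = "supervisor"
	RoleAuditor    Role = "auditor" // granted only for an authorized audit
)

// User belongs to exactly one tenant (agency) and holds one role.
type User struct {
	ID, Tenant string
	Role       Role
}

// ClientRecord is a row in a shared database, tagged with its owning tenant.
type ClientRecord struct {
	ID, Tenant, Notes string
}

// AuditEntry: who touched which record, what they did, when, and the outcome.
type AuditEntry struct {
	When    time.Time
	UserID  string
	Record  string
	Action  string
	Allowed bool
	Reason  string
}

// permissions is deny-by-default: any role/action pair not listed is refused.
var permissions = map[Role]map[string]bool{
	RoleCaregiver:  {"read": true},
	RoleSupervisor: {"read": true, "write": true},
	RoleAuditor:    {"read": true},
}

// Store holds records plus an append-only audit trail; the clock is injected
// so the trail can be checked deterministically.
type Store struct {
	records map[string]ClientRecord
	Audit   []AuditEntry
	now     func() time.Time
}

func NewStore(now func() time.Time) *Store {
	return &Store{records: map[string]ClientRecord{}, now: now}
}

func (s *Store) Put(r ClientRecord) { s.records[r.ID] = r }

// lookupByIDOnly is the multi-tenant mistake: no tenant filter, so a record ID
// from another agency resolves just as well as one's own. Never expose this.
func (s *Store) lookupByIDOnly(id string) (ClientRecord, bool) {
	r, ok := s.records[id]
	return r, ok
}

// Access is the single gate for every read and write. It logs the attempt
// whether it succeeds or fails, which is what a later audit needs.
func (s *Store) Access(u User, recordID, action string) (ClientRecord, error) {
	log := func(allowed bool, reason string) {
		s.Audit = append(s.Audit, AuditEntry{When: s.now(), UserID: u.ID,
			Record: recordID, Action: action, Allowed: allowed, Reason: reason})
	}
	r, ok := s.records[recordID]
	if !ok || r.Tenant != u.Tenant {
		// Same response for "missing" and "other tenant", so existence is not leaked.
		log(false, "record not found in tenant "+u.Tenant)
		return ClientRecord{}, errors.New("record not found")
	}
	if !permissions[u.Role][action] {
		log(false, "role "+string(u.Role)+" may not "+action)
		return ClientRecord{}, errors.New("forbidden")
	}
	log(true, "ok")
	return r, nil
}

func main() {
	s := NewStore(time.Now)
	s.Put(ClientRecord{ID: "c-1", Tenant: "agency-a", Notes: "care plan (constructed)"})
	s.Put(ClientRecord{ID: "c-2", Tenant: "agency-b", Notes: "another agency's client"})
	care := User{ID: "u1", Tenant: "agency-a", Role: RoleCaregiver}
	s.Access(care, "c-1", "read")  // allowed: own tenant, role may read
	s.Access(care, "c-1", "write") // denied: caregiver may not write
	s.Access(care, "c-2", "read")  // denied: record belongs to another tenant
	for _, e := range s.Audit {
		fmt.Printf("%s user=%s record=%s action=%s allowed=%t (%s)\n",
			e.When.Format(time.RFC3339), e.UserID, e.Record, e.Action, e.Allowed, e.Reason)
	}
}
```

Two design choices matter for an audit: denied attempts are logged as well as successful ones, because a pattern of refusals is often the first sign of misuse, and a record in another tenant produces the same "not found" answer as a record that does not exist, so the gate never confirms what another agency holds.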

Direct Care Innovations (DCI) creates business management platforms for providers and government agencies in the Medicaid, Medicare, Private Insurance and Managed Care Markets.

All DCI software solutions comply with the security measures discussed in this article and this is why they are industry leaders in secure mobile applications.

DCI also offers an obligation-free analysis of your needs, and offers not only software but also the expertise you will need to implement the programs successfully.

You can contact DCI at https://www.dcisoftware.com/ or by calling 480-295-3307.
