Ask HN: HIPAA help. Anyone know a good HIPAA consultant? - fjabre

Working for a startup on a web app that stores patient information online for later retrieval by healthcare professionals via the web. Anyone know a good HIPAA consultant we can talk to that has a good understanding and familiarity with network security/encryption/web frameworks?

I've done several Google searches but many of the results look like they pander to enterprise software suites and large companies.
======
tom_b
I'm not a HIPAA consultant (nor do I know someone to recommend), but do work
with PHI and research data as well.

HIPAA is mainly about having and following a reasonable process for
protecting patient data, both at rest and in-flight on the network. I work
with clinical research data, specifically providing clinical data integrated
with research data. Mainly, I make sure PHI doesn't get shared with
inappropriate readers. This can be a grey area when researchers are in clinic
with a patient one day and the next are in the lab with their research hat on.
Technically, all my work is covered by IRB approvals, which kick up HIPAA
requirements several notches.

Amazon put out a whitepaper on HIPAA - skim it over, it's short and gives the
high-level picture:

[http://d36cz9buwru1tt.cloudfront.net/AWS_HIPAA_Whitepaper_Fi...](http://d36cz9buwru1tt.cloudfront.net/AWS_HIPAA_Whitepaper_Final.pdf)

I think you can tell a compelling story if you make all your web app access
available over SSL, follow the normal warnings from tptacek and crew on how to
encrypt passwords and then harden access to the raw back-end servers. I'd
recommend hiring a devops/sysadmin who has done this before.

If the security of the back-end is what your startup's selling point is, look
into encryption options for your data store (e.g., encrypted by the RDBMS, or
something similar).

Those are the types of concerns we try to make sure are checked off here as we
work with patient clinical data and research data.

I guess the other thing to mention is that we use disk encryption tools as
well - if a laptop walks off one day, we need to be able to say that (a) there
is no PHI on it and (b) even if there was, you couldn't get it off (well,
assuming that the NSA or equivalent isn't involved).

If you're funded/generating revenue already, maybe hiring someone like
Matasano for a penetration test or process review would be prudent.

I'll ask around the research center higher-ups and update if I can track down
a recommendation . . .

~~~
xauronx
Very nice comment. I've worked with HIPAA a bit, and although I'm far from an
expert, what you've said is a good summary of what I've done. Secure in
flight, secure on disk, secure physical access and hope for the best. We're
encrypting our health data in the database as well, for what it's worth.
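
To make the "secure on disk" / "encrypted in the database" point from the two comments above concrete, here is an added Go example (not code from either commenter): each PHI record is sealed with AES-GCM and the record id is bound in as associated data, so a raw copy of the table reveals nothing and a ciphertext moved to another patient's row or edited in place fails to decrypt. The in-memory map stands in for a database table, and the key is assumed to come from a KMS or secrets manager rather than the database.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"io"
)

// phiStore keeps one ciphertext per patient record id. The key lives only in memory
// (assumed to come from a KMS or secrets manager), so a copy of the table alone reveals no PHI.
type phiStore struct {
	aead cipher.AEAD
	rows map[string][]byte // record id -> nonce || ciphertext || GCM tag
}

// newPHIStore builds an AES-GCM store; the key must be 16, 24 or 32 bytes.
func newPHIStore(key []byte) (*phiStore, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &phiStore{aead: aead, rows: map[string][]byte{}}, nil
}

// Put encrypts a record under a fresh random nonce. The record id is bound in as
// associated data, so a ciphertext copied into another patient's row fails to decrypt.
func (s *phiStore) Put(id string, plaintext []byte) error {
	nonce := make([]byte, s.aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return err
	}
	s.rows[id] = s.aead.Seal(nonce, nonce, plaintext, []byte(id))
	return nil
}

// Get decrypts and verifies a record; tampering or a row swap is an error.
func (s *phiStore) Get(id string) ([]byte, error) {
	row, ok := s.rows[id]
	n := s.aead.NonceSize()
	if !ok || len(row) < n {
		return nil, errors.New("no such record")
	}
	return s.aead.Open(nil, row[:n], row[n:], []byte(id))
}
```

Disk encryption on the laptop, as the comment above notes, is a separate layer; this covers only the application's own data store.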

------
rbijou
I've worked with various privacy consulting groups on DLP and other security
issues a lot. I can vouch for Minnesota Privacy Consultants and Navigate LLC
as firms with a solid technical understanding.

The former works with some of the largest healthcare companies, and the latter
is involved in the tech sector including network and encryption security
companies like CipherCloud.