

Show HN: TrueVault (YC W14) SDK for iOS – HIPAA compliance made easy for iOS apps - jason_wang
http://go.truevault.com/ios-sdk/

======
superuser2
HIPAA doesn't regulate code or even infrastructure. It regulates
organizational policy and behavior. HIPAA consists of things like: have a
security policy. Enforce that security policy. Update it periodically. Update
a change tracking document every time you do something to your infrastructure.
Read your logs periodically and be able to prove that you do so. Have an
appropriately empowered person in your organization designated as the HIPAA
compliance officer. Do periodic mandatory security training for your
employees. Perform periodic risk assessments. Control access to your facility.
(It doesn't actually require that you do so in a particularly secure way, just
that you do so.) Have and enforce a policy for disposal of media. Write it
down every time a device containing PHI is moved.

These things are organizational behavior. I don't understand how you can claim
to sell this as a SaaS solution.

~~~
jason_wang
Actually HIPAA is pretty strict on application and infrastructure security.
HIPAA's Security Rule has 3 main sections: Administrative Safeguards,
Technical Safeguards and Physical Safeguards.

Administrative Safeguards = basically encompasses what you described.
Technical Safeguards = encryption, authentication, authorization, audit
control, etc. Physical Safeguards = media (e.g., HD) disposal/reuse, data
backup/restore, access control and validation procedures, etc.

TrueVault handles Technical and Physical Safeguards. Companies like
AccountableHQ.com do a great job taking care of Administrative Safeguards
for their customers.

Check out the Developers Guide to HIPAA Compliance here:
https://github.com/truevault/hipaa-compliance-developers-guide

~~~
superuser2
I'm not buying the assertion that these things are too difficult to build
in-house. While I would want a lawyer's approval for peace of mind, and the
administrative safeguards are actually nontrivial, I'm pretty sure Wikipedia
meets the technical safeguards.

The Access Control requirements: Everyone should have an individual user
account protected by some kind of authentication, limited to the permissions
its user actually needs, and should log off (and/or be automatically logged
off) when they're not actively using that account.

Duh? Every multiuser system designed by a remotely competent solo developer
does this. Your local Starbucks's POS implements this. So does my small-town
public library. And Wikipedia.

Transmission integrity: as far as I know, you have to explicitly go out of
your way to not get this for free from TCP. If you're using HTTPS, even
better.

Audit controls: Wikipedia seems to nail this one, since Mediawiki is built
around versioned storage with nice visualizations of diffs and reporting on
changes. Even without considering security, the natural paradigm for a
clinical EHR system is read-and-append-only since you are documenting
interactions and the past doesn't change. (Sure, mistakes happen, but that's
probably worth acknowledging with an explicit correction.) Otherwise, what's
so hard about throwing in a logger.log() describing what's happening when a
user does something interesting?

I've skipped encryption, but encryption is "addressable" so you don't have to
encrypt anything if it would be too difficult. (So long as you document that
choice.) Use HTTPS where feasible, like you should be doing anyway? Encryption
of database servers doesn't make much sense since the key would be in memory
all the time anyway, but maybe pick "encrypted LLVM" when you install the OS?
And that's the technical safeguards.

The guide claims that my line of thinking is a trap people fall into, but you
don't make a compelling case as to _why_ the technical safeguards are too
hard to do yourself or even a burden.

HIPAA isn't talking about static analysis, formal verification, vulnerability
research, strong cryptography, hardened kernels, airgaps, side channels,
timing attacks, HSMs, 2-factor authentication, etc. It isn't about secure
code, nor any of the interesting/"real" security that HN likes to talk about.
A HIPAA security audit is a checklist and a very expensive Nessus scan. This
isn't Bruce Schneier-level stuff. I'd be surprised if any HIPAA violation was
even interesting enough for DEFCON. HIPAA isn't like the FIPS rules. On the
technical/software side, it's more like an idiot-check. At least, that was my
conclusion after doing a bunch of research for one of my employers.

If I were running a business involving PHI, the thing I'd want most is a
lawyer to tell me what I actually need to change based on what the law
actually is. It doesn't really seem like help is necessary to implement the
technical safeguards.
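
An added sketch (not code from the thread or from TrueVault) of the technical safeguards superuser2 lists above: per-user sessions with least-privilege roles and automatic logoff, plus an append-only, hash-chained audit log where a mistake is fixed by appending an explicit correction rather than editing history. The role table, idle timeout and sample events are constructed assumptions, not HIPAA text.

```python
import hashlib
import json

IDLE_TIMEOUT = 15 * 60  # seconds of inactivity before automatic logoff (assumed policy value)
PERMISSIONS = {         # least privilege: each role gets only what it needs (constructed roles)
    "nurse": {"read", "append"},
    "billing": {"read"},
}

class AuditLog:
    """Append-only record: entries are never edited or deleted, and each one
    commits to the hash of its predecessor so tampering with history shows up in verify()."""
    def __init__(self):
        self.entries = []

    def append(self, ts, user, action, detail):
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        entry = {"ts": ts, "user": user, "action": action, "detail": detail, "prev": prev}
        entry["hash"] = hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
        self.entries.append(entry)
        return entry["hash"]

    def verify(self):
        """Recompute the whole chain; False if any stored entry no longer matches its hash."""
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if body["prev"] != prev or digest != e["hash"]:
                return False
            prev = e["hash"]
        return True

class Session:
    """One individual account per person; last_seen drives the automatic logoff."""
    def __init__(self, user, role, now):
        self.user, self.role, self.last_seen = user, role, now

def act(log, session, now, action, detail):
    """Enforce idle logoff and the role's permissions; every outcome is logged."""
    if now - session.last_seen > IDLE_TIMEOUT:
        log.append(now, session.user, "auto_logoff", "idle timeout")
        return "logged_off"
    session.last_seen = now
    if action not in PERMISSIONS.get(session.role, set()):
        log.append(now, session.user, "denied", action)
        return "denied"
    log.append(now, session.user, action, detail)
    return "ok"
```

A clinical note that turns out to be wrong is handled by a second `append` whose detail says "correction: ...", so both the original and the fix remain in the chain.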

------
morganb180
Just in time for iOS8 and Healthkit. Makes it super-easy to call and write to
the TrueVault API natively within Xcode.