Blog

Taras Filatov

HIPAA compliant mobile chat / video calling and messaging infrastructure

Posted by Taras Filatov on June 12, 2015

Most QuickBlox clients coming from the healthcare sector require HIPAA compliance.

How can a cloud-based messaging infrastructure be HIPAA compliant?


Key factors:

1. HIPAA compliant web hosting

To store your patients’ and customers’ information securely, you first need to choose an appropriate hosting provider.

Note that even when you choose a well-known hosting provider such as AWS or Rackspace, you still need to make sure you select the package that specifically corresponds to HIPAA requirements.

On AWS, for example, at the time of writing the AWS BAA requires that EC2 instances processing protected health information (PHI) be Dedicated Instances rather than standard shared-tenancy instances. Dedicated Instances may be about 1.5x more expensive.

Read more about HIPAA compliant AWS packages and conditions here:

http://aws.amazon.com/compliance/aws-compliance-case-study-pegasystems/

http://aws.amazon.com/about-aws/whats-new/2009/04/06/whitepaper-hipaa/

There are also hosting providers that specialise in HIPAA compliant infrastructure. Some of them run on top of Amazon Web Services yet still offer better pricing than AWS Dedicated Instances. One provider we have worked with is Atlas Health; our clients usually choose between AWS Dedicated Instances, on-premises hosting and specialised HIPAA hosters such as Atlas.

2. Your own hosting account + limited access for external staff

Most QuickBlox enterprise clients choose to host the infrastructure within their own AWS account. While still fully covered by the QuickBlox SLA (support agreement) and monitored by our SiteOps team, this gives our clients the peace of mind that they remain in control of their infrastructure, including all user data. All user data stays on your servers and does not go to any third parties. Some clients choose instead to host on premises or within our cloud. Whichever option you take, it is paramount that you have your own application, chat and database server instances and that your application does not share data with any other customers. Access by external staff, including QuickBlox SiteOps, should be limited to named individuals and covered by the agreements described in point 3 below. To summarise: make sure your communication infrastructure is not in a shared multi-tenant cloud but on your own dedicated servers and instances where your users’ data is stored.

3. Proper legal coverage

Sign a Business Associate Agreement (BAA) with your hosting provider, and a Network Access Agreement (NAA) with your software/infrastructure provider (QuickBlox) that names the technical support staff who have access to your instances. Note that under HIPAA any vendor whose staff can access PHI on your behalf is a business associate, so check whether a BAA is required with the software provider as well.

This gives you the required legal protection and accountability from all sides in order to maintain HIPAA compliance at the hosting, software, data and sysops levels.

4. Encryption (server-side, client-side, transport)

QuickBlox infrastructure and client-side SDK libraries use current industry encryption standards and HTTPS / TLS for client-server transport. Enterprise clients have the option of enabling additional server-side encryption (SSE) as well as extra layers of protection on the client, such as integration with MDM whitelisting so that sensitive data self-destructs if a device is stolen or the build is copied to an unauthorised device, and storing the chat history cache in an encrypted SQLite database. Contact us to find out more about the encryption and security options available.

5. Minimise sensitive data exposure

Last but not least, remember that you do not actually have to pass sensitive data around every time. Some of our clients assume that because we have the QuickBlox Users API they have to duplicate all user profiles into QB Users entities. That is not the case: QB Users are only needed to identify users as device owners when you create chat sessions, and for audio/video calling and push notifications. This does not require storing any personal information about users such as their names or phone numbers. You can keep to random IDs and use the external_ID property of the QB Users API to link with your internal users database. Moreover, the QB Users API allows operating on user entities by external_ID, so you do not have to store sensitive user profile information within QB and you can use your own ID numbering to address QB users when you interact with the chat SDK. Bear in mind that message content and anything users type into a display name can still carry PHI, so minimising data at the user-record level does not replace encryption and access control for chat history.

Chat history is another matter. You have choices here too: not storing any server-side history at all, applying server-side encryption, or exporting history via Apache Kafka to your own secure storage and removing it from your QuickBlox infrastructure. By default, however, server-side chat history is enabled, since it gives end users a better experience by syncing history seamlessly between multiple devices. You and your technical staff have direct access to the chat history storage via the dashboard and the database, so you can wipe that data whenever required. All history is stored separately from user accounts, so if you need to carry out automatic or manual moderation or run search queries, for example in response to an inquiry from a government body or the police, you can do so without unnecessarily compromising users’ privacy.

To summarise, QuickBlox software and infrastructure is HIPAA compliant provided the required hosting, legal and configuration conditions described above are met. We have extensive experience in setting up HIPAA compliant communication infrastructures for doctor-patient, doctor-doctor and patient-patient communication, with user data stored in a secure and compliant way.

Get in touch to discuss your project requirements and benefit from our existing experience in this area: e-mail us or call using the numbers on our Contact page.

Igor Khomenko

Brand-new JavaScript Users code sample

Posted by Igor Khomenko on May 18, 2015

Hello all!
We have received a lot of interest in our JavaScript SDK over the last couple of months and are ready to release some exciting updates!

We are ready to show the brand-new Users code sample.

Demo: http://quickblox.github.io/quickblox-javascript-sdk/samples/users

We completely rewrote it, and it should be much easier and clearer to work with the Users API now.

We have also started reviewing and completely updating the QuickBlox JavaScript documentation section and will be ready to release it soon, together with updated Chat and WebRTC samples!

Stay with QuickBlox to receive more exciting updates!

Igor Khomenko

Group Chat blocks via Privacy Lists API for iOS and Android developers

Posted by Igor Khomenko on April 6, 2015

Hey to all QuickBlox developers,

we recently released another cool feature for iOS and Android developers: Group Chat blocks via the Privacy Lists API.
This feature enables or disables communication with other users in a group chat. It can be used to block communication with unknown or undesirable users.

Previously this was available only for 1-1 chat; today it is possible to have the same experience in group chats.

Privacy lists API for iOS: http://quickblox.com/developers/SimpleSample-chat_users-ios#Privacy_lists

Privacy lists API for Android: http://quickblox.com/developers/Android_XMPP_Chat_Sample#Privacy_lists

Download new SDKs:
quickblox.com/developers/IOS
quickblox.com/developers/Android