The Health Insurance Portability and Accountability Act (HIPAA) came into effect in 1996 with the main purpose of setting standards for managing health-related information and protecting it from compromise. The requirements of HIPAA apply both to health care providers, which the Act refers to as “covered entities”, and to vendors of health care services, which are referred to as “business associates”.
One of the central concepts of HIPAA is Protected Health Information, or PHI. PHI covers any health-related data that can be used to identify the patient, such as name, address, age, diagnosis, and much more. Under HIPAA, both covered entities and business associates must protect any PHI that they gather, capture, store, and transmit.
Among other things, HIPAA sets rules and standards for websites and their functional components, aimed at ensuring the security of PHI both at rest and in transit. Websites are included in the category of “business associates” and are required to comply. Any website that stores, collects, or transmits PHI is subject to HIPAA rules.
Quickblox communication products are an excellent solution for all online customer services and communities, including those operating in the healthcare industry. Therefore, we have adapted our practices to the HIPAA requirements to make sure that our products are HIPAA-compliant and that any information that can be described as PHI is properly protected.
In this document, we have put together a summary of measures that Quickblox takes to ensure HIPAA compliance.
Use of HIPAA-compliant cloud services
Quickblox services can be hosted in the AWS cloud. AWS has brought the entire line of its cloud services into compliance with the HIPAA requirements and has officially confirmed such compliance on its website. All AWS instances that we use to run Quickblox applications fully comply with the requirements for PHI protection both at rest and in transit.
Use of dedicated AWS hosts
For the cases when additional protection measures are required, we offer dedicated hosts – separate physical servers that will be used solely for the client’s application. While AWS no longer requires the use of dedicated hosts for the purposes of HIPAA compliance, we still offer this option for extremely sensitive data management.
Encryption of EC2 and RDS volumes
To ensure HIPAA compliance with respect to protecting data at rest, Quickblox encrypts the storage volumes used in building its cloud infrastructure. We encrypt both the storage volumes attached to the EC2 instances hosting the application and the RDS instances storing the database.
We use AWS encryption mechanisms designed with a focus on HIPAA compliance and capable of protecting data throughout its entire lifecycle.
Use of HIPAA-compliant MongoDB database
With the aim of using tools that implement their own HIPAA compliance measures, we selected MongoDB as one of our database providers. MongoDB has adapted its database services to ensure the protection of PHI as required by HIPAA. In particular, the database meets the requirements for user authentication and authorization, system security auditing, and encryption of data at rest.
Data encryption in transit
For data traffic between AWS EC2 instances, we use Amazon VPC with its integrated encryption mechanisms. For data exchange between the MongoDB database and external sources, we implement TLS/SSL encryption with the help of the stunnel TLS proxy, ensuring secure data traffic to and from the database.
For data caching, we use the Redis database, whose data traffic is encrypted with the help of the spiped utility.
High availability/Disaster recovery support
HIPAA requires HA/DR support for RDS instances to ensure the availability of the database during system failures or planned maintenance. We use the Multi-AZ deployment option provided by AWS, in which RDS instance replicas are automatically launched in other Availability Zones. With Multi-AZ, data is continuously synchronized between the primary RDS instance and its replicas, so that the replicated database is always up to date and can serve the data should the primary fail or otherwise become unavailable.
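The two infrastructure controls described above (encryption at rest for EC2 and RDS storage, and Multi-AZ deployment for RDS) can be verified from the AWS API rather than taken on trust. The following audit script is an added example written for this page; it is not Quickblox code. It works on dictionaries shaped like the boto3 `describe_volumes()` and `describe_db_instances()` responses; the sample responses and all resource identifiers in it are constructed placeholders, and in a real audit the dictionaries would come from those API calls.

```python
"""Audit AWS API output for two HIPAA-related infrastructure controls:
encryption at rest for EBS and RDS storage, and Multi-AZ deployment for RDS.

The response dictionaries below are constructed samples shaped like the
boto3 EC2 describe_volumes() and RDS describe_db_instances() results.
All resource IDs are placeholders, not real resources.
"""
from typing import Dict, List

# Constructed sample: one encrypted and one unencrypted EBS volume.
SAMPLE_VOLUMES = {
    "Volumes": [
        {"VolumeId": "vol-0example1", "Encrypted": True,
         "Attachments": [{"InstanceId": "i-0example1"}]},
        {"VolumeId": "vol-0example2", "Encrypted": False,
         "Attachments": [{"InstanceId": "i-0example2"}]},
    ]
}

# Constructed sample: one compliant RDS instance and one that is
# neither encrypted at rest nor deployed Multi-AZ.
SAMPLE_DB_INSTANCES = {
    "DBInstances": [
        {"DBInstanceIdentifier": "app-db-primary", "StorageEncrypted": True,
         "MultiAZ": True},
        {"DBInstanceIdentifier": "app-db-legacy", "StorageEncrypted": False,
         "MultiAZ": False},
    ]
}


def audit_volumes(response: Dict) -> List[Dict]:
    """Return one finding per EBS volume that is not encrypted at rest.

    Each finding records the instances the volume is attached to, because
    an unencrypted volume matters most when it backs a running application.
    """
    findings = []
    for vol in response.get("Volumes", []):
        if not vol.get("Encrypted", False):
            attached = [a.get("InstanceId") for a in vol.get("Attachments", [])]
            findings.append({
                "resource": vol["VolumeId"],
                "control": "ebs-encryption-at-rest",
                "attached_to": attached,
            })
    return findings


def audit_db_instances(response: Dict) -> List[Dict]:
    """Return findings for RDS instances lacking storage encryption or Multi-AZ.

    Both checks default to 'missing' when the key is absent, so an
    incomplete response is reported rather than silently passed.
    """
    findings = []
    for db in response.get("DBInstances", []):
        ident = db["DBInstanceIdentifier"]
        if not db.get("StorageEncrypted", False):
            findings.append({"resource": ident, "control": "rds-encryption-at-rest"})
        if not db.get("MultiAZ", False):
            findings.append({"resource": ident, "control": "rds-multi-az"})
    return findings


def is_compliant(volumes_response: Dict, db_response: Dict) -> bool:
    """True only when every volume and every database passes all checks."""
    return not (audit_volumes(volumes_response) or audit_db_instances(db_response))


if __name__ == "__main__":
    for finding in audit_volumes(SAMPLE_VOLUMES) + audit_db_instances(SAMPLE_DB_INSTANCES):
        print(f"FAIL {finding['control']}: {finding['resource']}")
    print("compliant:", is_compliant(SAMPLE_VOLUMES, SAMPLE_DB_INSTANCES))
```

Run against live API output, a script like this belongs in a scheduled job whose non-empty findings list is the alert, since a single newly created unencrypted volume or a Single-AZ instance restored from a snapshot is enough to break the at-rest and availability controls this page describes.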
We follow closely both the updates to the data protection regulations and the news on advanced security tools and discovered threats. With the aim of maintaining the maximum protection of our customers’ sensitive data, we use the most secure tools and adjust our policies and procedures when necessary.
Should you need more information on the security measures implemented in Quickblox products or on HIPAA compliance, in particular, contact us for a detailed discussion.