HIPAA, Django and User Authentication/Security


Glen Jarvis

Mar 12, 2009, 3:45:50 PM
to django...@googlegroups.com
I have a customer who has a Django application that I have upgraded to Django 1.1.

The customer wants to take this software in a more public arena. He has to get HIPAA approval. The data is stored in a MySQL database and the standard Django User Authentication model is used (out of the box with no changes). Since security is a concern for the customer, I wanted to find all information from HIPAA regarding the Django User Authentication/Sessions security model before I did more work. I expected to see documents that they have approved this model in the past. But, I'm getting caught in all types of minutia and can't seem to find information directly relating to HIPAA's criteria for web security and Django User Authentication.

I only found one security report (and it wasn't related to session login at all):

07.45.60 CVE: Not Available
Platform: Web Application
Title: Django i18n Remote Denial of Service
Description: Django is a Python-based framework for building web
applications. The application is exposed to a remote denial of service
issue because it fails to adequately handle user-supplied input. This
issue affects the "i18n" internationalization system when processing
specially crafted "Accept-Language" HTTP requests. Django versions
0.91, 0.95, 0.95.1, and 0.96 are affected.

Does anyone know where to find such "stamp of approval" or "denial" from HIPAA's point of view? I can find no specific links to Django from hippa.org. Which governmental agency site should I be searching for with regard to Open Source and security?

Thanks in advance for any direction you can lead me in (where to go or who to talk to),

Cheers,


Glen
--

"You must be the change you wish to see in the world." -M. Gandhi

Mario

Mar 12, 2009, 5:54:15 PM
to Django users
Jarvis,

If you are looking for a 'Stamp of Approval', you may be looking in
the wrong place. Django is an "Open Source" web framework which hasn't
been formally certified and accredited by the US Government. You speak
of HIPAA, which translates to FISMA requirements. I assume your web
application, i.e. MySQL, will be storing Personally Identifiable
Information (PII) such as SSNs, etc. In this case, you may have a tough
battle getting your web application approved. Nevertheless, there are
sites out there which may help you get started.

Check out the following websites:

http://www.commoncriteriaportal.org/
http://www.mitre.org/

Good luck! Let me know if I can further assist you.

Cheers.

Peter Herndon

Mar 12, 2009, 6:18:16 PM
to django...@googlegroups.com
Hi Glen,

I am not a lawyer, so please bear that in mind. However, I do work
for a major hospital, and have some experience with making IT systems
compliant with HIPAA regulations. That said, it's been a few years
since I was involved in that directly. So my experience may well be
out of date.

On Thu, Mar 12, 2009 at 3:45 PM, Glen Jarvis <gl...@glenjarvis.com> wrote:

> The customer wants to take this software in a more public arena. He has to
> get HIPAA approval.

The above is incorrect. HIPAA itself does not provide anything like a
pre-approval process. Instead, the health care organization is
subject to audit by FDA/HHS auditors. These auditors will require the
organization to provide policy manuals that state how the application
complies with HIPAA regulations regarding privacy of Protected Health
Information, access control and security. The auditors will then
require the organization to provide any and all logs from the
application in order to check said compliance. If the organization
fails to provide either the written policies or the logs, or if the
logs contradict the policies, then monetary penalties can be assessed.
If I remember correctly, there are regulations about what must be
logged, also. If the application provides insufficient logging, that
too can be problematic. If an audit occurs while a system is in the
process of being developed, the auditor will make a note of it (and
not expect any policies/logs/etc.) and on the next visit, you can
expect them to ask about that system specifically.

> The data is stored in a MySQL database and the standard
> Django User Authentication model is used (out of the box with no changes).
> Since security is a concern for the customer, I wanted to find all
> information from HIPAA regarding the Django User Authentication/Sessions
> security model before I did more work.

I doubt you will find much information regarding Django's auth
framework and its HIPAA compliance, or lack thereof. The auth
framework in its own right makes no claims to HIPAA compliance, and
Django out-of-the-box doesn't implement sufficient logging (in my
I'm-not-an-auditor opinion). You would need to add the necessary
logging. Not a hard task. But you will need to acquire a fairly
substantial knowledge of HIPAA requirements in order to figure out
what's necessary and what goes too far.

The point is that any organization using Django in a HIPAA-compliant
situation is going to have done their own assessment of the resulting
app (or have hired HIPAA consultants to assess). They will have had
to build into the app certain policies, certain ways of approaching
the information they manage. And they'll have done it themselves.
Django itself isn't billed as being HIPAA-compliant. Technologies or
products that do sell themselves as HIPAA-compliant put themselves in
legal jeopardy if a health organization purchases that product, uses
it per the documentation, and is found not to be in compliance. So
don't expect any open source technology to advertise compliance.
Instead, expect at most a pointer to "our technology was implemented
in a compliant fashion by X".

> I expected to see documents that they
> have approved this model in the past.

As per above, HIPAA doesn't approve individual technologies. They
audit and approve sets of policies and the implementation of those
policies in a given organization.

> Does anyone know where to find such "stamp of approval" or "denial" from
> HIPAA's point of view?

I doubt you'll find such.

> I can find no specific links to Django from
> hippa.org.

For the benefit of non-healthcare folks, the site is http://www.hipaa.org/.

> Which governmental agency site should I be searching for with
> regard to Open Source and security?

None that I know. I am perhaps out of date, though.

> Thanks in advance for any direction you can lead me in (where to go or who
> to talk to),

Based on my previous experience, I don't believe there is an easy
answer. If you have lots of time, and little money, one way to solve
the issue is to read HIPAA and the various recommendations for
implementation, and do-it-yourself. The other option, if you have
money but less time, is to hire a consulting group that specializes in
HIPAA, and have them distill things for you. You'll still have to do
the implementation, but they'll give you a plan and check your
results.

If you can afford the time to learn it yourself, expertise in HIPAA
implementations can be a very lucrative specialty. $75k on a short
consulting engagement, versus $20,000,000 in fines. Hospitals will
always pick the former, assuming they choose to do the project at all.

For what it's worth, I believe a system built with Django could be
implemented in a way that complies with HIPAA privacy and security
regulations. I don't even think it would be that hard to do. HIPAA
is more about the organization having in place policies that comply,
and the system expressing those policies. A lot of compliance is
subject to interpretation; there's some leeway as to what is and what
isn't compliance.

Also for what it's worth, I have a suspicion that if your customer is
already using that Django application to store production patient
information, that system is already subject to HIPAA regulations,
regardless of whether it is public or not. As a hint, test data
should absolutely NOT be real patient info. Use obviously fake
patients, e.g. "Daffy Duck, MRN 123456789". Disclosure of real
patient data from a test system is still disclosure, and subject to
penalties. And since security policy enforcement is usually less on a
test system ("Oh, sure, I'll show you how it works on test, no
problem!"), the chances of disclosure are higher.

---Peter Herndon
http://spookypony.com
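Peter's point above is that Django's auth framework does not, by itself, emit the login/logout/failed-login records an auditor will ask for, and that adding them is not hard. The following is an added example of one way to do that, not code from this thread or from Django. It hooks Django's real `user_logged_in`, `user_logged_out` and `user_login_failed` signals when Django is importable; the event names, the `audit` logger name, the record fields and the `demo_records` sample run are this example's own choices, and the sample request metadata and credentials are constructed, not captured. Django passes `user_login_failed` a credentials dict with the password already masked, but the helper records only the username regardless, so nothing secret reaches the log.

```python
"""Audit logging for Django authentication events.

Added example, not code from the thread or from Django: one way to emit the
login/logout/failed-login records an auditor would ask for. Event names, the
"audit" logger name and the record fields are this example's own choices.
"""
import json
import logging
from datetime import datetime, timezone

# Route this logger to append-only or remote storage via LOGGING in settings;
# the name "audit" is an assumption of this example.
AUDIT_LOGGER = logging.getLogger("audit")


def build_audit_event(event, username, meta, success, now=None):
    """Build one structured audit record.

    `meta` is a WSGI/Django request.META-style dict. Only the attempted
    username is recorded, never the credential itself, and never any PHI.
    REMOTE_ADDR is the TCP peer; behind a reverse proxy substitute whichever
    header that proxy is known to set, never a header the client controls.
    """
    ts = (now or datetime.now(timezone.utc)).isoformat()
    return {
        "ts": ts,
        "event": event,
        "user": username,
        "success": success,
        "src_ip": meta.get("REMOTE_ADDR"),
        "user_agent": (meta.get("HTTP_USER_AGENT") or "")[:200],
        "path": meta.get("PATH_INFO"),
    }


def format_audit_line(record):
    """One JSON object per line with stable key order, for log shippers."""
    return json.dumps(record, sort_keys=True, separators=(",", ":"))


def audit(event, username, request, success, now=None):
    """Record an event for a (possibly absent) request and return the record."""
    meta = getattr(request, "META", None) or {}
    record = build_audit_event(event, username, meta, success, now)
    AUDIT_LOGGER.info(format_audit_line(record))
    return record


def audit_login_failed(credentials, request, now=None):
    """Log a failed attempt using only the username from `credentials`."""
    return audit("auth.login_failed", credentials.get("username"), request, False, now)


# Wire the helpers to Django's auth signals when Django is available. Import
# this module from an AppConfig.ready() so the receivers get registered.
try:
    from django.contrib.auth.signals import (
        user_logged_in, user_logged_out, user_login_failed)
    from django.dispatch import receiver
except ImportError:  # Django not installed: the helpers above still work
    receiver = None

if receiver is not None:
    @receiver(user_logged_in)
    def on_login(sender, request, user, **kwargs):
        audit("auth.login", user.get_username(), request, True)

    @receiver(user_logged_out)
    def on_logout(sender, request, user, **kwargs):
        audit("auth.logout", user.get_username() if user else None, request, True)

    @receiver(user_login_failed)
    def on_login_failed(sender, credentials, request=None, **kwargs):
        audit_login_failed(credentials, request)


class _FakeRequest:
    """Stand-in for HttpRequest so the demo runs without Django."""

    def __init__(self, meta):
        self.META = meta


SAMPLE_META = {  # constructed sample, not captured traffic
    "REMOTE_ADDR": "203.0.113.7",
    "HTTP_USER_AGENT": "Mozilla/5.0 (X11; Linux) Example/1.0",
    "PATH_INFO": "/accounts/login/",
}


def demo_records():
    """Replay a failed login, a login and a logout at a fixed time."""
    t = datetime(2009, 3, 12, 20, 45, 50, tzinfo=timezone.utc)
    req = _FakeRequest(SAMPLE_META)
    creds = {"username": "drduck", "password": "hunter2"}  # constructed
    return [
        audit_login_failed(creds, req, now=t),
        audit("auth.login", "drduck", req, True, now=t),
        audit("auth.logout", "drduck", req, True, now=t),
    ]


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO, format="%(message)s")
    demo_records()
```

Run as a script it prints three JSON lines; under Django the same functions fire from the signal receivers. Which fields are required, how long the lines must be retained and where they are shipped is the policy decision Peter describes, not something the code settles.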

Peter Herndon

Mar 12, 2009, 6:31:50 PM
to django...@googlegroups.com
> You speak
> of HIPAA which translates to FISMA requirements.

I suspect they are complementary, not equivalent.

> I assume your web
> application, i.e. MySQL, will be storing Personally Identifiable
> Information (PII) such as SSNs, etc. In this case, you may have a tough
> battle getting your web application approved.

Hmm, I was assuming Glen's customer was a healthcare organization. If
you are looking for approval for use by a government agency, in
addition to HIPAA compliance, that's well beyond my experience.

> Nevertheless, there are
> sites out there which may help you get started.
>
> Check out the following websites:
>
> http://www.commoncriteriaportal.org/
> http://www.mitre.org/

On quick perusal, MITRE seems to have an open source tool LAIKA that
checks electronic health records for interoperability compliance.
Good stuff, if interoperability is a requirement. My experience with
HIPAA pretty much predates interoperability, and was focused on the
privacy and security regulations.

---Peter

Mario

Mar 12, 2009, 7:17:15 PM
to Django users
Peter,

I don't disagree with you. However, based on Glen's security report
(I suspect they are using Nessus/Retina to produce the scan result,
i.e. CVE - Common Vulnerabilities and Exposures), his question was:

Does anyone know where to find such "stamp of approval" or "denial"
from HIPAA's point of view? I can find no specific links to Django
from hippa.org. Which governmental agency site should I be searching
for with regard to Open Source and security?

Response: No. Because Django is an "Open Source" Web Framework. You
can certainly write a wrapper to secure the transaction such as
implementing SSL in addition to encrypting the transactions during and
at rest using FIPS-140 or AES. Or you can simply hire Security
Engineers/Consultants. Either way, there is no way around it because
this is a compliance issue which is federally mandated.