Peer to Peer Magazine

Spring 2016

The quarterly publication of the International Legal Technology Association

Issue link: https://epubs.iltanet.org/i/657874


WWW.ILTANET.ORG | BEST PRACTICES | Securing Apps for Regulatory Compliance

charges. You aren't going to see anyone going to jail for not being PCI compliant."

Selection and Risk Assessment

Now that you know more about the differences in regulations, let's assume the business has identified a legitimate business need for an app. For compliance, a risk assessment and analysis are required. See HIPAA - 45 C.F.R. § 164.308(a)(1)(ii)(A), FDIC - 12 C.F.R. § 364 App. B (III)(B) and GLBA - 16 C.F.R. § 314.4(b) for specifics. The risk assessment should be revised and updated on a regular and ongoing basis, and any planned implementation or change should also be considered in this context.

In a risk assessment, the focus is all the "bad" things that could happen, the likelihood of each happening and the assigned severity of harm if it happened. From those calculations, you establish the risk level. All identified risks must be addressed and mitigation strategies identified.

The selection process should help you identify the app features that accomplish the business need and, if it is not already on your features checklist, the security of the app. Resources to assist developers of HIPAA apps can be found at http://tinyurl.com/z6yyntn and https://github.com/truevault/hipaa-compliance-developers-guide. The security requirements of the regulation must be compared against the software and put through the risk assessment process.

The selection and risk assessment should be documented, because they are too difficult to scrutinize otherwise and you must have something to show if audited. Documentation is mandatory for HIPAA compliance. A senior partner once told me that compliance is like fifth-grade math: you do not get credit without showing your work.

Implementation

The implementation phase is very important. Although you might have selected the most secure app, if you do not put it in place correctly, all the protection and security might be for naught. Not only does the app need to be secured, but how the app connects to and passes data back and forth with the other IT systems and platforms also needs to remain secure. A common way to oversee the connections between these different IT environments is through mobile device management and encryption. These solutions give IT practitioners good tools to set up and manage the solution and address compliance concerns.

Management

It is not enough to just properly select and implement a secure app. Policies must be developed and adopted in conjunction with the implementation. The policies should reflect the regulations and the procedures developed for achieving compliance with a specific regulatory standard. There are also training requirements in the federal regulations that necessitate communicating the policies and procedures to the workforce. We cannot expect our personnel to know how to use our properly selected and well-implemented app if we do not train them on how to use it. Training should be documented and tracked as proof of compliance. Because e-learning delivers training asynchronously and reports on who has completed it, an effective learning management system is a useful part of a compliance solution.

Review

After the implementation and management phases, continually make sure the policies and procedures put in place are being followed. This can be an internal review, an external (third-party) review, or both. Remember that the regulatory requirement states that a risk assessment must be reviewed regularly, or whenever operational or environmental changes arise that affect the company and/or the technology utilized.

Keeping It Secure

When we ask whether an app is "secure" for either the health care or financial industry, the question is really the much broader one of compliance in general. Compliance requires addressing the technical aspects of the app's security as well as the implementation and organizational development aspects of keeping it secure. Technology and security risks can change in the blink of an eye, which requires us to treat compliance as an ongoing and moving target. Continuous monitoring and response are necessary to keep an app secure and compliant.

REGULATION REFERENCES

HIPAA: Sub-part C of 45 C.F.R. §164 addresses Security Standards for the Protection of Electronic Protected Health Information (ePHI), including 45 C.F.R. §164.306, the General Rules regarding the security standards, and the three subsections of the HIPAA regulations that specify administrative, technical and physical controls and standards for addressing security. See 45 C.F.R. §§164.308, 164.310 and 164.312.

Comparable standards and controls also exist for developing and implementing administrative, technical and physical safeguards within the financial industry. See 16 C.F.R. 314, Standards for Safeguarding Customer Information, and the Interagency Guidelines Establishing Information Security Standards found in 12 C.F.R. § 364 App. B.
