Open Source Risk in HITECH and HIPAA Compliance

You Need to Care About Open Source Risk in HIPAA and HITECH Compliance

Black Duck offers solutions that cut across a range of industries; lately I've seen growing interest from a new sector. These are healthcare technology (HealthTech) companies developing innovative cloud-based platforms that connect physicians, patients, payers and providers. What’s creating a sense of urgency for these new and fast-growing companies (including those with “unicorn” valuations) is their desire to be thorough in their Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health (HITECH) compliance as they grow in maturity and visibility.

Because these companies offer access to sensitive electronic health information from their web applications, HIPAA compliance is for them not merely an onerous regulation but something that can affect the very existence of the organization. This leads to the question: why do they come to Black Duck for help with HIPAA and HITECH?

HIPAA Compliance

Title II of HIPAA contains the HIPAA Security Rule. I’ll highlight in italics and comment on some of the relevant language:

Sec 164.308 (a)(1)(ii)(A): A covered entity must conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.

New HealthTech companies can grow from startup to billion-dollar valuations in under three years. They cannot do so without using open source components extensively to build their platform. We see open source powering the databases that store health records and electronic protected health information (ePHI), open source in their web application servers and open source in their web clients. If their codebase is over 50% open source, and they rely only on penetration testing and network security scanners to detect vulnerabilities, they are in fact NOT “conducting an accurate and thorough assessment […] of the potential risks and vulnerabilities…” These tools do not even have rules for many of the known vulnerabilities in open source code.

Companies were using twice as much open source as they reported prior to the audit.

Black Duck helps them conduct that assessment by creating an accurate inventory of all open source code (almost all Black Duck code scans uncover open source unknown to the organization) and mapping it to the tens of thousands of disclosed vulnerabilities in open source (and we find these nearly all the time as well).

Sec 164.308 (a)(1)(ii)(B): A covered entity must implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with Sec. 164.306(a).

These companies integrate Black Duck into their agile software development practices to ensure that during all stages of software development, from coding to testing to deployment in a production environment, they are fully aware of all vulnerabilities and can remediate them as soon as possible. Furthermore, they are covered by Black Duck’s “continuous monitoring” of newly disclosed vulnerabilities, so they are notified of new vulnerabilities without having to rescan their applications. This helps security teams head off potential breaches.
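As an added illustration of the two steps described above (an inventory of open source components mapped against disclosed vulnerabilities, then re-checking that stored inventory when a new advisory appears, without rescanning), here is a small matcher. This is example code, not Black Duck's product or data format; the component names, versions and advisory ids are constructed placeholders.

```python
# Added example (not Black Duck's code): a minimal open source inventory
# matched against a constructed vulnerability feed, then re-checked against
# a newly disclosed advisory without rescanning the application.
from dataclasses import dataclass

def parse_version(v):
    """Turn '2.7.10' into (2, 7, 10) so versions compare numerically."""
    return tuple(int(p) for p in v.split("."))

@dataclass(frozen=True)
class Advisory:
    advisory_id: str     # placeholder id, not a real CVE
    component: str
    introduced: str      # first affected version (inclusive)
    fixed: str           # first fixed version (exclusive)

def is_affected(version, advisory):
    """True when introduced <= version < fixed."""
    v = parse_version(version)
    return parse_version(advisory.introduced) <= v < parse_version(advisory.fixed)

def assess(inventory, feed):
    """Map each inventoried component/version to the advisories that hit it."""
    findings = {}
    for component, version in inventory.items():
        hits = [a.advisory_id for a in feed
                if a.component == component and is_affected(version, a)]
        if hits:
            findings[component] = hits
    return findings

def monitor(inventory, known_findings, new_advisory):
    """Continuous monitoring: re-evaluate the stored inventory against one
    newly disclosed advisory and return only components not already known."""
    new = assess(inventory, [new_advisory])
    return {c: ids for c, ids in new.items()
            if not set(ids) <= set(known_findings.get(c, []))}

# Constructed sample inventory (as a code scan might produce) and feed.
INVENTORY = {"webframework": "2.7.10", "dbdriver": "5.1.4", "jsonlib": "1.0.3"}
FEED = [
    Advisory("ADV-0001", "webframework", "2.0.0", "2.7.12"),
    Advisory("ADV-0002", "dbdriver", "5.0.0", "5.1.0"),
]
NEW_ADVISORY = Advisory("ADV-0003", "jsonlib", "1.0.0", "1.1.0")

if __name__ == "__main__":
    found = assess(INVENTORY, FEED)
    print("initial findings:", found)   # {'webframework': ['ADV-0001']}
    print("newly affected:", monitor(INVENTORY, found, NEW_ADVISORY))
```

The second call reports jsonlib without touching the application again, because the inventory from the original scan is what gets re-evaluated.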

HITECH Implications

The HITECH Act, seen as complementary to HIPAA, broadens HIPAA’s rules to affect more organizations, and imposes harsher penalties on non-compliance. It extends HIPAA rules and penalties beyond “covered entities” such as hospitals and insurance companies to “business associates” such as health information exchanges and software companies. These business associates must now follow the same breach disclosure requirements as well.

To cap it all off, there is the 563-page HIPAA Omnibus Rule released Jan. 17, 2013, which extends the definition of “Business Associate” to:

(IV)(A)(3)(ii). Inclusion of Health Information Organizations (HIO), E-Prescribing Gateways, and Other Persons That Facilitate Data Transmission; as Well as Vendors of Personal Health Records.

Get Ready for HIPAA Audits

This year, 2016, the US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) launched Phase 2 of the HIPAA Audit Program to audit all “business associates” to make sure appropriate security and risk management practices are in place. Specifically:

Does the entity have policies and procedures in place to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of all the electronic protected health information (ePHI) it creates, receives, maintains, or transmits?

Has the entity conducted an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of all the ePHI it creates, receives, maintains, or transmits?

To determine which security measures the entity implements, the covered entity or business associate should take into account the following factors:

  1. Its size, complexity, and capabilities.
  2. Its technical infrastructure, hardware, and software security capabilities.
  3. The costs of security measures.
  4. The probability and criticality of potential risks to ePHI.

Bottom line? If you are part of the explosion of innovative HealthTech companies, you owe it to your company to make sure broad use of open source code does not compromise the trust of the patients and partners you serve, and that you are ready when HHS shows up with an audit request.

Ask Black Duck how we can help.
