Visible to the public Compliance Checking of Open Source EHR Applications for HIPAA and ONC Security and Privacy Requirements

TitleCompliance Checking of Open Source EHR Applications for HIPAA and ONC Security and Privacy Requirements
Publication TypeConference Paper
Year of Publication2019
AuthorsFarhadi, M., Haddad, H., Shahriar, H.
Conference Name2019 IEEE 43rd Annual Computer Software and Applications Conference (COMPSAC)
Keywordsadopted EHR application, certification, certification compliance, clinic visits, compliance checking, compositionality, convenient access, data privacy, digital versions, EHR applications, Electronic Health Record applications, electronic health records, Health Care, Health Information Technology certification criteria, Health Insurance Portability, HIPAA Compliance, HIPAA technical requirements, Information Reuse and Security, Medical services, ONC certification, ONC criteria, open source EHR applications, open source tools, OpenEMR, paper-based patient, patient medication, patient treatment plans, precise medical decision-making process, privacy, privacy criteria, Privacy Requirements, pubcrawl, regulatory requirements, Resiliency, security, security issues, security of data, security risks, security vulnerabilities, Servers, static analysis, static code analysis-based vulnerability, Tools
AbstractElectronic Health Record (EHR) applications are digital versions of paper-based patient's health information. They are increasingly adopted to improved quality in healthcare, such as convenient access to histories of patient medication and clinic visits, easier follow up of patient treatment plans, and precise medical decision-making process. EHR applications are guided by measures of the Health Insurance Portability and Accountability Act (HIPAA) to ensure confidentiality, integrity, and availability. Furthermore, Office of the National Coordinator (ONC) for Health Information Technology (HIT) certification criteria for usability of EHRs. A compliance checking approach attempts to identify whether or not an adopted EHR application meets the security and privacy criteria. There is no study in the literature to understand whether traditional static code analysis-based vulnerability discovered can assist in compliance checking of regulatory requirements of HIPAA and ONC. This paper attempts to address this issue. We identify security and privacy requirements for HIPAA technical requirements, and identify a subset of ONC criteria related to security and privacy, and then evaluate EHR applications for security vulnerabilities. Finally propose mitigation of security issues towards better compliance and to help practitioners reuse open source tools towards certification compliance.
Citation Keyfarhadi_compliance_2019