Building HIPAA-Compliant Websites Using Joomla

Posted on 11-Apr-2017

TRANSCRIPT

2

Company History And Project Background

3

History
- Technology-oriented
- Joomla discovery
- Present and future

4

The Client
- Mental health provider
- Recent growth + expansion
- Networking
- Project funded with a grant

5

Basic Project Goal
- Online method to share patient information

6

General Process
- Listening
- Reading
- Notes
- Practice

7

HIPAA Introduction

8

Healthcare In The Digital Age
- Title I - Health Care Access, Portability, and Renewability
- Title II - Preventing Health Care Fraud and Abuse; Administrative Simplification; Medical Liability Reform

9

HITECH = Building On HIPAA
- Increased enforcement, penalties
- Breach notifications
- Patient access rights
- Incentives for ePHI adoption

10

What is HIPAA Compliance?
- There is no 'certification'
- HIPAA != PCI compliance
- Proactive and reactive

11

What Triggers HIPAA Compliance?
- ePHI - "Protected health information (PHI) is any information about health status, provision of health care, or payment for health care that can be linked to a specific individual."

12

Cost Prohibitive
- Hosting
- Extra security precautions
- Training and implementation

13

General Tech Costs
- AWS = ~$1,500 min, + ~$50+
- Joomla plugins/software = ~$120/yr
- Labor = ?
- Security = ?
- SSL = $70+ (letsencrypt.org)

14

Areas of Compliance

15

Pillars of HIPAA
- Security
- Privacy
- Enforcement
- Notification

16

Required vs. Addressable
- Required = required
- Addressable = one of:
  1. Implement
  2. Implement an equivalent alternative
  3. Not implement

17

Security Rule pt. 1
- Technical safeguards
  - Encryption
  - Backup
- Physical safeguards
  - Server / workstation
  - Transmission

18

Security Rule pt. 2
- Administrative safeguards
  - Access
  - Contingency

19

Privacy Rule
- UAC (user access control)
- Patient access rights

20

Enforcement
- Penalties
  - Civil: $100 min to $1.5mil max
  - Criminal: $50k to $250k each + up to 10 yrs

21

Notification
- Who is responsible?
- Requires most providers to send notice

22

HIPAA Compliance pt. 1 - Organizational Process

23

The Other Side of HIPAA
- Change the way you think
- Appoint responsible people
- Review policies regularly
- Training for ePHI

24

HIPAA Compliance pt. 2 - Server And Site Security

25

Security Part 1 - AWS
- Encrypted storage
  - EC2 - EBS
  - S3 - SSE
- Firewall
- Keyfile-based access

26

Security Part 2 - Webmin
- Automatic logging
- Anti-malware
- PCI compliance almost out of the box

30

PHP Lockdown
- allow_url_fopen
- allow_url_include
- output_buffering
- disable_functions
- open_basedir

31

Security Part 3 - Joomla
- Fine-grained UAC
- Field-tested API
- Plugins
  - Akeeba Backup (audit)
  - Akeeba Admin Tools

32

User Access Control
- Users
- User groups
- Viewing access levels

33

Joomla API

This (a raw mysqli connection with hard-coded credentials, as on the slide):

    $mysqli = new mysqli("localhost", "databasename", "databasepassword");
    if (mysqli_connect_errno()) {
        printf("Connect failed: %s\n", mysqli_connect_error());
        exit();
    }

Into this (the connection Joomla already holds, configured once in configuration.php):

    $db = JFactory::getDbo();
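What the "Into This" line grows into once a query for patient data is written against the Joomla 3 database API, as an added example that is not code from the slides. It assumes a hypothetical table #__patient_notes (columns id, patient_id, created_by, created, note) and a hypothetical component com_patients whose access.xml defines the ACL action phi.view; the logger file name is also an assumption.

```php
<?php
// Added example, not from the presentation. Assumed (not on the page): table
// #__patient_notes, component com_patients with ACL action 'phi.view', and a
// dedicated log file for ePHI access; Joomla 3.x API (JFactory, JLog).
defined('_JEXEC') or die;

// Route everything in the 'com_patients' log category to its own file so
// ePHI access records are easy to retain and review (HIPAA audit controls).
JLog::addLogger(array('text_file' => 'com_patients.access.php'), JLog::ALL, array('com_patients'));

/**
 * Return the notes for one patient, or throw if the current user may not view ePHI.
 */
function loadNotesForPatient($patientId)
{
    $user = JFactory::getUser();

    // Minimum necessary: check the component's ACL action before touching ePHI.
    if (!$user->authorise('phi.view', 'com_patients')) {
        JLog::add('Denied phi.view for user ' . (int) $user->id, JLog::WARNING, 'com_patients');
        throw new RuntimeException('Not authorised to view patient notes', 403);
    }

    $db    = JFactory::getDbo();
    $query = $db->getQuery(true)
        ->select($db->quoteName(array('id', 'created_by', 'created', 'note')))
        ->from($db->quoteName('#__patient_notes'))
        // Cast the id and quote every identifier: the driver never sees raw request input.
        ->where($db->quoteName('patient_id') . ' = ' . (int) $patientId)
        ->order($db->quoteName('created') . ' DESC');

    $db->setQuery($query);
    $rows = $db->loadObjectList();

    // Record who read which patient's records, but never the note text itself.
    JLog::add(
        sprintf('User %d read %d notes for patient %d', (int) $user->id, count($rows), (int) $patientId),
        JLog::INFO,
        'com_patients'
    );

    return $rows;
}

// Typical call site in a controller, with the id read through Joomla's input filter:
// $notes = loadNotesForPatient(JFactory::getApplication()->input->getInt('patient_id'));
```

The raw mysqli version on the slide gives you only a connection; the Joomla driver also supplies quoting, the shared configuration, and a place to hang the ACL and audit logging that the Security and Privacy Rule slides call for.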

34

Akeeba Admin Tools

38

Assembling The Tools

39

Platforms
- AWS (Amazon Web Services)
- Webmin / Virtualmin
- Joomla
  - Fabrik

40

Other Tools
- VirtualBox
- FileZilla
- TextPad
- Artisteer
- PuTTY

41

Setting Up An EC2 Instance

42

AWS Process
- Research needed infrastructure
  - Web server (dedicated): what specs do I need?
  - Backup (S3): how much space do I need?

43

AWS Services
- EC2
  - Free tier
  - M3 for encrypted storage: 1 CPU, 3.75 GB RAM, 10GB/10GB
- S3

51

Setting Up Virtualmin/Webmin

52

Let It Do The Work
- Download the install script (wget/curl)
- Run the install script
- Grab a drink

53

Virtualmin Process
- Provision the site
- SSL
- S3 backups
- PHP

55

Setting Up Joomla

57

Joomla Process
- Create a theme with Artisteer
- Install and configure basic utility components
  - Akeeba Backup
  - Akeeba Admin Tools
- Install the application tool
  - Fabrik

58

Artisteer Themes
- Makes the process more aesthetic-focused, rather than programmatic
- Allows for painless experimentation
- May not get you to 100%, but gets it to at least 90%

59

Fabrik
- Web app creation tool
- Existing plugins (file upload)
- Lots of code samples online
