Identity theft is a growing problem in the US. Every organization coming into contact with personally identifiable information, or special confidential information as is covered in HIPAA, must make a greater effort to protect this data or risk being held legally liable. Security is an absolute requirement for any multi-employer website that delivers HIPAA compliant information. At the same time, limited administrative budgets and participant expectations are driving demand for access to such information through web portals or mobile apps. While providing member access is increasingly a core fund function, to the imperative to keep member and fund information secure remains.
Taft-Hartley portals, which often communicate complex concepts such as eligibility, are particularly challenged. Just as every fund offers unique benefits, each fund needs to communicate benefit information to its participants in a manner that is tailored to their particular needs and expectations. A smart technology solution syndicates best practices in interface design with a robust security architecture, while optimizing long-term total solution cost.
Multi-employer benefit fund websites built on a core MVC software “frameworks” that features a series of reusable, tested software modules reduce upfront development time and cost. At the same time, by virtue of such frameworks structure, they allow for cost effective customizations and help your chosen solution remain “future” proof.
MVC frameworks should support increasingly commonplace architecture features such as APIs and other types of integration by allow portals to be developed with Software Oriented Architecture (SOA) principles. API connectivity should utilize best practices in security such as bi-directional SSL authentication and encryption, as well as network level filtering such as IP filtering.
Portals should also employ the following security standards at the software, database, and infrastructure layers to protect Funds’ websites from security breaches and its data from being access by unauthorized individuals:
- Only allowed characters in input forms will be accepted. All other characters will be stripped.
- In HTML “form action” scripts, before working with variables, un-taint the input values using “allowed characters” list. That means allowed character white-listing, not un-allowed character black-listing.
- Use CAPTCHA for registration and any non-secure forms
- Allow user to only select, insert, update, delete (not all privileges, like drop, execute, etc.)
- Avoid use of free 3rd party libraries and, if used, isolate from direct access to the database storing PHI
- Configure website session timeouts to occur after 10 minutes for web site users
- Error messages to be coded so when returned back to the site in case of any error, no information about installed software is displayed in Error 404 Page not found messages.
- Redirect user to custom made error page using htaccess
- Do not display information about the system setup, sql, apache and other software
- Use of SSL certificates during user login and while access secure portions of the site
- Use of SSL encryption during data transfers, ideally with bi-directional authentication
- Encryption of sensitive / PHI data at rest, preferably on a server separated from the web serve
- Implementation of monitoring on any web and database servers to detect unusual server activity
Security is an absolute requirement for any multi-employer website that delivers HIPAA compliant information. Learn more about our secure portal solutions here.