HIPPA as it Relates to the World Wide Web Consortium

World Wide Web consortium as it applies to HIPPA
Abstract
The government of the U.S.A. enacted the HIPAA in 1966. In the Information and Technology sector, the World Wide Web Consortium (W3C) is one of the standards. W3C has to ensure that, software, applications, and other web tools that are meant for use in the healthcare industry adhere to the set HIPAA guidelines. W3C standards have been able to strongly support the individualization of web tools through firm design guidelines and principles and solid web architecture. The HIPAA requires 128-bit encryption therefore; the W3C requires that this be the minimum encryption level. The W3C recommends that healthcare providers integrate security protocols that are effective to their network systems as required by the HIPAA. The W3C is a crucial party in the implementation of HIPAA policies and for healthcare providers to ensure effectively with HIPAA privacy policies
Introduction
In the modern marketplace, security standards and the compliance of the same has become an important issue for the success of an enterprise and it has become a stepping stone for attracting clients globally. In the Information and Technology sector, the World Wide Web Consortium (W3C) is one of the standards and its role includes development and interpolation of tools, guidelines, software, and specification that are crucial in facilitating the web realize its full potential (World Wide Web Consortium, 2017). Towards this role, and in particular, ensuring that clinical health-related data is handled securely, the W3C has to comply with the Health Information Portability and Accountability Act (HIPAA) of 1996 (Luxton, Kayl & Mishkind, 2012). This paper therefore will seek to establish how the W3C complies with the specifications laid down by the HIPAA. This will be done through a review of the responsibilities, duties, and work of the W3C in furthering the stipulations of the HIPAA.
The HIPAA – background and application
The government of the U.S.A. enacted the HIPAA in 1966 with the aim of giving mandate for the creation of national standards for the transaction of healthcare electronically. The objective of the HIPAA is to regulate through its privacy rule, the electronic transmission of data contained in healthcare records which are used by healthcare professionals, hospitals, and third parties e.g. insurance companies. In addition, the Act forbids the transmission of information on a patient’s health status to third parties, except those that are performing certain functions on behalf of the patient (Luxton et al., 2012). The Act, under Title II, provides policies, procedures, and guidelines for the maintenance of privacy and security of personal healthcare information. This section also sets out the punitive, both civil and criminal, measures for the violation of the rules governing health information of a patient.
However, the Acts allows for entities to disclose protected healthcare information to law enforcement authorities when required by law. In addition, patient’s health information can be disclosed to healthcare providers for purposes of treatment, payment, or other healthcare operations (Alshugran & Dichter, 2014). Any other authorizations for disclosure that are beyond the two provisions should be made in a written form.
In the modern day healthcare marketplace, as a result of advancement in IT, there is an increased transfer of health-related information, especially through doctor-patient Apps. Moreover, information in the network systems is vulnerable and hackers typically take advantage of their knowledge of web technology and access the protected data without the prerequisite authorization. According to statistics, persons today take advantage of web technology to access or transmit patient’s protected information for instance, web technology accounts for sox percent of HIPAA violations (Alshugran & Dichter, 2014; Luxton et al., 2012). It is to this end that, W3C has a critical role in the furtherance of HIPAA rules.
W3C and application of HIPAA
The mission of W3C is to assist individuals in the creation of technologies for humanity. To achieve this goal, W3C provides a platform for communication, business, and general understanding through the creation of standards and guidelines. Other activities W3C engages in include education, outreach, software development, and an open discussion forum (World Wide Web Consortium, 2017). W3C basic principles are to improve communication among persons through the development and maintenance of the World Wide Web regardless of location, language, and culture. Towards the realization its mission, W3C has to ensure that, software, applications, and other web tools that are meant for use in the healthcare industry adhere to the set HIPAA guidelines (Reay et al., 2012). As a result, W3C has to audit these web tools before they are published or lunched for use with the aim of ensure that patient information and health-related data is not compromised.
In the modern day IT environment, access to web tools has immensely grown as every person with a Smartphone, a tablet, interactive television, and some domestic appliances can access the web. W3C standards have been able to strongly support the individualization of web tools through firm design guidelines and principles and solid web architecture. Even though the increased access to web tools is an advantage, it also raises a concern on security and integrity of data (Wimalasiri, Ray & Wilson, 2005). Additionally, this threat is exacerbated by the fact that more healthcare facilities are today using the web for communication with patients and information is transferred across networks. Towards this end, W3C points out that, data security is essential towards ensuring the security of patient’s information.
In the field of telehealth platform, the protection of data and information on the patient is a primary concern. However, Luxton et al. (2012) acknowledges that the integrity of data can be compromised through the network system. In telehealth, some protected information is stored on the mobile device, and the patient can use the device to transmit this data to healthcare providers through the network systems. As a result, security bleaches can occur during the transmission through the network and the protected data exposed compromising not only the protected information, but also the entire network (Lautenschläger et al., 2015). To help healthcare providers observe the set guidelines, the American Telemedicine Association (ATA) has developed a guidance standard that healthcare providers required to adhere to so as to be in line with HIPAA.
Principle
Threat
Countermeasure implemented

Authentic
Spoofing
Username/password requirement, two-factor authentication, limited login attempts, IP-based request filtering, automatic logout on inactivity.

Integrity
Tampering
Penetration testing input validation, policies for installing software, systems to detect intrusion.

Accountable
Repudiation
Logging and auditing

Confidential
Information disclosure
Validation of input, site-based view, user training, TLS using server certificates, database encryption, encrypted backups.

Available
Service denial
Input validation, firewalls and virus scanners, detection of intrusion, sandboxing, backups, secure server room and fire extinguishers.

Authorization
Privilege elevation
Role-based controlled access, user account management, penetration testing.


Table 1. Common threats and possible control measures (adapted from Lautenschläger et al., 2015)
The W3C recommends that healthcare providers integrate security protocols that are effective to their network systems as required by the HIPAA. Some of the security measures recommended are summarized in table 1 above, with the common being encryption technology, and authentication tools. These tools protect data during transfer and prevent unauthorized access of patient’s information respectively (Lien et al., 2013). In particular, the HIPAA requires 128-bit encryption therefore; the W3C requires that this be the minimum encryption level. With the increased use of healthcare Apps, software encryption is used and allows for safe doctor-patient interaction through any network system. To further enhance security, it is required that these systems are transparent, seamless, and simple to the users and the healthcare provider should undertake the requisite measures to ensure privacy and data security.
The emergence of wireless technology created a security concern for healthcare providers for persons could share their health data over these networks. Patient information for example, credit card number, social security details, and other protected patient data can be transmitted through network system (Kim & Solomon, 2016). HIPAA requires that such information be protected. However, it is easier to monitor such information when transmitted through wireless networks e.g. Wi-Fi. As a result W3C required that HIPAA privacy rules be applied through the use of protected access Wi-Fi (World Wide Web Consortium, 2017). With the continued advancement in information technology, it is with no doubt that new privacy challenges are expected. As a result, the W3C has an established procedure to address an emerging privacy concerns, represented as an infograph in figure 1 below.

Figure 1. W3C working life cycle (adopted from Cheng & Hung, 2005)
According to Kim & Solomon (2016) and Cheng & Hung (2005), healthcare providers that use or plan to use web based tool need to comply with HIPAA privacy tool and the best way to adhere to the rule is by keeping to the primary concepts of data security – the CIA (Confidential, Integrity, and Available). In addition to keeping to these concepts, it is essential that the integrity of the network system is maintained high. W3C recommends that, the best way to maintain integrity of the network system is by adoption of applications that enhance controlled access and awareness of the security status of the system, and the data.
In the US, the American National Standards Institute (ANSI) is crucial in the promotion of patient data through the protection of the healthcare IT environment. It is the responsibility of the ANSI to ensure patients, the healthcare providers, and their information remains safe. It can therefore be argued that, the ANSI is the body tasked with the role of enforcing W3C and HIPAA privacy policies.
Conclusion
Healthcare providers are requires to adhere to the set privacy policies which includes HIPAA and W3C laws. W3C is critical in the protection of patient data for it lays down the standards that are to be used for web technology. Among the standards set by W3C are the HIPAA standards which are meant specifically for the healthcare sector. It is therefore suggested that, the W3C is a crucial party in the implementation of HIPAA policies and for healthcare providers to ensure effectively with HIPAA privacy policies, it is important that during the use of web based tools effective security systems are integrated with the aim of protecting patient’s information.


References
Alshugran, T., & Dichter, J. (2014, June). Toward a privacy preserving HIPAA-compliant access control model for web services. In Electro/Information Technology (EIT), 2014 IEEE International Conference on (pp. 163-167). IEEE.
Cheng, V. S., & Hung, P. C. (2005, July). Towards an integrated privacy framework for HIPAA-compliant web services. In E-Commerce Technology, 2005. CEC 2005. Seventh IEEE International Conference on (pp. 480-483). IEEE.
Kim, D., & Solomon, M. G. (2016). Fundamentals of information systems security. Jones & Bartlett Learning.
Lautenschläger, R., Kohlmayer, F., Prasser, F., & Kuhn, K. A. (2015). A generic solution for web-based management of pseudonymized data. BMC medical informatics and decision making, 15(1), 100.
Lien, C. Y., Yang, T. L., Hsiao, C. H., & Kao, T. (2013). Realizing digital signatures for medical imaging and reporting in a PACS environment. Journal of medical systems, 37(1), 9924.
Luxton, D. D., Kayl, R. A., & Mishkind, M. C. (2012). mHealth data security: The need for HIPAA-compliant standardization. Telemedicine and e-Health, 18(4), 284-288.
Reay, I., Beatty, P., Dick, S., & Miller, J. (2012). Do You Know Where Your Data Is? A study of the effects of enforcement strategies on privacy policies. IGI Global.
Wimalasiri, J. S., Ray, P., & Wilson, C. S. (2005, June). Security of electronic health records based on Web services. In Enterprise networking and Computing in Healthcare Industry, 2005. HEALTHCOM 2005. Proceedings of 7th International Workshop on (pp. 91-95). IEEE.
World Wide Web Consortium. (2017) World wide web standards. Retrieved from http://www.w3.org/ on 22 August 2017