Sorry, not available in this language yet

English
日本語
简体中文

AppSec SaaS Platform | Integrated, cloud-based AST solution optimized for development and DevSecOps teams.
AppSec IDE Plug-ins | Secure code as you write it in your IDE
Software Risk Management | Manage application security programs at enterprise scale
DevSecOps Integrations | Integrate AppSec tools into DevOps workflows

Static Analysis (SAST) | Address security and quality defects in code as it's being developed
Software Composition Analysis (SCA) | Secure and manage open source risks in applications and containers
Interactive Analysis (IAST) | Automate web security testing within your DevOps pipelines
Dynamic Analysis (DAST) | Continuous web application security testing in production.
Penetration Testing | Identify business-critical vulnerabilities with on-demand testing expertise.
Protocol Fuzzing | Identify defects and zero-day vulnerabilities in services and protocols

Program Strategy & Planning | Measure, scale, and optimize your AppSec program
Threat & Risk Assessments | Understand and address internal and external security risks
Security Training | Equip development teams with the skills they need to produce more secure software
Implementation & Deployment | Optimize utilization, management and deployment of AppSec tools
Security Testing Services | On-demand AppSec testing resources and expertise

Open Source & Security Audits | Comprehensive technical due diligence services for M&A

Manage Software Risk | Manage software risk at the speed your business demands.

Dev and DevOps Teams | Build secure software while maintaining developer productivity and pipeline velocity.
Security Teams | Align people, processes, and technology to minimize software risk and transform your business.
Legal Teams | Solutions to protect your IP and manage risk.

API Security Testing | Manage software risks with a holistic API security testing program.
Application Security Testing | Solutions to address security risks at all stages of the application life cycle.
DevSecOps | Solutions to help shift security left without slowing down your development teams.
Software Supply Chain Security | Solutions to identify and manage software supply chain risks end-to-end.
Cloud & Container Security | Optimize your applications for secure deployment and operation in the cloud
Open Source Security & License Management | Effective solutions for ensuring open source security and license compliance
Malicious Code Detection | What hidden threats are lurking under the surface of your code?
M&A Due Diligence | Identify software risks that could negatively impact the value of acquired IP.
Quality & Security Standards Compliance | Ensure your software complies with the standards critical to customers and regulators

Financial Services | Protect sensitive customer and financial data from rapidly evolving security threats.
IoT & Embedded | Ensure your embedded and IoT devices are safe, secure, and reliable.
Automotive | Build software security & reliability into the modern connected car.
Telecommunications | Create seamless and safe mobile experiences, from silicon to software.
Aerospace & Defense | Solutions for automating mission-critical development.
Public Sector | Application security for government agencies and their suppliers.
Medical Device | Safeguard medical devices and applications.

AppSec Program Strategy News | Get insights from Synopsys cybersecurity experts on building a security program.
DAST News | Expert insight on dynamic analysis (DAST).
IAST News | Expert insight on interactive analysis (IAST).
SAST News | Expert insight on static analysis (SAST).
Open Source and Software Supply Chain News | Discover open source and software supply chain risk management tips and best practices.
Fuzz Testing News | Learn more about fuzz testing, including instrumentation techniques and best practices.
Security and Developer Training News | Articles on security and developer training to help strengthen your team’s knowledge around security
Software Composition Analysis News | Expert insight on software composition analysis (SCA).
Security Risk News | Read the latest information on how to manage application security risks.
Security Research News | Get an analysis of today’s application security news and research.

Case Studies | Application security customer stories
eBooks | Browse the latest ebooks on software security trends and best practices
Glossary | Glossary of Application Security, EDA & Semiconductor IP terms
Reports | Browse the latest application security reports from Synopsys and industry-leading analysts.
Webinars | Browse the latest webinars on application security solutions, trends, and strategies.
White Papers | Access the latest white papers for technical knowledge on application security solutions.

Overview | Learn more about the Synopsys Cybersecurity Research Center.
Research | Access the latest first-party research and analysis from the Synopsys Cybersecurity Research Center.

Press Releases | Browse our most recent news releases.

HIPAA

HIPAA Compliance and Software Security

Benchmark your software security program

Table of Contents

What is HIPAA?
HIPAA compliance and software security
What problems does HIPAA compliance solve?
How can an organization become HIPAA compliant?
What to read next

Definition

The Health Insurance Portability and Accountability Act (HIPAA) was established by Congress in 1996. The legislation was passed to improve the efficiency of the United States healthcare system. It does so by standardizing best practices for maintaining the security and privacy of healthcare data. HIPAA required the United States Department of Health and Human Services (HHS) to create new regulations addressing this data. Thus far, the HHS has released two documents, the Privacy Rule and the Security Rule.

The Privacy and Security Rules define requirements for handling all electronic personal health information (e-PHI). Personal health information (PHI) represents any health data that includes identifying information (e.g., name, address, health conditions). Further, under HIPAA, healthcare organizations can no longer request Social Security numbers (SSN) as part of their data collection.

In 2009, the U.S. Congress also passed the Health Information Technology for Economic and Clinical Health (HITECH) Act. This legislation creates definitions for the meaningful use of electronic health records (EHR) that contain PHI. The HITECH Act requires healthcare organizations to report suspected breaches. Increasing awareness around healthcare-related data breaches also prompted Congress to pass the HIPAA Omnibus Rule in 2013. This rule defines required security controls. These controls aim to strengthen the original protections within the HIPAA Privacy and Security Rules.

Covered Entities. HIPAA defines rules for all healthcare organizations (also known as covered entities) that store or transmit PHI data. Covered entities can include health plans, healthcare providers, or individuals assisting with healthcare. HIPAA also acknowledges that covered entities occasionally need to disclose PHI to business associates that support health services.

With the passing of the HITECH Act and HIPAA Omnibus Rule, business associates must adhere to HIPAA requirements in the same fashion as a covered entity. As such, covered entities must get written assurances from business associates that appropriate controls are in place.

What does HIPAA compliance have to do with software security?

The HIPAA Security Rule defines controls that must be implemented to protect PHI. This requires the implementation and documentation of administrative, physical, and technical safeguards. The technical safeguards require appropriate access, audit, and encryption controls. Software handling PHI must have these controls in place and they must be documented.

Conducting tests to ensure an implementation is performed appropriately in software that stores or transmits e-PHI demonstrates that HIPAA-required controls are successfully in place. Provision 164.308(a)(8) of the HIPAA Security Rule requires organizations that transmit and store PHI to regularly perform technical and non-technical evaluations of these systems.

Synopsys can help organizations meet the software security-related regulations set by HIPAA. We can assist in evaluating an organization's overall control environment to determine if the various HIPAA Security Rule requirements are met.

What problems does HIPAA compliance solve?

Any organization handling healthcare data or PHI must ensure that their security program and software controls address the requirements of the HIPAA Security and Privacy Rules. Covered entities that meet these rules are able to process, store, and transmit PHI without fear of civil or criminal penalties.

Note that HIPAA rules establish a minimum standard for the implementation of IT and software security controls. Without these rules, organizations processing PHI have no specific requirements protecting their healthcare data (i.e., for maintaining the confidentiality, integrity, and availability of the data).

The enforcement of HIPAA standards by the U.S. federal government ensures that organizations take the implementation of PHI controls seriously. It also ensures that consumers of healthcare in the U.S. have an outlet if their PHI is mishandled.

How can an organization become HIPAA compliant?

Get started by establishing whether or not your organization is a covered entity. Once PHI is identified within an organization’s software or systems, a review of the covered entity’s security policies and procedures is the next step to identify gaps and implement controls.

The Health Information Trust Alliance (HITRUST) offers a common security framework (CSF) to help organizations implement HIPAA-required controls necessary for compliance. The HITRUST CSF allows for self-assessment to implement appropriate controls. However, some organizations may require a validated assessment that is performed by a HITRUST assessor. This assessment must then be submitted to the HITRUST organization for review and approval. Failure to achieve a HITRUST certification may prevent certain HIPAA-regulated organizations from receiving PHI from organizations requiring HITRUST compliance in their documented security requirements for third parties.

If a violation is reported to the OCR, your organization must be responsive to requests for evidence of HIPAA-required controls. Perform external reviews of your security program and implement technical assessments to demonstrate adherence.

Implement at least the minimum required testing and controls defined by HIPAA. Risks to PHI and the covered entity extend beyond checking a compliance box. As threats to privacy and security evolve and expand, expectations for implementing reasonable controls required by HIPAA will also continue to expand. The easiest way to handle evolving expectations is to be one step ahead.

Continue reading

Solution

Application Security Solutions for Healthcare

Ensure your medical devices and applications meet patient expectations and comply with regulations.

Learn more

Research Paper

Securing Connected Medical Devices for FDA Submissions

Explore the security and regulatory landscape of medical devices and best practices for meeting FDA guidelines

Learn more

Blog

Medical Device Security Best Practices

Learn about the latest trends, compliance requirements, and tools and services to ensure that you’re delivering the highest-quality medical device software.

Learn more

HIPAA

Definition

What does HIPAA compliance have to do with software security?

What problems does HIPAA compliance solve?

How can an organization become HIPAA compliant?

Continue reading

Application Security Solutions for Healthcare

Securing Connected Medical Devices for FDA Submissions

Medical Device Security Best Practices

Questions about application security?

Corporate Headquarters

Customer Support

Worldwide Location

Legal