Features
HipaaChecker Features
UNIQUE USER ID TRACKING
PHI EMERGENCY ACCESS
SESSION MANAGEMENT
ENCRYPTION AND DECRYPTION
PREVENT UNAUTHORIZED PHI ALTERATION AND DESTRUCTION
INTEGRITY CONTROLS OVER TRANSMISSION
PHI ENCRYPTION
ACCESS CONTROL
AUTOMATIC LOGOFF (Addressable) - § 164.312(a)(2)(iii)
Sample session management questions for a software system to consider:
Do current information systems have an automatic logoff capability?
Is the automatic logoff feature activated on all workstations with access to ePHI?
HIPAAChecker to validate your session management
When choosing a session management method, factors such as security requirements, scalability needs, compatibility with client technologies, and performance considerations should be taken into account. HIPAAChecker identifies the following methods for managing sessions in your codebase and reports whether each is appropriate:
Session data is stored on the server side, typically in memory or a server-side storage system like a database or a cache. It can be more resource-intensive for the server, especially in scenarios with a large number of concurrent sessions.
This method involves using secure tokens, such as JSON Web Tokens (JWT) or opaque tokens generated by the server. If the token is signed and encrypted, token-based session management improves security and flexibility.
HIPAAChecker identifies whether session cookies (which expire when the browser is closed) are present in the front-end web-based application. The client's browser includes the session cookie in the request headers, allowing the server to identify the user's session.
Sometimes, HTML forms-based web applications store session IDs in a hidden form field and submit them with each form submission. This method is computationally expensive and insecure.
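The following is an added example, not HIPAAChecker's code, showing the two pieces the section above describes working together: a server-side session store that enforces an idle timeout (the server-side half of automatic logoff under § 164.312(a)(2)(iii)) and a non-persistent session cookie carrying the session id, plus a small checker that flags the cookie attributes a review would look for. The 15-minute idle limit, the 8-hour absolute limit, the cookie rule set and all function names are assumptions made for illustration.

```python
"""Server-side session store with idle-timeout (automatic logoff) and a
session-cookie attribute check. Added example; not HIPAAChecker's code.
The timeout values and the cookie rule set below are assumptions."""
from __future__ import annotations

import secrets
import time
from dataclasses import dataclass, field
from http.cookies import SimpleCookie

IDLE_TIMEOUT_SECONDS = 15 * 60        # assumed policy value, not from the page
ABSOLUTE_TIMEOUT_SECONDS = 8 * 3600   # assumed: end the session regardless of activity


@dataclass
class Session:
    user_id: str
    created_at: float
    last_seen: float
    data: dict = field(default_factory=dict)


class SessionStore:
    """In-memory server-side store keyed by an unguessable session id."""

    def __init__(self, clock=time.time):
        self._sessions: dict[str, Session] = {}
        self._clock = clock            # injectable so timeouts can be tested

    def create(self, user_id: str) -> str:
        sid = secrets.token_urlsafe(32)   # 256 bits of entropy; never derived from user data
        now = self._clock()
        self._sessions[sid] = Session(user_id, now, now)
        return sid

    def touch(self, sid: str) -> Session | None:
        """Return the live session for sid, or None after revoking an expired one.

        Idle longer than IDLE_TIMEOUT_SECONDS, or older than
        ABSOLUTE_TIMEOUT_SECONDS, ends the session on the server regardless
        of whether the client still holds the cookie.
        """
        session = self._sessions.get(sid)
        if session is None:
            return None
        now = self._clock()
        if (now - session.last_seen > IDLE_TIMEOUT_SECONDS
                or now - session.created_at > ABSOLUTE_TIMEOUT_SECONDS):
            self.destroy(sid)
            return None
        session.last_seen = now
        return session

    def destroy(self, sid: str) -> None:
        self._sessions.pop(sid, None)   # explicit logout or forced logoff

    def active_count(self) -> int:
        return len(self._sessions)


def session_cookie_header(sid: str) -> str:
    """Build a Set-Cookie line for a non-persistent session cookie.

    No Max-Age/Expires means the browser discards it when closed (a session
    cookie as described above); Secure, HttpOnly and SameSite limit exposure.
    """
    c = SimpleCookie()
    c["sid"] = sid
    c["sid"]["secure"] = True
    c["sid"]["httponly"] = True
    c["sid"]["samesite"] = "Strict"
    c["sid"]["path"] = "/"
    return c.output(header="Set-Cookie:").strip()


def check_session_cookie(set_cookie: str) -> list[str]:
    """Return findings for one Set-Cookie line; an empty list means it passes.

    The rule set is an assumption for this example, not HIPAAChecker's.
    """
    line = set_cookie.split(":", 1)[1] if set_cookie.lower().startswith("set-cookie:") else set_cookie
    parts = [p.strip() for p in line.split(";")]
    attrs = {}
    for part in parts[1:]:             # parts[0] is name=value
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip().lower()
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure: cookie may be sent over plaintext HTTP")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: cookie readable by page scripts")
    if attrs.get("samesite", "") in ("", "none"):
        findings.append("SameSite absent or None: cookie sent on cross-site requests")
    if "expires" in attrs or "max-age" in attrs:
        findings.append("persistent cookie: survives browser close, so it is not a session cookie")
    return findings


if __name__ == "__main__":
    store = SessionStore()
    sid = store.create("clinician-42")                      # constructed user id
    print(session_cookie_header(sid))
    print(check_session_cookie("Set-Cookie: sid=abc; Path=/; Max-Age=86400"))  # constructed weak header
```

The clock is injected so the idle-timeout path can be exercised without waiting; in production the default `time.time` is used. Pair the server-side timeout with a client-side inactivity timer that clears the screen, since the server alone cannot blank a workstation that still shows ePHI.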