This is a secure, encrypted, HIPAA-compliant Web Browser designed specifically for Healthcare requirements. It is capable of reading and writing into active Web Sessions using only front-end technologies. The application uses its multi-view interface to let users register into multiple sessions in a compliant and secured way and run macro-commands across any number of Web Applications at the same time. Using these methods, Shadowbox can transfer data between applications through their front-end interfaces and automate their inner operations based on user-generated or application-triggered events.
The Health Insurance Portability and Accountability Act (HIPAA) of 1996 is a US law designed to provide privacy standards to protect patients' medical records and other health information provided to health plans, doctors, hospitals and other health care providers. Specifically, the privacy rule sets standards for electronic patient health information (ePHI) data protection as follows:
- Access Control: Unique User Identification, Emergency Access Procedures, Automatic Logoff, Encryption and Decryption
- Audit Control: Software and procedural mechanisms to record and examine activity whenever ePHI is accessed
- Integrity: Prohibit improper modification of ePHI during transmission
- Authentication: Procedures to ensure user access to ePHI is by a validated user
- Transmission Security: Ensure a mechanism to encrypt ePHI whenever appropriate
However, there is no controlling government or government-delegated authority setting specific standards, protocols, or accreditation as to whether or not compliance is achieved. There is a cottage industry of HIPAA auditors, who charge medical practices many thousands of dollars for a security review, training, and compliance implementation programs, but even these have no set standards.
Therefore, software providers (primarily of electronic health records, billing systems, laboratory information systems, etc.) each independently create systems that they validate as being compliant. While many of these systems do meet all of the requirements listed above, we have found that many of them do not. Additionally, as soon as any one of these otherwise compliant systems is accessed from a commercial browser such as Chrome, Explorer, or Firefox, it is no longer compliant.
Thus the idea: create the first secure, encrypted, HIPAA-compliant browser with built-in intelligent features that sets a higher standard for electronic privacy and protection, ensures that access to web applications utilizing ePHI is consistently compliant, and adds features that reduce the ability of users to inadvertently (and in many cases intentionally) disclose ePHI. Due to the existing security architecture and atypical platform upon which Shadowbox is built, we can accomplish these objectives with relatively small modifications to current development plans.
Currently, any Web Application declared HIPAA Compliant by software vendors becomes non-compliant or vulnerable as soon as it is displayed in a web browser. All currently available Web Browsers allow saving, downloading, printing or viewing any secured content or source. Some web applications attempt to address these issues by making it more difficult for users to perform “Save Page as…” functions, as one example. They do so by using client-side scripts, but because it is expensive, difficult, and not subject to an enforcement action, very few opt to do so. More broadly speaking, HIPAA compliance rules prohibit the local storage of ePHI in any readable format. Therefore, the “Save Page as…” feature of ALL available web browsers is by definition a violation. In fact, anyone can save a web page with any ePHI data as easily as pressing “Ctrl + S”, and that data becomes stored in a file on the device and subject to further disclosure or distribution, even when the user is offline and no longer has reason to access that data.
Additional features with the same compliance concerns include “Print”, “Print to PDF”, “View Source”, and others yet to be defined.
Because these are standard features in all commercial web browsers, there is no way to disable them from the browser menus or stop browsers from accessing HTML content. Because browsers are designed for mass market appeal, there is limited incentive for browser companies to address these issues. Therefore, no matter how HIPAA compliant your web application or website is, it is impossible to disable a feature of a web browser from a web server, unless you also built the web browser.
We will introduce a freemium multiview web browser built on the Shadowbox platform for download through our website. The free version will offer a minimum viable product of HIPAA compliant feature sets as described further below. Additionally, our current customers (laboratories) can advise Shadowbox Browser-using practices that their EMR-Lab Ordering Services may be easily accessed through Shadowbox (this generates a push marketing opportunity for our current customers).
Billions have been spent on government incentives, healthcare provider compliance efforts, fines for exposures, and yet there are still thousands of complaints every year. In fact, according to the US Department of Health and Human Services (HHS) in a 2015 report, “HIPAA compliance issues don't just happen to ‘the big guys’. In fact, private practices are the most frequent offenders ‘that have been required to take corrective action to achieve voluntary compliance,’ coming in ahead of hospitals, outpatient facilities, pharmacies, and health plans.”
Compliance “audits” cost as much as $50,000, and are no guarantee that practice employees will comply. The Shadowbox Browser is an elegant and low cost solution for these concerns with significant additional upside benefits such as lab ordering, and other features/functions available only on the Shadowbox platform.
The freemium product would be provided as described for single practitioners/small offices, and sold as a SaaS platform licensed on a per-seat basis to enterprise-level institutions such as hospitals, clinical research organizations, or other larger entities seeking to suppress incidental/accidental/intentional exposure of ePHI. As new features are developed and released, customers will be upsold on this new functionality. Additionally, each practice that decides to use one of our laboratory customer “Acts” will generate new revenue for Shadowbox through existing laboratory contracts.
The concept of a secure encrypted browser designed specifically for healthcare due to compliance concerns may eventually be developed into new use cases/verticals for other highly regulated industries such as finance, government, insurance, etc. Ultimately, Shadowbox becomes the browser for business.
SECURE BROWSER FEATURE CONCEPTS:
Disable non-compliant features of regular Web Browsers
We will disable all standard options of web browsers for any website that opens in Shadowbox. Users will not be able to execute any of the features that make websites non-compliant with HIPAA standards, such as:
- Save Website As
- Firebug module
- View Source
We will disable these features and make it a simple web browser, free of other browsers' history and settings.
Show multiple Websites in Multiview instead of Tabs
Shadowbox uses multiview display technology along with the Tabs of a regular web browser to simultaneously display multiple “active” sites. This allows the secure and compliant exchange of data between multiple sites, while preventing the exchange of data between compliant and non-compliant applications.
Encrypt any media/data before saving if it is not encrypted
Downloadable files and any local data will be encrypted or prevented from being saved locally.
Distinguish between HIPAA compliant and non-compliant websites
The Shadowbox browser will offer a feature that distinguishes between HIPAA secured and non-secured sites. In that regard we would add a warning feature, such as a yellow color bar around a “Pod” attempting to access/open a non-compliant website. In general, to be HIPAA-compliant, a web site must at a minimum ensure that all protected ePHI be treated as follows:
- Transport Encryption: Is always encrypted as it is transmitted over the Internet
- Backup: Is never lost, i.e. should be backed up and can be recovered
- Authorization: Is only accessible by authorized personnel using unique, audited access controls
- Integrity: Is not tampered with or altered
- Storage Encryption: Should be encrypted when it is being stored or archived
- Disposal: Can be permanently disposed of when no longer needed
- Omnibus/HITECH: Is located on the web servers of a company with whom you have a HIPAA Business Associate Agreement (or it is hosted in house and those servers are properly secured per the HIPAA security rule requirements).
For example, a “basic non-compliant” website would be one hosted by any typical commercial web hosting provider (e.g. GoDaddy) and written using off-the-shelf software or by someone without training in web site security best practices. A quick security audit script would run on every site upon opening, with typical results indicating non-compliance being:
- Transport Encryption – Fail. Data is not encrypted during transmission.
- Backups – Maybe. Most web hosts will backup and restore your data for you. However, this assumes that the data collected is in a location backed up by the host. If you have information emailed to you, you must be sure that your email record is complete and the backups are good.
- Authorization – Maybe. Depends on your implementation.
- Integrity – Fail. No way to be sure that data is not tampered with or to tell if it has been.
- Storage Encryption – Fail. Data is never encrypted.
- Disposal – Maybe. Depends on your implementation. However, some web hosts and IT departments keep data backups indefinitely — and that is not “disposal”.
- Omnibus – Fail. Most web hosting providers do not even know what a HIPAA BAA would require them to do… and most of the rest know that they cannot both sign such an agreement and live up to its requirements without completely changing how their business works and their prices.
NOTE: Millions of websites are accessible by healthcare service providers from the very same devices they use for accessing ePHI, and yet the vast majority of them are not designed with HIPAA in mind, and if they touch at all on protected patient data, are unlikely to be compliant. If a website plans to expand services to include protected patient data, its owners must be cognizant of these requirements and many times must entirely re-architect the site to meet them.
Redact/Block-out or Encrypt any sensitive ePHI data, or fields
Shadowbox could also recognize and encrypt any ePHI data, whether saved, being exchanged, or simply passing through Pods inside Shadowbox. If any Patient data has a requirement to be shared (such as passing MRI images to another clinician for a second opinion), then any ePHI data unnecessary for that purpose can be redacted to stay compliant with HIPAA’s minimum disclosure requirement.
Encrypt and Secure transactions in Shadowbox
We would also give users the ability to create custom connections, as in the video example below, and we’ll do that in a HIPAA-compliant way. And of course all the other advantages of Shadowbox over Web Browsers will also be there.
That feature is demonstrated in the following link as an example of an EMR to the CA Prescription Database data form connection/automation:
Secure transactions between HIPAA compliant and noncompliant websites
The browser would intelligently secure ePHI data if medical practices are accessing two or more web applications and exchanging PHI information where any one of them is not HIPAA Compliant. We would first warn the user and then give them options to stop the transaction or strip off the ePHI data being transferred. Also in that direction we can add a toggle button like the one QuickBooks Online uses (example from contract developers QB file). When toggled on, Shadowbox would redact all ePHI data from the view, preparing the data (form or report) for demo, for printing, or for sharing outside of Shadowbox.
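The warn, stop or strip decision described above, together with the minimum-disclosure redaction from the earlier section, can be sketched as a small policy function. This is an added example, not Shadowbox code: the pod objects, the field list and the function names are assumptions, and ePHI is recognized by field name only.

```javascript
// Added example: all names here are hypothetical, not Shadowbox APIs.
// Assumption: ePHI is identified by field name; free-text values are not scanned.
const EPHI_FIELDS = new Set(["name", "dob", "ssn", "mrn", "address", "phone"]);

// Constructed pods. `compliant` stands in for the per-site compliance check.
const emrPod = { origin: "https://emr.example", compliant: true };
const labPod = { origin: "https://lab.example", compliant: true };
const formPod = { origin: "http://forms.example", compliant: false };

// Constructed record.
const sampleRecord = { name: "Jane Roe", dob: "1980-01-01", mrn: "A-1001", test: "CBC" };

// Copy `record`, masking every ePHI field not listed in `needed`
// (the minimum-disclosure case: keep only what the purpose requires).
function redact(record, needed = []) {
  const keep = new Set(needed);
  const out = {};
  for (const [key, value] of Object.entries(record)) {
    out[key] = EPHI_FIELDS.has(key) && !keep.has(key) ? "[REDACTED]" : value;
  }
  return out;
}

// Decide what happens when `record` moves from pod `src` to pod `dst`.
// `choice` is the user's answer to the warning: undefined, "stop" or "strip".
function transfer(record, src, dst, choice) {
  const hasEphi = Object.keys(record).some((key) => EPHI_FIELDS.has(key));
  if ((src.compliant && dst.compliant) || !hasEphi) {
    return { action: "send", payload: record };
  }
  if (choice === "strip") {
    return { action: "send", payload: redact(record) };
  }
  if (choice === "stop") {
    return { action: "blocked", payload: null };
  }
  // No answer yet: fail closed, send nothing, and ask the user.
  return { action: "warn", payload: null, options: ["stop", "strip"] };
}

console.log(transfer(sampleRecord, emrPod, formPod));
console.log(transfer(sampleRecord, emrPod, formPod, "strip"));
```

Until the user answers, nothing is sent, so an unanswered or dismissed warning cannot leak the record to the non-compliant pod.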