HIPAA Compliance for Meteor Apps. Meta package containing audit log, user accounts, and ssl security.
==================================
- Installation
- Packages
- HIPAA Compliance Self-Assessment Checklist
- Hosting Providers Willing to Sign Business Associate Agreements (BAA)
- HIPAA Compliant Scale Out Using Meteor
- Policies and Procedures
- Roles API
- Crypto API
- Hipaa API
- HipaaPolicies API
==================================
meteor add clinical:hipaa
================================================
https://catalyze.io/hipaa-self-assessment-checklist
==================================
This is a meta package, and includes the following sub-packages:
accounts-base
accounts-password
alanning:roles
clinical:hipaa-audit-log
clinical:hipaa-policies
clinical:hipaa-routes
force-ssl
jparker:crypto-aes
================================================
https://catalyze.io/hipaa-self-assessment-checklist
================================================
================================================
Phase 1 - Development (1 server)
sudo meteor
Phase 2 - Platform as a Service (2 to 10 servers)
modulus.io - Node/Meteor App Hosting on AWS
compose.io - Mongo Hosting on AWS
Phase 3 - Infrastructure as a Service (11+ servers)
Amazon Web Services
Deploying a Meteor App on Elastic Beanstalk
Phase 4 - Federal HIPAA
Amazon Web Services - HIPAA/Federal Tier
Amazon Web Services - HIPAA Whitepaper
==================================
The Roles API has two primary method:
Roles.addUsersToRoles(userId, rolesArray, group)
Roles.userIsInRole(userId, rolesArray, group)You can see their use in the following code example:
if(Meteor.isServer){
var userId = Accounts.createUser({
email: user.email,
password: "apple1",
profile: { name: user.name }
});
Roles.addUsersToRoles(userId, ['admin', 'manage-users', 'view-secrets']);
Meteor.publish('secrets', function (group) {
if (Roles.userIsInRole(this.userId, ['view-secrets','admin'], group)) {
return Meteor.secrets.find({group: group});
} else {
// user not authorized. do not publish secrets
this.stop();
return;
}
});
}There is also an isInRole convenience helper for client side.
<template name="header">
<header>
{{#if isInRole 'admin'}}
{{> admin_nav}}
{{/if}}
</header>
</template>==================================
There's technically nothing in HIPAA that specifically says that an organization has to encrypt their data at rest; but many people prefer to do so. Of those who do, there's also differing opinions on whether the default encryption is sufficient that comes with the operating system or database. For those who are particularly paranoid, and don't trust the operating system or database, the clinical:hipaa package comes with an AES encryption algorithm, so you can do in-app encryption and ensure that your data-at-rest is secure.
encrypted = CryptoJS.AES.encrypt("Message", "Passphrase");
console.log(encrypted.toString());
// 53616c7465645f5fe5b50dc580ac44b9be85d240abc5ff8b66ca327950f4ade5
decrypted = CryptoJS.AES.decrypt(encrypted, "Passphrase");
console.log(decrypted.toString(CryptoJS.enc.Utf8));
// Message================================================
==================================
All code is MIT. Use as you will. Disrupt the system. It needs all the help it can get.
Policy and Procedures and Creative Commons.