clinical:hipaa
==================================
HIPAA Compliance for Meteor Apps. Meta package that includes clinical:hipaa-audit-log and other packages, covering the audit log, user accounts, and SSL security.

==================================
Installation
==================================
meteor add clinical:hipaa

==================================
HIPAA Self-Assessment Checklist
==================================
https://catalyze.io/hipaa-self-assessment-checklist

==================================
Sub-packages
==================================
This is a meta package, and includes the following sub-packages:

- accounts-base
- accounts-password
- alanning:roles
- clinical:hipaa-audit-log
- clinical:hipaa-policies
- clinical:hipaa-routes
- force-ssl
- jparker:crypto-aes
==================================
Deployment Phases
==================================
Phase 1 - Development (1 server)
- sudo meteor

Phase 2 - Platform as a Service (2 to 10 servers)
- modulus.io - Node/Meteor App Hosting on AWS
- compose.io - Mongo Hosting on AWS

Phase 3 - Infrastructure as a Service (11+ servers)
- Amazon Web Services
- Deploying a Meteor App on Elastic Beanstalk

Phase 4 - Federal HIPAA
- Amazon Web Services - HIPAA/Federal Tier
- Amazon Web Services - HIPAA Whitepaper
==================================
Roles
==================================
The Roles API (from alanning:roles) has two primary methods:

Roles.addUsersToRoles(userId, rolesArray, group)
Roles.userIsInRole(userId, rolesArray, group)

You can see their use in the following code example:
```js
if (Meteor.isServer) {
  // collection holding the per-group secrets (declared here so the example runs)
  var Secrets = new Mongo.Collection('secrets');

  // sample account data, constructed for this example
  var user = { email: "alice@example.com", name: "Alice" };

  var userId = Accounts.createUser({
    email: user.email,
    password: "apple1",
    profile: { name: user.name }
  });

  // assign roles to the new account (no group argument given)
  Roles.addUsersToRoles(userId, ['admin', 'manage-users', 'view-secrets']);

  // publish a group's secrets only to users holding an authorized role in that group
  Meteor.publish('secrets', function (group) {
    if (Roles.userIsInRole(this.userId, ['view-secrets', 'admin'], group)) {
      return Secrets.find({ group: group });
    } else {
      // user not authorized. do not publish secrets
      this.stop();
      return;
    }
  });
}
```
There is also an isInRole convenience helper for the client side:
```html
<template name="header">
  <header>
    {{#if isInRole 'admin'}}
      {{> admin_nav}}
    {{/if}}
  </header>
</template>
```
==================================
Encryption
==================================
There's technically nothing in HIPAA that specifically says an organization has to encrypt its data at rest, but many people prefer to do so. Of those who do, there are also differing opinions on whether the default encryption that comes with the operating system or database is sufficient. For those who are particularly paranoid and don't trust the operating system or database, the clinical:hipaa package comes with an AES encryption algorithm (via jparker:crypto-aes), so you can do in-app encryption and ensure that your data at rest is secure.
```js
var encrypted = CryptoJS.AES.encrypt("Message", "Passphrase");
console.log(encrypted.toString());
// 53616c7465645f5fe5b50dc580ac44b9be85d240abc5ff8b66ca327950f4ade5
// (sample output; the ciphertext is salted, so it differs on every call)
var decrypted = CryptoJS.AES.decrypt(encrypted, "Passphrase");
console.log(decrypted.toString(CryptoJS.enc.Utf8));
// Message
```
==================================
License
==================================
All code is MIT. Use as you will. Disrupt the system. It needs all the help it can get.
Policy and Procedures are Creative Commons.