Announcing the Official TrueVault JavaScript SDK

  • by Dan Cleary
  • June 21, 2017

Attention JavaScript developers! Today we are releasing the official TrueVault JavaScript SDK. The SDK abstracts away the details of making requests to our API. This will significantly reduce the time it takes to build a new project on top of TrueVault, or to add TrueVault to an existing project. To see how the SDK is used in a real project, check out the TrueVault JavaScript Sample Application. This is a full-featured React app that uses the SDK to interact with TrueVault.

Read More


Multi-Factor Authentication for Users

  • by Dan Cleary
  • May 24, 2017

Earlier this year we released Multi-Factor Authentication for Accounts. This has helped our customers stave off Social Engineering attacks by requiring more than just a username and password when logging in to the TrueVault Management Console. Today we are extending MFA functionality to the end users of TrueVault applications. Now, applications that integrate with TrueVault will be able to implement MFA enrollment, authentication, and unenrollment by taking advantage of our User MFA API.

Read More


Protect Your Organization From Ransomware, Social Engineering, and Other Attack Vectors

  • by Jason Wang
  • March 15, 2017

Compliance with HIPAA, although vital, is not enough to ensure that customer data will be genuinely secure: Anthem was HIPAA-compliant, and yet they still suffered one of the biggest data security breaches in history. Often, the weakest link in a system is the people operating it. Whether by accident or design, it can be all too easy for them to allow threat actors access to your systems, giving them the opportunity to do what they want with patient data.

In this post, the first of a series, we’ll look at three data security threat vectors, against which HIPAA compliance provides little or no protection. Later in the series we’ll look at the measures which can be taken to minimize these threats and ensure genuine security for healthcare data.

Read More


Multi-Factor Authentication for Accounts

  • by Andrew Mitchell
  • March 10, 2017

Today we're happy to announce Multi-Factor Authentication for the TrueVault Management Console Many of the threats our customers face are the result of human, not technical, errors. Social Engineering encompasses a broad range of attacks that are especially difficult to defend against because they exploit human mistakes: clicking on a phishing link, typing a password in public, running dubious software, joining an untrusted network, etc. TrueVault is working hard to keep your data safe even when authenticated users aren't necessarily trustworthy.

Read More


Better Access Control with Less Configuration: Ownership

  • by Andrew Mitchell
  • January 26, 2017

A major pillar of security is access control. It doesn't matter how strong your encryption is if your access control rules are too broad and you unintentionally give the wrong user access to too much information. At TrueVault, we strive to make it easy for you to build a secure product from top to bottom. This means that it's not enough for us to put your data in an iron-clad vault; we also need to help you precisely control access to each record.

Read More


Why Friday's Massive DDoS Attack Should be Terrifying

  • by Andrew Mitchell
  • October 22, 2016

Friday's massive DDoS attack made a number of hugely popular websites unavailable for much of the country for large parts of the day. Our service wasn't directly affected by this incident, but the nature and scope of this attack is tremendously worrisome. DDoS In a Denial of Service (DoS) attack, the perpetrator overwhelms a target company by flooding their service with so much phony traffic that their service is unable to serve authentic requests.

Read More


Data De-Identification - An Easier Way to HIPAA-Compliance

  • by JoAnna R. Nicholson, Jason Wang, Andrew Mitchell
  • September 27, 2016

Creating a HIPAA-compliant product doesn’t have to be a harrowing experience, but most teams unwittingly choose the slowest, riskiest, and most challenging path to compliance. This post seeks to shed some light on a faster and simpler approach: Data De-Identification. If you take the hard path, retrofitting an existing application to become HIPAA-compliant can be a huge undertaking: You’ll need to start with a massive effort to refactor your codebase to satisfy all of the mandated Technical Safeguards.

Read More


Sending Personalized Email with TrueVault

  • by Andrew Mitchell
  • September 15, 2016

TrueVault has partnered with SendGrid to send personalized emails to your customers using the TrueVault API. This post walks you through the integration process and shouldn't take more than fifteen minutes to complete. Setup in SendGrid The first thing to do is setup a new SendGrid Account. If you just want to try this out, you can take advantage of SendGrid's generous free plan, which lets you send 12k emails per month.

Read More


Keep Your Data Out Of The Wrong Hands

  • by Andrew Mitchell
  • June 9, 2016

We approach security from two angles: prevention and mitigation. Of course we do everything we can to prevent a breach, but we know that isn't enough. History has proven that the software we all depend on has vulnerabilities. We design systems with this reality in mind, and do everything we can to mitigate the damage if a breach occurs. Today we're asking for feedback on a product our R&D department is exploring, which will drastically reduce your exposure if your system is compromised.

Read More


Understanding the EU/US Privacy Shield and Its Impact on Business

  • by Jason Wang
  • May 11, 2016

The US/EU Safe Harbor framework has been invalidated, but a new agreement known as the EU/US Privacy Shield is in the process of being implemented. The new agreement introduces a series of limitations on the processing of European data that will have serious implications for U.S. companies handling European citizen data. Here is what this new agreement entails, what it will mean in practice, and what you should know going forward.

Read More


7 Tips for a Successful mHealth Strategy

  • by Jason Wang
  • April 6, 2016

TrueVault works with healthcare organizations and channel partners to deliver foundational technologies to power their mHealth strategies. Doing so has given us plenty of opportunity to develop a deep understanding of what works (and what doesn’t) as healthcare organizations proceed on this journey. Here we’ll share some of our key insights, to help you successfully drive forward your organization’s mHealth strategy and avoid some of the potential pitfalls. 1. Start small, with a one-month deliverable.

Read More


Driving business value through mobile in the health insurance industry

  • by Jason Wang
  • March 10, 2016

This is the first in a series of posts. Our health insurance customers tell us that they face intense business challenges. Government mandates are pushing costs up and reducing profitability. Health insurance leaders are consolidating (e.g., Aetna’s $37 billion acquisition of Humana) into fewer, larger companies, in an effort to leverage economies of scale and scope to drive down their cost structures. Indeed, some industry executives and CFOs predict, “Big is going to be better.

Read More


TrueVault Unaffected In UCLA Health Breach

  • by Jason Wang
  • July 23, 2015

Recently, UCLA Health experienced a data breach. UCLA Health is a TrueVault customer, however, data stored in TrueVault was not affected by the breach. TrueVault continues to maintain the highest level of security and protection of our customer’s sensitive data. If you have any questions, please contact our security team at security@truevault.com.

Read More


Introducing TrueVault Connect

  • by Jason Wang
  • May 28, 2015

Today we’re excited to announce the general availability release of TrueVault Connect, an identity management solution empowering businesses to share sensitive data with third party applications securely. TrueVault Connect allows authorized applications to access enterprise data in standards-compliant fashion. With TrueVault Connect, end users can grant third party applications the access to their own data, while enterprises maintain control of how data is being accessed. With sophisticated access control and identity management features, enterprises can design and implement detailed data strategies that allow them to acquire, exchange, and retire data via third party applications—all while maintaining ownership of the data.

Read More


What is Protected Health Information?

  • by Morgan Brown
  • January 11, 2015

Protected Health Information, or PHI, is the personally identifiable health information that HIPAA regulates and protects. But HIPAA was written nearly 20 years ago for a mostly analog world of paper files and physical x-rays—the iPhone wasn't even a dream. In today's world of wearables, health apps, genetic sequencing and more, getting a precise definition of PHI can be confusing for developers trying to parse whether they need to be HIPAA compliant or not.

Read More


Top mHealth Apps for September

  • by Morgan Brown
  • October 20, 2014

Apps continue to grow in importance for smartphone users, as more people spend more time in apps and less time on the mobile web. With the recent launches of HealthKit, Apple Watch and more, health and wellness is no exception to the trend. September’s most in-demand mhealth and medical apps for iOS and Android offer everything from tracking medical information, getting or staying in shape, consulting with physicians, and even helping others.

Read More


POODLE Security Update

  • by Jason Wang
  • October 16, 2014

Yesterday, an embargo on a major vulnerability with SSL named POODLE ended [0]. This vulnerability POODLE (Padding Oracle On Downgraded Legacy Encryption) is caused by downgrading of SSL connection from TLS to to SSLv3 and then exploiting SSLv3's weak ciphers to steal "secure" HTTP cookies/tokens/headers. More details about the vulnerability can be found in the release drafted by Google on the OpenSSL website[1]. This vulnerability did not affect TrueVault. In fact, TrueVault removed support for SSLv3 some time ago.

Read More


Apple’s HealthKit vs. Google Fit [Infographic]

  • by Morgan Brown
  • October 14, 2014

The field of mHealth has never been hotter as more people add wearables to their list of must-have devices. With the release of the iPhone 6 and HealthKit, Apple is now one of the largest digital health platforms in the world. It’s clear that we’re at the very beginning of a megatrend in personal health technology. Apple’s not the only one jumping on the mHealth bandwagon, however. Google released Google Fit and Android Wear, and Samsung threw their hat into the ring with SAMI (Samsung Architecture Multimodal Interaction).

Read More


HIPAA Compliance Checklist [Download]

  • by Morgan Brown
  • October 6, 2014

Establishing and maintaining HIPAA compliance for healthcare applications can be a time consuming and frustrating ordeal for developers. From the administrative safeguards that the business needs to implement, to the technical and physical safeguards that require software architecture and custom development, the process can add months to a development timeline and expensive technical debt that requires ongoing attention and refactoring. Unfortunately, using HIPAA-ready hosting like Amazon’s AWS and securing your databases isn’t enough to be compliant.

Read More


What is HIPAA Compliant Hosting?

  • by Morgan Brown
  • October 6, 2014

According to security guidelines established by HIPAA (the Health Insurance Portability & Accountability Act), it’s not only covered entities—that’s those who provide treatment, payment, and operations in healthcare—but also their business associates—that’s anyone who develops mHealth, eHealth, or wearable applications that deal with Protected Health Information (PHI)—who are required to meet national standards for Physical, Administrative, and Technical security of health information. When it comes to keeping protected data secure, there’s no denying that apps that will be transmitting, storing, or managing PHI should be using HIPAA compliant hosting.

Read More


Shellshock Bash Bug and TrueVault

  • by Jameson Lee
  • September 25, 2014

Yesterday, a critical exploit was announced that affects Linux servers through bash, aka the Bourne Again SHell. The vulnerability involves how Bash processes environmental variables. With specifically crafted variables, intruders could invoke shell commands, making the system vulnerable to even greater assault. TrueVault was notified of the bug via the publication of the issue and patch information on Seclists.org, the leading security mailing list. Upon notification of the threat TrueVault immediately took the following actions:

Read More


Introducing the TrueVault Partner Program

  • by Morgan Brown
  • August 26, 2014

Today we’re excited to introduce the TrueVault Developer Partner program. The Developer Partner program is designed to make it easier for application developers and agencies to work with TrueVault to build the next generation of healthcare applications for their clients. If you build mobile and web-based applications for hospitals, doctors or other healthcare providers, or if you’re an agency or development shop who specializes in building for the healthcare vertical, we want you to be a part of this program.

Read More


5 Things CIOs Should Do in Light of the 4.5 Million Community Health Systems Patient Records Theft

  • by Morgan Brown
  • August 19, 2014

Community Health Systems, which manages 206 hospitals in 29 states, reported this week that they were victims of Chinese hackers who infiltrated and stole more than 4.5 million patient records. The hackers made out with names, addresses and social security numbers for patients across the network during attacks in April and June. While the hackers did not get access to the highly-valued protected health information in patient medical records, the hack represents the second largest healthcare-related heist in the last few years.

Read More


What’s Next for Wearable Technology and What it Means for Health Data

  • by Morgan Brown
  • July 28, 2014

Wearable technology has rapidly moved from fantasy to geeky fad, and is now shaping up to become the next big wave after tablets. Many scoff at Google’s Glass but, judging from this year’s string of product and platform announcements at Consumer Electronics Show (CES) and from Apple, Google and Samsung, wearable technology is set to be the next major wave of consumer electronics. Indeed, research firm ABI predicts that by 2017 the market for wearables in the sports and health sectors will grow to nearly 170 million units.

Read More


Introducing the TrueVault Badge

  • by Morgan Brown
  • July 21, 2014

Today we're excited to announce the launch of the TrueVault Badge Program for applications that use our HIPAA compliant API and data store to keep user data compliant and secure. The TrueVault Badge Program allows any TrueVault customer who has signed a Business Associate Agreement with us to display the badge on their website to show their customers they care deeply about keeping protected health information safe and secure. Why a TrueVault Badge?

Read More


HIPAA Violations are on the Rise (Infographic)

  • by Morgan Brown
  • July 8, 2014

Over the past year, consumer complaints to the Office of Civil Rights regarding HIPAA violations has skyrocketed. The number of complaints rose nearly 10x between 2013 and 2003. While 2013 was a record year for complaints, 2014 is setting up to easily shatter the previous mark. Complaint volume is up 45.7% year-over-year through the month of May (the most recent month with data available). Enforcement of the new Omnibus Final Rule that was published in January of 2013 and effective as of September requiring all Business Associates to be HIPAA compliant will likely exacerbate these numbers further as audits being in earnest this year.

Read More


Should App Developers Get HIPAA Certified?

  • by Morgan Brown
  • June 17, 2014

If you are a developer and you create apps, software, or other technologies that are connected to healthcare information, you are likely dealing with the question of HIPAA compliance and whether the laws around compliance apply to you and your app. One of the first things that probably come to mind is whether you need to get HIPAA certified. It’s a reasonable question. Especially if you’ve built applications that use sensitive data like payment information, you’re used to the notion of required certifications.

Read More


Introducing the Developers Guide to HIPAA Compliance

  • by Morgan Brown
  • June 2, 2014

With the news today of Apple’s HealthKit and the Health app, we’re fairly certain that interest in mobile health (mHealth) applications is only going to rise. But building a healthcare-based application has particular challenges that other consumer applications don’t face—mainly the regulation and compliance with HIPAA, the Health Insurance Portability and Accessibility Act. The HIPAA Security Rule lays out the requirements for the privacy of user data, called protected health information (PHI) for both covered entities (like doctors) and business associates (like application developers, hosting providers, etc.

Read More


5 Pitfalls Mobile App Developers Face When it Comes to HIPAA Compliance

  • by Morgan Brown
  • May 27, 2014

The Health Insurance Portability and Accountability Act was signed into law by Bill Clinton on August 21st, 1996. To put this in its technological context, HIPAA predates the first iPhone by 10 years, the first iPad by nearly 14 years, and came into effect just 1 year after commercial ISPs started providing broader access to the consumer Internet. At this point in time, anything close to mobile apps was still beyond the imaginations of even the most outlandish sci fi writers.

Read More


Eight Things We Are Looking for From Apple’s Healthbook and iOS 8

  • by Morgan Brown
  • May 19, 2014

With the rise of popular wearables like the Nike Fuel band and Jawbone Up, and health-based applications for smartphones, personal health is shaping up to be the next major area of innovation for consumer device makers—smartphone manufacturers included. So it’s no surprise that both Samsung and Apple are planning—or reportedly planning—forays into health with its upcoming devices. Samsung is a mere week away from a major health-based press event, and there’s plenty of speculation around Apple’s Healthbook initiative and iOS 8, both of which are expected to be announced in one form or another at their Worldwide Developers Conference in June.

Read More


What Developers Need to Know about HIPAA Compliance in Wearable Tech

  • by Morgan Brown
  • May 14, 2014

With dozens of products already on the market and more on the way, it’s clear that wearable tech is only going to grow in popularity with consumers. From Fitbit to Jawbone Up, Nike Fuel Band and more, these devices are tracking more consumer health data than ever. While popular wearables are tracking steps and calories today, it’s likely that they will track things like hydration, heart rate and more in the next few months—especially if rumors about Apple’s Healthbook are true.

Read More


Meet us at HxRefactored

  • by Morgan Brown
  • May 8, 2014

TrueVault will be at HxRefactored in Brooklyn, New York on May 14-15. Our CEO Jason will be speaking on Wednesday in the HIPAA and Data Security for developers track. His talk, “Decoding HIPAA for Developers” is focused on helping application developers and hardware engineers understand the ins-and-outs of HIPAA compliance for mobile apps, wearable technology and more. If you’re building a new mobile or web app, or software for new wearable devices you’ll want to put this session on your must-attend list.

Read More


Need a Hand with TrueVault? AirPair Can Help!

  • by Morgan Brown
  • March 1, 2014

TrueVault is excited to participate in AirPair's premium support program, which allows our customers to work with trusted TrueVault experts on complex API integrations and similar engagements. Airpair gives developers instant access to the world's best software engineering experts via online screensharing and video chat. There are lots of places that let non-engineers hire engineers one-off for low quality projects like oDesk, but Airpair is one of the few and the best that let developers connect with experts right at the moment they need help.

Read More


Here's How to Keep Your Mobile Data Secure

  • by Morgan Brown
  • January 15, 2014

More than 4.4 million phones were stolen or lost in 2013, according to Consumer Reports. With 70.4% of missing phones the result of theft, there is a lot of personal data floating around in the wrong hands. So how can you keep your phone data safe? Follow these nine tips to keep your personal data safe and secure, even if your phone is stolen. Keeping Mobile Data Safe Set a lock screen password.

Read More


What is the penalty for a HIPAA violation?

  • by Morgan Brown
  • January 9, 2014

HIPAA violations are expensive. The penalties for noncompliance are based on the level of negligence and can range from $100 to $50,000 per violation (or per record), with a maximum penalty of $1.5 million per year for violations of an identical provision. Violations can also carry criminal charges that can result in jail time. Fines will increase with the number of patients and the amount of neglect. Starting with a breach where you didn’t know and, by exercising reasonable diligence, would not have known that you violated a provision.

Read More


HIPAA Compliant File Storage for Healthcare

  • by Jason Wang
  • January 8, 2014

TrueVault can offer you HIPAA compliant storage for any file format. This is not just a file backup or cloud storage solution. Our BLOB Store was designed from the ground up to integrate with mobile applications, web apps, and wearable devices. File uploads, downloads, updates, and deletes are all accessible via a REST(ful) API. When TrueVault launched in September of 2013 we released HIPAA compliant storage for JSON Documents. In December 2013 we launched our BLOB Store.

Read More


Who Certifies HIPAA Compliance?

  • by Jason Wang
  • January 4, 2014

The short answer is no one. Unlike PCI, there is no one that can “certify” that an organization is HIPAA compliant. The Office for Civil Rights (OCR) from the Department of Health and Human Services (HHS) is the federal governing body here. And, HHS does not endorse or recognize the “certifications” made by private organizations. There is an evaluation standard in the Security Rule § 164.308(a)(8), and it requires you to perform a periodic technical and non-technical evaluation to make sure that your security policies and procedures meet the security requirements.

Read More


How do I become HIPAA compliant? (a checklist)

  • by Jason Wang
  • October 30, 2013

A little housekeeping before we answer the question. This article is not a definitive list of what is required for HIPAA compliance; you should assign a Privacy Officer to review each rule in its entirety. This article is intended to point you in the right direction. So you have determined that you are handling protected health information (PHI) and that you need to be HIPAA compliant. What’s next? What steps need to be taken in order to become HIPAA compliant?

Read More


HIPAA Physical Safeguards Explained, Part 2

  • by Jason Wang
  • October 27, 2013

In a previous blog post titled, HIPAA Physical Safeguards Explained, Part 1, we covered the basics of the Physical Safeguards and the first of four standards. In this post, we’ll cover the remaining three standards: Workstation Use, Workstation Security and Device and Media Controls. If you skipped part 1 of the series, you should read that first. Otherwise, Let’s dive right in. The Workstation Use standard states your entity must define what each workstation can be used for, how the work on the workstation is performed and the environment surrounding the workstations when they are used to access electronic protected health information (ePHI).

Read More


Do I Need To Be HIPAA Compliant?

  • by Jason Wang
  • October 13, 2013

If you handle what’s called protected health information (PHI), then this is an important question to be asking because HIPAA violations can result in some serious penalties. What is PHI you ask? Good question. PHI is any information in a medical record that can be used to identify an individual, and that was created, used, or disclosed in the course of providing a health care service, such as a diagnosis or treatment.

Read More


HIPAA Physical Safeguards Explained, Part 1

  • by Jason Wang
  • October 10, 2013

Update 10/27/2013: You can read part 2 of this series here Physical Safeguards are a set of rules and guidelines outlined in the HIPAA Security Rule that focus on the physical access to Protected Health Information (PHI). In contrast, Administrative Safeguards focus on policy and procedures, while Technical Safeguards focus on data protection. When we think about PHI, we typically think about the digital form of PHI: database records, PDF patient files, and MRI scan images.

Read More


Latest Posts

Mailing List

Subscribe to our mailing list