Is anyone using the HIPAA compliant version of Knack?
Hi Dean - Happy to answer questions if you want to reach out to us. Visit HIPAA Compliant Application and Database Builder/Development and complete the form
Hey Steve, thanks for the response, but I have spoken to someone in your group before about HIPAA. At some point I may need to do a quick update, but I think I understand the basic aspects. I have a multi-tenant app on Knack that I am looking at using in a specific area of the health industry, and my question here was more for users that may have insights into areas that may need to be addressed as security risks. I found one related to the Details view that I discussed with support. We figured out a hack to close the potential for PHI to be leaked, albeit the risk was remote but possible. Just looking to see if anyone has had any other similar experiences.
Hello! I’m using it. The only potential risk our team has faced is that we wanted to use file attachments to save test results, but at the last minute we realized this would have been risky, since files are technically public (if you guess the link).
I would be interested to know more about what you are doing on the app and share my experience, speaking of "guessing links", and see how you may be handling it if you are. I don't want to expose weaknesses in the HIPAA app on a public forum but would prefer a direct message or email if possible. Thanks - Dean
Also sent you a DM here about our issue - Dean
Yes, files are public, but you can make a file private, as Knack gives an option to make files private.
It looks to me that even with the secure setting there is the possibility of public access if the link is exposed. It is only secure in the app.
- Required: If checked, this field must have a value before a record can be added or updated.
- Secure: Setting to Yes after your users have already uploaded files via this field means that any links they were using to access those files will no longer work. Every time a user accesses a secured file via one of the new Live App Knack URL links, a check is run to make sure that the Page, View, and field on which the user found the link to the file still exists; this way, for example, if you accidentally show a link to a file on a certain view and remove it later, users who saved that link will no longer be able to access the file through it.
Files uploaded to a field with Secure set to yes will still be accessible if the direct URL to the file is used. This allows the file to be shared in emails or as needed without requiring someone to log into the Live App. Only the URLs to the file displayed in a Live App page will follow the rules that are in place for that page.
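The two access paths the quoted documentation describes (a view-bound link that is re-checked against the Page/View/field it came from, and a direct URL that bypasses page rules), modelled side by side with a hardened alternative that binds a download link to the authenticated user and an expiry. This is an added example with constructed names and data, not Knack's code or API, and the signed-token scheme is an assumption about what a fix could look like, not a Knack feature.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample store: file id -> contents (hypothetical, not Knack's storage).
FILES = {"f1": b"%PDF-1.4 constructed lab-result bytes"}
# Views that currently display a link to the file: (page, view, field) -> file id.
LIVE_VIEWS = {("patients", "view_12", "field_7"): "f1"}
# Server-side secret for signing download tokens (constructed).
SECRET = b"constructed-server-secret"
SIG_LEN = hashlib.sha256().digest_size

def serve_via_view_link(page, view, field):
    """Models the documented 'Secure' check: the link keeps working only while
    the page/view/field the user found it on still exists."""
    file_id = LIVE_VIEWS.get((page, view, field))
    return FILES.get(file_id) if file_id else None

def serve_direct(file_id):
    """Models the documented gap: the direct URL ignores the Live App page rules,
    so anyone holding (or guessing) it gets the file."""
    return FILES.get(file_id)

def issue_signed_url(file_id, user_id, ttl, now):
    """Hardened alternative (assumption): a short-lived token bound to one file
    and one authenticated user, so a leaked link is useless to anyone else."""
    claims = {"f": file_id, "u": user_id, "exp": now + ttl}
    payload = json.dumps(claims, separators=(",", ":")).encode()
    sig = hmac.new(SECRET, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload + sig).decode()

def serve_signed(token, user_id, now):
    """Verifies signature, expiry and user binding before releasing the file;
    there is deliberately no unauthenticated direct route."""
    try:
        raw = base64.urlsafe_b64decode(token.encode())
        payload, sig = raw[:-SIG_LEN], raw[-SIG_LEN:]
        expected = hmac.new(SECRET, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(sig, expected):
            return None
        claims = json.loads(payload)
        if claims["u"] != user_id or now > claims["exp"]:
            return None
        return FILES.get(claims["f"])
    except (ValueError, KeyError):
        return None
```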
Yes, exactly, that's what worried us. Our "solution" was to never use file fields xD
@Kara I know you can’t read years of posts and react to all of them but I wanted to bring to your attention that the app has issues when it comes to HIPAA compliance which Knack offers at a premium price along with a signed BAA which implies assumption of liability in a HIPAA compliant environment. Essentially the medical provider depends on all the contractors to take liability for their product along the way in case of a breach of client information. The problem is that the HIPAA compliant server essentially uses the same software app which has leaks that increase everyone’s potential for breach and liability and no way to change settings to stop them. We have looked into moving to a HIPAA compliant server environment but the unknown places where data leaks are a liability for everyone.
To close the loop here, we resolved the issue Dean brought up about 2 weeks ago (unrelated to secure file fields).
Cheers,
Kara
@Kara Thanks Kara I appreciate how your team made this a priority to work through. I have not had a chance to test yet, but I plan to. As we coded around it, I need to test in an environment without our hack to the issue. With the expectation that this is fixed, we are back in the planning stages for some projects that will require a HIPAA environment. I just sent a message to inquire about some tactical questions to implement such a strategy, so hopefully, I will start some dialogue with support tomorrow when they see it. - Dean