Healthcare applications require strict HIPAA compliance to protect patient data. Django's security features provide a solid foundation, but additional measures are essential. At ZIRA Software, we've built HIPAA-compliant systems serving major healthcare providers.
HIPAA Requirements Overview
HIPAA Technical Safeguards
├── Access Controls
│ ├── Unique user identification
│ ├── Emergency access procedure
│ └── Automatic logoff
├── Audit Controls
│ ├── Hardware/software activity logging
│ └── Access audit trails
├── Integrity Controls
│ ├── Data validation
│ └── Transmission security
├── Transmission Security
│ ├── Encryption in transit
│ └── Integrity controls
└── Authentication
├── Verify user identity
└── Multi-factor authentication
Encryption at Rest
# Encrypted model fields
from django.db import models
from cryptography.fernet import Fernet
from django.conf import settings
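class EncryptedTextField(models.TextField):
    """TextField whose contents are stored Fernet-encrypted at rest.

    Plaintext is encrypted with ``settings.ENCRYPTION_KEY`` (a URL-safe
    base64 Fernet key) and the resulting token is stored in the text column;
    the plaintext only exists in application memory. Fernet tokens carry a
    random IV, so equal plaintexts produce different ciphertexts: equality
    filters, ordering and indexes on this column do not work and
    ``unique=True`` is meaningless. Key rotation is not handled here —
    changing ENCRYPTION_KEY makes existing rows undecryptable
    (``cryptography.fernet.InvalidToken``); ``MultiFernet`` is the library's
    rotation mechanism if that is needed.
    """

    def __init__(self, *args, **kwargs):
        # Built once per field instance. The key is read when the model
        # module is imported, so a missing or malformed key fails at startup
        # rather than on the first database round-trip.
        self.fernet = Fernet(settings.ENCRYPTION_KEY)
        super().__init__(*args, **kwargs)

    def from_db_value(self, value, expression, connection):
        """Decrypt the token loaded from the database and return the plaintext str.

        ``None`` passes through unchanged. Defensive: ``bytes``/``memoryview``
        are accepted in case a backend returns them for a text column.
        ``InvalidToken`` propagates when the token was tampered with or was
        written under a different key.
        """
        if value is None:
            return value
        if isinstance(value, memoryview):
            value = value.tobytes()
        token = value if isinstance(value, bytes) else value.encode()
        return self.fernet.decrypt(token).decode()

    def get_prep_value(self, value):
        """Encrypt *value* before it is sent to the database.

        ``super().get_prep_value`` applies TextField's normal coercion
        (non-str input such as an int or a lazy string becomes ``str``), so
        assigning a non-str value no longer raises ``AttributeError`` on
        ``.encode()``. ``None`` is stored as NULL.
        """
        value = super().get_prep_value(value)
        if value is None:
            return value
        return self.fernet.encrypt(value.encode()).decode()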
# Usage in models
class PatientRecord(models.Model):
    """Minimal patient record: a plain identifier plus two encrypted PHI columns.

    ``ssn`` and ``diagnosis`` are stored as Fernet tokens (see
    EncryptedTextField above), so they cannot be filtered, ordered or indexed
    by value; look records up by ``patient_id``. ``patient_id`` is not declared
    unique here — NOTE(review): confirm whether one row per patient is intended.
    """
    patient_id = models.CharField(max_length=50)
    ssn = EncryptedTextField()  # PHI - encrypted at rest, opaque to the database
    diagnosis = EncryptedTextField()  # PHI - encrypted at rest, opaque to the database
    created_at = models.DateTimeField(auto_now_add=True)  # set automatically on first save

    class Meta:
        # Custom permission used by the phi_access_required decorator below.
        # With Django's default ModelBackend the string checked via
        # user.has_perm() is '<app_label>.view_phi'.
        permissions = [
            ('view_phi', 'Can view protected health information'),
        ]
Comprehensive Audit Logging
# audit/models.py
class AuditLog(models.Model):
    """Record of who performed which action on which object, and from where.

    Rows are written by AuditMiddleware for requests that set
    ``request.audit_log`` and by phi_access_required on a denied PHI attempt.
    ``on_delete=SET_NULL`` keeps the row when the acting user is deleted, so
    the trail stays complete.
    """
    # Allowed values for ``action``. phi_access_required below writes
    # 'ACCESS_DENIED', which is not listed here: .create() does not validate
    # choices so the row is saved, but it will fail full_clean()/admin
    # validation — consider adding it to this list.
    ACTION_CHOICES = [
        ('CREATE', 'Create'),
        ('READ', 'Read'),
        ('UPDATE', 'Update'),
        ('DELETE', 'Delete'),
        ('LOGIN', 'Login'),
        ('LOGOUT', 'Logout'),
        ('EXPORT', 'Export'),
    ]
    user = models.ForeignKey(User, on_delete=models.SET_NULL, null=True)  # None for anonymous or deleted users
    action = models.CharField(max_length=20, choices=ACTION_CHOICES)
    model_name = models.CharField(max_length=100)
    object_id = models.CharField(max_length=100, null=True)  # text, presumably so non-integer PKs fit
    ip_address = models.GenericIPAddressField()  # NOT NULL: every create() must supply a value
    user_agent = models.TextField()
    timestamp = models.DateTimeField(auto_now_add=True)  # set automatically on first save
    details = models.JSONField(default=dict)  # free-form context; must stay JSON-serialisable
    phi_accessed = models.BooleanField(default=False)  # marks rows that touched protected health information

    class Meta:
        indexes = [
            models.Index(fields=['user', 'timestamp']),  # per-user activity history
            models.Index(fields=['model_name', 'object_id']),  # per-object access history
        ]
# Audit middleware
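class AuditMiddleware:
    """Persist one AuditLog row for each request that a view marked for auditing.

    A view opts in by attaching a dict to ``request.audit_log`` with any of
    the keys ``action``, ``model``, ``object_id``, ``details`` and
    ``phi_accessed``; the row is written after the view has produced its
    response. The original version called ``self.get_client_ip`` without
    defining it, which raised AttributeError on every audited request; the
    method is provided here.
    """

    def __init__(self, get_response):
        self.get_response = get_response

    def __call__(self, request):
        response = self.get_response(request)
        audit = getattr(request, 'audit_log', None)
        if audit is not None:
            # Presumes AuthenticationMiddleware ran before this one so
            # request.user exists — verify MIDDLEWARE order.
            actor = request.user if request.user.is_authenticated else None
            AuditLog.objects.create(
                user=actor,
                action=audit.get('action', 'READ'),
                model_name=audit.get('model', ''),
                object_id=audit.get('object_id'),
                ip_address=self.get_client_ip(request),
                user_agent=request.META.get('HTTP_USER_AGENT', ''),
                details=audit.get('details', {}),
                phi_accessed=audit.get('phi_accessed', False),
            )
        return response

    def get_client_ip(self, request):
        """Return the peer address Django recorded for this request.

        Only ``REMOTE_ADDR`` is consulted on purpose: ``X-Forwarded-For`` and
        similar headers are client-supplied unless a trusted reverse proxy
        overwrites them, so reading them here would let a caller choose the
        address that ends up in the audit trail. Behind such a proxy, have the
        proxy layer rewrite REMOTE_ADDR (or a dedicated, proxy-aware
        middleware) rather than trusting the header here. Returns ``None`` when
        the server supplied no peer address; ``AuditLog.ip_address`` is NOT
        NULL, so the create() then fails loudly instead of storing a blank.
        """
        return request.META.get('REMOTE_ADDR')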
Session Security
# settings.py
SESSION_COOKIE_SECURE = True  # cookie is only sent over HTTPS
SESSION_COOKIE_HTTPONLY = True  # not readable from JavaScript, limiting cookie theft via XSS
SESSION_COOKIE_SAMESITE = 'Strict'  # never sent on cross-site requests (CSRF defence in depth)
SESSION_EXPIRE_AT_BROWSER_CLOSE = True  # issued as a session cookie rather than a persistent one
SESSION_COOKIE_AGE = 900  # 15 minutes
# NOTE(review): SessionTimeoutMiddleware below reads settings.SESSION_TIMEOUT
# (seconds) for its idle check, which is not defined in this snippet — it
# must be set alongside these values.
# Auto-logout middleware
class SessionTimeoutMiddleware:
    """Log out authenticated users whose previous request is older than SESSION_TIMEOUT.

    The timestamp of the last request is kept server-side in the session under
    ``last_activity`` and refreshed on every authenticated request. When the
    idle gap exceeds ``settings.SESSION_TIMEOUT`` (seconds) the user is logged
    out, a warning message is queued and the request is redirected to the
    ``login`` URL. Unauthenticated requests pass straight through untouched.
    """

    def __init__(self, get_response):
        self.get_response = get_response

    def __call__(self, request):
        if not request.user.is_authenticated:
            return self.get_response(request)

        now = time.time()
        previous = request.session.get('last_activity')
        if previous and now - previous > settings.SESSION_TIMEOUT:
            logout(request)
            messages.warning(request, 'Session expired for security.')
            return redirect('login')

        # Writing to the session marks it modified, so it is saved on this request.
        request.session['last_activity'] = now
        return self.get_response(request)
Role-Based Access Control
# Custom permission backend
class HIPAAPermissionBackend:
    """Authorization backend granting a permission held by any of the user's roles.

    ``perm`` is compared against the bare Permission ``codename`` (e.g.
    ``'view_phi'``), not the ``'app_label.codename'`` form Django's
    ModelBackend expects, so callers must use one convention consistently.
    Object-level checks are not supported: ``obj`` is ignored. Inactive users
    hold no permissions at all.
    """

    def has_perm(self, user_obj, perm, obj=None):
        if not user_obj.is_active:
            return False
        # NOTE: one permissions query per role (N+1 pattern).
        granted = {
            codename
            for role in user_obj.roles.all()
            for codename in role.permissions.values_list('codename', flat=True)
        }
        return perm in granted
# View decorator
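def phi_access_required(view_func):
    """Decorate a view so only users holding the ``view_phi`` permission may run it.

    A denied attempt is written to the audit trail before PermissionDenied is
    raised, so failed PHI access is recorded alongside successful access.
    ``has_perm('view_phi')`` relies on a backend that compares bare codenames
    (HIPAAPermissionBackend above does); Django's default ModelBackend would
    expect ``'app_label.view_phi'``.

    Fixes two issues in the denied branch: ``AuditLog.ip_address`` is NOT NULL
    and ``user`` is a foreign key, so the original ``create()`` failed with an
    IntegrityError (no address) or a ValueError (AnonymousUser) — masking the
    denial with a 500 instead of recording it.
    """
    @wraps(view_func)
    def wrapper(request, *args, **kwargs):
        if not request.user.has_perm('view_phi'):
            AuditLog.objects.create(
                # Anonymous users cannot be assigned to the FK; store NULL.
                user=request.user if request.user.is_authenticated else None,
                # NOTE: not in AuditLog.ACTION_CHOICES; add it there so the
                # row also passes full_clean().
                action='ACCESS_DENIED',
                # REMOTE_ADDR only — forwarded-for headers are client-controlled
                # unless a trusted proxy rewrites them.
                ip_address=request.META.get('REMOTE_ADDR'),
                user_agent=request.META.get('HTTP_USER_AGENT', ''),
                details={'attempted_view': view_func.__name__},
            )
            raise PermissionDenied('PHI access not authorized')
        return view_func(request, *args, **kwargs)
    return wrapper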
Secure Data Transmission
# Force HTTPS
SECURE_SSL_REDIRECT = True  # SecurityMiddleware redirects plain-HTTP requests to HTTPS
SECURE_HSTS_SECONDS = 31536000  # 1 year: browsers refuse plain HTTP to this host for that long once seen
SECURE_HSTS_INCLUDE_SUBDOMAINS = True  # every subdomain must also be served over HTTPS
SECURE_HSTS_PRELOAD = True  # permits submission to browser preload lists; effectively irreversible
# NOTE(review): behind a TLS-terminating proxy, SECURE_PROXY_SSL_HEADER must
# also be set or the redirect loops — confirm the deployment topology.
# API encryption headers
class SecureAPIView(APIView):
    """APIView base class that refuses any request not received over HTTPS.

    ``request.is_secure()`` is True for a direct TLS connection or, behind a
    TLS-terminating proxy, only when ``SECURE_PROXY_SSL_HEADER`` is
    configured — without it every proxied request is rejected here. With
    ``SECURE_SSL_REDIRECT = True`` SecurityMiddleware normally redirects plain
    HTTP before any view runs, so this is a second line of defence for API
    clients. Rejected requests get a 400 JSON body ``{'error': 'HTTPS required'}``.
    """

    def dispatch(self, request, *args, **kwargs):
        if request.is_secure():
            return super().dispatch(request, *args, **kwargs)
        return Response({'error': 'HTTPS required'}, status=400)
Conclusion
HIPAA compliance requires encryption, audit trails, access controls, and secure transmission. Django provides the foundation—proper implementation ensures patient data protection and regulatory compliance.
Building healthcare applications? Contact ZIRA Software for HIPAA-compliant development.