 

What are the database requirements for HIPAA compliance?

I'm using Ruby on Rails 4.2 with mySql for my HIPAA Compliance application and I need to know the technical database requirements for this application.

do we really need to encrypt all the database values such as patient name etc?

Nitesh asked Apr 19 '16 08:04 (305 likes)



2 Answers

The HIPAA requirements are not nearly strong enough. In short, it states that you must encrypt medical records at rest and you cannot use a broken primitive, which is obvious. Whoever audits your system would probably like to see AES. This is trivial to support, and an Amazon RDS MySQL instance already supports this out of the box with the aes_encrypt() and aes_decrypt() functions.

Where HIPAA and PCI-DSS fall short is that they don't state what mode of operation should be used. In fact MySQL's aes_encrypt() uses ECB mode, which is horrific. Furthermore, there are problems with enforcing security when using encryption at this layer. aes_encrypt() is easy to break by configuring mysql to log all queries. The AES key must be embedded in your application, so if it is compromised, the attacker could read the value out of a configuration file and access the records. These are two points of failure that can be avoided by encrypting the data within your application and then transmitting cipher text to the database. But HIPAA doesn't care about this problem. HIPAA's other requirements, such as requiring a CISSP to analyze your application, are more important.

I urge you to implement a secure system, but HIPAA wasn't designed well enough to care.

Bharat soni answered Oct 23 '22 12:10 (155 likes)
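The application-layer approach the answer above argues for, as an added example (not code from the original post): fields are encrypted in Ruby with AES-256-GCM before the ciphertext is handed to MySQL, so query logs never see plaintext and any tampering with the stored blob is detected. The `key` is assumed to come from application credentials or a KMS, and the `ecb_repeats?` helper only illustrates the block-pattern leak of ECB mode that the answer mentions.

```ruby
require "openssl"
require "base64"

# Added example: encrypt a record field in the app, store only the blob.
# Key management (Rails credentials, KMS, ...) is assumed to live elsewhere.
module FieldCrypto
  CIPHER = "aes-256-gcm"

  # Returns base64(iv || auth_tag || ciphertext); a fresh IV per call means
  # two encryptions of the same name do not produce the same stored value.
  def self.encrypt(plaintext, key)
    cipher = OpenSSL::Cipher.new(CIPHER).encrypt
    cipher.key = key
    iv = cipher.random_iv          # 12-byte nonce generated per record
    cipher.auth_data = ""
    ct = cipher.update(plaintext) + cipher.final
    Base64.strict_encode64(iv + cipher.auth_tag + ct)
  end

  # Raises OpenSSL::Cipher::CipherError if the blob was altered in the DB.
  def self.decrypt(blob, key)
    raw = Base64.strict_decode64(blob)
    iv, tag, ct = raw[0, 12], raw[12, 16], raw[28..]
    cipher = OpenSSL::Cipher.new(CIPHER).decrypt
    cipher.key = key
    cipher.iv = iv
    cipher.auth_tag = tag
    cipher.auth_data = ""
    cipher.update(ct) + cipher.final
  end
end

# Flip one bit of a stored blob and report whether decryption rejects it.
def tamper_detected?(blob, key)
  raw = Base64.strict_decode64(blob)
  raw.setbyte(-1, raw.getbyte(-1) ^ 1)
  FieldCrypto.decrypt(Base64.strict_encode64(raw), key)
  false
rescue OpenSSL::Cipher::CipherError
  true
end

# Why ECB (the mode behind MySQL's aes_encrypt) leaks structure: identical
# 16-byte plaintext blocks encrypt to identical ciphertext blocks.
def ecb_repeats?(plaintext, key)
  c = OpenSSL::Cipher.new("aes-256-ecb").encrypt
  c.key = key
  c.padding = 0                     # caller supplies a block-aligned input
  blocks = (c.update(plaintext) + c.final).bytes.each_slice(16).to_a
  blocks.uniq.size < blocks.size
end
```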


Yes, you have to encrypt all the details (name, email, phone, address) related to patients and doctors if you want your Rails application to be HIPAA compliant.

The two Ruby gems below are very helpful for you.

attr_encrypted: https://github.com/shuber/attr_encrypted

paper_trail: https://github.com/airblade/paper_trail

HIPAA is an unusual law in that it makes a lot of recommendations (addressable items) and a few assertions (required items), but in the end it is up to each organization to determine for themselves what they need to do to be compliant. This creates a great deal of flexibility and also a great deal of uncertainty. In general, to be HIPAA-compliant, a web site must at a minimum ensure that all protected health information (ePHI) meets the points below:

Transport Encryption: Is always encrypted as it is transmitted over the Internet

Backup: Is never lost, i.e. should be backed up and can be recovered

Authorization: Is only accessible by authorized personnel using unique, audited access controls

Integrity: Is not tampered with or altered

Storage Encryption: Should be encrypted when it is being stored or archived

Disposal: Can be permanently disposed of when no longer needed

Omnibus/HITECH: Is located on the web servers of a company with whom you have a HIPAA Business Associate Agreement (or it is hosted in house and those servers are properly secured per the HIPAA security rule requirements).

Anil Kumar answered Oct 23 '22 10:10 (40 likes)