Menu
I'm using Ruby on Rails 4.2 with mySql for my HIPAA Compliance application and I need to know the technical database requirements for this application.
do we really need to encrypt all the database values such as patient name etc?
305
HIPAA compliant database hosting services allow healthcare providers to create an efficient, digital data environment that helps them meet their precision medicine and population health goals, while ensuring all patient data is kept totally secure.
Does HIPAA require encryption? Yes, HIPAA requires encryption of protected health information (PHI) and electronic PHI (ePHI) of patients when the data is at rest, meaning the data is stored on a disk, USB drive, etc.
Any ePHI (electronic Protected Health Information) must be encrypted before being transmitted. HIPAA-compliant software keeps sensitive health data encrypted during transmissions and the first step is to make it secure with SSL and HTTPS protocols.
MySQL Enterprise Encryption provides encryption, key generation, digital signatures and other cryptographic features to help organizations protect confidential data and comply with regulatory requirements including HIPAA, Sarbanes-Oxley, and the PCI Data Security Standard.
The HIPAA requirements not nearly strong enough. In short it states that you must encrypt medical records at rest and you cannot use a broken primitive, which is obvious. Whoever audits your system probably like to see AES. This is trivial to support, and an Amazon RDS MySQL instance already supports this out of the box with the aes_encrypt() and aes_decrypt() functions.
Where HIPAA and PCI-DSS fall short is that they don't state what mode of operation should be used. In fact MySQL's aes_encrypt() uses ECB mode, which is horrific. Further more, there are problems with enforcing security when using encryption at this layer. aes_encrypt() is easy to break by configuring mysql to log all queries. The AES key must be embedded in your application so if it is compromised, the attacker could read the value out of a configuration file and access the records. This is two points of failure that can be avoided by encrypting the data within your application and then transmitting cipher text to the database. But HIPAA doesn't care about this problem. HIPAA's other requirements, such as requiring a CISSP to analyze your application is more important.
I urge you to implement a secure system, but HIPAA wasn't designed well enough to care.
155
Yes You have to encrypt all the details(name, email, phone, address) related to patient and doctors if you want your Rails application to be HIPAA Compliance.
Here below 2 Ruby gems are very helpful for you.
attr_encrypted: https://github.com/shuber/attr_encrypted
paper_trail: https://github.com/airblade/paper_trail
HIPAA is an unusual law in that it makes a lot of recommendations (addressable items) and a few assertions (required items), but in the end it is up to each organization to determine for themselves what they need to do to be compliant.This creates a great deal of flexibility and also a great deal of uncertainty. In general, to be HIPAA-compliant, a web site must at a minimum ensure that all protected health information (ePHI) below:
Transport Encryption: Is always encrypted as it is transmitted over the Internet
Backup: Is never lost, i.e. should be backed up and can be recovered
Authorization: Is only accessible by authorized personnel using unique, audited access controls
Integrity: Is not tampered with or altered
Storage Encryption: Should be encrypted when it is being stored or archived
Disposal: Can be permanently disposed of when no longer needed
Omnibus/HITECH: Is located on the web servers of a company with whom you have a HIPAA Business Associate Agreement (or it is hosted in house and those servers are properly secured per the HIPAA security rule requirements).
40
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
