I have an instance in Amazon EC2 and need to be Hipaa compliant. I have two doubts,

  1. Do I need to do block-level encryption of the database storage?
  2. Do I need to encrypt sensitive data before storing it in the database?
  3. What is the best database software for handling the encryption?

Any help will be highly appreciated.

Thank You.

  • 1
    In case you haven't seen it: [HIPAA Compliant Standards on an Amazon EC2](http://media.amazonwebservices.com/AWS_HIPAA_Whitepaper_Final.pdf) this is a possible start. – Richard Pascual Jun 11 '14 at 07:56
  • I'd also read the AWS BAA (business associate agreement), or BAA for any vendor you use, as that should clearly outline your obligation and the obligations of the vendor. – Travis Good Aug 25 '14 at 16:01

2 Answers

8

The problem with HIPAA is that it's relatively subjective and has been interpreted differently by individuals to suit their purposes - see here for a quick primer on HIPAA.

The general approach you should take is one of trying to maximize the security of your users' PHI (protected health information). Generally HIPAA recommends / requires that you encrypt PHI data at rest and in transit, covered under 164.312 of the HIPAA Omnibus Act.

So you are free to interpret that ruling for:

  • At-rest encryption: by encrypting the disk/block on which the data is stored, or encrypting the data before it is stored on disk. The latter will obviously be very expensive CPU-wise. Any encryption / decryption process will be more CPU intensive, so you should expect to take a performance hit anyway. We overcame this by using SSDs everywhere. The approach we also took was to encrypt the block rather than the database read/write ops. That is more than sufficient to address HIPAA's needs. If you encrypt the block, you don't need to use any DB-specific tools for encryption etc. That will definitely simplify your life.
  • In-transit encryption: Covered under 164.312(e)(1) of the Act. Generally this applies to any movement of PHI. So for any data moving to and from your app and to and from your db, you must at a very minimum encrypt the data (SSL/https). So ensure any data sent over the web goes over https. Transmissions between your app and db technically still fall into the "in-transit" requirement. However, you can easily make the argument that this is within your VPC and thus not required. We chose to encrypt this as well to simplify our audit process.

Hope all this helps.

I'm sure you know this already, but this only covers a small subset of things that HIPAA needs. There's a whole lot involved in terms of documentation, training etc. See here for documenting how you comply with HIPAA, here for how you have set up the actual policies within your organization and here regarding your HIPAA training as starting points you could use. Also check out Accountable HQ to perhaps help you get a quick head start.

Mohanb
0

AWS HIPAA center is a good start: HIPAA in AWS.

As mentioned on that page:

You can use any AWS service in your HIPAA-compliant applications. However, only the HIPAA-eligible services defined in our BAA can be used to process, store, and transmit personally-identifiable patient data.

Read the two AWS HIPAA FAQs: Part 1 and Part 2. You will also need to understand the shared responsibility model.

EC2 and EBS are HIPAA-eligible services. However, you need to turn on EBS encryption and run them on dedicated instances. The price tag for that is not small and may be overkill for a single instance/small system.

Regarding your questions:

  1. Do I need to do block-level encryption of the database storage?

If you run the database on EC2 + EBS, then yes; and this is just one click on AWS.

If you use RDS (a managed service) then this is handled for you by AWS. Note: only MySQL and Oracle are HIPAA-eligible RDS engines at the time of writing (Sept/2016). However, you can run MS SQL Server on your HIPAA-eligible EC2 & EBS.

  2. Do I need to encrypt sensitive data before storing it in the database?

Not really needed. I would say yes only if you need this as an extra security layer, but it doesn't improve your HIPAA-compliance status.

  3. What is the best database software for handling the encryption?

It depends on your specific architecture. If you use encrypted EBS or RDS, then the encryption is already handled for you.

I would suggest contacting AWS support and getting a BAA, then doing a TCO calculation for the entire solution before moving forward.

Liem Pham
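Both answers land on the same at-rest control: encrypt the block device (EBS) or let RDS encrypt its storage, rather than encrypting rows in application code. What neither answer shows is how to verify that control is actually in place across an account, which is what an auditor will ask for. The script below is an added example, not code from either answer or from AWS: it runs the check over the JSON shape that `aws ec2 describe-volumes` and `aws rds describe-db-instances` return. The field names (`Volumes[].Encrypted`, `KmsKeyId`, `Attachments[].InstanceId`, `DBInstances[].StorageEncrypted`, `Engine`) are the real API ones; the volume, instance and key identifiers in the embedded sample are constructed placeholders. In real use you would pipe the CLI or boto3 output into the same functions.

```python
"""Audit EC2/RDS API responses for at-rest encryption gaps (added example).

The two JSON documents below are CONSTRUCTED samples shaped like the output of
`aws ec2 describe-volumes` and `aws rds describe-db-instances`. Field names are
the real API ones; every identifier and key ARN is a made-up placeholder.
"""
import json

SAMPLE_VOLUMES = json.loads("""
{
  "Volumes": [
    {"VolumeId": "vol-0aaa11111111111111", "Encrypted": true,
     "KmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/EXAMPLE-KEY-ID",
     "Attachments": [{"InstanceId": "i-0db00000000000001", "Device": "/dev/sdf"}]},
    {"VolumeId": "vol-0bbb22222222222222", "Encrypted": false,
     "Attachments": [{"InstanceId": "i-0db00000000000001", "Device": "/dev/xvda"}]},
    {"VolumeId": "vol-0ccc33333333333333", "Encrypted": false,
     "Attachments": []}
  ]
}
""")

SAMPLE_DB_INSTANCES = json.loads("""
{
  "DBInstances": [
    {"DBInstanceIdentifier": "phi-mysql-prod", "Engine": "mysql",
     "StorageEncrypted": true},
    {"DBInstanceIdentifier": "phi-reporting", "Engine": "postgres",
     "StorageEncrypted": false}
  ]
}
""")


def unencrypted_volumes(describe_volumes):
    """Return one finding per EBS volume whose Encrypted flag is not true.

    Unattached volumes are reported too: a detached, unencrypted volume (or the
    snapshots taken from it) still holds whatever PHI was written to it.
    """
    findings = []
    for vol in describe_volumes.get("Volumes", []):
        if vol.get("Encrypted", False):
            continue
        attachments = vol.get("Attachments", [])
        instances = sorted(a["InstanceId"] for a in attachments) or ["(unattached)"]
        findings.append({
            "resource": vol["VolumeId"],
            "instances": instances,
            "issue": "EBS volume not encrypted",
        })
    return findings


def unencrypted_db_instances(describe_db_instances):
    """Return one finding per RDS instance whose storage is not encrypted."""
    findings = []
    for db in describe_db_instances.get("DBInstances", []):
        if db.get("StorageEncrypted", False):
            continue
        findings.append({
            "resource": db["DBInstanceIdentifier"],
            "engine": db.get("Engine"),
            "issue": "RDS storage not encrypted",
        })
    return findings


def at_rest_report(describe_volumes, describe_db_instances):
    """Combine both checks into a single pass/fail report with the evidence."""
    findings = unencrypted_volumes(describe_volumes)
    findings += unencrypted_db_instances(describe_db_instances)
    return {"compliant": not findings, "findings": findings}


if __name__ == "__main__":
    # Run against the constructed samples; with real data, load the CLI output
    # from a file instead of the embedded strings.
    report = at_rest_report(SAMPLE_VOLUMES, SAMPLE_DB_INSTANCES)
    print("compliant:", report["compliant"])
    for f in report["findings"]:
        print(f"  {f['issue']}: {f['resource']}", f.get("instances") or f.get("engine"))
```

The check is deliberately limited to what the two API responses can prove. It does not decide whether an engine is HIPAA-eligible (that list changes over time, as the second answer's "at the time of writing" hints) and it says nothing about in-transit encryption, which the first answer covers and which has to be verified at the TLS configuration of the app and database rather than from these calls.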