3

I'm looking for ways to make the Mongo storage used by Spark.Net HIPAA compliant. Does using MongoDB SSL Transport to encrypt data on wire and using Gazzang for data at rest good enough? Are there other options for data at rest while still allowing for indexing certain properties in JSON?

John Saunders
  • 157,405
  • 24
  • 229
  • 388
frosty
  • 1,341
  • 4
  • 16
  • 36

1 Answers1

3

Given HIPAA compliance has a number of privacy and security requirements, I would assume you are also getting some professional advice on how to comply. There are physical and technical requirements that extend beyond the database software, but encryption of data in motion and at rest will tick some of the boxes.

I will add the disclaimer that "I am not a lawyer or a HIPAA expert", so you'll have to research/confirm the specific compliance details for your use case.

Encryption of data in motion

Encryption of data at rest

MongoDB (as at 2.6) does not have built-in support for encryption of data at rest, however there are a number of third party partner solutions which currently include:

The above solutions can be used to transparently encrypt the data directories used by MongoDB, so you still have full access to query and indexing functionality.

It's likely that some of the data you store may have more stringent requirements (eg. around privacy or redaction of specific fields) so there may be some additional application logic to implement.

Related information

  • The MongoDB Security Architecture white paper goes into more detail on security & auditing options.
  • The Security section of the MongoDB manual includes some specifics on best practices and configuration.
Stennie
  • 57,971
  • 14
  • 135
  • 165
  • I should note that [Gazzang zNcrypt](http://gazzang.com/products/zncrypt/mongodb) may also be a possible solution for encryption at rest, but after acquisition by Cloudera earlier this year I gather they are focusing more on Hadoop solutions. – Stennie Aug 13 '14 at 14:36
  • I also have a requirement to prevent administrators from seeing user data. How can I use one of the above transparently encrypted product while meeting the above requirement? Bitlocker is poor in performance and ruling it out. – frosty Aug 14 '14 at 15:25
  • Are you referring to administrators via your application, or those with access to the server? You could add some extra field-level security to encrypt/obfuscate extremely sensitive data, but would have to handle this in your application code. MongoDB also supports [field-level redaction](http://docs.mongodb.org/manual/tutorial/implement-field-level-redaction/) in aggregation pipelines. By "transparent encryption" I mean that the MongoDB and your application do not have to be modified. The encryption at rest solution can either be at a per-process level on the server or per-volume. – Stennie Aug 14 '14 at 19:36
  • You'll have to look into specific encryption solutions to see how they handle key management and auditing for administrators. I would expect all of them to have information addressing HIPAA / HITECH compliance. As far as performance goes, most products also support hardware acceleration for encryption. You could also limit your data to an encrypted partition/volume to minimise the impact of full disk encryption. As mentioned, I don't know the full extent of compliance requirements .. but hopefully this addresses the original question. – Stennie Aug 14 '14 at 19:52
  • There's also a relevant post on the MongoDB blog (Jan 2015): [Making HIPAA Compliant Applications with MongoDB](http://www.mongodb.com/blog/post/making-hipaa-compliant-applications-mongodb). – Stennie Feb 26 '15 at 01:33
  • Looks like MongoDB v3.2 will have a native encryption option (for the WiredTiger storage only) and support for integration with 3rd party key management. https://docs.mongodb.org/v3.0/release-notes/3.2-configure-encryption/ – Gene Nov 20 '15 at 17:36