What are the database requirements for HIPAA compliance?

I am using Ruby on Rails 4.2 with mySql for my HIPAA Compliance application, and I need to know the technical database requirements for this application.

Do we really need to encrypt all database values, such as patient name, etc.?

+5
2 answers

Yes, you need to encrypt all the data (name, email address, phone number, address) associated with the patient and doctors if you want your Rails application to comply with HIPAA requirements.

The two Ruby gems below will be very useful for you.

attr_encrypted: https://github.com/shuber/attr_encrypted

paper_trail: https://github.com/airblade/paper_trail

HIPAA is an unusual law in that it contains many recommendations (addressable elements) and several statements (required elements), but in the end each organization must determine what it needs to do in order to be. This creates more flexibility, as well as great uncertainty. In general, in order to be compliant with HIPAA, a website should at a minimum ensure that all protected health information (ePHI) meets the following:

Transport Encryption: Always encrypted as it is transmitted over the Internet

Backup: Never lost, i.e. must be copied and can be restored

Authorization: Available only to authorized personnel using unique, trusted access controls

Integrity: Not forged or modified

Storage Encryption: Must be encrypted when it is stored or archived

Disposal: Can be permanently removed when no longer required

Omnibus / HITECH: Hosted on the web servers of the company with which you have a HIPAA Associated Business Agreement (or it is hosted in the home and these servers are properly protected in accordance with the HIPAA security rule requirements).

+9

HIPAA requirements are not strong enough. It says only briefly that you must encrypt medical records, and that you cannot use a broken primitive, which is obvious. Anyone who audits your system will probably want to see AES. This is trivial to support, and an Amazon RDS MySQL instance already supports it out of the box with the `aes_encrypt()` and `aes_decrypt()` functions.

Where HIPAA and PCI-DSS are weak is that they do not indicate which mode of operation should be used. MySQL's `aes_encrypt()` actually uses ECB mode, which is terrible. In addition, there are security issues with using encryption at this level. `aes_encrypt()` is easy to break by configuring MySQL to log all queries. The AES key must be embedded in your application, so if it is compromised, an attacker can read the value from the configuration file and gain access to the records. These are two points of failure that can be avoided by encrypting the data in your application and then passing the ciphertext to the database. But HIPAA does not care about this problem. Other HIPAA requirements, such as the requirement for a CISSP to analyze your application, are more important.

I urge you to implement a secure system, but HIPAA was not designed well enough to take care of that.

+2
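The second answer's point, as an added Ruby example that is not from the answer or from the gems mentioned above: it makes the ECB block-pattern leak of a MySQL-style `AES_ENCRYPT()` measurable, and shows application-side AES-256-GCM with a per-value nonce and a row binding so the database only ever receives ciphertext. The sample PHI value, the key bytes and the `table.column:row_id` binding string are constructed for the example.

```ruby
require 'openssl'
require 'securerandom'   # callers use this to generate the keys below

# Constructed sample: a PHI field value spanning two identical 16-byte blocks,
# the way a padded or repeated value in a table column would.
SAMPLE_PHI = 'JANE DOE'.ljust(16) * 2

# Mirrors what MySQL AES_ENCRYPT() does by default: AES in ECB mode, no IV.
# Included only to make the pattern leak visible, never for storing PHI.
def ecb_encrypt(key16, plaintext)
  cipher = OpenSSL::Cipher.new('aes-128-ecb')
  cipher.encrypt
  cipher.key = key16
  cipher.update(plaintext) + cipher.final
end

# True when any two 16-byte ciphertext blocks are identical. With ECB, equal
# plaintext blocks always give equal ciphertext blocks, so equal names or
# diagnoses are visible to anyone who can read the column.
def repeated_blocks?(ciphertext)
  blocks = ciphertext.unpack('a16' * (ciphertext.bytesize / 16))
  blocks.uniq.size < blocks.size
end

# Application-side encryption of one field: AES-256-GCM with a fresh random
# nonce per value and an authentication tag. `aad` (e.g. "table.column:row_id")
# binds the ciphertext to its row, so a value cannot be silently moved into
# another record without failing the tag check.
def app_encrypt(key32, plaintext, aad)
  cipher = OpenSSL::Cipher.new('aes-256-gcm')
  cipher.encrypt
  cipher.key = key32
  nonce = cipher.random_iv            # 12 random bytes, stored with the value
  cipher.auth_data = aad
  ciphertext = cipher.update(plaintext) + cipher.final
  { nonce: nonce, ciphertext: ciphertext, tag: cipher.auth_tag }
end

# Returns the plaintext, or nil when the tag check fails because the
# ciphertext, nonce, tag or row binding was altered.
def app_decrypt(key32, blob, aad)
  cipher = OpenSSL::Cipher.new('aes-256-gcm')
  cipher.decrypt
  cipher.key = key32
  cipher.iv = blob[:nonce]
  cipher.auth_tag = blob[:tag]
  cipher.auth_data = aad
  cipher.update(blob[:ciphertext]) + cipher.final
rescue OpenSSL::Cipher::CipherError
  nil
end
```

The key for `app_encrypt` must live outside the database (a KMS, an environment variable or a secrets store), which is the single point of failure the answer says you cannot remove but can at least keep away from the query log.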

Source: https://habr.com/ru/post/1247407/

