If the database has a built in encryption possible such as Azure SQL Server's, Transparent Data Encryption (TDE) would this be enough for getting the HIPAA compliance ? Or even before storing any data that could be PHI like dates, names has to be encrypted and then written to database ?
Asked
Active
Viewed 594 times
2 Answers
0
For HIPAA, there are two types of encryption you want to consider:
Transport Encryption - This is where communications that contain sensitive data is encrypted so the raw data cannot be intercepted. A popular example of this is SSL and HTTPS.
At-Rest Encryption - This is where your sensitive information is encrypted on a storage device. Your example with encrypted databases counts as this.
Your Transparent Data Encryption should suffice for at-rest data, but it does nothing to encrypt your communications - make sure you have something in place for that too. Merely sending the data encrypted over unencrypted communications (such as HTTP or FTP) isn't enough, as the structure of these communications can still be read, the encrypted data can still be pulled out, and if the attacker extracts a competed set of data, they can begin cracking it with their own local resources. Encrypted transport sending encrypted data will make this task much harder.
520
- 723
- 3
- 5
0
If the database has a built in encryption possible such as Azure SQL Server's, Transparent Data Encryption (TDE) would this be enough for getting the HIPAA compliance ?
It depends upon couple of factors, lets say you are storing files, in that case TDE does not protect filestream data, so encryption before storing is a wise decision.
Reference to above statement of mine is absorbed from the Microsoft's documentation page you linked in question. exactly this part of the html page
Some other factors you may want to consider in favour of encrypting the data before storing are:
replication doesn't automatically replicate data from a TDE-enabled database in an encrypted form and snapshot replication can store data in unencrypted intermediate files like BCP file, initial data distribution for transactional and merge replication can too. During such replication, you can enable encryption to protect the communication channel.
TDE surely is protecting data at rest, but my interpretation of document is that TDE is focused to protect data when a malicious party who steals physical media like drives or backup tapes can restore or attach the database and browse its data . There are other ways the data can be stolen, SQL Server Encryption fills the gap.
Also documentation from Azure which is focused guide of HIPPA implementation mentions on page 5, states that Customers can enable SQL Server Encryption, including ('including' not 'OR')Transparent Data Encryption with Azure SQL Database,or externally encrypt the data prior to uploading to Azure SQL Database for database security since Microsoft Azure does not automatically encrypt customer data at rest.
Arpit Rohela
- 573
- 2
- 12