
I have an instance in Amazon EC2 and need to be HIPAA compliant. I have two questions:

  1. Do I need to do block-level encryption of the database storage?
  2. Do I need to encrypt sensitive data before storing it in the database?
Rory Alsop
user49158

1 Answer

The paper mentioned is more of a marketing message than anything substantial.

While I am not an expert on HIPAA, it is pretty similar to the UK requirements on sensitive (patient) data. Ideally, you will always try to encrypt data "at rest", e.g. when on a permanent storage device. However, this is not always easy, and to do it well requires very careful execution. No point, for example, in encrypting your drives if the key is in vulnerable memory.

In the UK, government data is classified according to sensitivity levels and then risk assessed against a standard set of Business Impact Levels (IL for short). Patient data for example would be classified as OFFICIAL-SENSITIVE and IL3 is advised. IL3 would recommend encryption at rest but this is not mandated if the data centre and any staff with access are appropriately certified and security cleared.

In your case, the use of AWS means that you have to rely on Amazon to maintain their claims about the data centres. For the UK market, Microsoft have certified their Azure platform (in the EU) to IL2, making it suitable for OFFICIAL classifications (most government documents). To obtain a higher level of classification on a shared platform would be prohibitively expensive. However, there are higher-level certified systems, though they are effectively private clouds.

So to answer your direct questions (sorry about the extended background):

  1. Ideally you should: it gives you a higher level of assurance and reduces risk (when done correctly).
  2. If you can, then key assets are best encrypted. Again, assuming you do it right. It may not be possible, though, depending on how you need to use the data. Probably not sensible to do both on the same data, though.

Putting sensitive data onto an open cloud platform is fraught with issues and risks. You need to do a good risk analysis on each part of your service, document the risk and the impact if the risk is realised. Then weigh that against the costs of additional security. If this is patient data, you should also consider the impact on the patients; this won't (shouldn't) just be a simple matter of corporate economics.

There is no absolute right or wrong answer here.

Julian Knight
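As an added example (not from the question or the answer above), here is what the second option, encrypting sensitive fields in the application before they reach the database, looks like in practice, and why "how you need to use the data" matters. Each column value is sealed with AES-256-GCM, with the row ID and column name as associated data so a ciphertext copied into another row or column will not decrypt, and a separate keyed blind index is stored so the application can still do exact-match lookups on the encrypted column. The keys, the `patient-42` row and the SSN value are constructed placeholders for this example; in a real deployment the data key would come from a KMS or HSM at start-up, which is exactly the "key in vulnerable memory" point the answer raises, since the process holding it must itself be protected.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Placeholder keys, constructed for this example only (32 bytes each selects AES-256).
// In production the data key is fetched from a KMS/HSM and never stored beside the data.
var (
	exampleDataKey  = []byte("0123456789abcdef0123456789abcdef")
	exampleIndexKey = []byte("fedcba9876543210fedcba9876543210")
)

// FieldCipher encrypts individual sensitive columns (SSN, diagnosis, ...) with
// AES-GCM and provides a keyed blind index for exact-match lookups.
type FieldCipher struct {
	aead     cipher.AEAD
	indexKey []byte
}

func NewFieldCipher(dataKey, indexKey []byte) (*FieldCipher, error) {
	block, err := aes.NewCipher(dataKey)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &FieldCipher{aead: aead, indexKey: indexKey}, nil
}

// Seal returns nonce||ciphertext||tag. Row ID and column name are bound as
// associated data, so the value only decrypts in the row and column it was written for.
func (f *FieldCipher) Seal(rowID, column string, plaintext []byte) ([]byte, error) {
	nonce := make([]byte, f.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	aad := []byte(rowID + "|" + column)
	return f.aead.Seal(nonce, nonce, plaintext, aad), nil
}

// Open reverses Seal and fails on any modification of nonce, ciphertext or tag.
func (f *FieldCipher) Open(rowID, column string, stored []byte) ([]byte, error) {
	ns := f.aead.NonceSize()
	if len(stored) < ns+f.aead.Overhead() {
		return nil, errors.New("stored value too short to be a valid ciphertext")
	}
	aad := []byte(rowID + "|" + column)
	return f.aead.Open(nil, stored[:ns], stored[ns:], aad)
}

// BlindIndex is HMAC-SHA256 of the plaintext under a separate key, stored in its
// own column so the application can run "WHERE ssn_idx = ?" without decrypting
// every row. It is deterministic, so equal values are linkable, and low-entropy
// values (SSNs, dates of birth) can be enumerated by anyone holding the index key.
func (f *FieldCipher) BlindIndex(value string) string {
	m := hmac.New(sha256.New, f.indexKey)
	m.Write([]byte(value))
	return hex.EncodeToString(m.Sum(nil))
}

// PatientRow is what actually reaches the database: no plaintext SSN.
type PatientRow struct {
	ID     string
	SSNEnc []byte
	SSNIdx string
}

func main() {
	fc, err := NewFieldCipher(exampleDataKey, exampleIndexKey)
	if err != nil {
		panic(err)
	}
	enc, err := fc.Seal("patient-42", "ssn", []byte("123-45-6789")) // constructed sample value
	if err != nil {
		panic(err)
	}
	row := PatientRow{ID: "patient-42", SSNEnc: enc, SSNIdx: fc.BlindIndex("123-45-6789")}
	fmt.Printf("stored: id=%s ssn_enc=%x ssn_idx=%s...\n", row.ID, row.SSNEnc, row.SSNIdx[:16])

	pt, err := fc.Open(row.ID, "ssn", row.SSNEnc)
	fmt.Printf("decrypted in own row: %s (err=%v)\n", pt, err)

	_, err = fc.Open("patient-43", "ssn", row.SSNEnc) // ciphertext moved to another row
	fmt.Printf("decrypted in another row: err=%v\n", err)
}
```

The trade-off the answer hints at is visible here: the encrypted column supports nothing but exact-match lookups via the blind index, so range queries, sorting, LIKE searches or joins on that field have to move into the application. That is usually fine for identifiers such as an SSN and unworkable for fields the database must compute over, which is why field-level encryption is chosen per column after a risk analysis rather than applied to everything.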