HIPAA Compliant Architecture

  • Question

  • User-698041618 posted

    Hi,

    I am developing a Medical Billing Software and it should be HIPAA compliant. My current architecture uses a separate database for each tenant, but I need to change it to a multi-tenant architecture. So is there any problem for HIPAA with a multi-tenant architecture? Is it possible to get any document/proof related to this topic?

    Any help will be highly appreciated,

    Thank You.

    Monday, April 21, 2014 6:35 AM

All replies

  • User-718146471 posted

    According to Asigra, the answer to your question is that multi-tenancy is indeed HIPAA compliant.  Here is the link to the article. http://www.asigra.com/blog/what-multi-tenancy-how-secure-it

    Asigra (n.d.). What is multi-tenancy? How secure is it? Retrieved from http://www.asigra.com/blog/what-multi-tenancy-how-secure-it.  

    Monday, April 21, 2014 10:27 AM
  • User465171450 posted

    Also, don't forget that when you deploy the software you need a HIPAA compliant host. I've seen a lot of application developers miss that fact.

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Monday, April 21, 2014 11:32 AM
  • User-718146471 posted

    Duly noted, Mark. If security is a concern, don't cheap out on your hosting package.  Make sure it is one that guarantees 99.999% uptime because HIPAA requires no more than 5 minutes of unscheduled downtime per year.  Also, this will be critical because many of these tenants will want Service Level Agreements in place that offer a guarantee of reliable service.

    Monday, April 21, 2014 11:37 AM
  • User-488622176 posted

    HIPAA requires you to separate the data per client/tenant. This means a shared database itself is not acceptable. Separating the databases is a good way to start. A next thing to do is to assure the security per database & tenant is sufficient to reduce/minimize the risk that a user having access to one database can access data in another database. From your application you'll need to be sure (proof: in the design) there is no mixture of sessions possible between instances. From a management perspective: you need to be sure separate security is used per database, and generic accounts are reduced to the maximum. Meaning: if one SQL Server account is used for all connections with all databases, you're in trouble.

    Also, require your hosting provider to be HIPAA compliant.  

    Best way to be sure : pay for an audit. The remarks I gave you are from an audit point of view ;-)

    Wednesday, April 23, 2014 3:00 AM
  • User-718146471 posted

    Shared database server, yes; a shared database, however, would not be the best idea, and the reason, aside from security, goes further into a manageability point of view.  Say we start with ten tables per customer; how sustainable would this model be if we were to add another 100-200 customers?  Can you imagine how massive the one database would be?  So therefore create one database per customer and secure the data using the encryption model mentioned in my first response to you.  Having a private key pair (at least 128 bit encryption) ensures that no one other than a user approved by the client accesses the data.  This way you cover your bases so during an audit, as Illeris mentions, you can prove there is no way you would have access to the consumer's data.  Also, another important thing to do is get yourself a certified ethical hacker to perform penetration testing to ensure your system is a less desirable target for attack.

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Wednesday, April 23, 2014 6:48 AM
  • User-718146471 posted

    And the multi-tenancy I was referring to was same database server, not a shared DB for the record.  That is one of the ways that place keeps the consumer secure and maintains HIPAA compliance.

    Wednesday, April 23, 2014 6:49 AM
  • User-488622176 posted

    MS Dynamics NAV uses the same database for multiple companies. Not exactly the best multi-tenancy example you can find on the market :-). 

    The HIPAA (and others such as SOX, ...) test on data isolation. In practice this means they check if every customer has its own data, separated from the others. Then they check if the security model applied over all data sources assures isolation. This can be done by using database-specific accounts (at database level, but also from connection strings in your application), and by checking how & if encryption is applied.

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Wednesday, April 23, 2014 8:24 AM
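As an added example (not code from the thread or from any of the posters), the following T-SQL shows what User-488622176's two posts above (April 23, 3:00 AM and 8:24 AM) describe: one database per tenant, one login per tenant database, no shared application account, plus the checks an auditor would run to confirm the isolation. The database names Tenant_A and Tenant_B, the logins tenant_a_app and tenant_b_app, the table dbo.Claim and the sample rows are all invented for the illustration; the target is Microsoft SQL Server and the script is meant to be run by a sysadmin.

```sql
-- Added example: per-tenant database and per-tenant login on SQL Server.
-- Tenant_A, Tenant_B, tenant_a_app, tenant_b_app and dbo.Claim are invented
-- names for the illustration; replace the placeholder passwords.

-- 1. One database and one login per tenant. CHECK_POLICY applies the host's
--    password policy to the SQL login.
CREATE DATABASE Tenant_A;
CREATE DATABASE Tenant_B;
CREATE LOGIN tenant_a_app WITH PASSWORD = N'<long random secret A>', CHECK_POLICY = ON;
CREATE LOGIN tenant_b_app WITH PASSWORD = N'<long random secret B>', CHECK_POLICY = ON;
GO

-- 2. Map each login to a user in ITS OWN database only, with read/write on
--    data but no DDL rights and no user in any other tenant's database.
--    guest has no CONNECT in a new user database; the REVOKE is a guard
--    against it having been enabled later, which would admit every login.
USE Tenant_A;
CREATE USER tenant_a_app FOR LOGIN tenant_a_app;
ALTER ROLE db_datareader ADD MEMBER tenant_a_app;
ALTER ROLE db_datawriter ADD MEMBER tenant_a_app;
REVOKE CONNECT FROM guest;
CREATE TABLE dbo.Claim (ClaimId INT PRIMARY KEY, PatientName NVARCHAR(100));
INSERT INTO dbo.Claim VALUES (1, N'Sample patient A');   -- constructed row
GO

USE Tenant_B;
CREATE USER tenant_b_app FOR LOGIN tenant_b_app;
ALTER ROLE db_datareader ADD MEMBER tenant_b_app;
ALTER ROLE db_datawriter ADD MEMBER tenant_b_app;
REVOKE CONNECT FROM guest;
CREATE TABLE dbo.Claim (ClaimId INT PRIMARY KEY, PatientName NVARCHAR(100));
INSERT INTO dbo.Claim VALUES (1, N'Sample patient B');   -- constructed row
GO

-- 3. Audit check, run in each tenant database: which server logins have a
--    user mapped here? Expect exactly that tenant's login and no shared one.
USE Tenant_A;
SELECT sp.name AS login_name, dp.name AS db_user, DB_NAME() AS database_name
FROM sys.database_principals AS dp
JOIN sys.server_principals  AS sp ON sp.sid = dp.sid
WHERE dp.type IN ('S', 'U')                       -- SQL and Windows users
  AND dp.name NOT IN ('dbo', 'guest', 'INFORMATION_SCHEMA', 'sys');
GO

-- 4. Audit check: is guest able to connect? A row with state_desc = 'GRANT'
--    means any login on the instance can reach this database.
SELECT state_desc
FROM sys.database_permissions
WHERE grantee_principal_id = USER_ID('guest') AND permission_name = 'CONNECT';
GO

-- 5. Negative test: impersonate tenant A's login and try to read tenant B.
--    Expected: error 916 (server principal is not able to access the
--    database under the current security context), i.e. isolation holds.
--    If your client aborts the batch on the error, run REVERT separately.
EXECUTE AS LOGIN = 'tenant_a_app';
SELECT ClaimId, PatientName FROM Tenant_B.dbo.Claim;
REVERT;
GO

-- 6. Positive test: the same login reads its own tenant's data.
EXECUTE AS LOGIN = 'tenant_a_app';
SELECT ClaimId, PatientName FROM Tenant_A.dbo.Claim;
REVERT;
GO
```

Steps 3 to 5 are what an auditor can verify at the database level independently of the application code: if a single login shows up in more than one tenant database, or step 5 returns rows instead of error 916, the isolation claim is not true regardless of what the application does. The application side then has to match it: one connection string per tenant, selected from the authenticated tenant of the session rather than from anything the client sends.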