HIPAA compliant

  • Question

  • User2041742203 posted

    In this thread:

    http://forums.asp.net/t/1982675.aspx?HIPAA+Compliant+Architecture

    It was mentioned that data isolation is a requirement.  I have not seen a CFR or NIST document that states that multi-tenancy cannot be accomplished at the application layer, i.e., all patient data in the same SQL tables in one SQL database.

    If someone from the thread above who says that it should be can point to the guidance on that, it would be great.  To me it's silent.

    Tuesday, June 17, 2014 3:11 PM

Answers

  • User-718146471 posted

    I am aware of the fact that the article did not reference NIST or CFR.  I was only trying to give you an overview of what multi-tenancy looked like.  According to Zeb (security.stackexchange.com, 2014), HIPAA does not explicitly prohibit a shared infrastructure as such.  He asserts that the key issue is that your logical security has to be in tip-top shape to ensure one client cannot access another's data.

    Reference

    Zeb (2014, April 3). Multi Tenant Database - HIPAA - Information Security Stack Exchange. Retrieved June 18, 2014, from http://security.stackexchange.com/questions/54693/multi-tenant-database-hipaa

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Wednesday, June 18, 2014 12:15 PM
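    The answer above puts the weight on logical security when tenants share infrastructure. The following is an added example (not code from the thread or from any of the posters) of what that looks like at the application layer for the scenario in the original question: all patients of all clients in one table, isolated purely by a tenant column. It uses SQLite in place of SQL Server, a constructed `patient` table with two hypothetical tenants (`clinic-a`, `clinic-b`), and a repository class that refuses to run any SQL lacking a tenant predicate and never lets the caller supply the tenant id. The `unscoped_lookup` function shows the weak pattern (a query keyed on MRN alone leaks across tenants), and `isolation_check` is the kind of test an auditor would want to see run against the data layer.

```python
"""Application-layer tenant isolation for a shared patient table (added example)."""
import sqlite3
from typing import Optional

# Constructed schema: every PHI row carries the tenant it belongs to.
SCHEMA = """
CREATE TABLE patient (
    id        INTEGER PRIMARY KEY,
    tenant_id TEXT NOT NULL,
    name      TEXT NOT NULL,
    mrn       TEXT NOT NULL,
    UNIQUE (tenant_id, mrn)
);
CREATE INDEX patient_by_tenant ON patient (tenant_id);
"""

# Constructed sample data: two hypothetical tenants sharing one table.
# Note that MRNs are only unique per tenant, which is exactly why an
# MRN-only lookup is unsafe on a shared table.
SAMPLE_ROWS = [
    ("clinic-a", "Alice Example", "MRN-1001"),
    ("clinic-a", "Bob Example",   "MRN-1002"),
    ("clinic-b", "Carol Example", "MRN-1001"),
]


def make_db() -> sqlite3.Connection:
    """Build the in-memory shared-table database with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.executescript(SCHEMA)
    conn.executemany(
        "INSERT INTO patient (tenant_id, name, mrn) VALUES (?, ?, ?)", SAMPLE_ROWS
    )
    conn.commit()
    return conn


class TenantScopeError(RuntimeError):
    """Raised when a query is issued without a tenant predicate."""


class TenantScopedRepo:
    """Every query goes through _run(), which refuses SQL lacking the tenant
    filter and binds the tenant from the authenticated context, never from
    request parameters."""

    TENANT_PREDICATE = "tenant_id = :tenant"

    def __init__(self, conn: sqlite3.Connection, tenant_id: str):
        self._conn = conn
        self._tenant = tenant_id  # taken from the verified session, not the request

    def _run(self, sql: str, **params) -> list:
        if self.TENANT_PREDICATE not in sql:
            raise TenantScopeError(f"query lacks tenant filter: {sql.strip()}")
        if "tenant" in params:
            raise TenantScopeError("caller may not supply tenant_id")
        return self._conn.execute(sql, {**params, "tenant": self._tenant}).fetchall()

    def get(self, patient_id: int) -> Optional[sqlite3.Row]:
        """Primary-key lookup still carries the tenant predicate, so guessing
        another tenant's row id returns nothing rather than their record."""
        rows = self._run(
            "SELECT id, tenant_id, name, mrn FROM patient "
            "WHERE id = :id AND tenant_id = :tenant", id=patient_id)
        return rows[0] if rows else None

    def find_by_mrn(self, mrn: str) -> Optional[sqlite3.Row]:
        rows = self._run(
            "SELECT id, tenant_id, name, mrn FROM patient "
            "WHERE mrn = :mrn AND tenant_id = :tenant", mrn=mrn)
        return rows[0] if rows else None

    def all_patients(self) -> list:
        return self._run(
            "SELECT id, tenant_id, name, mrn FROM patient "
            "WHERE tenant_id = :tenant ORDER BY id")


def unscoped_lookup(conn: sqlite3.Connection, mrn: str) -> list:
    """The weak pattern: a query keyed only on MRN. On a shared table it returns
    rows from every tenant that happens to use that MRN."""
    return conn.execute("SELECT tenant_id FROM patient WHERE mrn = ?", (mrn,)).fetchall()


def rejects_unscoped_sql(repo: TenantScopedRepo) -> bool:
    """True if the repository refuses a query with no tenant predicate."""
    try:
        repo._run("SELECT id FROM patient")
    except TenantScopeError:
        return True
    return False


def isolation_check(conn: sqlite3.Connection) -> bool:
    """Verification: for each tenant, the scoped repo returns only its own rows
    and none of the other tenants' primary keys resolve through it."""
    tenants = [r[0] for r in conn.execute("SELECT DISTINCT tenant_id FROM patient")]
    for t in tenants:
        repo = TenantScopedRepo(conn, t)
        if any(r["tenant_id"] != t for r in repo.all_patients()):
            return False
        foreign_ids = [r[0] for r in conn.execute(
            "SELECT id FROM patient WHERE tenant_id != ?", (t,))]
        if any(repo.get(i) is not None for i in foreign_ids):
            return False
    return True
```

    The design choice worth noting is that the tenant predicate is enforced structurally (the repository refuses to execute SQL without it) rather than relying on every developer remembering to add it, and that the tenant id is bound from the authenticated context rather than accepted as input. On SQL Server the same idea can be reinforced below the application with row-level security, but that is outside what this thread discusses.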
  • User-718146471 posted

    In my experience, any time you are going to assert your application is HIPAA compliant, you must be certain it can stand up to a Sarbanes-Oxley audit and penetration testing.  For the penetration testing, I would recommend hiring a certified ethical hacker who has the SANS Institute certificate to test your application.

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Wednesday, June 18, 2014 12:20 PM

All replies

  • User-718146471 posted

    I can speak to it, as I was the security officer for a medical record retrieval service a couple of years back.  In the case of HIPAA compliance, you can have one database server; however, each client should have their own database.  I reference my own answer to your question:

    Shared database server, yes; shared database, however, would not be the best idea, and the reason, aside from security, goes further into a manageability point of view.  Say we start with ten tables per customer; how sustainable would this model be if we were to add another 100-200 customers?  Can you imagine how massive the one database would be?  So create one database per customer and secure the data using the encryption model mentioned in my first response to you.  Having a private key pair (at least 128-bit encryption) ensures that no one other than a user approved by the client accesses the data.  This way you cover your bases, so during an audit, as Illeris mentions, you can prove there is no way you would have access to the consumer's data.  Also, another important thing to do is get yourself a certified ethical hacker to perform penetration testing to ensure your system is a less desirable target for attack.

    Tuesday, June 17, 2014 3:34 PM
  • User-718146471 posted

    This link actually gives a really solid explanation of how MT works and the different options available to you.

    http://msdn.microsoft.com/en-us/library/aa479086.aspx

    Tuesday, June 17, 2014 3:37 PM
  • User2041742203 posted

    I find no reference to any part of the CFR or NIST guidance that says that the data cannot be isolated at the application layer.

    I am going to read the MSDN article, but I skimmed it and did not see it cite any references to CFR or NIST resources either.

    Wednesday, June 18, 2014 9:10 AM