Azure Blob Storage - HIPAA Compliance Question

  • Question

  • I understand that Azure Blob storage is HIPAA compliant. However, I am looking for some additional guidance. Basically, we store PDFs and images in Blob storage that may contain PHI within them. Our blobs are private only, and the only way our users can access them is via short-lived, timed URIs (read-only shared access signatures) that are generated when they need to view the blob. We do NOT currently encrypt these files within Blob storage (we assumed they were secure enough being private only). Is this correct? Or do we need to also encrypt the files in Blob storage? Does Azure support encryption at rest? And is this necessary for HIPAA compliance, given the other security measures we have taken that are available to us from Azure Blob storage?

    If we do need to also encrypt these files within Blob storage, then what is the recommended strategy for encrypting/decrypting them? This seems to open up a can of worms regarding performance and scale. Should encryption/decryption be handled on the client or server side? Won't this add a bunch of overhead? I really hope this is not necessary.

    Your comments and advice are greatly appreciated in advance. Thanks!


    Ben

    Monday, November 25, 2013 7:16 PM
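    The access model described in the question (private blobs reachable only through short-lived, read-only signed URIs) rests on three checks the storage side must make on every request: the signature covers the path, permission and expiry; the expiry has not passed; and the requested operation is within the granted permission. The following Go program is an added illustration of that model and is not code from this thread or from the Azure SDK; the query parameter names, the `example.invalid` host, the key and the path are constructed for the demo, and the signing format is a simplified stand-in for the real shared access signature format, not a reproduction of it.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"net/url"
	"strconv"
	"strings"
	"time"
)

// stringToSign binds the blob path, the permission set and the expiry time
// into one message, so none of them can change without breaking the signature.
func stringToSign(blobPath, perm string, expiry int64) string {
	return strings.Join([]string{blobPath, perm, strconv.FormatInt(expiry, 10)}, "\n")
}

// sign returns the hex HMAC-SHA256 of msg under the account key.
func sign(key []byte, msg string) string {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(msg))
	return hex.EncodeToString(m.Sum(nil))
}

// IssueReadURL builds a URL that grants read-only ("r") access to blobPath
// until expiry. Only a service holding key can produce a valid sig.
func IssueReadURL(key []byte, base, blobPath string, expiry time.Time) string {
	exp := expiry.Unix()
	q := url.Values{}
	q.Set("sp", "r")                        // permission: read only (constructed parameter name)
	q.Set("se", strconv.FormatInt(exp, 10)) // expiry, Unix seconds
	q.Set("sig", sign(key, stringToSign(blobPath, "r", exp)))
	return base + blobPath + "?" + q.Encode()
}

// VerifyRequest is the check the storage side performs on every request:
// signature first (over the path as presented), then expiry, then permission.
func VerifyRequest(key []byte, rawURL, op string, now time.Time) error {
	u, err := url.Parse(rawURL)
	if err != nil {
		return err
	}
	q := u.Query()
	perm, sig := q.Get("sp"), q.Get("sig")
	exp, err := strconv.ParseInt(q.Get("se"), 10, 64)
	if err != nil {
		return errors.New("missing or malformed expiry")
	}
	want := sign(key, stringToSign(u.Path, perm, exp))
	if !hmac.Equal([]byte(want), []byte(sig)) { // constant-time comparison
		return errors.New("signature mismatch")
	}
	if !now.Before(time.Unix(exp, 0)) {
		return errors.New("token expired")
	}
	if !strings.Contains(perm, op) {
		return errors.New("operation not permitted by token")
	}
	return nil
}

func main() {
	key := []byte("constructed-account-key-for-demo") // demo only; a real key lives in configuration
	now := time.Now()
	u := IssueReadURL(key, "https://example.invalid", "/records/1234.pdf", now.Add(15*time.Minute))
	fmt.Println(u)
	fmt.Println("read now:   ", VerifyRequest(key, u, "r", now))
	fmt.Println("write now:  ", VerifyRequest(key, u, "w", now))
	fmt.Println("read later: ", VerifyRequest(key, u, "r", now.Add(time.Hour)))
}
```

    The point for the question at hand: a URI like this controls who can fetch the bytes and for how long, but the bytes the service returns to a valid request are exactly what was stored. Whether that stored form must itself be encrypted is the separate question the thread goes on to discuss.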

Answers

  • Hi Ben,

    Thanks for posting!

    >>I need to better understand the HIPAA requirements regarding Blob storage more specifically and will likely need someone from MS to chime in here to give me an official response on whether or not it is a requirement for HIPAA compliance (and MS' BAA) that we encrypt our files at rest within blob storage, even if we are utilizing the service's other security features as mentioned above?

    I suggest you read the Windows Azure HIPAA Implementation Guidance. This document was developed to assist customers who are interested in HIPAA and the HITECH Act in understanding the relevant capabilities of Windows Azure. The intended audience includes privacy officers, security officers, compliance officers, and others in customer organizations responsible for HIPAA and HITECH Act implementation and compliance. The document covers some of the best practices for building HIPAA compliant applications, with details at http://www.windowsazure.com/en-us/support/trust-center/compliance/ . Also, the document includes the encrypt/decrypt data policy.

    Hope it helps.

    Regards,

    Will


    We are trying to better understand customer views on social support experience, so your participation in this interview project would be greatly appreciated if you have time. Thanks for helping make community forums a great place.
    Click HERE to participate the survey.

    Thursday, November 28, 2013 3:37 AM

All replies

  • Hi Ben,

    Thanks for posting!

    Based on my experience, Blob content is not encrypted. But we could use blob access, which is strictly controlled by the access key (and there are two keys, primary and secondary, both working equally). You could refer to this document (http://cm-bloggers.blogspot.in/2011/07/encrypting-data-in-windows-azure.html) and these threads (http://social.msdn.microsoft.com/Forums/windowsazure/en-us/2102c7bb-6d3b-4fef-bca5-0bfdfcc801cc/encrypting-content-in-blob-storage?forum=windowsazuredevelopment ) and (http://stackoverflow.com/questions/17069691/are-azure-blobs-encrypted-when-they-are-stored-in-microsoft).

    Also, I personally could encrypt my file and then upload it to blob storage. When I need to use it, I will download the file and decrypt it. In other words, we could encrypt our file before we upload it to blob storage.

    Hope it helps.

    Thanks.

    Regards,

    Will



    Tuesday, November 26, 2013 7:55 AM
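    The encrypt-before-upload approach in the reply above, worked through in Go as an added example that is not code from this thread or from the Azure SDK: the blob service is stood in for by an in-memory map (`blobStore`, a constructed placeholder for the SDK's upload and download calls), the key is generated in `main` for the demo where a real deployment would fetch it from a key store, and the blob name is bound into the AES-GCM associated data so a ciphertext copied to another blob name fails to decrypt. The stored bytes are nonce || ciphertext || tag, so the service only ever holds ciphertext plus an integrity tag.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// blobStore is a constructed stand-in for the Blob service: blob name -> stored
// bytes. Nothing here talks to Azure; Upload/Download mark where the SDK calls go.
type blobStore map[string][]byte

func (s blobStore) Upload(name string, data []byte) { s[name] = append([]byte(nil), data...) }

func (s blobStore) Download(name string) ([]byte, bool) {
	d, ok := s[name]
	return append([]byte(nil), d...), ok
}

// sealBlob encrypts plaintext with AES-256-GCM under key. The blob name is
// authenticated as associated data. Output: nonce || ciphertext || tag.
func sealBlob(key []byte, name string, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key) // 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil { // fresh random nonce per blob
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(name)), nil
}

// openBlob reverses sealBlob. Any change to the stored bytes, or a different
// blob name, makes gcm.Open fail rather than return corrupted plaintext.
func openBlob(key []byte, name string, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed blob too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(name))
}

// roundTrip encrypts, "uploads", "downloads" and decrypts one document and
// returns the recovered plaintext.
func roundTrip(store blobStore, key []byte, name string, doc []byte) ([]byte, error) {
	sealed, err := sealBlob(key, name, doc)
	if err != nil {
		return nil, err
	}
	store.Upload(name, sealed)
	fetched, ok := store.Download(name)
	if !ok {
		return nil, errors.New("blob not found")
	}
	return openBlob(key, name, fetched)
}

func main() {
	key := make([]byte, 32) // demo only: a production key comes from a key store, not the app
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	store := blobStore{}
	name := "records/1234.pdf" // constructed blob name
	doc := []byte("%PDF-1.4 constructed sample document containing PHI")
	out, err := roundTrip(store, key, name, doc)
	if err != nil {
		panic(err)
	}
	stored, _ := store.Download(name)
	fmt.Println("recovered plaintext intact:", bytes.Equal(out, doc))
	fmt.Println("service holds plaintext:   ", bytes.Contains(stored, doc))
	fmt.Printf("stored size %d = %d plaintext + 12 nonce + 16 tag\n", len(stored), len(doc))
}
```

    On the performance concern raised later in the thread: the per-blob cost here is one AES-GCM pass over the file plus 28 bytes of overhead, and the work happens wherever `sealBlob` and `openBlob` run, which is the client-versus-server trade-off the thread discusses; the key distribution problem (every decrypting party needs `key`) is the part this demo leaves out by generating the key in `main`.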
  • Hi Will,

    Thanks for the response. Unfortunately, I need to better understand the HIPAA requirements regarding Blob storage more specifically, and will likely need someone from MS to chime in here to give me an official response on whether or not it is a requirement for HIPAA compliance (and MS' BAA) that we encrypt our files at rest within Blob storage, even if we are utilizing the service's other security features as mentioned above.

    If that is the case, this makes things more difficult because:

    1) There is a performance penalty to encrypt/decrypt these files.
    2) These records are accessible from multiple devices (i.e. PC, tablet, phone), so we do not want to push that overhead onto these devices, if possible.
    3) If we handle the encrypt/decrypt on the server side, then that presents possible scalability issues.

    Thanks for your response nonetheless. Cheers!


    Ben

    Tuesday, November 26, 2013 5:40 PM