HIPAA Use Case

Introduction

Businesses use open-source databases for a variety of reasons, but the underlying one is freedom from restrictive licensing. We at Server General share that philosophy, which is why we build our data security solutions on open-source technologies to protect sensitive information stored in a database or on a file server. Our CTO wrote the encrypting file system that ships inside the Linux kernel and is used by many major Linux distributions. We now offer ready-to-deploy instances on Google Cloud Platform that are designed to minimize the attack surface. SG-TDE-MySQL is a hardened MySQL instance that provides the expected database server functionality while helping customers lower their operational cost and comply with regulations such as HIPAA, GDPR and PCI DSS.

The U.S. Health Insurance Portability and Accountability Act (HIPAA) was passed in 1996, and the Health Information Technology for Economic and Clinical Health (HITECH) Act was passed in 2009 as part of the American Recovery and Reinvestment Act (ARRA). HIPAA requires covered entities to implement technical safeguards for all electronic protected health information (ePHI), whereas the HITECH Act requires that a breach of "unsecured" ePHI (ePHI that has not been rendered unusable to unauthorized parties, for example by encryption) be disclosed. Furthermore, the 2013 HIPAA Omnibus Rule makes business associates directly liable for non-compliance.

At Server General, we have the experience and the depth of knowledge to solve your in-scope data security problems and make it easy for you to comply with the HIPAA/HITECH Act. We package our security solutions with a key management service so you are not alone when you are fighting these battles.

Business Challenges

How to preserve brand equity and mitigate risk?

The HIPAA Breach Notification Rule, added by the HITECH Act, requires covered entities to notify affected individuals upon discovery of a breach of unsecured ePHI. A breach affecting 500 or more individuals must also be reported to HHS without unreasonable delay, and one affecting more than 500 residents of a state must be announced to the media. Businesses spend money, time and resources on developing their brand equity, and a publicly disclosed loss of ePHI can erode it significantly.

How to use the same security solution across hybrid environments?

Cloud vendors provide data-at-rest encryption only for instances deployed within their own cloud. This forces businesses to use other encryption solutions for servers deployed in their own data center or on other cloud platforms. Businesses want to avoid such a scenario and standardize one security solution across all deployment environments, both to lower operating costs and to keep a consistent security posture.

How to lower compliance cost? 

Securing a server, implementing controlled access, encrypting data at rest, managing encryption keys and producing tamper-evident audit records can easily become an expensive proposition. Businesses want to keep their compliance cost in check.

Technical Challenges

There are three fundamental technical requirements for adequately protecting data: confidentiality, integrity and availability. Confidentiality is achieved by storing ePHI securely, authenticating every access, and allowing only users who need the data to perform their duties to read it; integrity means the data cannot be altered or destroyed without authorization, and availability means it remains accessible to those who are entitled to it. A covered entity faces many other challenges while attempting to comply with HIPAA/HITECH, but we focus narrowly here on data security.

How to secure the host server?

Protecting information stored on a cloud server is not an easy task. A simple misconfiguration can have disastrous results, as the well-publicized Capital One/AWS incident showed. Unauthorized access can lead to data theft, compromise or tampering, and only a secured system can ensure the confidentiality of ePHI. However, the commercial off-the-shelf (COTS) operating systems that most cloud providers use for their virtual server images are designed to cater to the widest possible range of applications and users, so they ship with far more software, services and privileges than a single-purpose database or file server needs. Running a mission-critical database/file server on an unhardened COTS OS therefore exposes sensitive information to every one of those unused components. Reducing the attack surface of the server is a significant task for the IT department.

How to manage the encryption keys in a compliant manner?

The security of any cryptography-enabled system ultimately depends on the security of the cryptographic material used. Key generation, storage, distribution, rotation and revocation are all critical aspects of any distributed key management system. The HHS guidance that defines when ePHI counts as "secured" under HITECH, issued in connection with the Security Rule encryption standards at 45 CFR 164.312(a)(2)(iv) and 164.312(e)(2)(ii), states that "to avoid a breach of the confidential process or key, these decryption tools should be stored on a device or at a location separate from the data they are used to encrypt or decrypt." In practice this means the key must not live on the same disk, image or snapshot as the encrypted database files.

How to protect ePHI against a malicious or compromised ‘root’ user?

Unauthorized 'root' or privileged insider access to an ePHI server can expose sensitive health information, because such a user can read the database files directly from disk, bypassing MySQL's own access controls. The threat comes from untrustworthy systems administrators as well as from an attacker who has gained "root" through an exploit or stolen credentials. It remains a hard problem to solve, since most operating systems give administrators unfettered access to every file on the system.

How to generate immutable logs?

An attacker tries to cover their tracks by altering or deleting log files. A straightforward countermeasure is to store each log event at multiple locations that are under different administrative control: an attacker who owns one location cannot silently rewrite history, because the remaining copies will disagree with the altered one. Having multiple independent copies makes successful tampering far harder, but how do you go about it?

Solution

SG-TDE-MySQL is a hardened, CIS Benchmark compliant MySQL server instance that is just 750MB in size. The instance contains only the binaries that are necessary to run the MySQL server. To that base we add our own full-featured security package, which includes transparent data encryption, key management, and protection against a malicious "root" user. To counter log tampering, we store the logging information at four different locations, three of which are outside the administrative control of our customers.

The SG-TDE family of products uses the Advanced Encryption Standard (AES) to encrypt ePHI at the file system layer. AES is the block cipher NIST standardized in FIPS 197 and approves for use in FIPS 140-2 validated modules, and it is the "AES-compatible" option listed in the IETF/IRTF Cipher Catalog; using it satisfies the encryption expectation in the HHS guidance on securing ePHI.

It is very difficult to restrict the privileged user’s access in a manner that does not impede their ability to do their job while preventing them from accessing the ePHI. Most network, system and cloud administrators are granted access to system resources that far exceeds any rational notion of data security. A malicious privileged insider can easily abuse their powers and gain access to ePHI thereby exposing the covered entity to a HIPAA violation. The SG-TDE family of products protect ePHI data directories by adding an additional layer of controls that prevent privileged users from gaining access to the sensitive data sets in cleartext. We follow the principle of least privilege – what is not expressly permitted is denied. It should be noted that SG-TDE-MySQL is designed not to interfere with normal access control mechanisms that are provided by the application server (MySQL).

Lastly, it is imperative for covered entities to be able to prove to their auditors that they are in full control of access to their ePHI. This is accomplished through extensive logging of all access grants and their usage. However, log files on the instance itself can be tampered with by a malicious insider or an outsider who gains root. The SG-TDE family makes such tampering detectable by storing each log event at four locations: three remote logging servers and the local instance. Because the covered entity's own administrators have no control over the remote logging servers, which are deployed in our cloud, any alteration of the local copy shows up as a divergence from the other three, and the entity can present auditors with an untainted access record.
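The technique in both the "How to generate immutable logs?" question above and this section is the same: keep copies of every log event under separate administrative control and compare them. The Python below is an added illustration, not Server General's code (the page does not describe SG-TDE-MySQL's log format or transport). It replicates hash-chained events to four in-memory sinks standing in for the local instance and the three remote servers, then shows why cross-copy comparison matters: a root attacker can delete an entry and rebuild the local chain so it still verifies on its own, but it no longer agrees with the other three copies. The hash chaining is an addition beyond the "multiple copies" technique the page states; the sinks, sample events and function names are hypothetical.

```python
"""Tamper-evident logging by replication across independently controlled
sinks (added example; not Server General's code). Hash chaining per copy
plus majority agreement across copies, over constructed sample events."""
import copy
import hashlib
import json
from typing import Dict, List, Optional

GENESIS = "0" * 64  # hash that precedes the first entry in every copy


class LogSink:
    """In-memory stand-in for one log destination: the local instance or
    one of the three remote logging servers (hypothetical)."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.entries: List[dict] = []

    def append(self, entry: dict) -> None:
        # A real sink would append to a file or ship the entry over TLS syslog.
        self.entries.append(copy.deepcopy(entry))


def entry_hash(prev_hash: str, event: dict) -> str:
    """SHA-256 over the previous entry's hash and a canonical event encoding."""
    payload = prev_hash + json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


class ReplicatedLog:
    """Writes every event, hash-chained, to all sinks at once."""

    def __init__(self, sinks: List[LogSink]) -> None:
        self.sinks = sinks
        self.prev_hash = GENESIS
        self.seq = 0

    def record(self, event: dict) -> str:
        h = entry_hash(self.prev_hash, event)
        entry = {"seq": self.seq, "prev": self.prev_hash, "event": event, "hash": h}
        for sink in self.sinks:
            sink.append(entry)
        self.prev_hash = h
        self.seq += 1
        return h


def verify_chain(entries: List[dict]) -> Optional[int]:
    """Return None if one copy is internally consistent, otherwise the index
    of the first entry that does not link correctly to its predecessor."""
    prev = GENESIS
    for i, e in enumerate(entries):
        if e["seq"] != i or e["prev"] != prev or entry_hash(prev, e["event"]) != e["hash"]:
            return i
        prev = e["hash"]
    return None


def head_hash(sink: LogSink) -> str:
    return sink.entries[-1]["hash"] if sink.entries else GENESIS


def audit(sinks: List[LogSink]) -> Dict[str, List[str]]:
    """Cross-check all copies. A copy is trusted only if its own chain
    verifies AND its head hash matches the largest group of verifying
    copies. The second test is what catches a copy that was truncated or
    deleted-and-re-chained by someone with root on that one location."""
    heads: Dict[str, List[str]] = {}
    for s in sinks:
        if verify_chain(s.entries) is None:
            heads.setdefault(head_hash(s), []).append(s.name)
    majority = max(heads.values(), key=len) if heads else []
    return {
        "trusted": majority,
        "suspect": [s.name for s in sinks if s.name not in majority],
    }


def demo() -> Dict[str, List[str]]:
    """Record three constructed access events to four sinks, let a root
    attacker scrub the local copy, and return the audit verdict."""
    sinks = [LogSink("local"), LogSink("remote-a"), LogSink("remote-b"), LogSink("remote-c")]
    log = ReplicatedLog(sinks)
    for ev in [  # constructed sample events, not real ePHI access records
        {"user": "dba1", "action": "GRANT", "object": "ephi.patients"},
        {"user": "app", "action": "SELECT", "object": "ephi.patients", "rows": 12},
        {"user": "root", "action": "open", "object": "/var/lib/mysql/ephi"},
    ]:
        log.record(ev)

    # Attacker with root on the instance drops the incriminating line and
    # re-chains the local copy so that, on its own, it still verifies.
    local = sinks[0]
    kept = [e["event"] for e in local.entries if e["event"]["user"] != "root"]
    local.entries = []
    rebuilt = ReplicatedLog([local])
    for ev in kept:
        rebuilt.record(ev)

    return audit(sinks)


if __name__ == "__main__":
    print(demo())  # the scrubbed local copy is flagged; the three remotes agree
```

The point of `audit` is that chain verification on a single copy is not enough: whoever controls that copy can rewrite the whole chain. Agreement among copies held by different administrators is what turns "we have logs" into evidence an auditor can rely on.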

SG-TDE-MySQL will help you secure your ePHI while making it easy for you to comply with the HIPAA/HITECH Act.