Server General TDE and HIPAA Compliance

Introduction

Businesses use open-source databases for a variety of reasons but the underlying reason remains the same – freedom – schema freedom or freedom from restrictive licensing. We, at Server General, share the same philosophy and that is why we use open-source encryption technology to provide our transparent data encryption and key management service. Our CTO wrote the file system that is used by the open-source encryption technology now supported by all major Linux distributions.

The US Health Insurance Portability and Accountability Act (HIPAA) was passed in 1996, and the Health Information Technology for Economic and Clinical Health (HITECH) Act was passed in 2009 as part of the American Recovery and Reinvestment Act (ARRA). The HIPAA legislation requires that covered entities implement technical safeguards to protect all Electronic Personal Healthcare Information (ePHI), whereas the HITECH Act mandates that a successful breach of “unprotected” ePHI must be publicly disclosed. Furthermore, the HIPAA Omnibus Rule holds business associates liable for non-compliance.

At Server General, we have the experience and the depth of knowledge to solve your in-scope data security problems and make it easy for you to comply with the HIPAA/HITECH Act. We package our data encryption and key management solutions as a service so you are not alone when you are fighting these battles.

Business Challenge

  • How to preserve brand equity and mitigate risk?

    The HIPAA Act requires covered entities to provide public notification upon discovery of a breach of unsecured ePHI (Electronic Patient Health Information) involving more than 500 records. Businesses spend money, time and resources on developing their brand equity, and the loss of ePHI can result in significant erosion of that equity.

  • How to avoid vendor lock-in?

    When a cloud vendor provides compute resources along with data-at-rest encryption and key management, it is virtually impossible to switch vendors without spending a significant amount of time and effort. Businesses want to avoid such a scenario.

  • How to lower compliance cost?

    Implementing controlled access, encrypting data-at-rest, managing encryption keys and generating irrevocable records of events impacting security of ePHI can easily become an expensive proposition. Businesses want to keep their compliance cost in check.

Technical Challenge

Network isolation, access control and centralized management/monitoring are some of the challenges that a covered entity faces while attempting to comply with the HIPAA/HITECH Act but we will narrowly focus here on issues related to data security.

  • How to encrypt ePHI?

    There are several different ways to solve the data-at-rest encryption problem: full-disk encryption, database-level encryption, application-level encryption or filesystem-level encryption. Each approach has its own pros and cons, and more than one technique may be combined to achieve the best result.

  • How to manage the encryption keys in a compliant manner?

    The security of any cryptography-enabled system ultimately depends on the security of the cryptographic material used. Key generation, storage, distribution, rotation and revocation are all critical aspects of any distributed key management system. HIPAA sections 164.312(a)(2)(iv) and 164.312(e)(2)(i) state that “to avoid a breach of the confidential process or key, these decryption tools should be stored on a device or at a location separate from the data they are used to encrypt or decrypt.”

  • How to protect ePHI against a malicious or compromised ‘root’ user?

    Unauthorized ‘root’ or privileged insider access to an ePHI server can expose sensitive health information, because such users can read the files containing health information directly. This technique can be used by untrustworthy systems administrators, or by an attacker who has gained root access. It remains a hard problem to solve, as most operating systems give unfettered access to system administrators.

Solution

Server General TDE is a data encryption service that makes it easy to set up, maintain, manage and administer data-at-rest encryption of your ePHI stored in a database or file server deployed anywhere – public, private or hybrid cloud. The service allows you to offload your data encryption and key management responsibilities to proven experts while taking a concrete step towards complying with the HIPAA/HITECH Act. Server General TDE has been certified to protect ePHI stored in MySQL, PostgreSQL, MongoDB, CouchDB or on a file server. The service includes a full-featured key management system that provides key generation, storage, rotation and revocation. It usually takes less than 30 minutes to install and configure our service. The service is geared towards small to medium-sized businesses who want to cut their data security and compliance costs.

Server General TDE uses the Advanced Encryption Standard (AES) algorithm to encrypt PHI at the file system layer, thereby meeting or exceeding the encryption standard requirement defined as “AES-compatible” by the IETF/IRTF Cipher Catalog and by the National Institute of Standards and Technology (NIST) publication FIPS 140-2.

Moreover, servers are not designed with data security in mind. It is very difficult to restrict system administrators’ access in a manner that does not impede their ability to do their job while still preventing them from accessing ePHI stored on the server. Most network, system and cloud administrators are granted access to system resources that far exceeds any rational notion of data security. A malicious privileged insider can easily abuse these powers and gain access to PHI, thereby exposing the covered entity to a HIPAA violation. Server General TDE protects ePHI data directories by adding an additional layer of controls that prevents system administrators from gaining access to ePHI in cleartext. We follow the principle of least privilege – what is not expressly permitted is denied. It should be noted that Server General TDE is designed not to interfere with the normal access control mechanisms provided by the application server.

Lastly, it is imperative for covered entities to be able to prove to their auditors that they are in full control of access to their ePHI. This is accomplished through extensive logging of all access grants and their usage. However, such log files can easily be tampered with by a malicious insider or an outsider. Server General TDE prevents this by storing each log event at two locations – a remote logging server and a local server. Since the covered entity has no control over the remote logging server, it can claim to its auditors that it holds untainted access logs.
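The value of keeping a second copy out of the covered entity's control comes from actually reconciling the two copies: a local log that has had entries deleted or edited will no longer match the remote one. As an added example (not Server General's code), the snippet below treats the remote copy as authoritative and reports every divergence; the one-event-per-line format and the sample events are constructed for illustration.

```python
from collections import Counter
from typing import Dict, List

# Constructed remote copy: the covered entity cannot alter this one.
REMOTE_LOG = [
    "2024-03-02T10:00:01Z dbadmin GRANT /srv/mysql/ephi",
    "2024-03-02T10:05:12Z dbadmin READ /srv/mysql/ephi/patients.ibd",
    "2024-03-02T10:07:45Z root DENY /srv/mysql/ephi/patients.ibd",
    "2024-03-02T10:09:00Z dbadmin REVOKE /srv/mysql/ephi",
]

# Constructed local copy after tampering: the root DENY event was deleted
# and the user on the READ event was rewritten from 'dbadmin' to 'app'.
LOCAL_LOG = [
    "2024-03-02T10:00:01Z dbadmin GRANT /srv/mysql/ephi",
    "2024-03-02T10:05:12Z app READ /srv/mysql/ephi/patients.ibd",
    "2024-03-02T10:09:00Z dbadmin REVOKE /srv/mysql/ephi",
]


def reconcile(local: List[str], remote: List[str]) -> Dict[str, object]:
    """Compare a local access log against its remote copy.

    Events are compared as whole lines, with duplicates counted, so a
    repeated legitimate event is not mistaken for tampering. An edited
    line shows up twice: once as missing (the original text) and once
    as unexpected (the altered text).
    """
    loc = Counter(line.strip() for line in local if line.strip())
    rem = Counter(line.strip() for line in remote if line.strip())
    # Counter subtraction keeps only positive counts, so each side lists
    # exactly the events the other side lacks.
    missing = sorted((rem - loc).elements())      # deleted or edited locally
    unexpected = sorted((loc - rem).elements())   # injected or edited locally
    return {
        "missing_locally": missing,
        "unexpected_locally": unexpected,
        "tampered": bool(missing or unexpected),
    }


if __name__ == "__main__":
    report = reconcile(LOCAL_LOG, REMOTE_LOG)
    for kind in ("missing_locally", "unexpected_locally"):
        for event in report[kind]:
            print(f"{kind}: {event}")
    print("tampered:", report["tampered"])
```

The check assumes the remote copy is complete, which is exactly what the covered entity's lack of control over the remote logging server is meant to guarantee; a clean run returns an empty report for both lists.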

Server General TDE will help you secure your ePHI while making it easy for you to comply with the HIPAA/HITECH Act.