ACHIEVING HIPAA COMPLIANCE WITH POSTGRES PLUS CLOUD DATABASE

Similar documents
Leveraging Dedicated Servers and Dedicated Private Cloud for HIPAA Security and Compliance

White Paper. Prepared by: Neil Shah Director, Product Management March, 2014 Version: 1. Copyright 2014, ezdi, LLC.

HIPAA Privacy & Security White Paper

Postgres Plus Cloud Database!

The Essential Security Checklist. for Enterprise Endpoint Backup

MANAGED FILE TRANSFER: 10 STEPS TO HIPAA/HITECH COMPLIANCE

Develop HIPAA-Compliant Mobile Apps with Verivo Akula

Alliance Key Manager Solution Brief

EDB Postgres Cloud Management 2.0 Beta

CHIS, Inc. Privacy General Guidelines

WHITE PAPER. HIPAA-Compliant Data Backup and Disaster Recovery

HIPAA and Cloud IT: What You Need to Know

HIPAA CRITICAL AREAS TECHNICAL SECURITY FOCUS FOR CLOUD DEPLOYMENT

How Managed File Transfer Addresses HIPAA Requirements for ephi

Security Considerations

CallRail Healthcare Marketing. HIPAA and HITECH Compliance for Covered Entities using Call Analytics Software

WISHIN Pulse Statement on Privacy, Security and HIPAA Compliance

Druva Phoenix: Enterprise-Class. Data Security & Privacy in the Cloud

HIPAA and HITECH Compliance for Cloud Applications

IBM Software Information Management Creating an Integrated, Optimized, and Secure Enterprise Data Platform:

HIPAA: MANAGING ACCESS TO SYSTEMS STORING ephi WITH SECRET SERVER

Secure Cloud Computing Concepts Supporting Big Data in Healthcare. Ryan D. Pehrson Director, Solutions & Architecture Integrated Data Storage, LLC

HIPAA COMPLIANCE AND DATA PROTECTION Page 1

EmulexSecure 8Gb/s HBA Architecture Frequently Asked Questions

The Health Insurance Portability and Accountability Act - HIPAA - Using BeAnywhere on a HIPAA context

HIPAA/HITECH Compliance Using VMware vcloud Air

Complying with PCI Data Security

HIPAA COMPLIANCE AND

Using Data Encryption to Achieve HIPAA Safe Harbor in the Cloud

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

Hosting for Healthcare: ADDRESSING THE UNIQUE ISSUES OF HEALTH IT & ACHIEVING END-TO-END COMPLIANCE

EMC Virtual Infrastructure for Microsoft Applications Data Center Solution

Oracle Database 11g: Security. What you will learn:

BANKING SECURITY and COMPLIANCE

HIPAA: Understanding The Omnibus Rule and Keeping Your Business Compliant

White Paper. HIPAA-Regulated Enterprises. Paper Title Here

SMS. Cloud Computing. Systems Management Specialists. Grupo SMS option 3 for sales

Encryption Key Management for Microsoft SQL Server 2008/2014

Ensuring HIPAA Compliance with eztechdirect Online Backup and Archiving Services

PCI Compliance Considerations

BMC s Security Strategy for ITSM in the SaaS Environment

Nine Network Considerations in the New HIPAA Landscape

stacktools.io Services Device Account and Profile Information

MySQL Security: Best Practices

Unless otherwise stated, our SaaS Products and our Downloadable Products are treated the same for the purposes of this document.

HIPAA PRIVACY AND SECURITY AWARENESS

Your Cloud, Your Data, Your Way! owncloud Overview. Club IT - Private and Hybrid Cloud. Austrian Chambers of Commerce Vienna, January 28th, 2014

Learning Management Redefined. Acadox Infrastructure & Architecture

AVLOR SERVER CLOUD RECOVERY

Simone Brunozzi, AWS Technology Evangelist, APAC. Fortress in the Cloud

HIPAA Compliance: The Health Insurance Portability and Accountability Act (HIPAA)

RAYSAFE S1 SECURITY WHITEPAPER VERSION B. RaySafe S1 SECURITY WHITEPAPER

Security Architecture Whitepaper

cloud functionality: advantages and Disadvantages

The Impact of HIPAA and HITECH

Security Information & Policies

Case Studies: Protecting Sensitive Data in

Using AWS in the context of Australian Privacy Considerations October 2015

GoToAssist Remote Support HIPAA compliance guide

5 Questions to ask a 3 rd Party Cloud Provider

Safeguard Protected Health Information With Citrix ShareFile

efolder White Paper: HIPAA Compliance

RSA SECURE WEB ACCESS FOR HEALTHCARE ENVIRONMENTS

How Our Cloud Backup Solution Protects Your Network

SureDrop Secure collaboration. Without compromise.

CONVERGED DATA PROTECTION. ITSA Nürnberg

HIPAA and HITECH Compliance Simplification. Sol Cates

Helping Customers Move Workloads into the Cloud. A Guide for Providers of vcloud Powered Services

Solutions for Health Insurance Portability and Accountability Act (HIPAA) Compliance

Oracle Database 11g: Security

Ensuring HIPAA Compliance with Pros 4 Technology Online Backup and Archiving Services

Compliance White Paper

Dropbox for Business. Secure file sharing, collaboration and cloud storage. G-Cloud Service Description

Logentries Insights: The State of Log Management & Analytics for AWS

PCI COMPLIANCE ON AWS: HOW TREND MICRO CAN HELP

Big Data, Big Risk, Big Rewards. Hussein Syed

SafeNet DataSecure vs. Native Oracle Encryption

White paper FUJITSU Software Enterprise Postgres

Solution Brief for HIPAA HIPAA. Publication Date: Jan 27, EventTracker 8815 Centre Park Drive, Columbia MD 21045

Ensuring Enterprise Data Security with Secure Mobile File Sharing.

HIPAA for HIT and EHRs. Latest on Meaningful Use and EHR Certification: For Privacy and Security Professionals

GoodData Corporation Security White Paper

The EVault Portfolio

Compliance and Industry Regulations

Thales e-security keyauthority Security-Hardened Appliance with IBM Tivoli Key Lifecycle Manager Support for IBM Storage Devices

Are You Prepared for a HIPAA Audit? 7 Steps to Security Readiness GUIDE BOOK

Memeo C1 Secure File Transfer and Compliance

PCI COMPLIANCE ON AWS: HOW TREND MICRO CAN HELP

References. Introduction to Database Systems CSE 444. Motivation. Basic Features. Outline: Database in the Cloud. Outline

Introduction to Database Systems CSE 444

Top 7 Tips for Better Business Continuity

HIPAA HANDBOOK. Keeping your backup HIPAA-compliant

Vormetric Encryption Architecture Overview

REMOTE ACCESS TO A HEALTHCARE FACILITY AND THE IT PROFESSIONAL S OBLIGATIONS UNDER HIPAA AND THE HITECH ACT

Comprehensive Agentless Cloud Backup and Recovery Software for the Enterprise

Transcription:

ACHIEVING HIPAA COMPLIANCE WITH POSTGRES PLUS CLOUD DATABASE

TABLE OF CONTENTS 03 04 04 05 08 INTRODUCTION FUNDAMENTALS OF HIPAA AND HITECH HIPAA-COMPLIANT DATA MANAGEMENT IN THE CLOUD POSTGRES PLUS CLOUD DATABASE SUMMARY 2 2015 EnterpriseDB Corporation. All rights reserved.

INTRODUCTION The health care industry is in the midst of a massive transformation aimed at improving patient care and reducing costs. In the U.S., the Affordable Care Act, in concert with regulations such as HIPAA and HITECH, are accelerating the transition to automated processes. Over 80 countries and unions across Europe, Asia, Africa and North America have adopted data privacy and protection laws similar to those in the U.S. However, the information that drives these processes patient records, clinical test results, medical images, claims data is highly sensitive. Healthcare and life science stakeholders, therefore, must automate internal and crossorganization workflows while maintaining patient privacy and protecting intellectual property. HEALTH CARE DATA AT RISK RESEARCH REVEALS THAT DATA BREACHES COST THE HEALTH CARE INDUSTRY ABOUT $5.6B/YR 1. ANOTHER STUDY PREDICTS THE HEALTHCARE INDUSTRY, BY FAR, WILL BE THE MOST SUSCEPTIBLE TO PUBLICLY DISCLOSED AND WIDELY SCRUTINIZED DATA BREACHES 2. The HIPAA Final Omnibus Rule, published in January, 2013, mandates that any person or organization which creates, receives, maintains or transmits electronic protected health information (PHI) must comply with the HIPAA Security Rule. From a computing perspective, the Final Omnibus Rule effectively requires cloud service providers to share legal responsibility for the privacy of electronically-transmitted PHI. In the presence of broad health care privacy statutes, organizations are challenged to leverage the economic and scaling benefits of cloud computing while complying with multi-level privacy requirements. EnterpriseDB s Postgres Plus Cloud Database (PPCD), in combination with popular cloud platforms such as Amazon Web Services (AWS), offers a secure, scalable database foundation for a wide range of health care applications. This paper explores PPCD s advanced security and auditing features. Our goal is to clarify cloud data management and auditing requirements in the context of HIPAA, and discuss how PPCD meets those requirements when deployed on an AWS infrastructure. 3 2015 EnterpriseDB Corporation. All rights reserved.

FUNDAMENTALS OF HIPAA AND HITECH The Health Insurance Portability and Accountability Act (HIPAA) was passed in 1996. Along with increasing the use of electronic medical records, the law included provisions to protect the security and privacy of Protected Health Information (PHI). PHI includes a wide set of personally identifiable health- and health-related data, from insurance and billing information, to diagnosis data, clinical care data, and lab results such as images and test results. HIPAA was expanded by the Health Information Technology for Economic and Clinical Health Act (HITECH) in 2009. HIPAA and HITECH establish a set of federal standards intended to protect the security and privacy of PHI, and impose requirements related to the use and disclosure of PHI, appropriate safeguards to protect PHI, individual rights, and administrative responsibilities. For the purposes of this paper, we ll refer to HIPAA and HITECH collectively as HIPAA. Among its extensive regulatory provisions, HIPAA defines two primary stakeholders: Covered Entities including hospitals, medical services providers, employer sponsored health plans, research facilities and insurance companies Business Associates a person or entity performing activities on behalf of, or providing certain services to, a covered entity while not employed by the covered entity. The HIPAA Final Omnibus Rule clarifies that any company maintaining PHI on behalf of a covered entity is considered a business associate. Cloud service providers such as AWS are considered HIPAA business associates. Thus, AWS must enter into a business associate agreement with any covered entity on behalf of which AWS stores and transmits PHI. HIPAA-COMPLIANT DATA MANAGEMENT IN THE CLOUD To safeguard PHI adequately, organizations must provide a range of operational, technical and environmental controls. Organizations must create compliant business processes; database systems must provide security and auditability; and cloud service providers must deliver secure, controllable execution environments. HIPAA Security Rule Compliance ADMINISTRATIVE SAFEGAURDS PHYSICAL SAFEGUARDS TECHNICAL SAFEGUARDS Policies and processes Security awareness and training Business Associate agreements Physical storage controls Environment audit logs Workplace security controls Data transmission security Data storage security Audit logs and systems monitoring 4 2015 EnterpriseDB Corporation. All rights reserved.

As part of its HIPAA business associate agreement, Amazon defines a twopart shared responsibility model for implementing secure, compliant cloud environments: Security measures that AWS implements and operates security of the cloud. Security measures that a covered entity implements and operates that relate to content and applications that use AWS services security in the cloud. Health care organizations that have business associate agreements with AWS use the cloud services available in specially-designated HIPAA accounts, ensuring that those services are aligned with HIPAA s security rules (i.e., by supporting the guidelines defined in NIST 800-66). More information about AWS HIPAA compliance is available here. POSTGRES PLUS CLOUD DATABASE While AWS provides a HIPAA-compliant cloud platform, health care applications also require a database management foundation for processing transactions, storing structured and unstructured information, and supporting a variety of reporting/analytical requirements. To safeguard PHI adequately, the database manager must complement the capabilities of the platform (AWS, in this case) with a comprehensive suite of security and auditing features. PPCD is an enterprise class database solution that powers some of the world s most demanding applications. PPCD includes a rich set of database features, elastically scalable performance and built-in high availability all accessible from an integrated management dashboard. PPCD deploys on AWS EC2 to deliver a secure, compliant data management foundation for a wide range of health care applications. EC2 provides a secure cloud operating environment within which PPCD provides additional PHI security, transaction processing, auditing and database fault tolerance. Among PPCD s many enterprise features that relate to security-sensitive health care applications include: PRIVATE INSTANCES WITH CLOSED PORTS All PPCD databases are deployed using private AWS instances. AT-REST DATA ENCRYPTION IN-TRANSIT DATA ENCRYPTION PPCD uses AES 512 bit cryptography to protect stored data. AES is among the strongest ciphers available in modern computing, and is the cipher standard recommended by NIST. PPCD generates SSL certificates for every database. Client-side certificates can be generated based on the database certificates and used in client applications. 5 2015 EnterpriseDB Corporation. All rights reserved.

PASSWORD STORAGE ENCRYPTION By default, database user passwords are stored as MD5 hashes, so administrators cannot determine user passwords. If MD5 encryption is used for client authentication, the unencrypted password is never present on the server. CLIENT-SIDE ENCRYPTION For applications that process highly sensitive data requiring an extra level of security, data can be encrypted and decrypted by the client. Thus, unencrypted data never appears in the database. ROW-LEVEL SECURITY Allows an application to authenticate users and set the context for which rows in the database become visible to specific user sessions. SQL INJECTION PROTECTION Screens incoming queries for common SQL injection profiles. In addition, PPCD can be configured to accept known queries and reject unfamiliar data request patterns. DATABASE AUDITING Allows security administrators and auditors to track and analyze a variety of activities including database access, usage, creation, change and deletion. Audit reports can be viewed using PPCD s DBA Management Server. PPCD runs as a database cluster on private AWS instances, ensuring that all PHI remains under complete control at all times. The master database, all replica instances, and Amazon storage for the database are managed resources of the AWS HIPAA account. GUI Cloud Console Cluster Manager Auto-provisioning, Health Check, Auto Fallover, Scaling, Backup AUTOMATICALLY CREATED Connection Pooler & Load Balancer Writes Master Server Reads Client Apps/Users Streaming Replication Admin App or Terminal Cloud Resources Network, Elastic IP, Elastic Storage, VMs, Security, Hardware Replica Servers Auto Elastic Scale-Out 6 2015 EnterpriseDB Corporation. All rights reserved.

Each database cluster includes a load balancer,which receives incoming requests from applications and distributes read requests across all read-only replicas within the cluster (unless there are no replicas, in which case the master handles all requests). Write requests are passed directly to the master database. Applications connect to PPCD databases though defined ports using chosen encryption options. All IDE and development tools can connect to the database by using the address and port information provided when the cluster was created. A Logical Volume Manager (LVM) aggregates storage for the cluster, allowing transparent scaling of cloud storage without adversely affecting running databases. In addition to the security and compliancerelated capabilities described above, PPCD provides other powerful features that are often critical to health care applications, including: ACID compliance PPCD is a 100% ACID compliant relational DBMS. Its proven, high performance transaction engine powers many of the world s most advanced mission-critical applications. Integration PPCD s foreign data wrappers (FDW) provide a simple and powerful way to interoperate with external data sources. Health care application developers and DBAs can use FDWs to easily aggregate data from companion systems to create a single, integrated database. FDWs save significant time and costs for applications requiring database interoperability. Portability Postgres is available from multiple vendors on-premise, in virtualized environments and in the cloud. Freedom of choice eliminates vendor lock-in and stimulates a vibrant, competitive market for Postgres products and services. Compatibility PPCD delivers comprehensive Oracle compatibility, allowing health care organizations to leverage their Oracle database investments while transitioning to the cloud. Oracle DBAs and application developers can use their existing skills, tools and practices to implement new systems using PPCD. In addition, EnterpriseDB offers Oracle Migration Services to assist organizations to migrate existing Oracle applications to PPCD. Rich data types Postgres is renowned for supporting a wide variety of structured, semi-structured and unstructured data. Unlike NoSQL datastores, which operate under eventual consistency semantics, all PPCD data is managed transactionally to ensure it is consistent and accurate at all times. Using PPCD, applications leverage the simplicity and power of a single, flexible data management infrastructure. 7 2015 EnterpriseDB Corporation. All rights reserved.

SUMMARY HIPAA s privacy protections require sensitive health care data to be stored and transmitted in a highly secure manner. PHI must be encrypted in transit and at rest, and stakeholders must provide comprehensive governance and auditing in every aspect of PHI data management. To leverage the financial and scaling benefits of cloud computing, health care organizations require a HIPAAcompliant cloud data management solution. Deployed on AWS private instances within an AWS HIPAA account, EnterpriseDB s Postgres Plus Cloud Database combines a powerful suite of security and auditing features with those available from EC2. PPCD enables health care organizations to build and deliver secure, compliant database applications on AWS. Combined with sound compliance practices and governance, PPCD allows organizations to confidently leverage the benefits of the AWS cloud environment. Beyond compliance, PPCD also provides proven enterprise-grade capabilities needed for superior performance, effortless scaling and high availability. Organizations can deploy applications on PPCD knowing that their chosen database is the foundation of many of the world s most web applications. COVERED ENTITY APP Application audit logs Compliance monitoring PPCD DATABASE Data encryption in transit Data encryption at rest Database audit logs AWS INSTANCE Physical location controls Platform audit logs Workplace security controls For further information about EnterpriseDB and PPCD, please visit us at http://www.enterprisedb.com/cloud or email sales@enterprisedb.com. FOOTNOTES 1. Fourth Annual Benchmark Study on Patient Privacy & Data Security Ponemon Institute LLC 2. 2014 Data Breach Industry Forecast Experian Information Solutions, Inc. 8 2015 EnterpriseDB Corporation. All rights reserved.

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information