TDE and HIPAA

  • Wondering if using TDE satisfies HIPAA requirements around encrypting PHI and PII data and if anyone knows if there are any specific Microsoft documents pointing to TDE as such.

    I found this: https://www.microsoft.com/sqlserver/2008/en/us/compliance.aspx but it's not real detailed.

    Thanks!

It will help, but is by no means sufficient. Since TDE protects at rest data, it does provide help with compliance when talking about database files, logs and the resulting backups: so if someone were to hack in and attempt to grab the backup files and logs from the OS, the content they would get is encrypted. Same if you were to detach a database and someone got a hold of those files.

    On the other hand - TDE does NOT help secure any communication channels (so between the DB and any application serving the data up), and does nothing to secure the data WITHIN SQL Server. So if you have data reader access before TDE, you still have that very same access after, with no code changes required.

    For HIPAA purposes you often need to show special encryption/secure methods for accessing/updating PII or PHI (to include the infamous auditing requirements) and for those specific pieces, TDE does nothing to help.

    ----------------------------------------------------------------------------------
    Your lack of planning does not constitute an emergency on my part...unless you're my manager...or a director and above...or a really loud-spoken end-user..All right - what was my emergency again?

  • Awesome Matt! Thanks for the information. I was indeed speaking about the requirement when dealing with data at rest.

    I am wondering if anyone has any documentation confirming this from Microsoft. I am trying to convince some people on my staff that TDE will be sufficient (perhaps even minimally acceptable) for passing HIPAA compliance checks when dealing with data at rest for our first release. Then looking at other alternatives farther down the road.

    Thanks again Matt!

    S

seandakid (2/26/2014)

    Awesome Matt! Thanks for the information. I was indeed speaking about the requirement when dealing with data at rest.

    I am wondering if anyone has any documentation confirming this from Microsoft. I am trying to convince some people on my staff that TDE will be sufficient (perhaps even minimally acceptable) for passing HIPAA compliance checks when dealing with data at rest for our first release. Then looking at other alternatives farther down the road.

    Thanks again Matt!

    S

    Well - yes and no.

    I have not seen an outright attestation on MS' site to that extent, mostly because compliance is also going to be dependent on what encryption method you pick. And as with many other things HIPAA itself doesn't specify a specific minimum standard, but leaves that up to NIST (who then can update the standard to whatever they wish as computing power goes up). MS prefers to stay out of that legal quagmire.

    That said - the latest info I saw was from HIMSS, pointing to AES-128 as the minimum standard. Here's the standard they brought up:

    http://www.himss.org/files/HIMSSorg/content/files/RA04_Encryption_HIPAA_MU_Stage2_Final.pdf

    Assuming your HIPAA compliance team agrees that is the minimum, then yes - TDE does meet and exceed that standard (since it can use AES256).

    ----------------------------------------------------------------------------------
    Your lack of planning does not constitute an emergency on my part...unless you're my manager...or a director and above...or a really loud-spoken end-user..All right - what was my emergency again?
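As an added example (not from this thread or from Microsoft), the T-SQL below shows how the at-rest configuration Matt describes is put in place and then verified, and also demonstrates the limitation from the first reply: a plain reader still sees cleartext. It assumes a database named PHI_Demo, a table dbo.Patients, a folder C:\secure and placeholder passwords; all of these are hypothetical.

```sql
-- Added example: TDE with AES_256 plus a compliance check. Assumes a database
-- PHI_Demo, a table dbo.Patients and placeholder passwords; run as sysadmin.
USE master;
GO
-- 1. Key hierarchy: database master key in master, certificate protecting the DEK.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<strong-password-placeholder>';
CREATE CERTIFICATE TDE_Cert WITH SUBJECT = 'TDE certificate for PHI_Demo';
GO
-- 2. Back up the certificate and private key at once: without them no backup
--    of the encrypted database can be restored on another server.
BACKUP CERTIFICATE TDE_Cert TO FILE = 'C:\secure\TDE_Cert.cer'
    WITH PRIVATE KEY (FILE = 'C:\secure\TDE_Cert.pvk',
                      ENCRYPTION BY PASSWORD = '<pvk-password-placeholder>');
GO
-- 3. Database encryption key using AES_256, above the AES-128 floor cited
--    in the HIMSS document (AES_128 would also meet it).
USE PHI_Demo;
GO
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER CERTIFICATE TDE_Cert;
ALTER DATABASE PHI_Demo SET ENCRYPTION ON;
GO
-- 4. Evidence for the compliance team: encryption_state 3 means encrypted;
--    read the algorithm and key length actually in effect, not the script.
SELECT DB_NAME(database_id) AS db, encryption_state,
       key_algorithm, key_length, percent_complete
FROM sys.dm_database_encryption_keys;
-- 5. The limitation from the first reply: a db_datareader member still gets
--    plaintext rows, because TDE decrypts transparently on every read.
CREATE USER phi_reader WITHOUT LOGIN;
ALTER ROLE db_datareader ADD MEMBER phi_reader;
EXECUTE AS USER = 'phi_reader';
SELECT TOP (1) * FROM dbo.Patients;   -- readable PHI, with or without TDE
REVERT;
```

Step 4 is the query to keep in the compliance documentation; step 5 is why TDE alone does not cover the access and auditing requirements mentioned above.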

seandakid (2/26/2014)

    Awesome Matt! Thanks for the information. I was indeed speaking about the requirement when dealing with data at rest.

    I am wondering if anyone has any documentation confirming this from Microsoft. I am trying to convince some people on my staff that TDE will be sufficient (perhaps even minimally acceptable) for passing HIPAA compliance checks when dealing with data at rest for our first release. Then looking at other alternatives farther down the road.

    Thanks again Matt!

    S

Excellent "at rest" data security can also be obtained by utilising encrypted database backups (as found in Litespeed or SQLBackup) and by securing the database folders using NTFS ACLs. Hardening the server is almost always overlooked and it's holes here that require you to implement procedures such as TDE.

    -----------------------------------------------------------------------------------------------------------

    "Ya can't make an omelette without breaking just a few eggs" 😉

  • Great point Perry. I will add that to my documentation. Thanks!

    S
