Achieving HIPAA Compliance with Postgres Plus Cloud Database
April 1, 2015
© 2014 EnterpriseDB Corporation. All rights reserved.


Introduction

Welcome!

•  Agenda:
   −  HIPAA Overview
   −  HIPAA and Amazon AWS
   −  HIPAA and Postgres Plus Cloud Database
   −  Postgres Plus Cloud Database Hardened Architecture
   −  Postgres Plus Cloud Database Advantages for Healthcare


Disclaimer

Individuals and organizations (“Participants”) utilizing this white paper, presentation and any related EnterpriseDB training (together “EDB Materials”) agree that any successful compliance program is the result of and due to, a combination of factors such as, but not limited to legal resources, training, culture, procedures, protocols, and strategies. Therefore, because of the complexity of the many legal authorities and business factors involved in a successful compliance program, and because it is difficult, if not impossible, to determine a Participant’s business and professional success and/or protection, these EDB Materials are not suitable for compliance with the laws, regulations, and rulings of any of the states or the federal government at any given time now or in the future. Participant acknowledges and accepts sole and exclusive responsibility for compliance with the legal authorities of each applicable state and the federal government. EnterpriseDB makes no warranties, express or implied, including but not limited to any implied warranties of merchantability or of fitness for a particular use or purpose.

It is up to you to stay current on all applicable legal authorities impacting your operations. Please consult a HIPAA-qualified attorney as part of your compliance program.

The information in this webinar is intended for US companies with healthcare applications.


HIPAA OVERVIEW


HIPAA and HITECH (1)

•  HIPAA is the Health Insurance Portability and Accountability Act, enacted in 1996
•  Increased the use of electronic medical records
•  Contains provisions to protect the security and privacy of Protected Health Information (PHI)
•  Governs a wide range of personally identifiable health and health-related data, including
   −  insurance and billing information
   −  diagnosis data
   −  clinical care data
   −  lab results such as images and test results


HIPAA and HITECH (2)

•  HITECH is the Health Information Technology for Economic and Clinical Health Act (Title XIII of the American Recovery and Reinvestment Act)
•  HITECH extended HIPAA in 2009
•  HIPAA and HITECH establish a set of federal standards intended to
   −  protect the security and privacy of PHI
   −  impose requirements related to the use and disclosure of PHI
   −  provide appropriate safeguards to protect PHI, individual rights, and administrative responsibilities
•  We refer to HIPAA and HITECH together as “HIPAA”


Covered Entities and HIPAA

•  A Covered Entity is an organization that creates, maintains, transmits, uses, and discloses an individual’s protected health information (PHI)
•  Each Covered Entity is required to meet HIPAA requirements


The HIPAA Final Omnibus Rule

•  Omnibus means “comprising several items”
•  Clarifies that any company maintaining PHI on behalf of a covered entity is considered a Business Associate
•  Each cloud service provider, including AWS, is considered a HIPAA Business Associate (BA)
•  Therefore, AWS must enter into a Business Associate Agreement (BAA) with any covered entity on behalf of which AWS stores and transmits PHI


Specific HIPAA Requirements on a DBaaS

•  HIPAA’s Privacy Rule
   −  restricts use and disclosure of PHI
   −  creates individual rights for PHI
   −  mandates administrative requirements
•  HIPAA’s Security Rule
   −  requires protection of an individual’s PHI that is created, received, used, or maintained by a covered entity
   −  requires appropriate administrative, physical, and technical safeguards to protect the confidentiality, integrity, and security of PHI
   −  requires access and audit controls for PHI


HIPAA and Amazon AWS


Shared Responsibility Model

Customers must understand and distinguish between:
•  Security of the cloud:
   −  security measures that the cloud service provider (AWS) implements and operates
   −  responsibility of the cloud provider (AWS)
•  Security in the cloud:
   −  security measures that the customer implements and operates, related to the security of customer content and applications that make use of AWS services
   −  responsibility of the customer (you)
   −  customers select security solutions to protect their own content, platform, applications, systems and networks


Shared Responsibility Details

•  Amazon’s infrastructure responsibilities
   −  AWS Global Infrastructure, Regions, Availability Zones
   −  computing resources: compute, storage, networking
•  Customer responsibilities
   −  encryption for client-side, server-side (file system), and network traffic
   −  operating system, network, and firewall configuration
   −  platform, applications, identity and access management
   −  customer data
•  See http://aws.amazon.com/compliance/shared-responsibility-model/


HIPAA and Postgres Plus Cloud Database


Postgres Plus Cloud Database Advanced

•  We recommend Postgres Plus Cloud Database Advanced, featuring EDB’s premium database, Postgres Plus Advanced Server, which includes:
   −  enhanced security features
   −  enhanced auditing to meet compliance obligations
   −  database compatibility for Oracle
   −  enterprise developer features


PPCD and HIPAA Requirements

•  Encryption of data in transit:
   −  PPCD generates SSL certificates for every database
   −  client-side certificates can be generated based on the database certificates and used in client applications
•  Encryption of data at rest:
   −  PPCD uses AES 512 bit cryptography to protect stored data
   −  AES is among the strongest ciphers available in modern computing, and is the cipher standard recommended by NIST
•  Passwords:
   −  PPCD generates SSL certificates for every database
   −  client-side certificates can be generated based on the database certificates and used in client applications


PPCD and HIPAA: Auditing

•  Database auditing for compliance:
   −  PPCD allows security administrators and auditors to track and analyze a variety of database activities, including database access, usage, creation, change and deletion
   −  audit reports can be generated and viewed using PPCD’s DBA Management Server
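An added example, not from the deck or from EDB's own materials: enabling Advanced Server's edb_audit logging so that connections, disconnections, DDL and DML (the access, creation, change and deletion activities listed above) are written to CSV audit files that auditors can review. The parameter names are those of EDB's edb_audit facility; the chosen values are an assumption about what a PHI audit trail should record and should be checked against the documentation of the Advanced Server version in use.

```sql
-- Added example (not the deck's own configuration): switch on edb_audit
-- for a database holding PHI. Parameter names are from Advanced Server's
-- edb_audit facility; the values are an assumption about what a
-- compliance audit trail should capture.
ALTER SYSTEM SET edb_audit = 'csv';                 -- default 'none' produces no audit log at all
ALTER SYSTEM SET edb_audit_connect = 'all';         -- record successful and failed logins (access)
ALTER SYSTEM SET edb_audit_disconnect = 'all';      -- record session ends
ALTER SYSTEM SET edb_audit_statement = 'ddl, dml';  -- object creation/change/deletion and row changes
SELECT pg_reload_conf();                            -- reload; settings that need a restart apply at the next restart

-- Smoke test after the reload: this DDL pair and the role that ran it
-- should now appear in the audit log directory.
CREATE TABLE audit_smoke_test (id int);
DROP TABLE audit_smoke_test;
SHOW edb_audit_statement;
```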


Postgres Plus Cloud Database Hardened Architecture


Postgres Plus Cloud Database Architecture

[Architecture diagram; components as labelled in the original figure:]
•  Client Apps/Users
•  Connection Pooler & Load Balancer
•  Database Cluster: Master Database (writes, reads), Streaming Replication to Master Replicas (automatically created), Auto Elastic Scale-Out
•  Cluster Manager: Auto-provisioning, Health Check, Auto: Failover, Scaling, Backup
•  GUI Cloud Console; Admin App or Terminal
•  Cloud Resources: Network, Elastic IP, Elastic Storage, VMs, Security, Hardware


Postgres Plus Cloud Database Security

•  Clusters of Postgres Plus Advanced Server databases launched from a multi-tenant console
   −  the PPCD console is the only multi-tenant portion of the system
   −  the PPCD console processes no customer PHI data
   −  PPCD console user passwords are stored as MD5 hashes
•  All customer database instances are private
   −  only the database port is open by default
•  Postgres Plus Advanced Server
   −  row-level security governs which users can view which rows
   −  protection against SQL injection attacks
   −  protection of server-side code from unauthorized viewing
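As an added example of row-level security governing which users can view which rows (not code from the deck or from EDB): a constructed PHI table in which each record is visible, and writable, only to the attending clinician named in the row. It assumes PostgreSQL's native CREATE POLICY syntax (PostgreSQL 9.5 and later); Advanced Server's Oracle-compatible DBMS_RLS package is an alternative not shown here. The roles, table and rows are constructed for the example.

```sql
-- Added example (not from the deck): row-level security on a PHI table.
-- Assumes PostgreSQL-style CREATE POLICY; the roles and data are constructed.
CREATE ROLE clinician NOLOGIN;
CREATE ROLE dr_alice LOGIN IN ROLE clinician;
CREATE ROLE dr_bob   LOGIN IN ROLE clinician;

CREATE TABLE patient_record (
    patient_id   serial PRIMARY KEY,
    patient_name text NOT NULL,
    diagnosis    text,
    attending    text NOT NULL   -- database role name of the attending clinician
);

-- With RLS enabled, a row is visible only if some policy permits it.
-- FORCE makes the policies apply to the table owner as well
-- (superusers always bypass RLS).
ALTER TABLE patient_record ENABLE ROW LEVEL SECURITY;
ALTER TABLE patient_record FORCE ROW LEVEL SECURITY;

-- USING filters rows a clinician can read/update/delete;
-- WITH CHECK rejects inserts or updates that would assign a row to someone else.
CREATE POLICY attending_only ON patient_record
    FOR ALL TO clinician
    USING (attending = current_user)
    WITH CHECK (attending = current_user);

GRANT SELECT, INSERT, UPDATE ON patient_record TO clinician;
GRANT USAGE ON SEQUENCE patient_record_patient_id_seq TO clinician;

-- Constructed sample rows, one per clinician.
INSERT INTO patient_record (patient_name, diagnosis, attending) VALUES
    ('Constructed Patient A', 'sample diagnosis 1', 'dr_alice'),
    ('Constructed Patient B', 'sample diagnosis 2', 'dr_bob');

-- Check the policy from dr_alice's point of view.
SET ROLE dr_alice;
SELECT patient_name, diagnosis FROM patient_record;   -- returns only Patient A
-- The next statement fails the WITH CHECK clause: dr_alice cannot create
-- a record assigned to dr_bob.
INSERT INTO patient_record (patient_name, attending) VALUES ('Constructed Patient C', 'dr_bob');
RESET ROLE;
```

Run the block as a superuser in a scratch database; the final INSERT is expected to be rejected with a row-level security policy violation.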


Postgres Plus Cloud Database Advantages for Healthcare


Core Database Features (1)

•  ACID-compliant
   −  Postgres Plus Advanced Server is a 100% ACID-compliant relational DBMS
   −  key-value and JSON datatypes are also ACID-compliant
   −  high performance transaction engine powers many of the world’s most advanced mission-critical applications
•  Rich data types
   −  supports a wide variety of structured, semi-structured and unstructured data
   −  unlike NoSQL datastores, which operate under eventual consistency semantics, all PPCD data is managed transactionally to ensure it is consistent and accurate at all times


Mixed Workload Management

•  Prioritize specific workloads in mixed-workload databases to prevent one or more other workloads from monopolizing CPU or I/O resources
•  Simplify job scheduling
   −  allow critical reports to run when necessary
   −  ensure that backups can complete within their required window
   −  prioritize customer orders so they complete quickly
   −  set and meet SLAs for important jobs


Integration and Portability

•  Database Integration: Foreign Data Wrappers (FDW)
   −  provide a simple and powerful way to interoperate with external data sources
   −  healthcare application developers and DBAs can use FDWs to easily aggregate data from companion systems to create a single, integrated database
   −  FDWs save significant time and costs for applications requiring database interoperability
•  Database Portability
   −  Postgres is available from multiple sources, eliminating single-vendor lock-in
   −  Postgres is available on-premise, in virtualized environments, and in the cloud for deployment flexibility


Database Compatibility for Oracle

•  PPCD Advanced delivers comprehensive database compatibility for Oracle
•  Healthcare organizations can leverage their Oracle database investments when transitioning to the cloud
•  Oracle DBAs and application developers can use their existing skills, tools and practices to implement new systems using PPCD
•  EnterpriseDB offers Oracle Migration Services to assist organizations in migrating existing Oracle applications to PPCD


Questions?


Resources

•  Postgres Plus Cloud Database: cloud.EnterpriseDB.com
•  Amazon Web Services (AWS) Compliance: aws.amazon.com/compliance
•  US Dept of Health & Human Services, Health Information Privacy: www.hhs.gov/ocr/privacy/hipaa/understanding
