© 2014 EnterpriseDB Corporation. All rights reserved. 1
Achieving HIPAA Compliance with Postgres Plus Cloud Database April 1, 2015
Introduction
Welcome!
• Agenda:
− HIPAA Overview
− HIPAA and Amazon AWS
− HIPAA and Postgres Plus Cloud Database
− Postgres Plus Cloud Database Hardened Architecture
− Postgres Plus Cloud Database Advantages for Healthcare
Disclaimer
Individuals and organizations (“Participants”) utilizing this white paper, presentation and any related EnterpriseDB training (together “EDB Materials”) agree that any successful compliance program is the result of a combination of factors such as, but not limited to, legal resources, training, culture, procedures, protocols, and strategies. Therefore, because of the complexity of the many legal authorities and business factors involved in a successful compliance program, and because it is difficult, if not impossible, to determine a Participant’s business and professional success and/or protection, these EDB Materials are not suitable for compliance with the laws, regulations, and rulings of any of the states or the federal government at any given time now or in the future. Participant acknowledges and accepts sole and exclusive responsibility for compliance with the legal authorities of each applicable state and the federal government. EnterpriseDB makes no warranties, express or implied, including but not limited to any implied warranties of merchantability or of fitness for a particular use or purpose.
It is up to you to stay current on all applicable legal authorities impacting your operations. Please consult a HIPAA-qualified attorney as part of your compliance program.
The information in this webinar is intended for US companies with healthcare applications.
HIPAA OVERVIEW
HIPAA and HITECH (1)
• HIPAA is the Health Insurance Portability and Accountability Act, enacted in 1996
• Drove increased use of electronic medical records and standardized electronic health-care transactions
• Contains provisions to protect the security and privacy of Protected Health Information (PHI)
• Governs a wide range of personally identifiable health and health-related data, including
− insurance and billing information
− diagnosis data
− clinical care data
− lab results, including test results and medical images
HIPAA and HITECH (2)
• HITECH is the Health Information Technology for Economic and Clinical Health Act (Title XIII of the American Recovery and Reinvestment Act of 2009)
• HITECH extended HIPAA in 2009
• HIPAA and HITECH establish a set of federal standards intended to
− protect the security and privacy of PHI
− impose requirements related to the use and disclosure of PHI
− provide appropriate safeguards to protect PHI, individual rights, and administrative responsibilities
• We refer to HIPAA and HITECH together as “HIPAA”
Covered Entities and HIPAA
• A Covered Entity is a health plan, health care clearinghouse, or health care provider that transmits health information electronically, and that creates, maintains, transmits, uses, and discloses an individual’s protected health information (PHI)
• Each Covered Entity is required to meet HIPAA requirements
The HIPAA Final Omnibus Rule
• Omnibus means “comprising several items”
• Clarifies that any company maintaining PHI on behalf of a covered entity is considered a Business Associate, even if it does not actually view the data
• Each cloud service provider that stores or transmits PHI, including AWS, is therefore a HIPAA Business Associate (BA), and under the Omnibus Rule a BA is directly liable for Security Rule compliance
• Therefore, AWS must enter into a Business Associate Agreement (BAA) with any covered entity on behalf of which AWS stores and transmits PHI
Specific HIPAA Requirements on a DBaaS
• HIPAA’s Privacy Rule
− restricts use and disclosure of PHI
− creates individual rights for PHI
− mandates administrative requirements
• HIPAA’s Security Rule
− requires protection of individuals’ electronic PHI (ePHI) that is created, received, used, or maintained by a covered entity
− requires appropriate administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of ePHI
− requires access and audit controls for ePHI; for a database service these translate into authentication, authorization, encryption in transit and at rest, and audit logging of database activity
HIPAA and Amazon AWS
Shared Responsibility Model
Customers must understand and distinguish between:
• Security of the cloud:
− security measures that the cloud service provider (AWS) implements and operates
− responsibility of the cloud provider (AWS)
• Security in the cloud:
− security measures that the customer implements and operates, related to the security of customer content and applications that make use of AWS services
− responsibility of the customer (you)
− customers select security solutions to protect their own content, platform, applications, systems and networks
Shared Responsibility Details
• Amazon’s infrastructure responsibilities
− AWS Global Infrastructure, Regions, Availability Zones
− computing resources: compute, storage, networking
• Customer responsibilities
− encryption: client-side, server-side (file system), and network traffic
− operating system, network, and firewall configuration
− platform, applications, identity and access management
− customer data
• See http://aws.amazon.com/compliance/shared-responsibility-model/
HIPAA and
Postgres Plus Cloud Database
Postgres Plus Cloud Database Advanced
• We recommend Postgres Plus Cloud Database Advanced, featuring EDB’s premium database, Postgres Plus Advanced Server, which includes:
− enhanced security features
− enhanced auditing to meet compliance obligations
− database compatibility for Oracle
− enterprise developer features
PPCD and HIPAA Requirements
• Encryption of data in transit:
− PPCD generates SSL/TLS certificates for every database
− client-side certificates can be generated based on the database certificates and used in client applications, to verify the server’s identity and, where configured, to authenticate the client by certificate
• Encryption of data at rest:
− PPCD uses AES cryptography to protect stored data; note that AES is defined (FIPS 197) only for 128-, 192- and 256-bit keys, so an “AES 512 bit” key does not exist and the actual key length in use should be confirmed with EnterpriseDB
− AES is among the strongest ciphers available in modern computing, and is the cipher standard specified by NIST
• Passwords:
− no password-specific detail is given on this slide; the only password statement in the deck is that console passwords are stored as MD5 hashes (see Postgres Plus Cloud Database Security)
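The transport requirement above is only as strong as the server’s connection rules: a single non-SSL `host` entry in `pg_hba.conf` lets PHI leave the instance in cleartext regardless of which certificates were generated. The following is an added example, not PPCD’s own tooling, that audits a `pg_hba.conf` for such rules. The sample file is constructed (PPCD generates its own); `scram-sha-256` and `clientcert=verify-full` are the PostgreSQL 10+/12+ spellings and are assumptions relative to the 2015 deck.

```python
"""Audit a pg_hba.conf for rules that would let PHI travel unencrypted or
unauthenticated. Added example, not PPCD code; the sample file is constructed."""
import ipaddress
import re
from typing import Dict, List, Optional

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

# Constructed pg_hba.conf (assumption: a typical layout; PPCD generates its own).
SAMPLE_PG_HBA = """\
# TYPE    DATABASE  USER  ADDRESS                  METHOD         [OPTIONS]
local     all       all                            peer
host      all       all   127.0.0.1/32             md5
host      all       all   10.0.0.0/8               trust
host      all       all   192.168.0.0 255.255.0.0  scram-sha-256
hostssl   ehr       app   10.0.1.0/24              md5
hostssl   ehr       app   10.0.2.0/24              cert
hostssl   all       all   0.0.0.0/0                scram-sha-256  clientcert=verify-full
hostnossl all       all   0.0.0.0/0                scram-sha-256
"""


def _is_loopback(addr: Optional[str]) -> bool:
    """True for rules that can only be matched from the database host itself."""
    if addr is None or addr == "samehost":
        return True
    try:
        return ipaddress.ip_network(addr, strict=False).is_loopback
    except ValueError:  # 'all', 'samenet' or a hostname: treat as remote
        return False


def parse_pg_hba(text: str) -> List[Dict]:
    """Parse the type / database / user / address / method / options columns.
    Handles both CIDR and the legacy 'address netmask' form."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        f = line.split()
        if f[0] == "local":
            if len(f) < 4:
                continue
            addr, rest = None, f[3:]
        else:
            if len(f) < 5:
                continue
            addr, rest = f[3], f[4:]
            if "/" not in addr and IPV4.match(addr) and IPV4.match(rest[0]):
                addr, rest = f"{addr}/{rest[0]}", rest[1:]  # netmask form
                if not rest:
                    continue
        rules.append({"line": lineno, "type": f[0], "db": f[1], "user": f[2],
                      "addr": addr, "method": rest[0], "opts": rest[1:]})
    return rules


def audit_pg_hba(text: str) -> List[Dict]:
    """Return one finding per weak rule, in the order the rules appear."""
    findings = []

    def flag(rule, severity, msg):
        findings.append({"line": rule["line"], "severity": severity, "msg": msg})

    for r in parse_pg_hba(text):
        opts = set(r["opts"])
        # Authentication method checks
        if r["method"] == "trust":
            flag(r, "critical", "'trust' grants access with no credential at all")
        elif r["method"] == "password":
            flag(r, "critical", "'password' sends the password in cleartext")
        elif r["method"] == "md5":
            flag(r, "medium", "md5 challenge-response is weak; use scram-sha-256")
        # Transport checks: anything other than hostssl can carry PHI without TLS
        if r["type"] in ("host", "hostnossl") and not _is_loopback(r["addr"]):
            sev = "critical" if r["type"] == "hostnossl" else "high"
            flag(r, sev, f"{r['type']} rule for {r['addr']} allows unencrypted "
                         f"connections; use hostssl")
        # Mutual TLS: require a client certificate on every remote TLS rule
        if (r["type"] == "hostssl" and r["method"] != "cert"
                and not opts & {"clientcert=verify-full", "clientcert=verify-ca",
                                "clientcert=1"}):
            flag(r, "low", "no client certificate required; add clientcert=verify-full")
    return findings


if __name__ == "__main__":
    for f in audit_pg_hba(SAMPLE_PG_HBA):
        print(f"line {f['line']:>2} [{f['severity']}] {f['msg']}")
```

Run against the constructed file it reports seven findings; the only rules that pass are the `cert` rule and the `scram-sha-256` rule that also demands a client certificate. Because `pg_hba.conf` is first-match, a permissive rule placed above a strict one wins, so ordering should be reviewed alongside the individual findings.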
PPCD and HIPAA: Auditing
• Database auditing for compliance:
− PPCD allows security administrators and auditors to track and analyze a variety of database activities including database access, usage, creation, change and deletion
− audit reports can be generated and viewed using PPCD’s DBA Management Server
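Collecting the audit trail is half the control; the other half is reviewing it. As an added example, not PPCD’s audit tooling, the script below runs three detections over PostgreSQL server log lines that cover the activity classes listed above: access (authentication failures from one host), usage (bulk reads of PHI tables outside business hours) and change or deletion (DDL/DML against PHI tables). The log lines are constructed and assume `log_line_prefix = '%m [%p] %u@%d %h '`, `log_connections = on` and `log_statement = 'all'`; the PHI table names and business hours are assumptions.

```python
"""Detection logic over PostgreSQL server log lines. Added example, not PPCD
code; the log lines below are constructed and the PHI table names, business
hours and log_line_prefix format are assumptions."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List

# Matches log_line_prefix = '%m [%p] %u@%d %h ' followed by the severity and message.
LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+ \S+ "
    r"\[(?P<pid>\d+)\] (?P<user>[^@\s]+)@(?P<db>\S+) (?P<host>\S+) "
    r"(?P<level>[A-Z]+):\s+(?P<msg>.*)$")

PHI_TABLES = {"patients", "encounters", "lab_results"}  # assumption
MUTATING = re.compile(r"^\s*(?:DROP|TRUNCATE|DELETE|ALTER|UPDATE|INSERT)\b", re.I)
TABLE_REF = re.compile(
    r"\b(?:TRUNCATE\s+TABLE|TRUNCATE|FROM|JOIN|INTO|TABLE|UPDATE)\s+"
    r"(?:ONLY\s+)?(?:\w+\.)?(\w+)", re.I)
BUSINESS_HOURS = range(8, 18)  # assumption: 08:00-17:59 server time

# Constructed log lines (not a real PPCD log).
SAMPLE_LOG = [
    '2015-04-01 02:13:07.123 UTC [4123] report@ehr 10.0.1.9 LOG:  statement: SELECT * FROM patients',
    '2015-04-01 09:02:11.004 UTC [4130] app@ehr 10.0.1.7 LOG:  connection authorized: user=app database=ehr',
    '2015-04-01 09:02:15.220 UTC [4130] app@ehr 10.0.1.7 LOG:  statement: SELECT * FROM patients WHERE id = 42',
    '2015-04-01 11:40:00.000 UTC [4150] dba@ehr 10.0.1.2 LOG:  statement: ALTER TABLE patients DROP COLUMN ssn',
    '2015-04-01 11:41:02.000 UTC [4150] dba@ehr 10.0.1.2 LOG:  statement: DELETE FROM lab_results WHERE patient_id = 42',
    '2015-04-01 14:00:01.000 UTC [4161] app@ehr 10.0.1.7 LOG:  statement: SELECT count(*) FROM encounters',
    '2015-04-01 23:59:01.000 UTC [4170] app@ehr 203.0.113.5 FATAL:  password authentication failed for user "app"',
    '2015-04-01 23:59:02.000 UTC [4171] app@ehr 203.0.113.5 FATAL:  password authentication failed for user "app"',
    '2015-04-01 23:59:03.000 UTC [4172] app@ehr 203.0.113.5 FATAL:  password authentication failed for user "app"',
]


def parse_log(lines: List[str]) -> List[Dict]:
    """Turn each parseable line into a dict; continuation lines are skipped."""
    events = []
    for raw in lines:
        m = LINE.match(raw)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%d %H:%M:%S")
        events.append(e)
    return events


def detect(lines: List[str], fail_threshold: int = 3,
           window: timedelta = timedelta(minutes=5)) -> List[Dict]:
    """Return alerts in log order for the three detections described above."""
    alerts = []
    recent_failures = defaultdict(deque)  # (host, user) -> failure timestamps in window

    def alert(rule, e, **extra):
        alerts.append({"rule": rule, "who": f"{e['user']}@{e['host']}",
                       "ts": e["ts"], **extra})

    for e in parse_log(lines):
        msg = e["msg"]
        if e["level"] == "FATAL" and "authentication failed" in msg:
            q = recent_failures[(e["host"], e["user"])]
            q.append(e["ts"])
            while q and e["ts"] - q[0] > window:
                q.popleft()
            if len(q) == fail_threshold:  # fire once, when the threshold is first reached
                alert("auth-bruteforce", e, failures=len(q))
        elif msg.startswith("statement: "):
            sql = msg[len("statement: "):]
            touched = {t.lower() for t in TABLE_REF.findall(sql)} & PHI_TABLES
            if not touched:
                continue
            if MUTATING.match(sql):
                alert("phi-change", e, tables=sorted(touched), sql=sql)
            elif (sql.lstrip().upper().startswith("SELECT")
                  and " WHERE " not in sql.upper()
                  and e["ts"].hour not in BUSINESS_HOURS):
                alert("phi-bulk-read-offhours", e, tables=sorted(touched), sql=sql)
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(a["ts"], a["rule"], a["who"], a.get("sql", ""))
```

On the constructed lines this raises four alerts: the 02:13 unfiltered read of `patients`, the `ALTER TABLE` and `DELETE` against PHI tables, and the third failed login from 203.0.113.5 within five minutes. The in-hours `SELECT count(*)` and the keyed lookup produce nothing, which is the intended noise floor for a first pass; the table list and thresholds are the knobs to tune per deployment.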
Postgres Plus Cloud Database
Hardened Architecture
Postgres Plus Cloud Database Architecture
[Architecture diagram. Components shown: Client Apps/Users connect through a Connection Pooler & Load Balancer to a Database Cluster made up of a Master Database (Writes, Reads) and automatically created Replicas kept in sync by Streaming Replication, with Auto Elastic Scale-Out. A Cluster Manager provides auto-provisioning, health checks, and automatic failover, scaling and backup, and is driven from a GUI Cloud Console or an Admin App or Terminal. Everything runs on Cloud Resources: Network, Elastic IP, Elastic Storage, VMs, Security, Hardware.]
Postgres Plus Cloud Database Security
• Clusters of Postgres Plus Advanced Server databases are launched from a multi-tenant console
− the PPCD console is the only multi-tenant portion of the system
− the PPCD console processes no customer PHI data
− PPCD console user passwords are stored as MD5 hashes; note that MD5 is a fast hash and is not a recommended password-storage algorithm (a slow, salted construction such as PBKDF2, bcrypt or scrypt is the usual practice), so console credentials should be treated as high-value even though the console holds no PHI
• All customer database instances are private
− only the database port is open by default
• Postgres Plus Advanced Server
− row-level security governs which users can view which rows
− protection against SQL injection attacks
− protection of server-side code from unauthorized viewing
Postgres Plus Cloud Database
Advantages for Healthcare
Core Database Features (1)
• ACID-compliant
− Postgres Plus Advanced Server is a 100% ACID-compliant relational DBMS
− key-value and JSON datatypes are also ACID-compliant
− a high-performance transaction engine powers many of the world’s most advanced mission-critical applications
• Rich data types
− supports a wide variety of structured, semi-structured and unstructured data
− unlike many NoSQL datastores, which operate under eventual-consistency semantics, all PPCD data is managed transactionally to ensure it is consistent and accurate at all times
Mixed Workload Management
• Prioritize specific workloads in mixed-workload databases to prevent one or more other workloads from monopolizing CPU or I/O resources
• Simplify job scheduling
− allow critical reports to run when necessary
− ensure that backups can complete within their required window
− prioritize customer orders so they complete quickly
− set and meet SLAs for important jobs
Integration and Portability
• Database Integration: Foreign Data Wrappers (FDW)
− provide a simple and powerful way to interoperate with external data sources
− healthcare application developers and DBAs can use FDWs to easily aggregate data from companion systems to create a single, integrated database
− FDWs save significant time and costs for applications requiring database interoperability
• Database Portability
− Postgres is available from multiple sources, eliminating single-vendor lock-in
− Postgres is available on-premise, in virtualized environments, and in the cloud for deployment flexibility
Database Compatibility for Oracle
• PPCD Advanced delivers comprehensive database compatibility for Oracle
• Healthcare organizations can leverage their Oracle database investments when transitioning to the cloud
• Oracle DBAs and application developers can use their existing skills, tools and practices to implement new systems using PPCD
• EnterpriseDB offers Oracle Migration Services to assist organizations in migrating existing Oracle applications to PPCD
Questions?
Resources
• Postgres Plus Cloud Database:
− cloud.EnterpriseDB.com
• Amazon Web Services (AWS) Compliance:
− aws.amazon.com/compliance
• US Dept of Health & Human Services: Health Information Privacy:
− www.hhs.gov/ocr/privacy/hipaa/understanding