Tags: mongodb, hl7-fhir, hipaa

FHIR: Spark.Net: Making MongoDB storage HIPAA compliant


I'm looking for ways to make the Mongo storage used by Spark.Net HIPAA compliant. Is using MongoDB SSL transport to encrypt data on the wire and using Gazzang for data at rest good enough? Are there other options for data at rest that still allow indexing certain properties in the JSON?


Solution

  • Given HIPAA compliance has a number of privacy and security requirements, I would assume you are also getting some professional advice on how to comply. There are physical and technical requirements that extend beyond the database software, but encryption of data in motion and at rest will tick some of the boxes.

    I will add the disclaimer that "I am not a lawyer or a HIPAA expert", so you'll have to research/confirm the specific compliance details for your use case.

    Encryption of data in motion

    Encryption of data at rest

    MongoDB (as at 2.6) does not have built-in support for encryption of data at rest, however there are a number of third party partner solutions which currently include:

    The above solutions can be used to transparently encrypt the data directories used by MongoDB, so you still have full access to query and indexing functionality.

    It's likely that some of the data you store may have more stringent requirements (eg. around privacy or redaction of specific fields) so there may be some additional application logic to implement.

    Related information

    • The MongoDB Security Architecture white paper goes into more detail on security & auditing options.
    • The Security section of the MongoDB manual includes some specifics on best practices and configuration.
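As an added illustration of the "data in motion" point above (example configuration, not part of the original answer or of Spark.Net), this is a minimal `mongod.conf` in the YAML format introduced with MongoDB 2.6 that refuses unencrypted client connections and turns on authorization; the interface address and certificate paths are placeholders.

```yaml
# Added example: mongod.conf (YAML, MongoDB 2.6+) hardened for wire encryption.
# Weak alternatives are shown as comments next to the setting they replace.
net:
  port: 27017
  bindIp: 10.0.0.5            # placeholder: listen on the private interface only
                              # (weak: 0.0.0.0, reachable from every interface)
  ssl:
    mode: requireSSL          # every client must negotiate SSL/TLS
                              # (weak: allowSSL / preferSSL still accept plaintext)
    PEMKeyFile: /etc/ssl/mongodb.pem   # placeholder: server certificate + private key
    CAFile: /etc/ssl/ca.pem            # placeholder: CA used to validate client certificates
security:
  authorization: enabled      # role-based access control; without it any connection
                              # that completes the handshake has full access
```

Clients (including the Spark.Net connection string) then need the standard `ssl=true` URI option, otherwise the server rejects the connection under `requireSSL`.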