Thread: PostgresSQL and HIPAA compliance
Hello, I have a few questions regarding the use of PostgreSQL and HIPAA
compliance. I work for a company that plans on storing protected health
information (PHI) on our servers. We have looked at various solutions for doing
so, and RDS is a prime candidate except for the fact that they have explicitly
stated that the Postgres engine is *not* HIPAA compliant.
Users on the IRC channel generally say that the guidelines are more catered
towards building better firewalls and a sane access policy, but I would like to
know if there is anything within the implementation of Postgres itself that
violates said compliance.
If anyone works at a similar company and utilizes postgresql to store PHI,
please let me know.
Thank you,
Alex
> On Jun 17, 2016, at 3:03 AM, Alex John <alex.john@holmusk.com> wrote: > > Hello, I have a few questions regarding the use of PostgreSQL and HIPAA > compliance. I work for a company that plans on storing protected health > information (PHI) on our servers. We have looked at various solutions for doing > so, and RDS is a prime candidate except for the fact that they have explicitly > stated that the Postgres engine is *not* HIPAA compliant. There's nothing fundamental to postgresql that would make HIPAA compliance difficult, and *probably* nothing major with the way it's deployed on RDS. Actual certification takes time and money, though. > > Users on the IRC channel generally say that the guidelines are more catered > towards building better firewalls and a sane access policy, but I would like to > know if there is anything within the implementation of Postgres itself that > violates said compliance. > > If anyone works at a similar company and utilizes postgresql to store PHI, > please let me know. EnterpriseDB are helping provide HIPAA compliant postgresql on AWS; it might be worth having a chat with them. http://www.enterprisedb.com/postgres-plus-edb-blog/fred-dalrymple/postgres-meets-hipaa-cloud http://www.slideshare.net/EnterpriseDB/achieving-hipaa-compliance-with-postgres-plus-cloud-database Cheers, Steve
The method you use to store the data is irrelevant. Access to your network. Logging. If you're encrypting the disk. How is the application presenting this data. What kind of ACLs are you using. Asking if PG is good to store HIPAA data is exactly as useful as asking if you can even store HIPAA data. There are so many more important things to consider.
RDS is a hosted service. They don't have all the guarentees you'd want for PHI. I'm sure they're MySQL engine probably has similar warnings.
Jim
On Fri, Jun 17, 2016 at 6:03 AM, Alex John <alex.john@holmusk.com> wrote:
Hello, I have a few questions regarding the use of PostgreSQL and HIPAA
compliance. I work for a company that plans on storing protected health
information (PHI) on our servers. We have looked at various solutions for doing
so, and RDS is a prime candidate except for the fact that they have explicitly
stated that the Postgres engine is *not* HIPAA compliant.
Users on the IRC channel generally say that the guidelines are more catered
towards building better firewalls and a sane access policy, but I would like to
know if there is anything within the implementation of Postgres itself that
violates said compliance.
If anyone works at a similar company and utilizes postgresql to store PHI,
please let me know.
Thank you,
Alex
--
Sent via pgsql-general mailing list (pgsql-general@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-general
On 06/17/2016 03:03 AM, Alex John wrote: > Hello, I have a few questions regarding the use of PostgreSQL and HIPAA > compliance. I work for a company that plans on storing protected health > information (PHI) on our servers. We have looked at various solutions for doing > so, and RDS is a prime candidate except for the fact that they have explicitly > stated that the Postgres engine is *not* HIPAA compliant. > Correct but that isn't a Postgres problem, it is an RDS one. > Users on the IRC channel generally say that the guidelines are more catered > towards building better firewalls and a sane access policy, but I would like to > know if there is anything within the implementation of Postgres itself that > violates said compliance. No. > > If anyone works at a similar company and utilizes postgresql to store PHI, > please let me know. > We do (see sig) for multiple companies and it is fully compliant. Your issue isn't PostgreSQL. JD -- Command Prompt, Inc. http://the.postgres.company/ +1-503-667-4564 PostgreSQL Centered full stack support, consulting and development. Everyone appreciates your honesty, until you are honest with them.
On 06/17/2016 03:03 AM, Alex John wrote: > RDS is a prime candidate except for the fact that they have explicitly > stated that the Postgres engine is *not* HIPAA compliant. More precisely, it is not covered by the BAA Amazon will sign. I've helped several companies run HIPAA-compliant Postgres on regular EC2 instances (which *are* covered by your BAA, as long as they are dedicated instances---which do cost more). So you just have to do some of the server work yourself. If you are making the rest of your app HIPAA-compliant anyway, it shouldn't add a large burden to do Postgres that way too. Make sure your access rules are good, use SSL for the connections, put it on an encrypted disk (easy these days with encrypted EBS volumes), etc. Slightly more effort but still very doable is handling requirements for auditing accesses and changes. How you do this probably depends on the rest of your stack. Yours, Paul
-----Original Message-----
From: Alex John
Sent: Friday, June 17, 2016 3:04 AM
To: pgsql-general@postgresql.org
Subject: [GENERAL] PostgresSQL and HIPAA compliance
Hello, I have a few questions regarding the use of PostgreSQL and HIPAA
compliance. I work for a company that plans on storing protected health
information (PHI) on our servers. We have looked at various solutions for
doing so, and RDS is a prime candidate except for the fact that they have
explicitly stated that the Postgres engine is *not* HIPAA compliant.
Users on the IRC channel generally say that the guidelines are more catered
towards building better firewalls and a sane access policy, but I would like
to know if there is anything within the implementation of Postgres itself
that violates said compliance.
If anyone works at a similar company and utilizes postgresql to store PHI,
please let me know.
Thank you,
Alex
---------------------------------------------------------------------
HIPAA compliance does not specify (ever) the technical solution to meet the
requirements, so ANY datastore that can be properly managed within the
context of HIPAA compliance is legal and allowed. Ignore IRCs and search on
securing PHI on relational databases, you'll find lots of details around
data access roles, documentation, processes, data obfuscation, etc.
Mike
On 2016-06-17 14:09, Paul Jungwirth wrote: > On 06/17/2016 03:03 AM, Alex John wrote: >> RDS is a prime candidate except for the fact that they have explicitly >> stated that the Postgres engine is *not* HIPAA compliant. > > More precisely, it is not covered by the BAA Amazon will sign. > > I've helped several companies run HIPAA-compliant Postgres on regular > EC2 instances (which *are* covered by your BAA, as long as they are > dedicated instances---which do cost more). So you just have to do some > of the server work yourself. If you are making the rest of your app > HIPAA-compliant anyway, it shouldn't add a large burden to do Postgres > that way too. Make sure your access rules are good, use SSL for the > connections, put it on an encrypted disk (easy these days with encrypted > EBS volumes), etc. > > Slightly more effort but still very doable is handling requirements for > auditing accesses and changes. How you do this probably depends on the > rest of your stack. > > Yours, > Paul > This is what we do, we have dedicated EC2 instances for PostgreSQL storing PHI. From my point of view, it's the same as any other server running Linux (I can SSH in, or tunnel my DB connection). To be honest I'd rather have it this way than deal with the RDS interface. Try to avoid those HIPAA compliance meetings though, they are terrible and long. -- Stephen