FHIR: Spark.Net: Create MongoDB HIPAA Storage
I am looking for ways to make Mongo storage used by Spark.Net HIPAA compliant. Does MongoDB SSL Transport use data encryption on the wire and use Gazzang for data at rest well enough? Are there other options for data at rest, still allowing certain properties to be indexed into JSON?
Given HIPAA compliance has a number of privacy and security requirements, I would suggest that you also get some professional guidance on how to comply. There are physical and technical requirements beyond the database software, but encrypting data in motion and at rest will mark some of the boxes.
I will add a disclaimer that "I am not a HIPAA lawyer or expert," so you will have to research / confirm specific compliance data for your use case.
Data encryption in motion
- MongoDB binary distributions do not include SSL support by default. You can build from source with SSL support or get a commercial MongoDB Enterprise license.
- You need to make sure the SSL mode is set to requireSSL and enable certificate validation with x.509.
- I believe you need to use a Federal Information Processing Standard (FIPS) compliant encryption algorithm. FIPS mode is currently only supported in MongoDB Enterprise.
Data encryption at rest
MongoDB (as of 2.6) does not have built-in support for data encryption at rest, however there are a number of third-party partner solutions that currently include:
The above solutions can be used to transparently encrypt the data directories used by MongoDB, so you have full access to the query and indexing functionality.
It is likely that some of the data you store may have more stringent requirements (for example, regarding privacy or editing certain fields), so additional application logic may be required to implement.
Additional Information
- The MongoDB Architecture provides more details on security and auditing options.
- The Security section of the MongoDB manual contains some of the best practices and configuration features.
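An added example (not part of the original answer): a small Python check of a mongod YAML config for the in-transit settings the answer lists. Apart from requireSSL, the option names are the 2.6-era `net.ssl.*` settings and are an assumption about the deployment (newer releases use different names); the file paths and both sample configs are constructed.

```python
def flatten(text):
    """Flatten the simple nested 'key: value' YAML of a mongod config into dotted keys."""
    stack, out = [], {}  # stack holds (indent, key) for each open section
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments and trailing space
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        key, value = key.strip(), value.strip().strip("\"'")
        while stack and stack[-1][0] >= indent:  # close sections we have left
            stack.pop()
        if value:
            out[".".join([k for _, k in stack] + [key])] = value
        else:
            stack.append((indent, key))
    return out

def audit(text):
    """Return a list of findings for the encryption-in-motion settings."""
    cfg, findings = flatten(text), []
    if cfg.get("net.ssl.mode") != "requireSSL":
        findings.append("net.ssl.mode is not requireSSL: unencrypted connections are accepted")
    if not cfg.get("net.ssl.CAFile"):
        findings.append("net.ssl.CAFile is unset: client x.509 certificates cannot be validated")
    if cfg.get("net.ssl.weakCertificateValidation", "false").lower() == "true":
        findings.append("weakCertificateValidation lets clients connect without a certificate")
    if cfg.get("net.ssl.FIPSMode", "false").lower() != "true":
        findings.append("net.ssl.FIPSMode is off (FIPS mode requires MongoDB Enterprise)")
    return findings

# Constructed sample configs: a weak one and a corrected one.
WEAK = """\
net:
  ssl:
    mode: preferSSL
    PEMKeyFile: /etc/ssl/mongodb.pem
"""
HARDENED = """\
net:
  ssl:
    mode: requireSSL
    PEMKeyFile: /etc/ssl/mongodb.pem
    CAFile: /etc/ssl/ca.pem
    FIPSMode: true
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(text) or "no findings")
```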