FHIR: Spark.Net: Create MongoDB HIPAA Storage

Given HIPAA compliance has a number of privacy and security requirements, I would suggest that you also get some professional guidance on how to comply. There are physical and technical requirements beyond the database software, but encrypting data in motion and at rest will mark some of the boxes.

I will add a disclaimer that "I am not a HIPAA lawyer or expert," so you will have to research / confirm specific compliance data for your use case.

Data encryption in motion

• MongoDB binary distributions do not include SSL support by default. You can build from source with SSL support or get a commercial MongoDB Enterprise license .

• You need to make sure the SSL mode is set to requireSSL
  
  and enable certificatescertificate validation
  
  with x.509 .

• I believe you need to use a Federal Information Processing Standard (FIPS) compliant encryption algorithm. FIPS mode is currently only supported in MongoDB Enterprise.

Data encryption at rest

MongoDB (as of 2.6) does not have built-in support for data encryption at rest, however there are a number of third-party partner solutions that currently include:

• BitLocker Drive Encryption
• Vormetric Data Security Platform
• IBM Guardium data encryption

The above solutions can be used to transparently encrypt the data directories used by MongoDB, so you have full access to the query and indexing functionality.

It is likely that some of the data you store may have more stringent requirements (for example, regarding privacy or editing certain fields), so additional application logic may be required to implement.

Additional Information

• The MongoDB Architecture Architecture provides more details on security and auditing options.
• The Security section of the MongoDB manual contains some of the best practices and configuration features.