How to Protect Sensitive (HIPAA) SQL Server Standard Data and Log Files

Solution 1:

The general suggestion for HIPAA is to follow the PCI Data Security Standard (PCI-DSS), except everywhere they say "Cardholder Information" or "Account Information" you say "PHI". My company (Healthcare industry, dealing with PHI) uses the PCI-DSS as our primary starting point, along with a healthy dose of common sense (e.g. making sure the data STAYS encrypted (or confined to secure networks) at all times).

Column-level encryption of some kind is almost always a good idea when dealing with sensitive data, and given the potential cost of a lawsuit it's high up there with things to consider.

Solution 2:

You need to protect the PHI, which would require that you encrypt the data in the database table. Encrypting the data at the column level is your best bet. Searching on these fields is going to be expensive, but that's the cost of high security.

I talk about a variety of data encryption options in chapter 2 of my book "Securing SQL Server".
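Both answers recommend column-level encryption and the second one warns that searching encrypted columns is expensive. The T-SQL below is an added example (not code from either answer or from the book mentioned) showing the native SQL Server column-encryption pattern end to end: a key hierarchy (database master key, certificate, AES-256 symmetric key), a table whose sensitive columns hold only ciphertext, so the plaintext never lands in the data or log files, a backup of the certificate private key to a separate location, the slow "decrypt every row" search, and a keyed-hash blind index that turns equality lookups into an index seek. Everything named here (database PHIDemo, certificate PHICert, key PHIKey, table dbo.Patient, the pepper value, the file paths and the two sample rows) is hypothetical; the script needs SQL Server 2012 or later for HASHBYTES('SHA2_256').

```sql
-- Added example, not from the original answers. Object names, sample rows, passwords,
-- the pepper and the backup paths are all hypothetical. Run in a test instance.
USE master;
GO
CREATE DATABASE PHIDemo;
GO
USE PHIDemo;
GO

-- Key hierarchy: database master key -> certificate -> AES-256 symmetric key.
-- The plaintext is never written to the .mdf/.ldf pages; only this key chain can
-- recover it, so the certificate private key is the asset to protect and back up.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'Ch4nge-Me!DMK-Passw0rd';
CREATE CERTIFICATE PHICert WITH SUBJECT = 'Protects the PHI column key';
CREATE SYMMETRIC KEY PHIKey
    WITH ALGORITHM = AES_256
    ENCRYPTION BY CERTIFICATE PHICert;
GO

CREATE TABLE dbo.Patient
(
    PatientId   INT            NOT NULL PRIMARY KEY,
    LastNameEnc VARBINARY(256) NOT NULL,  -- EncryptByKey output (header + IV + ciphertext)
    SSNEnc      VARBINARY(256) NOT NULL,
    SSNLookup   BINARY(32)     NOT NULL   -- keyed SHA-256 "blind index" for equality search
);
-- Equality lookups on SSN go through this index; the ciphertext itself is never indexed,
-- because a fresh IV makes every EncryptByKey call produce a different value.
CREATE INDEX IX_Patient_SSNLookup ON dbo.Patient (SSNLookup);
GO

-- Keep this backup OFF the server that holds the database and its .bak files:
-- a restored copy of the data and log files is useless ciphertext without it,
-- and an attacker with both the files and the key has everything.
BACKUP CERTIFICATE PHICert TO FILE = 'C:\KeyBackup\PHICert.cer'
    WITH PRIVATE KEY (FILE = 'C:\KeyBackup\PHICert.pvk',
                      ENCRYPTION BY PASSWORD = 'Ch4nge-Me!PVK-Passw0rd');
GO

-- Secret for the blind index. In production it comes from the application or a key
-- store, never from a script literal or a table in the same database; this 32-byte
-- value is a demo placeholder.
DECLARE @Pepper VARBINARY(32) =
    0x0102030405060708091011121314151617181920212223242526272829303132;

OPEN SYMMETRIC KEY PHIKey DECRYPTION BY CERTIFICATE PHICert;

-- The authenticator arguments (1, N'<PatientId>') bind each ciphertext to its row, so a
-- ciphertext copied from one row into another decrypts to NULL instead of a valid value.
INSERT INTO dbo.Patient (PatientId, LastNameEnc, SSNEnc, SSNLookup)
VALUES
 (1, EncryptByKey(Key_GUID('PHIKey'), 'Doe',         1, N'1'),
     EncryptByKey(Key_GUID('PHIKey'), '123-45-6789', 1, N'1'),
     HASHBYTES('SHA2_256', @Pepper + CONVERT(VARBINARY(11), '123-45-6789'))),
 (2, EncryptByKey(Key_GUID('PHIKey'), 'Roe',         1, N'2'),
     EncryptByKey(Key_GUID('PHIKey'), '987-65-4321', 1, N'2'),
     HASHBYTES('SHA2_256', @Pepper + CONVERT(VARBINARY(11), '987-65-4321')));

-- The expensive search the second answer warns about: no index can serve this
-- predicate, so SQL Server decrypts EVERY row and compares plaintext (full scan).
SELECT PatientId
FROM dbo.Patient
WHERE CONVERT(VARCHAR(11),
              DecryptByKey(SSNEnc, 1, CONVERT(NVARCHAR(10), PatientId))) = '123-45-6789';

-- The cheaper equality search: hash the search term with the same pepper, seek the
-- blind index, and decrypt only the row(s) that match.
SELECT PatientId,
       CONVERT(VARCHAR(50),
               DecryptByKey(LastNameEnc, 1, CONVERT(NVARCHAR(10), PatientId))) AS LastName
FROM dbo.Patient
WHERE SSNLookup = HASHBYTES('SHA2_256', @Pepper + CONVERT(VARBINARY(11), '123-45-6789'));

CLOSE SYMMETRIC KEY PHIKey;
```

Two caveats on the blind index. It only supports exact-match lookups (no LIKE, no ranges), and because it is deterministic it reveals which rows share the same SSN; that is the trade-off for making the lookup an index seek instead of a decrypt-everything scan. T-SQL has no built-in HMAC, so the pepper is prepended to the value before SHA-256; that is enough to keep the index unbuildable without the pepper, but if the application can compute the hash it should use a real HMAC and pass the digest in as a parameter.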