NoSQL databases for PHI?

Are the fast, document-based NoSQL solutions (MongoDB, Cassandra, CouchDB, etc.) appropriate for PHI data? They have performance advantages compared to RDBMSs for sure, but in general they appear less mature.

I started designing a system based on MongoDB, but reading about the recent controversies on Reddit and Hacker News surrounding allegations of data loss with MongoDB gave me pause...

The controversy claimed MongoDB (which appears to be one of the most popular NoSQL databases) actually lost data. The implication is that, with the many years of experience with RDBMSs, MySQL or PostgreSQL are safer bets.

With the higher technical and regulatory requirements in healthcare, how much confidence can I really place in MongoDB?

Has anyone had success with using these database solutions in projects requiring HIPAA compliance?


I don't see why it would be a problem. Actually, I'd say the largest part of healthcare IT runs on a NoSQL solution called MUMPS. You'd just have to be careful how it was implemented, but the argument for using a NoSQL solution actually makes a lot of sense in healthcare. You can read more about MUMPS and it possibly being replaced by the above NoSQL solutions you mention: http://www.emrandhipaa.com/emr-and-hipaa/2011/10/18/analysis-of-mumps-in-healthcare-emr/

I'm sure many would love for MUMPS to be gone and one of the solutions you described put in place. Although, up until now, I can't say I've seen anyone do it yet.


To add to @linda's answer, the database is just another layer in the stack of components that create an application. The security of that system is based upon the combination of all components.

Bottom line:

MongoDB, MySQL, Postgres, etc... They are all just ways of organizing bits for storage/retrieval. There are not necessarily more security flaws in one or the other simply because one is relational and another is object-oriented.

If you are implementing a new EMR or migrating, be sure to talk to your IT guys about project specifics before making any CXO decisions! I've experienced too many tales of management making large, sweeping and disastrous decisions without IT input.

For HIPAA compliance, all pt info needs to be encrypted 'in transit' and 'at rest'. - Source

Also, I believe Epic uses Caché in some of their products as well. It's an object database.


It's not so much about which tool you use to store the data, but rather how you secure that data. I don't see any reason why a NoSQL solution couldn't be secured to an appropriate level, just as an RDBMS solution could be done in a way that was completely insecure.

Things to consider in securing the data (this is by no means an exhaustive list):

  • Access to the server (physical and network security)
  • Access to the data on the server (access rights)
  • Encryption (I've seen debates over whether it's necessary to encrypt the data)
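As an added illustration (not part of any answer above, nor MongoDB's own documentation) of how those three items map onto concrete settings, here is a deliberately weak mongod.conf beside a hardened one that covers "in transit" and access rights; the file paths and the 10.0.5.12 application-subnet address are assumptions, and the YAML layout assumes a MongoDB 4.2+ server.

```yaml
# ---------- WEAK mongod.conf (do not deploy) ----------
net:
  port: 27017
  bindIp: 0.0.0.0           # listens on every interface, reachable from anywhere
# No "security" section: authorization defaults to disabled, so any client
# that can reach the port can read and write every record, in cleartext.
storage:
  dbPath: /var/lib/mongodb


# ---------- HARDENED mongod.conf ----------
net:
  port: 27017
  # "Access to the server": loopback plus the interface facing the app tier
  # only (10.0.5.12 is an assumed address, not a real deployment value).
  bindIp: 127.0.0.1,10.0.5.12
  tls:
    # "In transit": refuse any client that does not negotiate TLS.
    mode: requireTLS
    certificateKeyFile: /etc/mongodb/tls/server.pem   # assumed path
    CAFile: /etc/mongodb/tls/ca.pem                   # assumed path
security:
  # "Access to the data": every client must authenticate, and is then
  # limited to the roles granted with db.createUser(), e.g. a read-only
  # role for reporting and a separate least-privilege role for the EMR app.
  authorization: enabled
  # "At rest": MongoDB Enterprise provides an encrypted storage engine
  # (security.enableEncryption / security.encryptionKeyFile); Community
  # edition has no equivalent, so the volume under dbPath must be
  # encrypted at the OS or disk layer instead.
storage:
  dbPath: /var/lib/mongodb
systemLog:
  # Keep an append-only log so access can be reviewed later.
  destination: file
  path: /var/log/mongodb/mongod.log
  logAppend: true
```

With the hardened file in place, the remaining work is outside the database: issuing the client certificates, creating the least-privilege users, and protecting the key material and backups, all of which the database configuration cannot do for you.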