
I was hoping to get a recommendation on the best way to store a database encryption key for HIPAA compliance as well as Amazon S3 file storage security. I have been searching stackoverflow and googling in general, but I just can't quite get a solid grasp whether what I'm specifically doing is sufficient. I don't want something I'm doing differently from prescribed methods to make my app insecure.

Currently, I have a Rails app that uses the gem attr_encrypted to encrypt sensitive patient identifying data in the database like name, ssn, address etc. I also store things like images of signatures and patient pictures in Amazon S3 using server-side encryption. I know I shouldn't hardcode the database encryption key in the application or in any file that might get version controlled, but can I keep it in heroku's env config variables? How are those secured? How separate are they from the database (as in, if someone gets into heroku and steals a copy of the database, are the ENV variables vulnerable somehow as well?)? I currently keep my AWS keys in heroku env variables, is that safe? Also, what is the best pass phrase to use for the encryption? I am currently using 2 sentences from a random page in a book I have.

Please let me know if I'm being terribly naive with any of the procedures I've outlined, and I apologize in advance if I am asking naive questions. I'd like to be HIPAA compliant, but in addition I'd like peace of mind that I've gone beyond what HIPAA requires since from what I understand, HIPAA compliance does not always = actually secure.

Thanks everyone!

Chris Wu
    Doesn't HIPAA require two-factor authentication? Regardless, you should contact Heroku; I don't see how you could possibly satisfy the HIPAA audit requirements without their participation. Personally, I do not think this is a good idea. – Eli Dec 14 '12 at 16:18
  • For passphrases I'd take data from /dev/random. – Frederick Cheung Dec 14 '12 at 17:10
  • Hi @FrederickCheung, thanks for your reply. As per jamieb's addendum, I used /dev/urandom to produce a 64 character (no special character) string. cat /dev/urandom| tr -dc 'a-zA-Z0-9' | fold -w 64 | head -n 1. Would that be sufficient as a passphrase in your opinion? Thanks! – Chris Wu Dec 14 '12 at 21:02
  • @Eli, I'm not sure what two-factor authentication entails regarding my application. I've seen a lot of medical record systems that just require username and password to access their data. Is this separate from my question about database encryption and referring to users proving their identity to access to medical records? Thanks for your help! – Chris Wu Dec 14 '12 at 21:06

1 Answer


(This is more of a comment, but it was too long to be added as a comment):

@Eli: HIPAA doesn't actually mandate any specific technology. Which is good because it's a law and not as mutable as shifting technology.

@OP: Here is a whitepaper on building HIPAA-compliant apps on AWS. It should give you some good ideas. But Eli is correct in that you'll need to contact Heroku for their compliance information. Or you might just be better off migrating off of Heroku at this point. In my experience, it's a good prototyping platform, but it's easy (and expensive) to start bumping into its limitations when dealing with production environments.

@FrederickCheung: Reading directly from /dev/random will block if there isn't enough entropy. It's generally recommended to use /dev/urandom or an actual crypto library if pseudo-random isn't good enough.

jamieb
  • Thanks a lot for your reply. @jamieb, As I said to Fred, I've taken your suggestion and produced a 64 char. passphrase (alphanumeric with upper and lower case) from urandom. Do you think this is sufficient? In regards to migrating away from Heroku... I'm fine with moving to AWS as I can't find anything about Heroku sharing their compliance info. Part of what was attractive about Heroku was how much was done for me, since I have little experience with maintaining my own servers. In your opinion, should I just duplicate Heroku on AWS as much as possible (postgres etc)? Thanks so much! – Chris Wu Dec 14 '12 at 21:13
  • I dug up this post from 2 years ago on stackoverflow about heroku compliance. http://stackoverflow.com/questions/4308861/heroku-hipaa-compliance. "They say employees have access to data but are not allowed to access it without the consent of the owner. They also say it is a fireable offense for an employee to do so without consent." Would the underlying AWS structure + this assertion about employee access to data be enough for compliance? I'm guessing still not. Even if Heroku were compliant, you would still suggest migrating due to expense despite the added complexity introduced? Thanks! – Chris Wu Dec 14 '12 at 21:22
  • Heroku is a PaaS solution built on top of AWS, which is an IaaS solution. They both provide a home for your application but are very different products. Using AWS is more complex, but the trade-off is more flexibility. Which one is ultimately cheaper/better depends on your application, your in-house skill set, amount of traffic, SLA requirements, and business goals. – jamieb Dec 15 '12 at 17:33
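The thread raises three practical points: generate key material from a CSPRNG (the answer's /dev/urandom vs. /dev/random remark and the 64-character alphanumeric string in the comments), keep the key in an environment variable rather than in the code base, and fail safely when the variable is absent. The Ruby below is an added illustration of all three, not code from the question, from the answer, or from the attr_encrypted gem. It assumes a hypothetical variable name DB_ENCRYPTION_KEY and uses Ruby's standard SecureRandom and OpenSSL libraries; the AES-256-GCM helpers stand in for whatever field-level encryption the app actually uses, so the key-handling pattern can be exercised end to end.

```ruby
require 'securerandom'
require 'openssl'
require 'base64'

# Bits of entropy in a random string of +length+ characters drawn uniformly
# from an alphabet of +alphabet_size+ symbols (62 for a-zA-Z0-9). The
# 64-character string discussed in the thread works out to 381 bits.
def entropy_bits(length, alphabet_size)
  (length * Math.log2(alphabet_size)).floor
end

# Key material from the OS CSPRNG via SecureRandom (does not block the way a
# direct read of /dev/random can). Hex-encoded so it can be pasted into an
# environment variable; 32 bytes -> 64 hex chars -> a 256-bit AES key.
def generate_key_hex(bytes = 32)
  SecureRandom.hex(bytes)
end

# Load the key from the process environment, never from source control.
# DB_ENCRYPTION_KEY is an assumed name for this example. Fail loudly if the
# variable is missing or malformed rather than encrypting with a bad key.
def load_key(env = ENV, name = 'DB_ENCRYPTION_KEY')
  hex = env.fetch(name) { raise KeyError, "#{name} is not set" }
  unless hex.match?(/\A\h{64}\z/)
    raise ArgumentError, "#{name} must be 64 hex characters (256 bits)"
  end
  [hex].pack('H*') # raw 32-byte key
end

# AES-256-GCM: returns base64(iv || auth_tag || ciphertext) for storage in a
# text column. A fresh random IV per value is mandatory for GCM.
def encrypt_field(key, plaintext)
  cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  cipher.key = key
  iv = cipher.random_iv # 12 bytes, generated and set on the cipher
  ciphertext = cipher.update(plaintext) + cipher.final
  Base64.strict_encode64(iv + cipher.auth_tag + ciphertext)
end

# Reverse of encrypt_field. The GCM tag is checked in +final+, so a tampered
# ciphertext raises OpenSSL::Cipher::CipherError instead of returning garbage.
def decrypt_field(key, encoded)
  blob = Base64.strict_decode64(encoded)
  iv, tag, ciphertext = blob[0, 12], blob[12, 16], blob[28..-1]
  cipher = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  cipher.key = key
  cipher.iv = iv
  cipher.auth_tag = tag
  cipher.update(ciphertext) + cipher.final
end

# Returns true when a one-byte modification of the stored value is rejected.
def tamper_detected?(key, encoded)
  blob = Base64.strict_decode64(encoded)
  blob.setbyte(blob.bytesize - 1, blob.getbyte(blob.bytesize - 1) ^ 0x01)
  decrypt_field(key, Base64.strict_encode64(blob))
  false
rescue OpenSSL::Cipher::CipherError
  true
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample run: in a real deployment the key comes from the
  # platform's config, e.g. `heroku config:set DB_ENCRYPTION_KEY=...`.
  sample_env = { 'DB_ENCRYPTION_KEY' => generate_key_hex }
  key = load_key(sample_env)
  stored = encrypt_field(key, 'Jane Doe, SSN 000-00-0000 (constructed)')
  puts "entropy of 64 alnum chars: #{entropy_bits(64, 62)} bits"
  puts "round trip ok: #{decrypt_field(key, stored).start_with?('Jane Doe')}"
  puts "tamper detected: #{tamper_detected?(key, stored)}"
end
```

The key is read once from the environment at boot; in a Rails app the natural place is an initializer that calls the loader and aborts startup on KeyError, so a misconfigured dyno never serves requests with a missing key. The entropy helper makes the comparison explicit: a 64-character alphanumeric string from a CSPRNG carries far more than the 256 bits a key of this size needs, whereas two sentences from a book are drawn from a very small effective alphabet.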