user2096821

Reputation: 11

HIPAA compliant PHP/MySQL application

I'm working on a PHP/MySQL application that must be HIPAA compliant. From what I've read, any personal data that may identify someone or any medical information must be 256-bit encrypted both at rest and in transit. I'm trying to figure out what the most efficient approach to this is.

I am using Amazon Web Services and I thought of using SSL encryption for both HTTP and database requests to protect data in transit. As for data at rest, I thought of compiling a custom MySQL server with AES 256 in order to use AES_ENCRYPT and AES_DECRYPT -- but would I then have to store an IV for each field I encrypt? Otherwise, doing encryption/decryption within the application itself would take too long and querying the database would be hell.

Any thoughts?

Upvotes: 1

Views: 4024
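The IV question raised above, as an added example that is not part of the original question or answer. It assumes MySQL 5.7 or later (block_encryption_mode and RANDOM_BYTES are built in, so no custom server build is needed for AES-256); the table, column names and sample values are hypothetical.

```sql
-- Added example (not from the question or answer): one random IV per row
-- with MySQL's built-in AES functions. Assumes MySQL 5.7+ / 8.0; table and
-- column names are hypothetical.

-- Select AES-256 in CBC mode. The default, aes-128-ecb, ignores any IV and
-- encrypts equal plaintexts to equal ciphertexts.
SET SESSION block_encryption_mode = 'aes-256-cbc';

CREATE TABLE patient_record (
  id            INT UNSIGNED NOT NULL AUTO_INCREMENT PRIMARY KEY,
  mrn           VARCHAR(32)     NOT NULL,   -- lookup key, stored in clear
  diagnosis_iv  BINARY(16)      NOT NULL,   -- one random IV per row
  diagnosis_enc VARBINARY(1024) NOT NULL    -- AES-256-CBC ciphertext
);

-- Exactly 32 bytes of key, so the key really is 256 bits (shorter keys are
-- padded). In production the key is supplied by the application or a KMS,
-- never a literal in a script.
SET @k = UNHEX(SHA2('replace-with-real-key-material', 256));

-- Insert: draw the IV first, encrypt with it, store both side by side.
-- In CBC mode the IV argument is mandatory.
SET @iv = RANDOM_BYTES(16);
INSERT INTO patient_record (mrn, diagnosis_iv, diagnosis_enc)
VALUES ('MRN-0001', @iv, AES_ENCRYPT('type 2 diabetes', @k, @iv));

-- Read back: the stored IV is handed to AES_DECRYPT together with the key.
SELECT mrn,
       CONVERT(AES_DECRYPT(diagnosis_enc, @k, diagnosis_iv) USING utf8mb4)
         AS diagnosis
FROM patient_record
WHERE mrn = 'MRN-0001';

-- A wrong key or altered ciphertext makes AES_DECRYPT return NULL (with a
-- warning), not an error; treat NULL as a failure, not as an empty field.
```

Two caveats a practitioner would want: because every row gets a fresh IV, an encrypted column cannot be compared or indexed directly, so equality lookups need a separate keyed-hash column computed in the application; and MySQL's AES functions give confidentiality only, with no integrity check, and the key travels through the SQL session, so it can end up in the general or slow query log unless those are disabled.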

Answers (1)

dearsina

Reputation: 5202

HIPAA does not actually require that your ePHI be encrypted "at-rest" when stored in your MySQL database, as long as it is isolated so that no unauthorised people can access it.

That said, it is generally always better to have your data encrypted at rest, if possible, as that prevents a breach from happening should the data be compromised.

Read in detail about HIPAA compliance for MySQL and encryption options here (I have no relationship with this website):

https://luxsci.com/blog/encryption-and-auditing-for-mysql-databases-under-hipaa.html

Upvotes: 2
