HIPAA, Security & Encryption
Titanium Schedule has HIPAA (Health Insurance Portability and Accountability Act) compliant features such as user names, passwords, internal security levels, login audit trail, inactivity timeout, etc. Most of the questions we receive are about encrypting the data. There are several places where encryption can be applied.
Password encryption
Users' passwords need to be encrypted, and this is done automatically inside Titanium Schedule.
Encryption of network traffic
You can encrypt the data while it is being transmitted between the server and the workstation. (This is a countermeasure against someone intercepting the packets of data between the server and your workstation, which is called "packet sniffing".) According to HIPAA, this is optional if your network is closed (i.e. private wire) and is recommended if your network is open (i.e. goes across the Internet). Many centers fall somewhere between a completely closed network and a completely open network. If you want to encrypt the data while it is being transmitted, you should use IPsec (Internet Protocol Security) or a VPN (Virtual Private Network). HIPAA states:
"When using open networks, some form of encryption should be employed. The utilization of less open systems/networks such as those provided by a value-added network (VAN) or private-wire arrangement provides sufficient access controls to allow encryption to be an optional feature."
IPsec (IP Security Protocol) is an extension of the IP protocol that enables secure data transfer. It provides services similar to SSL/TLS, but at the network layer. IPsec can be used to create encrypted tunnels between networks (a VPN), which is called tunnel mode, or to encrypt traffic between two hosts, which is called transport mode.
How to configure IPSec Tunneling in Windows 2000.
Encryption of data on the hard drive
As a countermeasure to someone getting access to the SQL Server data files on the server and copying them, you can also encrypt those files. There are several third party utilities for this, and you can also use Microsoft EFS, which is built into the Windows operating system. The link below describes how to do this. (With a properly configured SQL Server, there is no reason for any Titanium Schedule users to have access to the underlying SQL Server data files. That is one of the security strengths of SQL Server.)
Encryption of data backup copies
You need to be careful about what happens to backup copies of the data from Titanium Schedule. It is up to you to decide if the physical security of the backup copies is sufficient. If it is not, then you can also employ one of many third party utilities to encrypt the backup copies of the data. Make sure that the copies can be decrypted if necessary on a different computer (i.e. do not encrypt them using a key generated and only stored on the server, because the server may not be available when you need to decrypt the backup copy). As with all backup approaches, it is best to test this before relying on it (i.e. back up the data, encrypt it, then go to another computer and decrypt and restore it). Remember, if the key to decrypt the backup copies is lost, then the backups are useless.
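The test described above (back up, encrypt, then decrypt on another computer), sketched as an added example that is not Titanium Software's code. It assumes the OpenSSL command-line tool as a stand-in for the third party encryption utility; the function names, file names and key file are hypothetical.

```shell
#!/bin/sh
# Added example: restore drill for an encrypted backup. File names are hypothetical.
# Assumes OpenSSL 1.1.1 or later. KEYFILE is a passphrase file stored off the server.

sha256_of() { openssl dgst -sha256 -r "$1" | cut -d' ' -f1; }

# encrypt_backup PLAINTEXT KEYFILE OUT
# Writes OUT (ciphertext) and OUT.sha256 (digest of the plaintext, used by the drill).
encrypt_backup() {
    openssl enc -aes-256-cbc -pbkdf2 -salt -pass "file:$2" -in "$1" -out "$3" || return 1
    sha256_of "$1" > "$3.sha256"
}

# restore_drill CIPHERTEXT KEYFILE WORKDIR
# Meant to run on a different computer that holds only the ciphertext, its digest
# and the separately stored key. Returns 0 only if the decrypted copy matches the
# digest taken at backup time.
restore_drill() {
    mkdir -p "$3" || return 1
    restored="$3/restored.bak"
    if ! openssl enc -d -aes-256-cbc -pbkdf2 -pass "file:$2" \
            -in "$1" -out "$restored" 2>/dev/null; then
        echo "drill FAILED: cannot decrypt with this key" >&2
        return 1
    fi
    # CBC has no integrity check of its own, so compare against the recorded digest.
    if [ "$(sha256_of "$restored")" != "$(cat "$1.sha256")" ]; then
        echo "drill FAILED: restored data does not match the original" >&2
        return 1
    fi
    echo "drill OK: $restored"
}

# Demo on constructed data: a dummy backup file and a random key.
run_demo() {
    d=$(mktemp -d) || return 1
    printf 'constructed sample backup\n' > "$d/db.bak"
    openssl rand -hex 32 > "$d/offsite.key"        # stands in for the off-server key
    encrypt_backup "$d/db.bak" "$d/offsite.key" "$d/db.bak.enc" &&
        restore_drill "$d/db.bak.enc" "$d/offsite.key" "$d/other-computer"
    rc=$?
    rm -rf "$d"
    return $rc
}
run_demo
```

A full drill would continue by restoring the decrypted file into a SQL Server instance on the second computer.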
More information about these topics and others related to securing your data with Microsoft SQL Server is available at: Securing Your Database Server
Copyright © 2002-2009 Titanium Software, Inc. All Rights Reserved