Database systems are an essential business application for the healthcare industry, and almost all applications, websites, and proprietary healthcare tools will read and write data from some form of a database. Two of the most popular database applications used today are MySQL and MS-SQL.
MySQL is an open-source relational database owned by Oracle that is most commonly found installed on Linux operating systems such as Red Hat, CentOS, and Ubuntu.
MS-SQL, also known as Microsoft SQL Server, is a very popular database for Windows Server users. Recently, Microsoft has ported MS-SQL to Linux, and you can also get MySQL on Windows.
A database is used to store tables of structured or unstructured data. It is an essential tool for healthcare organizations, and due to the very nature of a database, the chance of electronic Protected Health Information (ePHI) being saved in a database is very high.
As a result, securing MySQL and MS-SQL Databases is a primary concern. There are several specific rules to follow when implementing a database for your practice, and it is essential to adhere to the physical, technical, and administrative safeguards of HIPAA Compliance.
How Do You Secure PHI in MySQL and MS-SQL?
The initial risk assessment that takes place to identify what PHI is stored and processed by a client’s IT systems is one of the most vital parts of HIPAA Compliance. Your database will likely be at the top of this list.
Outsourcing the administration, data management, and maintenance of the database to a HIPAA Compliant hosting provider like Atlantic.Net will take away the overwhelming majority of headaches associated with securing PHI in a database.
All database products have great feature sets that enhance the security of the database. Here are some of the most critical best practices to follow:
- Access to the database must be controlled using a unique username and password combination integrated with a local OS or directory service tool such as Active Directory.
- Verify and authenticate users’ identities before granting access to the database with Multi-Factor authentication. This adds an extra layer of security to their account. Even if someone else obtains their password, it won’t be enough for them to sign in with the compromised credentials.
- User access should be locked down to an authorized IP address or IP range; this limits a user's access to a specific location or office. Both MySQL and MS-SQL allow this feature when creating and editing database users.
- Disable root access/administrator access to the database. After the initial configuration, there should be no need to use these accounts. Disabling them closes a security backdoor and means that access is logged against specific users, as HIPAA requires.
- Turn off user credential login caching. This will prevent a previous user's ID from being displayed when logging into the SQL database or a database management application like MySQL Workbench or Microsoft SQL Server Management Studio.
- All users that have access to the database should be trained on how to use it, and all user access should be based upon the principle of least privilege.
- The database must be resilient to failure; this means that a regular backup schedule is needed, with the ability to provide business continuity capabilities in case the database gets corrupted or a disaster recovery scenario is invoked. This can be achieved by keeping an encrypted replica copy at a secure offsite location or by implementing synchronous or asynchronous database replication.
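The account rules in the list above (named users, IP restriction, least privilege, no shared root login) can be expressed directly in MySQL. The following is an added example, not part of the original article; it uses MySQL 8.0 syntax, and the schema, table, account names, and subnet are constructed placeholders.

```sql
-- Added example (MySQL 8.0 syntax). The schema `clinic`, the table
-- `appointments`, the account names and the 10.20.30.0/24 office subnet
-- are constructed placeholders.

-- 1. One named account per person, accepted only from the office subnet.
--    REQUIRE SSL additionally rejects connections that are not encrypted.
CREATE USER 'jdoe'@'10.20.30.0/255.255.255.0'
  IDENTIFIED BY 'replace-with-a-generated-secret'
  REQUIRE SSL;

-- 2. Least privilege: only the statements this role needs, on one table.
GRANT SELECT, INSERT, UPDATE
  ON clinic.appointments
  TO 'jdoe'@'10.20.30.0/255.255.255.0';

-- 3. Give the administrator a named account first, so privileged actions
--    are attributed to a person, then lock the shared root account.
CREATE USER 'dba_asmith'@'10.20.30.0/255.255.255.0'
  IDENTIFIED BY 'replace-with-a-generated-secret'
  REQUIRE SSL;
GRANT ALL PRIVILEGES ON *.* TO 'dba_asmith'@'10.20.30.0/255.255.255.0'
  WITH GRANT OPTION;
ALTER USER 'root'@'localhost' ACCOUNT LOCK;

-- 4. Review what the named user can actually do.
SHOW GRANTS FOR 'jdoe'@'10.20.30.0/255.255.255.0';

-- 5. Audit: accounts that still break the rules above, i.e. accounts
--    reachable from any address, or a root account that is not locked.
SELECT user, host, account_locked
FROM mysql.user
WHERE host IN ('%', '')
   OR (user = 'root' AND account_locked = 'N');
```

An empty result from the final query means no account accepts connections from arbitrary hosts and no root account remains usable.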
How Do You Secure the MySQL or MS-SQL Database Server?
Protecting the database is only half of the solution. Treat the database server as one of your most critical assets by following these important guidelines:
- Ensure that PHI-centric databases are tested periodically and consistently for security flaws using well-known, commercially available web vulnerability scanners such as OpenVAS.
- Ensure that all laptops, computers, and servers use an automatic screen-locking feature. Locking the screen after three to five minutes of inactivity is usually satisfactory, and training should be given to employees to remind them to lock their workstation when stepping away from it.
- Update Database servers using the latest vendor-approved software and security updates. This includes Operating System patches and database updates, including feature set revisions.
- Do not log onto the Operating System or Database using administrator or root access. This includes the IT support teams.
- Back up your database server and the database files using a solution that can back up active databases. This may be done using flat-file backups or plugins to an existing backup solution.
How Do You Protect PHI Data in MySQL and MS-SQL?
You may be looking at these recommendations for database security and be worried about how you are ever going to implement such complicated safeguards on your MySQL or MS-SQL solution.
This is where the Atlantic.Net HIPAA-compliant hosting services can help. By partnering with us, you solve the overwhelming majority of the physical, technical, and administrative safeguards required for HIPAA compliance; all are included as standard!
Our customers frequently provide feedback that one of the key benefits of Atlantic.Net is our standardized encryption techniques, wherein disk-level encryption is applied at the hardware layer. Each block of data written to Atlantic.Net storage systems is encrypted with at least AES-256 encryption.
We also implement an encryption service that ensures the confidentiality of data transmission. This is achieved by implementing strict TLS cipher suites and by using an encrypted VPN. Best of all, the entire service is managed and maintained by Atlantic.Net.
It is still the customer’s responsibility to make sure that database encryption is enabled at the database layer. This is a configurable option found in the database preferences. Our team of experts can offer advice on the implementation of this mandatory requirement of HIPAA compliance.
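As an added illustration of database-layer encryption (not part of the original article), the statements below enable and then audit InnoDB encryption at rest in MySQL 8.0.16 or later. They assume a keyring component or plugin is already configured on the server and that tables use file-per-table tablespaces; `clinic` and `appointments` are placeholders.

```sql
-- Added example (MySQL 8.0.16+, InnoDB). Assumes a keyring is already
-- configured; without one the ALTER TABLE statement fails.
-- `clinic` and `appointments` are constructed placeholders.

-- New tables created in this schema are encrypted by default.
ALTER SCHEMA clinic DEFAULT ENCRYPTION = 'Y';

-- Encrypt an existing table. This rebuilds the table, so schedule it.
ALTER TABLE clinic.appointments ENCRYPTION = 'Y';

-- Audit: InnoDB tables in the schema that are still stored unencrypted.
-- The single-character wildcards match either quote style around Y.
SELECT table_schema, table_name, create_options
FROM information_schema.tables
WHERE table_schema = 'clinic'
  AND table_type = 'BASE TABLE'
  AND engine = 'InnoDB'
  AND COALESCE(create_options, '') NOT LIKE '%ENCRYPTION=_Y_%';
```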
Another key part of our service is the way it benefits your healthcare organization’s cybersecurity operations. This is essential for any database hosting PHI. We start by assessing the current state of the infrastructure and suggesting resolutions for threat management.
This is achieved by implementing continuous security monitoring solutions, such as a SIEM and an Intrusion Prevention System (IPS). The continuous logging of the environment will automatically create incidents that are proactively assessed by our technical teams. The logs are triggered from multiple sources such as servers, applications, firewalls, IPS Systems, or a Web Proxy.
Our HIPAA-compliant service includes Vulnerability Management with our Fully Managed Server Management service. Our HIPAA Compliant cloud platform is also regularly scanned for vulnerabilities, and we are regularly subjected to pen tests performed by external security companies. This approach ensures that the ACP Cloud is in the best possible state to thwart cybersecurity risks, keeping your database safe.
How Can Atlantic.Net Help with MySQL and MS-SQL and HIPAA Compliance?
Atlantic.Net has been securing our healthcare customers’ databases for many years, and we have over 25 years of experience providing security-defined solutions to our customers. The Atlantic.Net HIPAA-compliant hosting solution is a best-in-class solution that meets and exceeds the required safeguards for HIPAA-Compliance.
Our teams have vast experience to help you conduct database risk assessments, train your employees to HIPAA standards, and set up data access controls. We can even offer guidance on signing a Business Associate Agreement (BAA), implement a data backup program (and business continuity strategy), and help you dispose of your PHI data correctly when required.
At Atlantic.Net, we partner with you to develop hosting solutions tailored to your needs. We’re big enough to offer enterprise-level solutions and agile enough to care about what you want by providing just the right amount of guidance.
We bring you reliable, high-quality services and support at reasonable prices with seven well-located data centers like our Ashburn, New York, or San Francisco hosting data centers. Contact us and learn more about why we’re the right size for your HIPAA-Compliant Hosting needs.