> Does anyone have any knowledge of HIPAA compliance related to web and
> database server setup? Specifically, if I have one database server and one
> web server, does the database server need to be completely removed from the
> internet or can the firewall filter out everything but what I need to
> communicate between the two servers anyhow, like the SQL Server Port?
To the best of my knowledge, a separate network for your database server is not required for HIPAA compliance. HIPAA, like most government-mandated security rules, is pretty general about requirements and doesn't go too much into implementation details. The HIPAA requirement is basically "don't expose ePHI data to unauthorized access", which means a lot of different things to a lot of different people. I think this would probably end up being at the auditor's discretion.

A more significant issue would be: who within your organization can access unencrypted ePHI data? Having encrypted data within your database doesn't matter too much if your DBA or any developer can decrypt it at will. So, once again, key management becomes a problem.

That said, placing your database server on a separate network is a very good idea if security is your biggest concern. Of course, this may significantly increase the cost of doing business in many respects, such as backup and standard management tasks.

As I'm not certified as a HIPAA compliance auditor, you should not rely solely on my advice for direction, of course. You should probably discuss this with your auditing firm. And you will need one; you aren't compliant with anything until someone audits you.

> I would check out this link which should have the information that you are
> looking for:
> https://www2.sans.org/reading_room/whitepapers/hipaa/hipaacompliant_configuration_guidelines_for_information_security_in_a_medical_center_environment_891

Actually, and somewhat surprisingly, it has absolutely no information about database server security, and very little useful information at all beyond the "manager briefing" level. I expect better from SANS.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

Fig Leaf Software provides the highest caliber vendor-authorized instruction at our training centers in Washington DC, Atlanta, Chicago, Baltimore, Northern Virginia, or on-site at your location.
Visit http://training.figleaf.com/ for more information!

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:317911
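The firewall setup the original question describes (one web server, one database server, nothing reachable on the database host except the SQL Server port from the web server) can be expressed as host-firewall rules on the database server. The block below is an added example and is not code from the original thread or from Fig Leaf Software; it assumes Windows Firewall managed with the NetSecurity PowerShell cmdlets, a default SQL Server instance listening on TCP 1433, a web server at 10.0.1.10 and an administrative jump host at 10.0.1.20 (all three addresses are made up for the example).

```powershell
# Added example, not from the original post. Run from an elevated prompt on the
# database server. Assumptions (hypothetical): Windows Firewall with the
# NetSecurity module, SQL Server default instance on TCP 1433, web server at
# 10.0.1.10 and admin jump host at 10.0.1.20.
$WebServer = '10.0.1.10'
$AdminHost = '10.0.1.20'
$SqlPort   = 1433

# 1. Block everything inbound by default on every profile, so the only open
#    paths into this host are the rules explicitly created below.
Set-NetFirewallProfile -Profile Domain,Private,Public `
    -Enabled True -DefaultInboundAction Block -DefaultOutboundAction Allow

# 2. Allow the SQL Server port from the web server address only. Any other
#    source, including the Internet if the NIC happens to be reachable from
#    it, falls through to the default block.
New-NetFirewallRule -DisplayName 'SQL Server from web tier' `
    -Direction Inbound -Protocol TCP -LocalPort $SqlPort `
    -RemoteAddress $WebServer -Action Allow -Profile Domain,Private,Public

# 3. Management access (RDP) from the admin host only. Port 1433 is never
#    opened to workstations; the DBA administers the instance over this path.
New-NetFirewallRule -DisplayName 'RDP from admin host' `
    -Direction Inbound -Protocol TCP -LocalPort 3389 `
    -RemoteAddress $AdminHost -Action Allow -Profile Domain,Private,Public

# 4. Check the result: every enabled inbound allow rule, with the port and
#    remote address scope it actually has. Anything scoped to "Any" here is a
#    hole the two rules above did not intend.
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    ForEach-Object {
        $addr = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
        $port = ($_ | Get-NetFirewallPortFilter).LocalPort
        '{0,-35} port {1,-8} from {2}' -f $_.DisplayName, ($port -join ','), ($addr -join ',')
    }
```

Two caveats a practitioner will want. First, step 4 matters because Windows ships with built-in inbound rules (file and printer sharing, remote administration, and similar) that are scoped to any remote address; review that listing and disable the ones the database host does not need, otherwise the default block only protects the ports nobody was attacking anyway. Second, a named SQL Server instance listens on a dynamic port by default, so the 1433 rule would silently fail to cover it; pin the instance to a static port in SQL Server Configuration Manager and connect by explicit port from the web tier, which also removes the need to expose SQL Browser on UDP 1434. Confirm the result from both sides: `Test-NetConnection -ComputerName <db host> -Port 1433` should succeed from the web server and fail from any other machine. Note that this controls who can reach the database, not who can read the data once there; the key-management point in the reply above is a separate problem that no firewall rule addresses.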

