Re: PostgresSQL and HIPAA compliance

From: Paul Jungwirth <pj(at)illuminatedcomputing(dot)com>
To: pgsql-general(at)postgresql(dot)org
Subject: Re: PostgresSQL and HIPAA compliance
Date: 2016-06-17 18:09:28
Message-ID: 57643CD8.30804@illuminatedcomputing.com
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-general

On 06/17/2016 03:03 AM, Alex John wrote:
> RDS is a prime candidate except for the fact that they have explicitly
> stated that the Postgres engine is *not* HIPAA compliant.

More precisely, it is not covered by the BAA Amazon will sign.

I've helped several companies run HIPAA-compliant Postgres on regular
EC2 instances (which *are* covered by your BAA, as long as they are
dedicated instances---which do cost more). So you just have to do some
of the server work yourself. If you are making the rest of your app
HIPAA-compliant anyway, it shouldn't add a large burden to do Postgres
that way too. Make sure your access rules are good, use SSL for the
connections, put it on an encrypted disk (easy these days with encrypted
EBS volumes), etc.

Slightly more effort but still very doable is handling requirements for
auditing accesses and changes. How you do this probably depends on the
rest of your stack.

Yours,
Paul

In response to

Responses

Browse pgsql-general by date

  From Date Subject
Next Message Mike Sofen 2016-06-17 18:11:16 Re: PostgresSQL and HIPAA compliance
Previous Message David G. Johnston 2016-06-17 18:08:43 Re: Regression in query optimizer when upgrading from 9.4.5 to 9.5.2?