The smart folks over at Amazon Web Services just published a new white paper titled Creating HIPAA-Compliant Medical Data Applications. I’m a strong believer that it is possible to deploy Internet applications as securely “in the cloud” as in a private data center somewhere, and vendor documentation like this goes a long way toward helping others grasp this reality.
One weakness is that the white paper barely mentions encrypting data at rest. Here’s their accurate but incredibly concise statement:
HIPAA’s Privacy Rule regulations include standards regarding the encryption of all PHI in transmission (“in-flight”) and in storage (“at-rest”). The same data encryption mechanisms used in a traditional computing environment, such as a local server or a managed hosting server, can also be used in a virtual computing environment, such as Amazon EC2 and Amazon S3.
Their blog post mentions some software libraries and commercial tools for achieving encryption at rest, but generally leaves any implementation for you to figure out. There are encryption recommendations for software developers and end users, but not for system administrators (aren’t we their key demographic?). Never fear – encrypting your data at rest is easy with Linux! There are many ways to achieve encryption of data when it is stored on disk, but whole-volume encryption is often appealing because it can be implemented completely transparently to the application.
One of the best tools for securing your data “at-rest” while it is stored on Amazon’s Elastic Block Store (EBS) is dm-crypt. It’s already built into most modern Linux kernels, and gives you extra confidence that no one else could read your EBS volumes. Anyone who’s thinking of deploying any app that stores sensitive information (in “the cloud” or in your data center) should consider implementing dm-crypt on their Linux servers. Below are instructions for creating and using an EBS volume which is protected by dm-crypt encryption…
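Because whole-volume encryption is transparent to the application, nothing in the application will tell you if a data directory has ended up on an unencrypted volume. The following is an added example, not part of the original post or of the AWS white paper: it reads the output of lsblk -P -o KNAME,PKNAME,TYPE,MOUNTPOINT (util-linux) and reports, for each mounted filesystem, whether a dm-crypt layer sits anywhere beneath it. The device names and mount points in the sample are constructed.

```shell
#!/bin/sh
# Added example: flag mounted filesystems that are NOT backed by dm-crypt.
# Input: output of `lsblk -P -o KNAME,PKNAME,TYPE,MOUNTPOINT` on stdin.

audit_crypt_mounts() {
  awk '
    # Extract one KEY="value" field from the current lsblk --pairs line.
    function field(key,   s) {
      if (!match($0, "(^| )" key "=\"[^\"]*\"")) return ""
      s = substr($0, RSTART, RLENGTH)
      sub(/^[^=]*="/, "", s); sub(/"$/, "", s)
      return s
    }
    {
      k = field("KNAME")
      parent[k] = field("PKNAME"); type[k] = field("TYPE")
      mp = field("MOUNTPOINT")
      if (mp != "" && mp != "[SWAP]") mount[k] = mp
    }
    END {
      for (k in mount) {
        state = "PLAINTEXT"
        # Walk up the device stack; a crypt layer anywhere below the
        # filesystem means its blocks are encrypted on the EBS volume.
        for (d = k; d != ""; d = parent[d])
          if (type[d] == "crypt") { state = "encrypted"; break }
        print mount[k], state
      }
    }' | LC_ALL=C sort
}

# Constructed sample: plain root disk, LVM on top of a dm-crypt mapping
# over xvdf, and a scratch volume mounted without encryption.
sample_lsblk() {
  cat <<'EOF'
KNAME="xvda" PKNAME="" TYPE="disk" MOUNTPOINT=""
KNAME="xvda1" PKNAME="xvda" TYPE="part" MOUNTPOINT="/"
KNAME="xvdf" PKNAME="" TYPE="disk" MOUNTPOINT=""
KNAME="dm-0" PKNAME="xvdf" TYPE="crypt" MOUNTPOINT=""
KNAME="dm-1" PKNAME="dm-0" TYPE="lvm" MOUNTPOINT="/data"
KNAME="xvdg" PKNAME="" TYPE="disk" MOUNTPOINT="/scratch"
EOF
}

sample_lsblk | audit_crypt_mounts
```

On a live host, pipe the real lsblk output into audit_crypt_mounts in place of sample_lsblk; any PLAINTEXT line for a path that holds sensitive data means that data is not encrypted at rest.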