I was wondering if there are any standards for encrypting sensitive data in Database which are compliant w/ SOX or HIPAA. Or does the Encrypt Function in SQLServer necessary?. or handle in Business logic.
Any ideas or links we have.
I was wondering if there are any standards for encrypting sensitive data in Database which are compliant w/ SOX or HIPAA. Or does the Encrypt Function in SQLServer necessary?. or handle in Business logic.
Any ideas or links we have.
First, Google for HIPAA Compliance
Then, read articles like this one: http://www.developer.com/java/ent/article.php/3301011/HIPAA-Security-Rule---What-Software-Developers-Should-Know.htm
And this http://www.hipaa.ihs.gov/index.cfm?module=compliance%5Fpacket
Finally, talk to your company's legal counsel. Failure to properly safeguard PHI will cost your company millions when you lose a lawsuit because your entire HIPAA compliance strategy was based on responses on StackOverflow.
At one company I was at, compliance in protecting credit cards they created a key and then destroyed that hard drive with a sledgehammer, so that no one could get the information that went into creating that key.
Though they were using the Oracle DB they created their own key to encrypt the credit cards.
For HIPAA compliance I would not trust any encryption done by the database, as it may not have the security that you need, and your company is on the hook for any failures.
Your best bet is to control the key yourself, and not have the key in the database, or server.
Have the key required to be input when the application or server application starts up, but, as S.Lott pointed out, your legal counsel will need to be involved in reviewing the design to make certain that all the issues are covered.
SQL Server 2008 cryptographic API is certified for Common Criteria compliance: Common Criteria Certification.