HIPAA Compliance

I have…

I’m submitting a…

  • [ ] Regression (a behavior that stopped working in a new release)
  • [ ] Bug report
  • [ ] Performance issue
  • [x] Documentation issue or request

Current behavior

Expected behavior

@Sebastian Is Squidex HIPAA compliant? If yes, then what are the configuration settings? If not, then how can we make it HIPAA compliant?

Does the Community version work with the MongoDB Enterprise version?

Minimal reproduction of the problem

Environment

App Name:

  • [ ] Self hosted with docker
  • [x] Self hosted with IIS
  • [ ] Self hosted with other version
  • [ ] Cloud version

Version: [LATEST]

Browser:

  • [x] Chrome (desktop)
  • [ ] Chrome (Android)
  • [ ] Chrome (iOS)
  • [ ] Firefox
  • [ ] Safari (desktop)
  • [ ] Safari (iOS)
  • [ ] IE
  • [ ] Edge

Others:

I have no idea. Nobody ever asked for that and I am not from the US. Is there a short checklist that I could read? I think that a lot of these rules are more on your side. For example: if you share user credentials or do not use https, there is nothing I can do about that.

Yes

@Sebastian
You can refer to the links below for information.

At the application end, the fundamental requirement is encryption of data in transit and at rest at the database level, with the required physical access controls.

So the most important point here is that data is not encrypted when I access it through the Squidex backend? Is there a way through which we can read the encrypted data at rest (MongoDB level), or hide the Inspect tab of the record, where data can be shown in text format?

The video does not really help.

I am looking for some basic checklists. I had a look at this one:

1. Transport Encryption

It is up to you to enable https and secure transport; that is out of the scope of Squidex. But to work properly in all cases you need https anyway, so this is usually covered. In other sources I have also read that encryption is needed on the storage level. This should also be covered by MongoDB: https://www.mongodb.com/products/capabilities/security/encryption. There was a feature request to allow encryption on the field level, but I am not sure how this should work, because someone needs the public key.

2. Backup and Storage Encryption

I would expect that Mongo Enterprise does that already. If you also store the assets in MongoDB, you are covered here. If you use a custom backup solution, you have to ensure encryption by yourself. The same applies if you store the assets in another location like Azure blob storage or something similar.

3. Identity and Access Management

Most users use Squidex with an SSO solution like Azure AD. If Azure AD is HIPAA compliant, then Squidex is probably compliant as well in this aspect. But I have also read that it is necessary to log all login attempts, which is not the case in Squidex.

Furthermore, Squidex provides a fine-grained permission system, but not on the field level. You can use scripting to hide sensitive information from the user. Just hiding the inspection tab would not help here.

4. Integrity

I think this topic is partly covered. Because we create a new event for each change, we have a full history of every record. The article above also mentions signing, which I am not familiar with. But I am not sure if this is really needed.

To be on the safe side, an audit is needed. I am not sure about the costs, but it is very likely out of budget at the moment on our side. Perhaps we can share costs or work on that together.
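The "Integrity" point above mentions a per-change event history and, from the checklist article, signing of that history. The following is an added example, not Squidex code and not part of this thread, that shows what signing would add to an event log: each event carries an HMAC over its own content plus the signature of the previous event, so editing, reordering or removing any event is detected on verification. The signing key, the in-memory list and the event payloads are constructed for the example; a real deployment would keep the key outside the application (KMS or HSM) and would verify the chain from an independent copy of the log.

```python
import hashlib
import hmac
import json

# Constructed key for the example only; store a real key in a KMS/HSM, not in code.
SIGNING_KEY = b"example-key-not-for-production"

GENESIS = "0" * 64  # "previous signature" of the very first event


def canonical(event: dict) -> bytes:
    """Deterministic JSON encoding so the same event always hashes identically."""
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode()


def append_event(log: list, payload: dict, key: bytes = SIGNING_KEY) -> dict:
    """Append a signed event whose HMAC covers the previous event's signature."""
    prev = log[-1]["sig"] if log else GENESIS
    body = {"seq": len(log), "prev": prev, "payload": payload}
    sig = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    event = dict(body, sig=sig)
    log.append(event)
    return event


def verify_log(log: list, key: bytes = SIGNING_KEY) -> tuple:
    """Walk the chain; return (True, -1) if intact, else (False, index of first bad event)."""
    prev = GENESIS
    for i, ev in enumerate(log):
        body = {k: ev.get(k) for k in ("seq", "prev", "payload")}
        expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
        if (
            ev.get("seq") != i                       # gap or reordering
            or ev.get("prev") != prev                # chain broken
            or not hmac.compare_digest(expected, str(ev.get("sig", "")))  # content edited
        ):
            return False, i
        prev = ev["sig"]
    return True, -1


def demo() -> dict:
    """Build a small constructed history, then tamper with copies of it."""
    log = []
    # Payloads hold change metadata only (constructed); no PHI values are written here.
    append_event(log, {"record": "patient-1", "op": "create", "field": "name"})
    append_event(log, {"record": "patient-1", "op": "update", "field": "name"})
    append_event(log, {"record": "patient-1", "op": "delete"})

    # Silent edit of the second event's content.
    tampered = [dict(ev, payload=dict(ev["payload"])) for ev in log]
    tampered[1]["payload"]["op"] = "create"

    # Second event removed from the history.
    truncated = log[:1] + log[2:]

    return {
        "intact": verify_log(log),           # (True, -1)
        "tampered": verify_log(tampered),    # (False, 1)
        "truncated": verify_log(truncated),  # (False, 1)
    }


if __name__ == "__main__":
    print(demo())
```

Because the HMAC is keyed, an attacker with write access to the database but not to the key cannot re-sign a modified history; the check therefore belongs in a separate process that holds the verification key and is run on a schedule, with its result written to the audit record.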

@Sebastian

Thanks a lot, Sebastian, for the detailed reply. I already know and understand all the points mentioned below. Still, I wanted to confirm these things with you. I have some more to add on these points.

  1. Completely Clear

  2. Completely clear. So Squidex should work with encrypted MongoDB Enterprise without any issue. I am planning to have my own custom installation on my own server.

  3. There are safeguards in Azure AD for HIPAA compliance. You can see more information here: https://learn.microsoft.com/en-us/azure/active-directory/standards/hipaa-other-controls. These are the same safeguards you have already mentioned for safeguarding PHI data.

  4. Which points do you think are partly covered here? For the costs, I will message you directly.

Thank you

Signing is not covered as I mentioned.