HIPAA compliance and SQL Server: Tricks and tools of the trade

Find out which tools help attain HIPAA compliance. Lena Weiner profiles HIPAA pro Brandon Leach, who explains the steps needed to secure SQL Server.

Editor's note: This is part two of a two-part story on Brandon Leach, database administrator for Network Health of Medford, Mass. The first part was featured last week.

There are times when you absolutely have to use real data, for example when a database experiences an issue with bad data. In those cases, Brandon Leach tries to use as little of it as possible to get the job done. Like every company subject to HIPAA regulations, Leach's employer has a compliance officer who provides oversight and tells employees which risks with data are reasonable, and compliance officers are usually very strict. For example, if an administrator needs 10 records to test whether a table is functioning properly and pulls 100 instead, that would be considered 90 HIPAA violations.


Employees who work under HIPAA compliance guidelines generally cannot copy any sort of patient data to a personal computer or take it home. This may sound like a no-brainer, but what if you were planning to work from home or needed to work late? This can easily become a real inconvenience in a field known for long hours. Still, Leach said you have to make sure you look at things through the lens of what is good for members.

Leach is also emphatic about the importance of change management in organizations that adhere to HIPAA regulations.

"Security requires understanding as to what changes are being made," he said. "Change management is almost a sister process to security -- they play into each other."


When asked for more keys to keeping your server secure, Leach suggests following the principle of least privilege: users get access to exactly what they need and nothing more. He often grants permissions for a specific project and removes them as soon as the person is done with it.

He also strongly suggests auditing your users frequently to see who actually has access to the database, and going over your security policy a couple of times a year, adjusting it as the business evolves.

"You would be surprised over the course of the year how much stuff can slip through," he said.
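The grant-for-a-project-then-revoke pattern and the periodic access review described above, written out as T-SQL. This is an added example, not code from the article or from Network Health; the database name ClaimsDB, the user dev_alice, the table dbo.ClaimLine and the role name are all hypothetical, and the ALTER ROLE syntax needs SQL Server 2012 or later (older instances use sp_addrolemember and sp_droprolemember).

```sql
-- Added example (not from the article): a least-privilege grant for a
-- short-lived project, followed by the access review Leach describes.
-- ClaimsDB, dev_alice, dbo.ClaimLine and the role name are hypothetical.
USE ClaimsDB;
GO

-- 1. Scope the access to a role named after the project, not to the person.
--    Granting on the role means revoking it later is one DROP MEMBER,
--    and the review query below shows at a glance why the access exists.
CREATE ROLE proj_claims_fix_2014q2;
GRANT SELECT ON OBJECT::dbo.ClaimLine TO proj_claims_fix_2014q2;
-- If only part of each row is needed, grant at column level and leave the
-- PHI columns out entirely:
-- GRANT SELECT (ClaimID, ServiceDate, BilledAmount) ON dbo.ClaimLine
--     TO proj_claims_fix_2014q2;

-- 2. Add the developer only for the duration of the project.
ALTER ROLE proj_claims_fix_2014q2 ADD MEMBER dev_alice;

-- 3. The periodic review: which principal holds which permission on which
--    object in this database. Anything granted directly to a person rather
--    than to a project role, or to a role whose project has ended, is a
--    candidate for removal.
SELECT  pr.name          AS principal_name,
        pr.type_desc     AS principal_type,
        pe.permission_name,
        pe.state_desc,
        OBJECT_SCHEMA_NAME(pe.major_id) + '.' + OBJECT_NAME(pe.major_id) AS securable,
        COL_NAME(pe.major_id, pe.minor_id) AS column_name   -- NULL for whole-object grants
FROM    sys.database_permissions AS pe
JOIN    sys.database_principals AS pr ON pr.principal_id = pe.grantee_principal_id
WHERE   pe.class_desc = 'OBJECT_OR_COLUMN'
ORDER BY pr.name, securable;

-- Role membership, so the reviewer can see which people inherit those grants.
SELECT  r.name AS role_name, m.name AS member_name
FROM    sys.database_role_members AS rm
JOIN    sys.database_principals AS r ON r.principal_id = rm.role_principal_id
JOIN    sys.database_principals AS m ON m.principal_id = rm.member_principal_id
ORDER BY r.name, m.name;

-- 4. When the project ends, remove the access and the role itself, so it
--    cannot quietly be reused, instead of leaving it for the next audit.
ALTER ROLE proj_claims_fix_2014q2 DROP MEMBER dev_alice;
DROP ROLE proj_claims_fix_2014q2;
GO
```

Running the two review queries before step 4 shows dev_alice holding SELECT on dbo.ClaimLine only through the project role; running them again afterwards shows nothing, which is the state a yearly audit should find for finished work.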

SQL Server and HIPAA compliance

Leach also says that developers on his team frequently access SQL Server through proxies rather than with their own credentials, which is a good way to keep things secure.

Within his organization, Network Health, "security never ends," said Leach. "It's a constant loop." He said they are constantly looking for ways to refine it. They bring in a third-party organization to do an audit every year, usually a professional auditing firm like Ernst & Young. This level of scrutiny, he said, is fairly standard within healthcare organizations.


"I've never come across a company that doesn't take this seriously," he said. "There are notable cases of people being stupid -- a small provider who uploads info to a USB stick that gets stolen, for example -- but the results of that stuff happening is so bad, the consequences so severe, it's at the forefront of everyone's mind."

When asked about his experience with SQL Server security compared with its competitors, Leach seemed fairly satisfied. Among the features he likes are the ability to authenticate a user at the database level rather than the server level, the availability of proxies, and the ability to let someone execute a procedure against a table without being able to see the data in that table.
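The two SQL Server features Leach singles out, a user that authenticates at the database level with no server login, and a stored procedure a user can execute without SELECT on the table it reads, shown as an added T-SQL example that is not from the article or from Network Health. Database-level authentication uses contained databases, which need SQL Server 2012 or later; the execute-without-seeing-the-data behaviour relies on ownership chaining between the procedure and the table. MemberDB, report_svc, dbo.Member and dbo.usp_MemberCountByPlan are hypothetical names.

```sql
-- Added example (not from the article). MemberDB, report_svc, dbo.Member
-- and dbo.usp_MemberCountByPlan are hypothetical names.

-- Database-level authentication needs a partially contained database
-- (SQL Server 2012 or later) and the instance-level option switched on.
EXEC sp_configure 'contained database authentication', 1;
RECONFIGURE;
GO
ALTER DATABASE MemberDB SET CONTAINMENT = PARTIAL;
GO
USE MemberDB;
GO

-- No server login is created: the user exists only inside this database,
-- so it has nothing to attach to elsewhere on the instance and moves with
-- the database if it is restored somewhere else.
CREATE USER report_svc WITH PASSWORD = 'Use-a-generated-secret-here-1!';
GO

-- The procedure reads the table on the caller's behalf. Because the
-- procedure and the table have the same owner (dbo), ownership chaining
-- means SQL Server does not check SELECT on dbo.Member when report_svc
-- executes it; only the procedure's own output leaves the boundary.
CREATE PROCEDURE dbo.usp_MemberCountByPlan
AS
BEGIN
    SET NOCOUNT ON;
    SELECT PlanCode, COUNT(*) AS MemberCount
    FROM   dbo.Member
    GROUP  BY PlanCode;   -- aggregate only: no name, DOB or member ID is returned
END;
GO
GRANT EXECUTE ON OBJECT::dbo.usp_MemberCountByPlan TO report_svc;
GO

-- Check the boundary from the user's point of view. Impersonation here
-- assumes you are running as the database owner or a sysadmin.
EXECUTE AS USER = 'report_svc';
EXEC dbo.usp_MemberCountByPlan;        -- succeeds: EXECUTE was granted
SELECT TOP (1) * FROM dbo.Member;      -- fails with a SELECT permission denied error
REVERT;
GO
```

If the procedure later needs to read a table owned by someone other than dbo, the ownership chain breaks and report_svc would need SELECT on that table; keeping the tables a procedure touches under one owner is what keeps the EXECUTE-only grant sufficient.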

"I think it's comparable to Oracle," he said, adding that SQL Server costs less despite being what he thinks is a comparable product. "They're about equal at this point. It's more about right tools for the job. Sometimes, you might want to use a NoSQL database. As long as you're able to secure input on the inside of your organization, you're good."
