Last post Apr 23, 2014 08:24 AM by Illeris
Apr 21, 2014 06:35 AM | rinshad55
I am developing a Medical Billing Software and it should be HIPAA compliant. My current architecture is using a separate database for each tenant. But I need to change it to a Multi tenant architecture. So is there any problem for HIPAA with a Multi tenant architecture? Is it possible to get any Document/Proof related to this topic?
Any help will be highly appreciated.
Apr 21, 2014 10:27 AM | bbcompent1
According to Asigra, the answer to your question is Multi-Tenancy is indeed HIPAA compliant. Here is the link to the article.
Asigra (n.d.). What is multi-tenancy? How secure is it? Retrieved from
Apr 21, 2014 11:32 AM | markfitzme
Also, don't forget that when you deploy the software you need a HIPAA compliant host. I've seen a lot of application developers miss that fact.
Apr 21, 2014 11:37 AM | bbcompent1
Duly noted, Mark. If security is a concern, don't cheap out on your hosting package. Make sure it is one that guarantees 99.999% uptime, because HIPAA requires no more than 5 minutes of unscheduled downtime per year. Also, this will be critical because many of these tenants will want Service Level Agreements in place that offer a guarantee of reliable service.
Apr 23, 2014 03:00 AM | Illeris
HIPAA requires you to separate the data per client/tenant. This means a shared database itself is not acceptable. Separating the databases is a good way to start. The next thing to do is to assure that the security per database & tenant is sufficient to reduce/minimize the risk that a user having access to one dbase can access data in another dbase. From your application you'll need to be sure (proof: in the design) that no mixture of sessions is possible between instances. From a management perspective: you need to be sure separate security is used per dbase, and generic accounts are reduced to the maximum. Meaning: if one SQL Server account is used for all connections with all dbases, you're in trouble.
Also, require your hosting provider to be HIPAA compliant.
Best way to be sure: pay for an audit. The remarks I gave you are from an audit point of view ;-)
Apr 23, 2014 06:48 AM | bbcompent1
Shared database server, yes; a shared database, however, would not be the best idea, and the reason, aside from security, goes further into a manageability point of view. Say we start with ten tables per customer: how sustainable would this model be if we were to add another 100-200 customers? Can you imagine how massive the one database would be? So therefore create one database per customer and secure the data using the encryption model mentioned in my first response to you. Having a private key pair (at least 128 bit encryption) ensures that no one other than a user approved by the client accesses the data. This way you cover your bases, so during an audit, as Illeris mentions, you can prove there is no way you would have access to the consumer's data. Also, another important thing to do is get yourself a certified ethical hacker to perform penetration testing to ensure your system is a less desirable target for attack.
Apr 23, 2014 06:49 AM | bbcompent1
And the multi-tenancy I was referring to was same database server, not a shared DB for the record. That is one of the ways that place keeps the consumer secure and maintains HIPAA compliance.
Apr 23, 2014 08:24 AM | Illeris
MS Dynamics NAV uses the same dbase for multiple companies. Not exactly the best multi-tenancy example you can find on the market :-).
HIPAA (and others such as SOX, ...) test on data isolation. In practice this means they check if every customer has its own data, separated from the others. Then they check if the security model applied over all data sources assures isolation. This can be done by using dbase-specific accounts (at dbase level, but also from the connection strings in your application), and by checking how & if encryption is applied.
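The isolation model the thread converges on (one shared SQL Server, but a separate database and a dedicated login per tenant, and no session able to reach another tenant's database) can be enforced in application code. The following is an added example, not code from any poster; the tenant names, server name, `SECRET_STORE` and `SAMPLE_TENANTS` are constructed, and the secret store is a stand-in for whatever vault the deployment uses.

```python
from dataclasses import dataclass


class IsolationError(Exception):
    """A configuration or request that would cross a tenant boundary."""


@dataclass(frozen=True)
class TenantDb:
    tenant_id: str
    database: str    # one database per tenant on the shared server
    login: str       # one SQL login per tenant, never a generic account
    secret_ref: str  # key in a secret store; the password never sits in config


# Constructed sample data: hypothetical tenants and placeholder secrets.
SECRET_STORE = {"vault/acme": "PLACEHOLDER-1", "vault/globex": "PLACEHOLDER-2"}
SAMPLE_TENANTS = [
    TenantDb("acme", "billing_acme", "svc_acme", "vault/acme"),
    TenantDb("globex", "billing_globex", "svc_globex", "vault/globex"),
]


class TenantRegistry:
    """Maps each tenant to its own database and login, refusing shared ones."""
    def __init__(self, entries):
        self._by_tenant = {}
        seen_logins, seen_dbs = set(), set()
        for e in entries:
            # Audit check: a login or database reused across tenants lets one
            # tenant's connection reach another tenant's data, so reject it.
            if e.login in seen_logins:
                raise IsolationError(f"login {e.login!r} is shared between tenants")
            if e.database in seen_dbs:
                raise IsolationError(f"database {e.database!r} is shared between tenants")
            seen_logins.add(e.login)
            seen_dbs.add(e.database)
            self._by_tenant[e.tenant_id] = e

    def connection_string(self, session_tenant, requested_tenant, server="sql01.internal"):
        # Session binding: the tenant a session authenticated for must equal the
        # tenant whose data is requested, so sessions cannot mix between instances.
        if session_tenant != requested_tenant:
            raise IsolationError(f"session of {session_tenant!r} requested {requested_tenant!r}")
        e = self._by_tenant[requested_tenant]
        password = SECRET_STORE[e.secret_ref]  # stand-in for a vault lookup
        return (f"Server={server};Database={e.database};User Id={e.login};"
                f"Password={password};Encrypt=True;")


def build_registry(entries=SAMPLE_TENANTS):
    return TenantRegistry(entries)
```

The registry rejects a configuration that reuses a login or database at startup, which is the kind of evidence an auditor asks for when checking that generic accounts have been eliminated.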