Postgres data encryption

Good morning,
Italian regulations for sensitive data management require encryption, so if I want to use OpenClinica to collect these data I need to encrypt at least the value column in the item_data table on PostgreSQL.
Has anybody else faced this problem? Which solution has the lowest impact on the OpenClinica code?
Thank you in advance,
Enrico

Comments

  • kristiak

    Hi Enrico,

    We have the same problem in Sweden and elsewhere in the EU. Patient data has to be encrypted if it needs to be transmitted anywhere. The best way to do this is to install an SSL certificate, e.g. a validated certificate from Digicert. They are relatively cheap, about 200 USD/year. Digicert has excellent support and is easy to install following their detailed instructions step by step.

    You can read more about the EU security directive at http://www.safenet-inc.com/data-protection/data-compliance/european-union-eu-compliance/ 

    Regards

    Krister

  • lindsay.stevens
    Options for postgres are described at [1], and some approaches are discussed at [2]. It seems to depend on who you need to hide the data from - for example if the client encrypts the data then you won't be able to do centralised data management. Is it definitely the case that the database needs to be encrypted, and not that the application has to use encrypted connections? Or both? Encrypted connections are possible through configuring the web server / Tomcat.

    The other issue is whether storing the private data in OpenClinica is necessary. In most cases we collect data from clinics that maintain their own records, using systems designed to protect privacy. The clinic maintains a list of pseudonyms for individuals (study subject ids). All data in OpenClinica is recorded against the pseudonym. If or when necessary, the identifying information is requested separately. The data extracted from OpenClinica is matched to the identifying data, which allows further matching to other information, like government health records.

    [1] http://www.postgresql.org/docs/9.3/static/encryption-options.html
    [2] http://www.postgresql.org/message-id/4DF97E9C.3070703@postnewspapers.com.au
  • haensel
    Hi Enrico

    This is a very challenging task. The database itself can store the data encrypted but that won't protect the data from access by the administrator (I'm not aware of anything that can protect the data from the administrator).
    If you could be more concrete with your requirements it might be possible to discuss different options.
    The only way we came about in the past is to encrypt the data right in the browser. That would require a (trusted) external service that encrypts the data before sending it to the OC server and decrypts it after loading it from the OC server.

    Regards,
    Christian
  • ecalanchi
    Thank you all,
    we're already using SSL certificates to encrypt data transmission as kristiak suggested, but this issue is a little bit different: we need to collect personal sensitive data (Name, Last name, Date of birth...) for a patients registry. Since these data allow you to identify the patient, they have to be stored encrypted (even if nothing can protect the data from the administrator, as haensel said).
    lindsay.stevens made the point of the matter: we would like to avoid having to rely on another platform to (manually) identify patient.
    We are considering some options:
    - Encrypting "value" column in "item_data" table seems to be a solution, so we investigated Postgres encryption options and we found that they're supported only as of PostgreSQL 9.1.
    - Encrypting the whole disk involves other issues (performance, backup policies...).
    - Managing encryption in the OpenClinica code is the most demanding option in terms of time costs and impact on the web-application.
    Has anyone dealt with this problem? We would like to discuss the impact on the application of these technical solutions.
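One way to encrypt the `value` column with pgcrypto while keeping the application untouched, as an added example that is not OpenClinica code and not from any poster in this thread: the ciphertext lives in a renamed table, and a view with INSTEAD OF triggers keeps the original table name so existing queries still read and write plaintext. It assumes PostgreSQL 9.1 or later (CREATE EXTENSION and INSTEAD OF triggers), a stand-in table with only `item_data_id` and `value` (the real `item_data` has more columns, which the view would have to carry through unchanged), and a key handed to each session through a custom setting named `app.item_data_key`; all three are assumptions for illustration.

```sql
-- Added example, not OpenClinica code. Column-level encryption of
-- item_data.value with pgcrypto behind an updatable view.
-- Assumed: PostgreSQL 9.1+, a reduced stand-in table, and a per-session key
-- supplied via the custom setting app.item_data_key.

CREATE EXTENSION IF NOT EXISTS pgcrypto;

-- 1. Ciphertext table. For the real schema you would instead
--    ALTER TABLE item_data RENAME TO item_data_enc and change value to bytea.
CREATE TABLE item_data_enc (
    item_data_id serial PRIMARY KEY,
    value        bytea            -- PGP ciphertext, never plaintext
);

-- 2. Key handling. The application runs SET app.item_data_key = '...' on
--    every connection (on 9.1 this needs custom_variable_classes = 'app' in
--    postgresql.conf; from 9.2 any dotted name is accepted). Anyone who can
--    read the application's config or attach to its session gets the key:
--    this protects disks, dumps and backups, not against the DBA.
CREATE OR REPLACE FUNCTION item_data_key() RETURNS text AS $$
    SELECT current_setting('app.item_data_key');
$$ LANGUAGE sql STABLE;

-- 3. The view keeps the original table name, so OpenClinica's SQL is untouched.
CREATE VIEW item_data AS
SELECT item_data_id,
       pgp_sym_decrypt(value, item_data_key()) AS value
  FROM item_data_enc;

-- 4. INSTEAD OF triggers make the view writable.
CREATE OR REPLACE FUNCTION item_data_write() RETURNS trigger AS $$
BEGIN
    IF TG_OP = 'INSERT' THEN
        INSERT INTO item_data_enc (value)
        VALUES (pgp_sym_encrypt(NEW.value, item_data_key()))
        RETURNING item_data_id INTO NEW.item_data_id;
        RETURN NEW;
    ELSIF TG_OP = 'UPDATE' THEN
        UPDATE item_data_enc
           SET value = pgp_sym_encrypt(NEW.value, item_data_key())
         WHERE item_data_id = OLD.item_data_id;
        RETURN NEW;
    ELSE
        DELETE FROM item_data_enc WHERE item_data_id = OLD.item_data_id;
        RETURN OLD;
    END IF;
END;
$$ LANGUAGE plpgsql;

CREATE TRIGGER item_data_rw
    INSTEAD OF INSERT OR UPDATE OR DELETE ON item_data
    FOR EACH ROW EXECUTE PROCEDURE item_data_write();

-- 5. Usage check (constructed sample data).
SET app.item_data_key = 'replace-with-a-real-secret';
INSERT INTO item_data (value) VALUES ('Mario Rossi');
SELECT value FROM item_data;       -- plaintext: Mario Rossi
SELECT value FROM item_data_enc;   -- opaque PGP ciphertext bytes
-- In a fresh session that never ran SET app.item_data_key, the SELECT on
-- item_data errors out instead of returning plaintext.
```

Two caveats a practitioner should weigh before adopting this: a `WHERE value = ...` or `LIKE` on the view decrypts every row and cannot use an index, so any OpenClinica feature that filters or extracts on `value` will slow down in proportion to the table size; and key rotation means re-encrypting every row inside one transaction while the application is stopped, which is the operational burden the whole-disk option in the post above avoids.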
  • toskrip
    Hi,

    it was already mentioned here (by lindsay.stevens). We use an extra application with its own database to store patient identity data. Each patient identity is afterwards represented via a pseudonym which is stored within the OpenClinica subject Person ID attribute. This is the most flexible setup because it allows you to encrypt the whole identity database disk if necessary.

    best

    Tomas
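The separation that lindsay.stevens and toskrip describe, as an added example that is not OpenClinica's code and not the registry application either poster runs: an identity registry in its own database, reachable only by its own role, hands out random pseudonyms that are the only thing entered into OpenClinica's Person ID. The database name, the role names `registry` and `oc_app`, the table and function names, and the keyed-hash duplicate check are all assumptions for illustration; the thread only states that a separate application and database exist.

```sql
-- Added example, not from the thread. Identity registry kept in a separate
-- database from OpenClinica; only a random pseudonym crosses over.
-- Assumed names: roles registry / oc_app, table patient_identity,
-- function register_patient. Run as a superuser in the registry database.

CREATE EXTENSION IF NOT EXISTS pgcrypto;

CREATE ROLE registry LOGIN PASSWORD 'change-me';  -- the registry application only
CREATE ROLE oc_app   LOGIN PASSWORD 'change-me';  -- OpenClinica's DB user (gets nothing here)

CREATE TABLE patient_identity (
    pseudonym     text  PRIMARY KEY,       -- goes into OpenClinica's Person ID
    identity_hmac bytea NOT NULL UNIQUE,   -- keyed hash, for duplicate detection
    identity      bytea NOT NULL,          -- name / date of birth, encrypted at rest
    created_at    timestamptz NOT NULL DEFAULT now()
);

-- The pseudonym is random, not derived from the identity, so a leaked
-- OpenClinica dump gives an attacker nothing to brute-force back to a name.
-- The HMAC is keyed for the same reason: a plain hash of "name + DOB" would be
-- trivially enumerable. Callers are assumed to normalise p_identity
-- (case, whitespace, date format) before calling.
CREATE FUNCTION register_patient(p_identity text, p_key text)
RETURNS text AS $$
DECLARE
    h bytea := hmac(p_identity, p_key, 'sha256');
    p text  := encode(gen_random_bytes(8), 'hex');   -- 64 random bits
BEGIN
    INSERT INTO patient_identity (pseudonym, identity_hmac, identity)
    VALUES (p, h, pgp_sym_encrypt(p_identity, p_key));
    RETURN p;
EXCEPTION WHEN unique_violation THEN
    -- Same patient registered twice: return the pseudonym already issued
    -- (a collision on the random pseudonym itself is negligible at 64 bits).
    RETURN (SELECT pseudonym FROM patient_identity WHERE identity_hmac = h);
END;
$$ LANGUAGE plpgsql;

-- Least privilege: only the registry role can touch identities; oc_app is
-- deliberately granted nothing in this database, and CONNECT is withheld.
REVOKE ALL ON patient_identity FROM PUBLIC;
REVOKE EXECUTE ON FUNCTION register_patient(text, text) FROM PUBLIC;
GRANT SELECT, INSERT ON patient_identity TO registry;
GRANT EXECUTE ON FUNCTION register_patient(text, text) TO registry;
REVOKE CONNECT ON DATABASE current_database() FROM oc_app;  -- see note below

-- Usage as the registry role (constructed sample identity):
SELECT register_patient('rossi|mario|1970-01-01', 'registry-key');
-- returns e.g. 3f9c2b7e1a0d4c55; this string is typed into Person ID.
-- Calling it again with the same identity returns the same pseudonym.

-- Re-identification, again only as the registry role:
SELECT pgp_sym_decrypt(identity, 'registry-key')
  FROM patient_identity
 WHERE pseudonym = '3f9c2b7e1a0d4c55';
```

`REVOKE CONNECT ON DATABASE current_database()` is shorthand in the listing: `REVOKE ... ON DATABASE` takes a literal database name, so substitute the registry database's actual name. The point of the grants is that a compromise of OpenClinica's `oc_app` credentials, or of a study-database backup, yields pseudonyms only; re-identification requires both the registry role and the registry key, which is why the posters above can afford to store the study data outside the protected network and keep only the key inside it.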
  • kristiak
    In Sweden data about a patient's health status combined with information to identify the individual can only be viewed by individuals involved with the care of the patient. Such individuals have a special ID card that has to be inserted into the terminal to allow log on and access to personal data. The data is stored within a special network (SJUNET) and cannot be accessed from the INTERNET without the ID card. This would require that OpenClinica is hosted within SJUNET and the administrator would have to have special authorisation and be part of the hospital staff. It is doable but very complicated and you will depend on the cooperation of the IT staff in the hospital. Thus we usually do not store such data that can identify an individual patient.
  • ccollins (admin)
    Hi Enrico,

    Thanks for starting this thread - you all do a great job laying out the considerations for at-rest data encryption that actually provides value.

    What we most commonly see at OpenClinica LLC is more of a 'check the box' approach... there's an IT security questionnaire that must be completed that asks 'is data encrypted?' and doesn't really care about who it's encrypted from.

    I'm not an expert in this area but considering the above, it strikes me that whole-disk encryption is probably the simplest to achieve if you want to just check the box. As you state the performance impact would need to be assessed.

    The plans are to officially support Postgres 9.1 sometime in the first half of next year. Hopefully this will be in Q1 but that is not certain. OpenClinica has been reported to run quite well on 9.1 so experimentation/testing could start much sooner.

    To do better than just checking the box, the procedures used are as important as the technology. PCI standards, used for credit cards, are a good place to start. This slide deck does a good job describing a set of requirements. A lot of these are typical InfoSec controls that are in place for any decent hosting solution (including our Optimized Hosting), but the ones that are specific to encryption/decryption/key management (requirement #3 in the slide deck) could be a start for an OpenClinica data encryption model.

    Regards,
    Cal
  • kristiak
    I should have mentioned that you can solve this and store most of the data externally to SJUNET, and the key to the individual patient is stored within SJUNET and only accessible by the investigator or CRC at the clinic!
  • kristiak
    We use exactly this system as well.

    Best

    Krister