Healthcare data protection for US organizations.
NornicDB provides features that help covered entities and business associates meet the HIPAA Security Rule (45 CFR Part 164, Subpart C) requirements for electronic Protected Health Information (ePHI). The tables below map each safeguard to the NornicDB feature, or the deployment responsibility, that addresses it; the product covers the technical controls, and the operator remains responsible for the rest.

Administrative Safeguards (§164.308):

| Requirement | Section | NornicDB Feature |
|---|---|---|
| Security Management | (a)(1) | Audit logging, risk analysis |
| Workforce Security | (a)(3) | RBAC, user management |
| Information Access | (a)(4) | Role-based permissions |
| Security Training | (a)(5) | Audit trails for review |
| Security Incidents | (a)(6) | Security alerting |
| Contingency Plan | (a)(7) | Backup, restore |
Technical Safeguards (§164.312):

| Requirement | Section | NornicDB Feature |
|---|---|---|
| Access Control | (a)(1) | JWT auth, RBAC |
| Audit Controls | (b) | Comprehensive audit logging |
| Integrity | (c)(1) | Checksums, encryption |
| Person Authentication | (d) | Multi-factor ready |
| Transmission Security | (e)(1) | TLS 1.3 |
Physical Safeguards (§164.310) are outside the database's control and fall to the deployment:

| Requirement | Section | Deployment Responsibility |
|---|---|---|
| Facility Access | (a)(1) | Customer infrastructure |
| Workstation Use and Security | (b), (c) | Customer responsibility |
| Device and Media Controls | (d)(1) | Customer responsibility |
NornicDB uses all-or-nothing encryption at the storage level. When enabled, ALL data is encrypted - including all PHI fields, indexes, and metadata. This simplifies compliance because you don't need to identify and configure individual PHI fields.
```yaml
# Enable full database encryption
database:
  encryption_enabled: true
  encryption_password: "your-secure-password-here"
```

Benefits of full database encryption:
- ✅ Complete PHI protection - No need to identify PHI fields
- ✅ No configuration errors - Can't accidentally miss a field
- ✅ Simple compliance - One setting protects everything
- ✅ Strong encryption - AES-256 with PBKDF2 key derivation
Important: if you lose the encryption password, the data cannot be recovered. Keep it in a secrets manager rather than in a config file committed to version control, and keep a second copy under separate control so that one lost credential does not become a data loss event.
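To make the all-or-nothing model and the lost-password warning concrete, here is an added example (not NornicDB's code; the blob layout, salt size and iteration count are assumptions) of password-based AES-256-GCM with a standard-library PBKDF2-HMAC-SHA256. A wrong password derives a different key, GCM's tag check fails, and no plaintext comes back; the same check also catches a blob that was modified on disk.

```go
package main

import (
    "crypto/aes"
    "crypto/cipher"
    "crypto/hmac"
    "crypto/rand"
    "crypto/sha256"
    "encoding/binary"
    "errors"
    "fmt"
)

// Illustrative parameters, not NornicDB's real settings.
const (
    saltLen = 16     // random per-database salt stored with the ciphertext
    kdfIter = 100000 // PBKDF2 iteration count
    keyLen  = 32     // a 32-byte key selects AES-256
)

// pbkdf2SHA256 implements PBKDF2-HMAC-SHA256 (RFC 8018 section 5.2) using only
// the standard library, so the example runs without golang.org/x/crypto.
func pbkdf2SHA256(password, salt []byte, iter, dkLen int) []byte {
    prf := hmac.New(sha256.New, password)
    hLen := prf.Size()
    out := make([]byte, 0, dkLen+hLen)
    idx := make([]byte, 4)
    for block := 1; len(out) < dkLen; block++ {
        // U1 = PRF(password, salt || INT_32_BE(block))
        binary.BigEndian.PutUint32(idx, uint32(block))
        prf.Reset()
        prf.Write(salt)
        prf.Write(idx)
        u := prf.Sum(nil)
        t := append([]byte(nil), u...)
        // T = U1 xor U2 xor ... xor Uc, where U(i) = PRF(password, U(i-1))
        for i := 1; i < iter; i++ {
            prf.Reset()
            prf.Write(u)
            u = prf.Sum(nil)
            for j := range t {
                t[j] ^= u[j]
            }
        }
        out = append(out, t...)
    }
    return out[:dkLen]
}

func gcmForPassword(password string, salt []byte) (cipher.AEAD, error) {
    key := pbkdf2SHA256([]byte(password), salt, kdfIter, keyLen)
    block, err := aes.NewCipher(key)
    if err != nil {
        return nil, err
    }
    return cipher.NewGCM(block)
}

// Seal encrypts one record under the password. Assumed blob layout:
// salt || nonce || AES-256-GCM ciphertext+tag, with the salt bound as AAD.
func Seal(password string, plaintext []byte) ([]byte, error) {
    salt := make([]byte, saltLen)
    if _, err := rand.Read(salt); err != nil {
        return nil, err
    }
    gcm, err := gcmForPassword(password, salt)
    if err != nil {
        return nil, err
    }
    nonce := make([]byte, gcm.NonceSize())
    if _, err := rand.Read(nonce); err != nil {
        return nil, err
    }
    blob := make([]byte, 0, saltLen+len(nonce)+len(plaintext)+gcm.Overhead())
    blob = append(blob, salt...)
    blob = append(blob, nonce...)
    return gcm.Seal(blob, nonce, plaintext, salt), nil
}

// Open reverses Seal. With the wrong password the derived key differs, the
// authentication tag does not verify, and nothing is returned.
func Open(password string, blob []byte) ([]byte, error) {
    if len(blob) < saltLen {
        return nil, errors.New("blob too short")
    }
    salt := blob[:saltLen]
    gcm, err := gcmForPassword(password, salt)
    if err != nil {
        return nil, err
    }
    ns := gcm.NonceSize()
    if len(blob) < saltLen+ns+gcm.Overhead() {
        return nil, errors.New("blob too short")
    }
    pt, err := gcm.Open(nil, blob[saltLen:saltLen+ns], blob[saltLen+ns:], salt)
    if err != nil {
        return nil, fmt.Errorf("decryption failed (wrong password or tampered data): %w", err)
    }
    return pt, nil
}

func main() {
    blob, _ := Seal("your-secure-password-here", []byte(`{"id":"patient-456","diagnosis":"..."}`))
    _, err := Open("wrong-password", blob)
    fmt.Println("wrong password:", err)
    pt, _ := Open("your-secure-password-here", blob)
    fmt.Println("correct password:", string(pt))
}
```

Because the key exists only as a function of the password and the stored salt, there is nothing on disk an administrator can use to regenerate it; that is the property the warning above describes.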
All PHI access is logged:
```json
{
  "timestamp": "2024-12-01T10:00:00Z",
  "type": "DATA_READ",
  "user_id": "provider-123",
  "resource": "patient-record",
  "resource_id": "patient-456",
  "action": "READ",
  "phi_accessed": true,
  "legal_basis": "treatment",
  "details": "Routine care access"
}
```

Every user gets a unique identifier, so each audit entry traces back to one person:

```go
// Each user has a unique ID
user := &User{
    ID:       "usr_" + uuid.New().String(),
    Username: "dr.smith",
    Roles:    []Role{RoleProvider},
}
```

Roles carry only the permissions their job function needs (minimum necessary):

```yaml
rbac:
  roles:
    - name: provider
      permissions: [read_phi, write_phi]
    - name: admin
      permissions: [read_phi, write_phi, manage_users]
    - name: billing
      permissions: [read_phi_limited]
    - name: research
      permissions: [read_deidentified]
```
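As an added illustration of the minimum-necessary projection these roles imply (example code, not NornicDB's own; the billing and identifier field lists and the HMAC pseudonym are assumptions), this Go snippet resolves a role's permissions from the rbac: block above and trims a patient record accordingly, denying access outright when no read permission applies, which is what `default_role: none` means in practice.

```go
package main

import (
    "crypto/hmac"
    "crypto/sha256"
    "encoding/hex"
    "errors"
    "fmt"
)

// Role to permissions, copied from the rbac: block above.
var rolePermissions = map[string][]string{
    "provider": {"read_phi", "write_phi"},
    "admin":    {"read_phi", "write_phi", "manage_users"},
    "billing":  {"read_phi_limited"},
    "research": {"read_deidentified"},
}

// Field classes are assumptions for this example; a real deployment derives
// them from its data inventory.
var (
    billingFields     = map[string]bool{"id": true, "name": true, "dob": true, "insurance_id": true, "billing_codes": true}
    directIdentifiers = map[string]bool{"name": true, "dob": true, "ssn": true, "address": true, "phone": true, "insurance_id": true}
)

var ErrDenied = errors.New("access denied")

// HasPermission is the RBAC check; an unknown role has no permissions at all.
func HasPermission(role, perm string) bool {
    for _, p := range rolePermissions[role] {
        if p == perm {
            return true
        }
    }
    return false
}

// MinimumNecessary projects a patient record down to what the role may see.
// The broadest applicable permission wins; with none, access is denied.
func MinimumNecessary(role string, record map[string]any, pseudonymKey []byte) (map[string]any, error) {
    out := make(map[string]any, len(record))
    switch {
    case HasPermission(role, "read_phi"):
        for k, v := range record {
            out[k] = v
        }
    case HasPermission(role, "read_phi_limited"):
        for k, v := range record {
            if billingFields[k] {
                out[k] = v
            }
        }
    case HasPermission(role, "read_deidentified"):
        for k, v := range record {
            switch {
            case directIdentifiers[k]:
                continue // strip direct identifiers
            case k == "id":
                out[k] = pseudonym(fmt.Sprint(v), pseudonymKey) // linkable, not identifying
            default:
                out[k] = v
            }
        }
    default:
        return nil, fmt.Errorf("%w: role %q has no read permission", ErrDenied, role)
    }
    return out, nil
}

// pseudonym is a keyed hash of the patient id so research rows can be linked
// across queries without exposing the id; the key must live outside the dataset.
func pseudonym(id string, key []byte) string {
    m := hmac.New(sha256.New, key)
    m.Write([]byte(id))
    return hex.EncodeToString(m.Sum(nil))[:16]
}

func main() {
    record := map[string]any{"id": "patient-456", "name": "...", "dob": "1980-01-01", "insurance_id": "INS-1", "diagnosis": "..."}
    for _, role := range []string{"provider", "billing", "research", "guest"} {
        view, err := MinimumNecessary(role, record, []byte("research-pseudonym-key"))
        fmt.Printf("%-8s %v %v\n", role, view, err)
    }
}
```

The projection runs on the server side of the query, before results leave the database process; filtering in the client would already have moved the full record across the wire.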
Return only the fields the caller needs, and do not discard the query error:

```go
// Return only necessary fields
result, err := db.Query(ctx, `
    MATCH (p:Patient {id: $id})
    RETURN p.name, p.dob // only the fields this view needs
`, params)
if err != nil {
    return err
}
```

Audit logging records the following events:

| Event | Logged Data |
|---|---|
| Login | User, IP, time, success/fail |
| PHI Access | User, patient, fields, purpose |
| PHI Modification | User, patient, changes, time |
| Export | User, format, records |
| System Changes | User, setting, old/new value |
Example PHI access event:

```json
{
  "event_id": "evt_abc123",
  "timestamp": "2024-12-01T10:30:00Z",
  "event_type": "PHI_ACCESS",
  "user_id": "provider-123",
  "user_name": "Dr. Smith",
  "patient_id": "patient-456",
  "action": "READ",
  "fields_accessed": ["diagnosis", "medications"],
  "purpose": "treatment",
  "ip_address": "192.168.1.100",
  "workstation": "clinic-ws-01"
}
```

Retention:

```yaml
audit:
  retention_days: 2555 # 7 years (HIPAA requires documentation to be kept for 6 years)
  phi_retention: 2555
```

Transmission security:

```yaml
tls:
  enabled: true
  min_version: TLS1.2 # HIPAA names no version; TLS 1.2 is the accepted floor, 1.3 preferred
  preferred_version: TLS1.3
  cipher_suites:
    - TLS_AES_256_GCM_SHA384
    - TLS_CHACHA20_POLY1305_SHA256
```

Both listed suites exist only in TLS 1.3. A client that negotiates TLS 1.2 uses whatever 1.2 suites the server allows, so check that the 1.2 list is also restricted to AEAD suites (GCM or ChaCha20-Poly1305) with ECDHE key exchange.

```bash
# Generate a self-signed certificate for testing. Production deployments should use
# a certificate from a trusted CA. -nodes leaves the private key unencrypted on disk,
# so restrict the file's permissions.
openssl req -x509 -nodes -days 365 -newkey rsa:4096 \
  -keyout server.key -out server.crt
```

Integrity: a checksum over the serialized record lets the database detect PHI that was altered outside its own write path:

```go
// Checksums for PHI: hash the serialized properties so modification is detectable
props := map[string]any{"diagnosis": "..."}
data, err := json.Marshal(props)
if err != nil {
    return err
}
node := &Node{
    ID:         "patient-123",
    Properties: props,
    Checksum:   sha256.Sum256(data),
}
```

The audit log itself is integrity-protected as well:

```yaml
audit:
  integrity:
    enabled: true
    algorithm: SHA-256
    chain: true # hash chain: each entry commits to the previous one, so edits and deletions are detectable
```
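What `chain: true` buys you, shown as an added example rather than NornicDB's implementation (the entry layout and the all-zero genesis value are assumptions): each entry's hash commits to the previous entry's hash and to its own contents, so a verifier that recomputes the chain pinpoints the first entry that was modified, removed or inserted.

```go
package main

import (
    "crypto/sha256"
    "encoding/hex"
    "encoding/json"
    "fmt"
)

// AuditEvent mirrors the fields of the PHI_ACCESS event shown above.
type AuditEvent struct {
    EventID        string   `json:"event_id"`
    Timestamp      string   `json:"timestamp"`
    EventType      string   `json:"event_type"`
    UserID         string   `json:"user_id"`
    PatientID      string   `json:"patient_id"`
    Action         string   `json:"action"`
    FieldsAccessed []string `json:"fields_accessed"`
    Purpose        string   `json:"purpose"`
}

// ChainedEntry is one line of the integrity-protected log (layout assumed):
// the event, the hash of the previous entry, and this entry's own hash.
type ChainedEntry struct {
    Event    AuditEvent `json:"event"`
    PrevHash string     `json:"prev_hash"`
    Hash     string     `json:"hash"`
}

const genesisHash = "0000000000000000000000000000000000000000000000000000000000000000"

// entryHash = SHA-256(prev_hash || canonical JSON of the event). json.Marshal
// of a struct is deterministic (fields in declaration order), which gives a
// stable canonical form; map-based events would need key sorting first.
func entryHash(prev string, ev AuditEvent) string {
    body, err := json.Marshal(ev)
    if err != nil {
        panic(err) // strings and []string cannot fail to marshal
    }
    h := sha256.New()
    h.Write([]byte(prev))
    h.Write(body)
    return hex.EncodeToString(h.Sum(nil))
}

// Append links a new event to the tail of the chain.
func Append(chain []ChainedEntry, ev AuditEvent) []ChainedEntry {
    prev := genesisHash
    if n := len(chain); n > 0 {
        prev = chain[n-1].Hash
    }
    return append(chain, ChainedEntry{Event: ev, PrevHash: prev, Hash: entryHash(prev, ev)})
}

// Verify recomputes every link. It returns the index of the first entry that
// was modified, or whose predecessor was removed or inserted, and -1 if intact.
func Verify(chain []ChainedEntry) (int, error) {
    prev := genesisHash
    for i, e := range chain {
        if e.PrevHash != prev {
            return i, fmt.Errorf("entry %d: link broken (entry removed or inserted before it)", i)
        }
        if entryHash(e.PrevHash, e.Event) != e.Hash {
            return i, fmt.Errorf("entry %d: contents modified", i)
        }
        prev = e.Hash
    }
    return -1, nil
}

func main() {
    var chain []ChainedEntry
    chain = Append(chain, AuditEvent{EventID: "evt_001", Timestamp: "2024-12-01T10:30:00Z", EventType: "PHI_ACCESS",
        UserID: "provider-123", PatientID: "patient-456", Action: "READ", FieldsAccessed: []string{"diagnosis"}, Purpose: "treatment"})
    chain = Append(chain, AuditEvent{EventID: "evt_002", Timestamp: "2024-12-01T10:31:00Z", EventType: "PHI_ACCESS",
        UserID: "provider-123", PatientID: "patient-457", Action: "READ", FieldsAccessed: []string{"medications"}, Purpose: "treatment"})
    fmt.Println(Verify(chain)) // -1 <nil>
    chain[0].Event.UserID = "someone-else" // an insider rewriting history
    fmt.Println(Verify(chain)) // 0 entry 0: contents modified
}
```

A hash chain on its own does not detect truncation of the tail: dropping the newest entries leaves a chain that still verifies. Anchor the latest hash somewhere the log writer cannot change (a signed checkpoint, WORM storage, or a separate system) and compare against it during log review.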
Set up breach alerting: route security alerts to the security team and start breach response when an alert meets the breach criteria:

```go
// Set up breach alerting. notifySecurityTeam, isBreach and
// initiateBreachResponse are application-defined hooks.
logger.SetAlertCallback(func(event audit.Event) {
    if event.Type == audit.EventSecurityAlert {
        notifySecurityTeam(event)
        if isBreach(event) {
            initiateBreachResponse(event)
        }
    }
})
```
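An added example of the kind of logic an alert callback might evaluate, not NornicDB's own detection (the two rules and their thresholds are assumptions, and the log lines are constructed in the event format shown above): it scans JSON-lines audit output for one user reading an unusual number of distinct patients inside a short window, and for PHI access recorded without a purpose.

```go
package main

import (
    "bufio"
    "encoding/json"
    "fmt"
    "sort"
    "strings"
    "time"
)

// phiEvent uses the field names of the audit event above; other fields are ignored.
type phiEvent struct {
    EventID   string    `json:"event_id"`
    Timestamp time.Time `json:"timestamp"`
    EventType string    `json:"event_type"`
    UserID    string    `json:"user_id"`
    PatientID string    `json:"patient_id"`
    Purpose   string    `json:"purpose"`
}

type Alert struct {
    Rule   string
    UserID string
    At     time.Time
    Detail string
}

// Detect applies two assumed rules to JSON-lines audit output:
//   - bulk-access: one user touches >= threshold distinct patients within window
//   - missing-purpose: a PHI access logged without a purpose
func Detect(logLines string, window time.Duration, threshold int) ([]Alert, error) {
    var events []phiEvent
    sc := bufio.NewScanner(strings.NewReader(logLines))
    for sc.Scan() {
        line := strings.TrimSpace(sc.Text())
        if line == "" {
            continue
        }
        var ev phiEvent
        if err := json.Unmarshal([]byte(line), &ev); err != nil {
            return nil, fmt.Errorf("bad audit line %q: %w", line, err)
        }
        if ev.EventType == "PHI_ACCESS" {
            events = append(events, ev)
        }
    }
    sort.Slice(events, func(i, j int) bool { return events[i].Timestamp.Before(events[j].Timestamp) })

    var alerts []Alert
    recent := map[string][]phiEvent{} // per-user events still inside the window
    alerted := map[string]bool{}      // one bulk-access alert per user
    for _, ev := range events {
        if ev.Purpose == "" {
            alerts = append(alerts, Alert{Rule: "missing-purpose", UserID: ev.UserID, At: ev.Timestamp, Detail: ev.EventID})
        }
        win := append(recent[ev.UserID], ev)
        for len(win) > 0 && ev.Timestamp.Sub(win[0].Timestamp) > window {
            win = win[1:] // expire events older than the window
        }
        recent[ev.UserID] = win
        distinct := map[string]bool{}
        for _, w := range win {
            distinct[w.PatientID] = true
        }
        if len(distinct) >= threshold && !alerted[ev.UserID] {
            alerted[ev.UserID] = true
            alerts = append(alerts, Alert{Rule: "bulk-access", UserID: ev.UserID, At: ev.Timestamp,
                Detail: fmt.Sprintf("%d distinct patients within %s", len(distinct), window)})
        }
    }
    return alerts, nil
}

// SampleLog is constructed for this example; it is not real NornicDB output.
const SampleLog = `
{"event_id":"evt_001","timestamp":"2024-12-01T10:00:00Z","event_type":"PHI_ACCESS","user_id":"provider-123","patient_id":"patient-456","purpose":"treatment"}
{"event_id":"evt_002","timestamp":"2024-12-01T10:02:00Z","event_type":"PHI_ACCESS","user_id":"provider-123","patient_id":"patient-457","purpose":"treatment"}
{"event_id":"evt_003","timestamp":"2024-12-01T10:05:00Z","event_type":"PHI_ACCESS","user_id":"provider-123","patient_id":"patient-456","purpose":""}
{"event_id":"evt_004","timestamp":"2024-12-01T10:30:00Z","event_type":"LOGIN","user_id":"billing-777"}
{"event_id":"evt_005","timestamp":"2024-12-01T10:30:10Z","event_type":"PHI_ACCESS","user_id":"billing-777","patient_id":"patient-100","purpose":"payment"}
{"event_id":"evt_006","timestamp":"2024-12-01T10:31:00Z","event_type":"PHI_ACCESS","user_id":"billing-777","patient_id":"patient-101","purpose":"payment"}
{"event_id":"evt_007","timestamp":"2024-12-01T10:32:00Z","event_type":"PHI_ACCESS","user_id":"billing-777","patient_id":"patient-102","purpose":"payment"}
{"event_id":"evt_008","timestamp":"2024-12-01T10:33:00Z","event_type":"PHI_ACCESS","user_id":"billing-777","patient_id":"patient-103","purpose":"payment"}
{"event_id":"evt_009","timestamp":"2024-12-01T10:34:00Z","event_type":"PHI_ACCESS","user_id":"billing-777","patient_id":"patient-104","purpose":"payment"}
`

func main() {
    alerts, err := Detect(SampleLog, 10*time.Minute, 5)
    if err != nil {
        panic(err)
    }
    for _, a := range alerts {
        fmt.Printf("%s %-16s %s %s\n", a.At.Format(time.RFC3339), a.Rule, a.UserID, a.Detail)
    }
}
```

On the sample log this raises two alerts: provider-123's access without a purpose at 10:05, and billing-777 reaching five distinct patients by 10:34. Tune the threshold per role; a billing clerk working a queue legitimately touches many records, so the rule's value is in catching access that is unusual for that user, not in the absolute number.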
Generate a breach impact report for the affected window. Breach Notification Rule deadlines run from discovery of the breach, so record the incident identifier and the dates as soon as they are known:

```bash
# Generate breach impact report
nornicdb hipaa breach-report \
  --incident-id "INC-2024-001" \
  --start "2024-11-01" \
  --end "2024-11-15"
```

When deploying NornicDB, establish who carries the covered-entity or business-associate obligations:
- Self-Hosted: You are the covered entity
- Cloud-Hosted: Ensure BAA with cloud provider
- Managed Service: Require BAA from service provider

Technical controls:

- Enable TLS 1.2+ for all connections
- Enable encryption at rest (AES-256)
- Configure RBAC with minimum necessary
- Enable comprehensive audit logging
- Set up security alerting
- Configure session timeouts

Administrative controls:

- Document security policies
- Train workforce on PHI handling
- Establish incident response procedures
- Conduct risk assessments
- Maintain business associate agreements

Audit and documentation:

- Retain audit logs for 6+ years
- Review audit logs regularly
- Document access reviews
- Maintain activity reports
```yaml
# Baseline configuration for HIPAA deployments
encryption:
  enabled: true
  algorithm: AES-256-GCM
tls:
  enabled: true
  min_version: TLS1.2
auth:
  enabled: true
  session_timeout: 15m
  max_failed_attempts: 3
  lockout_duration: 30m
audit:
  enabled: true
  log_phi_access: true
  retention_days: 2555
  alert_on_failures: true
rbac:
  enabled: true
  default_role: none # No access by default
```

See also:

- Encryption - PHI encryption
- RBAC - Access control
- Audit Logging - Audit controls
- GDPR Compliance - EU requirements
- SOC2 Compliance - Service controls