HIPAA Compliant Serverless Web Applications
When building a HIPAA compliant application for our clients there are a few things we need to keep in mind at all times. Protecting customer data is pivotal to an application's success. Data has to be kept safe while it is stored in the database, while it is in transit to and from the UI, and while it is being handled in the UI itself.
Data At Rest
Perhaps the most important part of protecting customer data is protecting it while it is in storage. The customer's data needs to be stored encrypted, in a database set up to follow the HIPAA compliance requirements. Typically this is an expensive undertaking, requiring a database and devops team as well as all of the necessary infrastructure. To reduce the overall expense we can use a "serverless" setup.
HIPAA Compliant Database
Our preferred back end as a service (BaaS) provider, Supabase, offers a HIPAA compliant database tier. Using this tier lets us build high quality applications with the data security and protections Supabase provides, rather than operating and auditing that infrastructure ourselves. Note that the tier is only one part of compliance: HIPAA also requires a Business Associate Agreement (BAA) with the provider, and the application itself still has to be configured and operated in a HIPAA-appropriate way. By using this service we are able to reduce our reliance on dedicated database and devops staff and instead put our focus on solving our customers' needs.
Column Level Encryption
While the database tier is built for data of this sensitivity, we can still wrap more protection around the data. Encrypting data at the column level provides another layer of security: only the specific fields that need the most protection (for example identifiers such as a Social Security number) are encrypted, while low-sensitivity columns stay queryable in the clear.
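As an added example (not from the original article), here is one way to encrypt a single sensitive column in PostgreSQL using the pgcrypto extension. The table and column names, the `app.column_key` session setting, and the placeholder key value are illustrative; in practice the key is fetched from a secret manager by the application and passed in for the current transaction only, so it is never stored in the table.

```sql
-- Added example, not part of the original article.
-- Enable pgcrypto (available on Supabase and stock PostgreSQL).
create extension if not exists pgcrypto;

-- Illustrative table: one low-sensitivity column in the clear,
-- one high-sensitivity column stored as ciphertext (bytea).
create table patients (
  id           uuid primary key default gen_random_uuid(),
  owner_id     uuid not null,   -- end user this record belongs to
  display_name text not null,   -- low sensitivity, stored in the clear
  ssn_enc      bytea            -- high sensitivity, stored encrypted
);

-- Write path. The key is supplied for this transaction only via a
-- custom setting (is_local = true), so it is not persisted anywhere.
-- 'replace-with-key-from-secret-manager' is a placeholder, not a real key.
begin;
select set_config('app.column_key', 'replace-with-key-from-secret-manager', true);

insert into patients (owner_id, display_name, ssn_enc)
values (
  '00000000-0000-0000-0000-000000000001',   -- constructed sample user id
  'Jane Doe',
  pgp_sym_encrypt('123-45-6789', current_setting('app.column_key'))
);
commit;

-- Read path. Decryption only succeeds when the session has the key;
-- any other session sees ssn_enc as opaque bytes.
begin;
select set_config('app.column_key', 'replace-with-key-from-secret-manager', true);

select id,
       display_name,
       pgp_sym_decrypt(ssn_enc, current_setting('app.column_key')) as ssn
from patients;
commit;

-- Without the key, the column is just ciphertext:
select id, display_name, ssn_enc from patients;
```

Two caveats worth keeping in mind: the key must live outside the database (a plaintext key in a table or in a stored procedure defeats the purpose), and statements that carry the key can appear in PostgreSQL statement logs if logging is set to record full statement text, so log settings need to be reviewed as part of the same control.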
Row Level Security
The easiest way to make sure that data is secure is to turn off access to it for everyone, but that has the obvious downside of being somewhat useless. Instead we need to make sure that users are only ever able to see data they have permission to see. PostgreSQL provides this through row-level security (RLS). Once RLS is enabled on a table and policies are defined, a query against that table returns only the rows the current user is allowed to see. For instance, if a user requests all records from the users table, only their own user record is returned. Two things to check when relying on this: RLS is off by default and must be enabled on each table, and privileged roles (superusers, roles with BYPASSRLS, and on Supabase the service role key) bypass it, so those credentials must never be exposed to clients.
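As an added example (not from the original article), the following shows the row-level security setup described above on an illustrative `patient_records` table. It assumes Supabase's `auth.uid()` helper, which returns the id of the signed-in user, and Supabase's `authenticated` role; on plain PostgreSQL you would substitute your own function for identifying the current user.

```sql
-- Added example, not part of the original article.
-- Illustrative table: each row is owned by exactly one end user.
create table patient_records (
  id        uuid primary key default gen_random_uuid(),
  owner_id  uuid not null,   -- matches auth.uid() of the owning user
  notes     text
);

-- 1. RLS is OFF by default. Without this line every row is visible to
--    any role that has SELECT on the table.
alter table patient_records enable row level security;

-- Apply the policies to the table owner too, so no ordinary role bypasses them.
-- (Superusers and roles with BYPASSRLS still bypass RLS.)
alter table patient_records force row level security;

-- 2. With RLS enabled and no policies, every query returns nothing.
--    Grant back exactly what is allowed: users see and edit only their own rows.
create policy "own rows: select"
  on patient_records for select
  to authenticated
  using (owner_id = auth.uid());

create policy "own rows: insert"
  on patient_records for insert
  to authenticated
  with check (owner_id = auth.uid());

create policy "own rows: update"
  on patient_records for update
  to authenticated
  using (owner_id = auth.uid())
  with check (owner_id = auth.uid());

create policy "own rows: delete"
  on patient_records for delete
  to authenticated
  using (owner_id = auth.uid());

-- 3. Verification. Run as an authenticated user, this returns only rows whose
--    owner_id equals auth.uid(); a row inserted with someone else's owner_id
--    is rejected by the WITH CHECK clause.
select id, notes from patient_records;
```

The `using` clause filters rows the user may read or act on, while `with check` constrains the rows a user may write; specifying both on update prevents a user from reassigning a record to a different owner.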
Building on top of these layers, we are able to give our clients the knowledge and comfort that their data, and their customers' data, is safe and secure.