Cloud Healthcare with HIPAA Compliance By @Ariel_Dan | @CloudExpo [#Cloud]

Case Study | Orbograph: Cloud Healthcare with HIPAA Compliance and Safe Harbor

Orbograph is an innovative healthcare ISV that provides Healthcare Revenue Cycle Management (HRCM) solutions, online medical scheduling, PHR, and other services to hospitals and clinics.

  • The Leader: Ran Rothschild, Director of Operations
  • The Project: The company's next generation of products launched as a cloud service.

The Challenge
Orbograph was seeking to benefit from the advantages of cloud computing (elasticity, flexibility, cost-effectiveness) without compromising full compliance with HIPAA and the safe harbor for encrypted data, and without weakening the protection of its sensitive customer and corporate data.

The Goal
The company needed to protect the electronic Protected Health Information (e-PHI) that it creates, receives, maintains or transmits, across multiple servers in its cloud infrastructure, in a way that satisfies the HIPAA Security Rule and requires no dedicated hardware.

The Background
In migrating to the cloud, HIPAA compliance and safe harbor requirements were raised. Under the HIPAA Breach Notification Rule, PHI that has been encrypted in line with HHS guidance is not "unsecured PHI", so loss of such data does not trigger breach notification. Rothschild therefore identified data encryption as one of the key technologies that let an organization reach that safe harbor status, and he searched for a cloud encryption technology that met three fundamental requirements:

  • An "everything cloud" approach: no on-premises encryption gateways and no hardware security modules (HSM / CloudHSM) for holding encryption keys
  • Maintaining HIPAA compliance
  • Ensuring data security

The Solution
Rothschild and his team selected Porticor for its ability to offer strong security while maintaining HIPAA compliance. The Porticor solution was evaluated against the technical safeguards of the HIPAA Security Rule (45 CFR 164.312: access control, audit controls, integrity, person or entity authentication, and transmission security). To obtain cloud encryption and key management without deploying any hardware, Porticor's split-key encryption and homomorphic key management were used.

Split-key encryption splits each encryption key into two parts. The first part is common to all data objects in the application; it remains in the sole possession of Orbograph and is unknown to Porticor and to the cloud provider. The second part is different for each data object and is stored by the Porticor Key Management Service. Neither part is useful on its own. Every time the application accesses the data store, a Porticor Virtual Appliance running in Orbograph's cloud account combines both parts to encrypt and decrypt data on the fly.

Orbograph's half of the key (the "Master Key" in Porticor terminology) is homomorphically encrypted before it reaches the virtual appliance, so the appliance can apply it without the master key ever appearing in plaintext in the cloud, even while it is in use.

The combination of these two technologies mitigates the threat of key theft both in storage and in use: a stolen key-management record yields only the per-object half, and the master key is not exposed in plaintext on the appliance. The data itself, however, must be in plaintext while the appliance serves it to the database servers, so the protection is against theft of stored or transmitted key material rather than against an attacker who already controls the running appliance.
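The following program is an added example, not Porticor's code, that models the split-key part of the scheme above in Go: one master key held by the customer, one per-object key part held by the key service, and a data key derived from both that encrypts the object with AES-256-GCM. The combination function (HMAC-SHA256 keyed by the master key, with the object ID mixed in) is an assumption, as are the sample record and object IDs; the homomorphic protection of the master key is not modelled, so here the combined key exists in plaintext in the process, which is exactly the exposure that protection is meant to remove.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// keySize is 32 bytes: AES-256, the algorithm named in the results section.
const keySize = 32

// newKeyPart returns a fresh random 32-byte key part. It is used both for the
// customer-held master key and for each per-object part held by the key service.
func newKeyPart() ([]byte, error) {
	k := make([]byte, keySize)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	return k, nil
}

// deriveDataKey combines the customer's master key (common to all objects)
// with the per-object part (stored by the key service) into the AES key that
// actually encrypts the object. HMAC-SHA256 keyed by the master key is an
// assumed combination function; the page does not describe Porticor's own.
// The object ID is mixed in so that a key-service record for one object
// cannot be replayed to unlock another.
func deriveDataKey(masterKey, objectKeyPart []byte, objectID string) []byte {
	mac := hmac.New(sha256.New, masterKey)
	mac.Write(objectKeyPart)
	mac.Write([]byte(objectID))
	return mac.Sum(nil) // 32 bytes, usable directly as an AES-256 key
}

// newGCM builds an AES-256-GCM AEAD for a derived data key.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encryptObject seals plaintext under the derived key, binding the object ID
// as associated data. Output layout: nonce || ciphertext || GCM tag.
func encryptObject(masterKey, objectKeyPart []byte, objectID string, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(deriveDataKey(masterKey, objectKeyPart, objectID))
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(objectID)), nil
}

// decryptObject reverses encryptObject. It fails with an authentication error
// if either key half, the object ID or the ciphertext is wrong.
func decryptObject(masterKey, objectKeyPart []byte, objectID string, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(deriveDataKey(masterKey, objectKeyPart, objectID))
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed object too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(objectID))
}

func main() {
	// Constructed sample: the customer's master key and one object's key-service part.
	master, _ := newKeyPart()
	part, _ := newKeyPart()
	record := []byte("constructed sample e-PHI record: patient 0001, visit 2014-03-02")

	sealed, err := encryptObject(master, part, "visit/0001", record)
	if err != nil {
		panic(err)
	}
	// Both halves present: the record comes back.
	plain, err := decryptObject(master, part, "visit/0001", sealed)
	fmt.Printf("both halves: %q err=%v\n", plain, err)
	// Key-service half only (master unknown): authentication fails.
	_, err = decryptObject(make([]byte, keySize), part, "visit/0001", sealed)
	fmt.Println("key-service half only:", err)
	// Customer half only (object part unknown): authentication fails.
	_, err = decryptObject(master, make([]byte, keySize), "visit/0001", sealed)
	fmt.Println("master half only:", err)
}
```

Because the object ID is fed into both the key derivation and the GCM associated data, a stolen key-service record for one object cannot be presented as the record for another, and any tampering with the stored ciphertext is detected at decryption rather than silently producing garbage.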

A Porticor Virtual Appliance was deployed in each availability zone, in high-availability mode. Multiple encrypted virtual disks were created, exported as iSCSI targets and mounted on the database servers.

According to Rothschild, the Porticor implementation and encrypted disks implementation took less than 30 minutes, and the overall project took just a few hours to deploy.

The Results

  • e-PHI was encrypted at rest and in transit using strong algorithms such as AES-256; encryption is an addressable implementation specification of the HIPAA Security Rule and the basis of the breach-notification safe harbor
  • No hardware (or cloud) HSM was used
  • HIPAA compliance and the safe harbor were achieved in the cloud
  • Additional databases and file server data can easily be secured as the project progresses
  • No complete encryption key is ever visible to the cloud provider or to Porticor; each holds at most one half
  • Homomorphic key management ensures Orbograph's master key is always encrypted
  • The Porticor solution is easy to use, flexible, and cost-effective.

The Next Steps
Orbograph expects a gradual migration to MongoDB in the near future. Porticor will encrypt the MongoDB data by installing a Porticor encryption agent directly on the MongoDB server. In addition, Orbograph is considering application-level encryption using Porticor's RESTful encryption and key management API.

Additional Resources

  1. The Porticor HIPAA compliance
  2. Understanding Porticor's technology
  3. Introduction to Porticor - a 90 second video

Ariel Dan is co-founder and Executive Vice President at Porticor cloud security. Follow him on twitter: @ariel_dan
