Sql-server – Should I encrypt OS disk with BitLocker for HIPAA compliance

Disclaimer: I am not a lawyer.

First, some required reading:

Microsoft Azure Trust Center

HIPAA Business Associate Agreement (BAA)

HIPAA and the HITECH Act are United States laws that apply to healthcare entities with access to patient information (called Protected Health Information, or PHI). In many circumstances, for a covered healthcare company to use a cloud service like Azure, the service provider must agree in a written agreement to adhere to certain security and privacy provisions set forth in HIPAA and the HITECH Act. To help customers comply with HIPAA and the HITECH Act, Microsoft offers a BAA to customers as a contract addendum.

Microsoft currently offers the BAA to customers who have a Volume Licensing / Enterprise Agreement (EA), or an Azure only EA enrollment in place with Microsoft for in-scope services. The Azure only EA does not depend on seat size, rather on an annual monetary commitment to Azure that allows a customer to obtain a discount over pay as you go pricing.

Prior to signing the BAA, customers should read the Azure HIPAA Implementation Guidance. This document was developed to assist customers who are interested in HIPAA and the HITECH Act to understand the relevant capabilities of Azure. The intended audience includes privacy officers, security officers, compliance officers, and others in customer organizations responsible for HIPAA and HITECH Act implementation and compliance. The document covers some of the best practices for building HIPAA compliant applications, and details Azure provisions for handling security breaches. While Azure includes features to help enable customer's privacy and security compliance, customers are responsible for ensuring their particular use of Azure complies with HIPAA, the HITECH Act, and other applicable laws and regulations, and should consult with their own legal counsel.

Customers should contact their Microsoft account representative to sign the agreement.

You might be required to sign a BAA with your cloud provider (Azure.) Ask your compliance representative(s).

Here is the Azure HIPAA Implementation Guidance.

It is possible to use Azure in a way that complies with HIPAA and HITECH Act requirements.

Azure VMs, and Azure SQL, and SQL Server instances running within Azure VMs, are all in scope and supported here.

Bitlocker is sufficient for encryption of data at rest. It uses AES encryption in a way that satisfies HIPAA requirements (as well as the requirements of other similar organizations) for encryption of data at rest.

Furthermore, SQL Server will not store unencrypted, sensitive data on the OS drive unless you configure SQL to do so... like for instance configuring TempDB to live on the OS drive or something.

Encryption of cells/fields/columns within individual databases isn't strictly required assuming you have already satisfied requirements for encryption of data at rest in other ways, e.g. TDE or Bitlocker.

How you choose to manage the Bitlocker encryption key may come up, since it will not live inside a TPM chip or on a removable USB drive since you don't have access to the physical machine. (Consider having a sysadmin manually enter a password to unlock the data drive every time the server reboots.) This is sort of the main draw to services such as CloudLink, as they manage that sacred encryption key for you.