
Custom Development for Data Privacy and Security Companies

Portfolio

Cloud Analytics Modernization on AWS for Health Data Analytics Company
Belitsoft designed a cloud-native web application for our client, a US healthcare solutions provider, using AWS. Previously, the company relied solely on desktop-based and on-premise software for its internal operations. To address the challenge of real-time automated scaling, we embraced a serverless architecture, using AWS Lambda.
Offshore Dedicated Team of 100 QA Testers and Developers at 40% Lower Cost
Our client is a high-tech company. They’ve grown into a leading global provider of innovative network intelligence and security solutions (both software and hardware). Among their clients, there are over 500 mobile, fixed, and cloud service providers and over 1000 enterprises.
100+ API Integrations for Data Security Management Company
Our client, a US data management company that sells software for managing sensitive and private data in compliance with regulatory laws, needed skilled developers to build API integrations with its custom software.

Recommended posts

Belitsoft Blog for Entrepreneurs
These 7 Steps Will Help Prepare Your Software for GDPR
Protect your users' data and ensure GDPR compliance with this checklist. If you need help implementing these measures, let us know.

What is GDPR? Who needs to prepare for GDPR?

The acronym stands for General Data Protection Regulation. It is a legal document detailing the rules pertaining to personal information collection and processing. In contrast to the recommendation-like 1995 Data Protection Directive, GDPR is a binding legislative act. According to the full text of GDPR, any organization which gathers or processes EU citizens' personal data is subject to the regulation. Moreover, all your contractors (including software development companies) need to adhere to the standard for your app to be GDPR-compliant. Experts at Gartner think that the authorities will start enforcing the legislation right after it comes into effect, so the sooner you are ready, the better. The regulation and its accompanying documents are massive in scope and size (260 pages), but there are things you can do to make your product fit its requirements.

1. Get informed consent

Description: The GDPR states that businesses now have to ask users to agree to the collection and processing of their personal information. The request "must be given in an intelligible and easily accessible form, with the purpose for data processing attached to that consent". Your application has to describe what information will be handled, why and where. Silence or doing nothing doesn't equal consent: the user has to take an action (like ticking a checkbox). A timely notification with a clear description and an option for the user to accept or decline will do the job. Moreover, if you already have a user base, you might need to have them "repermission" your app, in case the consent they gave earlier falls short of what GDPR requires. The user must take an action to confirm consent to the processing of their personal information (e.g. click the "I agree" form). Withdrawing consent should be just as easy.
No expression of consent is needed if you ask for information which is absolutely necessary to do your part of the agreement (e.g. full name and address for an online shop). If you want to use the client's data for extra purposes (behavior analysis, advertising etc.), you have to ask for consent.

Tech. Solution: Include the consent withdrawal option in the user's profile. The text of the consent request must be clear and unambiguous. An "I agree" tickbox will be enough, but the user must take an action to clearly express their will.

2. Data Minimization

Description: Store only the data that is necessary, and delete it when it is not needed anymore. Make sure that you are collecting only the information you can't do without. And, if possible, implement automatic deletion of the data you no longer need. This will both protect your users' privacy (giving you another selling point) and help you avoid lots of trouble in case of a data breach: informing the authorities and the owners of affected accounts, as well as paying a huge fine for ignoring data minimization rules.

"Where there is a reason to process the data, there is no problem. Where the reason ends, the processing should, too." Bart Willemsen, research director at Gartner

Solution: There are three main types of collected information:
- The necessary minimum data to do business (e.g. an online shop needs only the name and address of a person to deliver their goods);
- Extra data (sex, age, marital status) which isn't directly involved in the company's service requires extra consent or a justification in the public offer of your business;
- Sensitive personal data, which is often used for profiling (sexual orientation, political and religious views, race, ethnicity etc.), requires another expression of consent.

3. Personal data encryption

Description: Encryption adds an extra layer of security the hacker must defeat before they can access the information.
The GDPR Article 32 requires that personal data is protected by "state-of-the-art" measures. However, the exact nature of those measures is left for the companies to decide. As Belitsoft has quite a bit of experience in building HIPAA-compliant medical apps, which have similar technical requirements, there are a few options we can recommend. It goes without saying that the personal data must be encrypted. The Ashley Madison hack showed that the company had stored users' addresses and credit card details in plain text, leading to multimillion-dollar lawsuits. If GDPR had been in effect back then, the company would also have received a huge fine.

Tech. Solution: There are three main ways to approach the creation of a GDPR-compliant database.
- The first is developing your own custom server with a centralized database. It will be able to provide the necessary level of security and saves you money in the long run, although you will need to make a certain investment up front. However, it will require careful optimization, as encrypting and decrypting information might be resource-intensive.
- The second option is turning to a third-party GDPR-compliant server with a centralized DB. It is a much quicker solution, as all the technical issues have already been solved by the provider. It is also cheaper in the short term (the associated development costs are relatively minor) but will cost more in the long run.
- The third option is using blockchain technology and building a custom server with a decentralized database. It is secure by design and will be considered a sufficient measure of protection. It is also a cost-effective long-term solution.

Need a team of experts to build your GDPR-compliant application? Contact us and get a free quote on your project!

4. Implement "privacy by design" and "privacy by default"

The concept of "privacy by design" is somewhat vague, but boils down to making sure privacy is taken care of at every stage of the product's lifecycle. Implementing this idea is a much larger undertaking, which may even lead you to rewrite your app from scratch. To start, you need to conduct a Privacy Impact Assessment to determine which functionality you need to implement or modify. After the results are in, it is a matter of using them to design the application in a way that keeps personal information safe.

"Many of the companies who we're talking to… they're going to want to trade with Europe too, and therefore it's very important that they buy a platform that is going to be compliant with those regulations." Paul Clarke (CTO at Ocado) on GDPR

4.1 Two-Factor Authentication
Description: TFA protects from online fraud and identity theft.
Tech. Solution: Integrate with Google Authenticator or a similar service (available for iOS and Android).

4.2 Blocking brute force attacks
Description: If a hacker intends to use automated login/password guessing, these measures can stop them. (More about Brute Force Attack)
Tech. Solution:
- Use Google Authenticator, which changes the access code every few seconds.
- Block the account for several minutes after three failed login attempts.
- Ask users to pass a CAPTCHA test after a certain number of failed logins.

4.3 Automatic Log-Off
Description: This feature helps prevent unauthorized access to and modification of data.

4.4 Separate domain names for Customer and Admin portals
Description: Separating the portals helps protect the information and allows securing the admin section without hampering users.

4.5 HTTP Authentication for Web Admin Panel
Description: Common CMSs have common vulnerabilities. This feature adds another layer of protection against them.
Tech. Solution: HTTP Authentication

4.6 SSL Certificate
Description: SSL certificates protect the information transfer between the app server and the database, or between the user and your service.
Tech. Solution: SSL Certificate

4.7 Locking Unused Database Ports
Description: New servers are shipped with all the ports open. Lock the unneeded ones so they can't be used for intrusion.

4.8 Database can be accessed only from the API server IP
Description: Allowing only one IP address will prevent unauthorised access and make it easier to locate a data breach. Cloud firewalls can help with that.
Tech. Solution: Cloud Firewalls

4.9 Database connects to the API server via HTTPS
Description: Encryption helps protect the information while it is in transit.

4.10 Server is accessed via VPN
Description: A VPN adds another layer of security to the data on the server.

4.11 Regular Database backup
Description: Back up the information in the DB and store it on an external cloud service. In the event of a data breach, it will help to minimize losses.
Tech. Solution: Block Storage

4.12 Regular Server Log Backup
Description: All the server logs should be kept and stored externally. This helps locate inconsistencies in case of hacker attacks.
Tech. Solution: Block Storage

4.13 Adjust Inotify
Description: Set up triggers and notifications to detect intrusion quickly.
Tech. Solution: Inotify

4.14 Log all the Server Actions
Description: Logs allow you to find out which data was modified.

"Privacy by default"
"Privacy by default" essentially means that if there are privacy settings in your product, they must be set to maximum at the start. Feel free to include an option to downscale the protection, should someone wish it. But your app cannot make a new user do something to get the highest level of privacy. The privacy-by-default options in the app should be set to maximum protection when a user first registers or installs the app.
Tech. Solution: The "Restrict private data usage" checkbox should be selected by default.
The solution should pass "Data Protection Impact Assessments" (DPIA). (See: Seven Stages of DPIA)

Pseudonymization
Pseudonymization means storing information which can identify a person (e.g. social security number) and the related data (gender, age, location etc.) separately.
Tech. Solution:
- The system shouldn't collect data which would allow matching a user profile with a real person without the user's consent;
- Private data should be stored on a separate server with an encrypted database;
- Application APIs should be covered by automated tests to prevent personal data leaks.

5. Prepare for the users exercising their rights

The new European regulation has given people extra rights that companies must grant:
- Right to be forgotten;
- Right to object;
- Right to rectification;
- Right to access;
- Right to portability.
This calls for an update to your privacy policy, as well as the public offer of your product. In addition, giving every user an option to request correction, transfer or deletion of their data (even through a simple contact form) will be a must.

5.1 Right to be Forgotten
Description: Users can ask the company to delete all of their personal data if at least one of the following is true:
- Personal data is no longer needed for the stated purposes of processing;
- The person has withdrawn their consent and there is no other basis for the processing;
- Personal data has been acquired or processed illegally.
Tech. Solution: Manual removal of user data from private storage after receiving a request from the user (for example by mail).

5.2 Right to Object
Description: Users can object to the use of their personal data for direct marketing purposes, including profiling. The company must clearly inform the user about this right at the first contact and stop processing this user's data after receiving an objection.
Tech. Solution: A "Restrict private data usage" checkbox should be introduced to the user profile.
5.3 Right to Rectification
Description: If their stored personal data is wrong, the user has the right to request its correction. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
Tech. Solution: Manual editing of data in private storage after receiving a request from the user (for example by mail).

5.4 Right of Access
Description: Users have a right to know what information is stored.
Tech. Solution: This information should be presented to the user before registering in the system.

5.5 Right of Portability
Description: A user can ask to receive their personal data in a convenient format and request the transfer of their data to another company (if technically feasible).
Tech. Solution: Implement the following:
- Automatic report generation to present private data in a convenient form;
- Manual removal of user data from private storage.

6. Document everything

The regulation requires companies to not only implement additional data protection measures but also document them, to be able to prove that they've taken the necessary steps. Otherwise, the official audit will find that the company is non-compliant and, you've guessed it, it must pay a fine. That is why it is important to properly prepare security policies, data protection impact assessments, a personal data registry and other relevant documents. See the complete list of things to describe on the Information Commissioner's Office website. The task of mapping out the information processing and putting it on paper usually falls to the Data Protection Officer (it's likely you'll need one). If you don't have such a specialist on staff, you might also be breaking the law and putting your business at risk.

7. Plan for contingencies

No matter how well you are defended at the moment, it pays to be prepared for personal data breaches. In most cases, you'll need to notify the Information Commissioner's Office (ICO) within 72 hours of detecting a breach. If you opt not to, you must have a valid (and properly documented) reason for it. And if there is a "high risk to the rights and freedoms of individuals", you need to inform your users as well. The notification for users must be written in clear and plain language and include the following:
- Name and contacts of your DPO (or another contact point, if you don't have a Data Protection Officer);
- Description of the likely consequences of the data breach (costs, reputation damage and so forth);
- Measures you've taken or intend to take to mitigate the information leak.
If you fail to notify the ICO when necessary, the maximum fine might reach EUR 10M or 2% of annual global turnover. Note that this might stack with other fines, so having a reporting procedure in place is important.
Tech. Solution: Prepare a mass mailing plan for this contingency.
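The pseudonymization layout from step 4 and the consent, data minimization and data-subject-rights mechanics from steps 1, 2 and 5 fit together in one small model, shown here as an added Python example (not Belitsoft's code): identifying fields and related data sit in two stores linked only by a random pseudonym, consent is only ever an explicit opt-in, withdrawal triggers deletion of data that had no other purpose, and erasure is refused while a contractual basis (an open order) still exists. The purpose names, field names and sample record are assumptions made for the example.

```python
import json
import secrets
from datetime import datetime, timezone

# Purposes covered by the contract itself need no consent; extra purposes need an
# explicit opt-in. Purpose and field names are this example's own assumptions.
CONTRACT_PURPOSES = {"order_fulfilment"}
EXTRA_PURPOSES = {"behavior_analysis", "advertising"}
IDENTITY_FIELDS = {"full_name", "address", "email"}   # data that identifies a person
ERASURE_GROUNDS = {"purpose_ended", "consent_withdrawn", "unlawful_processing"}


class PseudonymizedStore:
    """Identifying data and related data live in two stores linked only by a
    random pseudonym; every data-subject-rights operation works on that link."""

    def __init__(self):
        self.identity_store = {}  # pseudonym -> identifying fields (separate, encrypted server)
        self.data_store = {}      # pseudonym -> related data (age, location, orders, ...)
        self.consents = {}        # pseudonym -> {extra purpose: True/False}
        self.audit_log = []       # (timestamp, pseudonym, action); never holds identity fields

    def _log(self, pseudonym, action):
        self.audit_log.append((datetime.now(timezone.utc).isoformat(), pseudonym, action))

    def register(self, record, consents):
        """Split one record across the stores. Consent counts only when it was
        explicitly given (True); a missing or unticked purpose is declined."""
        pseudonym = secrets.token_hex(16)
        self.identity_store[pseudonym] = {k: v for k, v in record.items() if k in IDENTITY_FIELDS}
        self.data_store[pseudonym] = {k: v for k, v in record.items() if k not in IDENTITY_FIELDS}
        self.consents[pseudonym] = {p: consents.get(p) is True for p in EXTRA_PURPOSES}
        self._log(pseudonym, "register")
        return pseudonym

    def may_process(self, pseudonym, purpose):
        """Contract purposes are allowed while the record exists; extra purposes
        only with a recorded opt-in."""
        if purpose in CONTRACT_PURPOSES:
            return pseudonym in self.identity_store
        return self.consents.get(pseudonym, {}).get(purpose, False)

    def withdraw_consent(self, pseudonym, purpose):
        """Withdrawal is a single call. Once no extra purpose remains, the data
        that served only those purposes is deleted (data minimization)."""
        self.consents[pseudonym][purpose] = False
        if not any(self.consents[pseudonym].values()):
            self.data_store[pseudonym].pop("profiling_attributes", None)
        self._log(pseudonym, "withdraw:" + purpose)

    def rectify(self, pseudonym, field, value):
        """Right to rectification: correct one field in whichever store holds it."""
        store = self.identity_store if field in IDENTITY_FIELDS else self.data_store
        if field not in store[pseudonym]:
            raise KeyError(field)
        store[pseudonym][field] = value
        self._log(pseudonym, "rectify:" + field)

    def export_portable(self, pseudonym):
        """Right of access / portability: one machine-readable JSON report."""
        self._log(pseudonym, "export")
        return json.dumps({"identity": self.identity_store[pseudonym],
                           "data": self.data_store[pseudonym],
                           "consents": self.consents[pseudonym]}, sort_keys=True)

    def erase(self, pseudonym, ground):
        """Right to be forgotten. Withdrawn consent alone is not a valid ground
        while a contractual basis (an open order) still exists; returns False then."""
        if ground not in ERASURE_GROUNDS:
            raise ValueError("unknown erasure ground: " + ground)
        if ground == "consent_withdrawn" and self.data_store[pseudonym].get("open_orders", 0) > 0:
            return False
        for store in (self.identity_store, self.data_store, self.consents):
            store.pop(pseudonym, None)
        self._log(pseudonym, "erase:" + ground)
        return True


# Constructed sample record (not real data) used for a stand-alone run.
SAMPLE_RECORD = {
    "full_name": "Ada Example", "address": "1 Sample St", "email": "ada@example.invalid",
    "age": 34, "location": "Berlin", "open_orders": 1,
    "profiling_attributes": {"interests": ["cycling"]},
}


def demo():
    store = PseudonymizedStore()
    p = store.register(SAMPLE_RECORD, consents={"advertising": True})  # behavior_analysis unticked
    store.withdraw_consent(p, "advertising")
    first_try = store.erase(p, "consent_withdrawn")   # refused: an open order remains
    store.rectify(p, "open_orders", 0)
    second_try = store.erase(p, "purpose_ended")      # accepted: no basis left
    return first_try, second_try, store
```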
Dzmitry Garbar • 8 min read
HIPAA Compliance Software Checklist
Belitsoft specializes in delivering easy-to-manage HIPAA-compliant solutions and technology services for medical practices of all sizes. Contact us if you would like to get a HIPAA risk assessment and analysis.

According to HHS, business associates are directly liable for violating the HIPAA Security Rule and Breach Notification Rule, as well as certain provisions of the Privacy Rule. If an implementation specification is described as "required", it must be fulfilled. Addressable stipulations must be implemented if it is reasonable and appropriate to do so, and the choice must be documented. Business associates may use any technology solution to align with HIPAA requirements. Having analyzed our experience in healthcare development, we recommend the most suitable technical solutions to comply with HIPAA requirements.

Access Control

Access Control (required). Enable authorized users to access the minimum necessary information needed to perform job functions.

Unique User Identification (required). Assign unique IDs for indicating and tracking user identity.
Tech.Solution: Use the employee name or a variation of it (e.g. jsmith), or a set of random numbers and characters (more difficult for an unauthorized user to guess, but possibly also more difficult for authorized users to remember and for management to recognize).

Emergency Access Procedure (required). Provide access to necessary ePHI during emergency conditions (when normal environmental systems, such as electrical power, have been damaged due to a natural or man-made disaster).
Tech.Solution: If the organization utilizes a cloud-based EHR, the disaster recovery plan addresses disruptions in access to an ISP or cloud-based EHR vendor to ensure the availability of the EHR for both treatment and billing services.

Automatic Logoff (A). Apply procedures that terminate an electronic session after a predefined period of inactivity.
Tech.Solution: Set a 10-minute period of inactivity after which the system will automatically be locked. If the device is in a high-traffic area, establish a timeout of 2 to 3 minutes. Equipment used in protected areas with controlled, limited access, such as a lab or an isolated office, could have longer timeout periods. Activate an operating system screensaver that is password protected after a period of system inactivity.

Encryption and Decryption (A). All collected and stored ePHI should be encrypted, and decrypted only by a person with the appropriate keys.
Tech.Solution: Store the sensitive data in a secure environment with proper physical and network security. Choose file/folder-level encryption and full-disk encryption for storing confidential info on mobile devices. Do not store the password to the PGP or S/MIME key in your system. Ask your system's visitors to enter the password, and use cookies to carry the password from page to page. If you store ePHI in a MySQL database, ensure that the password to that database is not stored in your system. Encrypt the data before saving it in the database for an extra layer of security.

Audit Controls. Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI.

Integrity. Protect ePHI from improper alteration or destruction in an unauthorized manner by both technical and non-technical parties. Workforce members may make incidental changes that improperly alter or destroy ePHI. Data can also be compromised without human intervention, for example through electronic media errors or failures.

Mechanism to Authenticate Electronic Protected Health Information (A). Implement electronic mechanisms to protect ePHI from alteration or destruction by a virus or other malicious code.
Tech.Solution: Back up the information in the DB and store it on an external cloud service. Block Storage

Person or Entity Authentication

Person or Entity Authentication. Verify that a person or entity seeking access to ePHI is who they claim to be.
Tech.Solution:
- Require something known only to that individual, such as a password or PIN. The password should be as long as possible (between six and 10+ characters), including a combination of numbers, special characters, and a mixture of upper and lower case letters. It should be changed at least every six months or whenever the password becomes known to another person, and current or previous passwords should not be reused. It is possible to implement functionality that controls password expiration: this logic prevents users from logging in with an expired password and forces them to change it.
- Require the use of a physical device such as a token, or a telephone callback function.
- Require something unique to the individual, such as a biometric (e.g. fingerprints, voice patterns, facial patterns or iris patterns).
- Use two-factor authentication: by SMS/push notification, a person using a username and password to log into a database also has to enter a PIN code to confirm their identity; or request a fingerprint scan (biometric) followed by entering a password. Integrate with Google Authenticator or a similar service (available for iOS and Android).

Transmission Security

Transmission Security. Prevent unauthorized access to ePHI that is being transmitted over an electronic communications network.

Integrity Controls (A). Ensure that ePHI is not improperly modified during transmission (this applies to all individual health information that is maintained or transmitted).
Tech.Solution: Use secure network communication protocols. Secure your web solution with SSL, PGP or AES encryption (SSL Certificates). Do not use FTP to transfer patient data to/from payers and other medical organizations. Choose SFTP instead.

Encryption (A). Communication containing PHI (either in the body or as an attachment) that goes beyond an internal firewalled server should be encrypted. It should also be considered that emails containing PHI are part of a patient's medical record and should, therefore, be encrypted and backed up. This applies to any form of electronic communication: email, SMS, instant message, etc. The encryption requirements apply to every part of the IT system, including servers like Amazon Cloud, Microsoft Azure or Atlantic.net.
Tech.Solution: NIST recommends the use of Advanced Encryption Standard (AES) 128, 192 or 256-bit encryption, OpenPGP, and S/MIME.

Physical Safeguards

Facility Access Controls

Facility Access Controls. Limit physical access to the electronic information system, while ensuring that properly authorized access is allowed.

Contingency operations (A). Allow facility access to the physical office and stored data even during an emergency.

Facility Security Plan (A). Define and document the use of physical access control to protect equipment that stores ePHI from unauthorized access and theft.

Access Control and Validation Procedures (A). Control and validate a person's access to facilities based on their role or function, including visitor control, and control of access to software programs for testing and revision.
Tech.Solution: Log all the server actions.

Maintenance Records (A). Document repairs and modifications to the physical components of a facility which are related to security (for example, hardware, walls, doors, and locks).
Tech.Solution: In a small office, documentation may simply be a logbook that notes the date, the reason for the repair or modification and who authorized it. In a large organization, the various repairs and modifications of physical security components may need to be documented in more detail and maintained in a database.

Workstation Use

Workstation Use. Restrict the use of workstations that have access to ePHI.
Specify the protective surroundings of a workstation. Regulate how functions are to be performed on the workstations that can access ePHI.
Tech.Solution: Automatic logoff. Use and continually update antivirus software. Configure web filtering.

Device and Media Controls

Device and Media Controls. Manage how ePHI is transferred, removed or disposed of from mobile devices if the user leaves the organization or the gadget is re-used, sold, etc.

Disposal (required). The data can be permanently disposed of when needed. Yet, you will have to consider all the places where data can be archived, and you will need to ensure that all of those backups will expire and disappear.
Tech.Solution: Block Storage

Media Re-use (required). Remove ePHI from electronic media before the media are made available for reuse.
Tech.Solution: Manual removal of patient data from electronic storage media, including memory devices in computers (hard drives) and any removable/transportable digital memory media, such as backup tapes, optical disks, or smart cards.

Accountability (A). Maintain a record of the movements of hardware and electronic media and of any person responsible for them.

Data Backup and Storage (A). The HIPAA Rules do not dictate where ePHI may or may not be maintained. Thus, BAs are not prohibited from storing PHI outside of the United States (though there are other laws that may restrict the practice of storing PHI offshore; for example, some state Medicaid programs prohibit the offshoring of Medicaid data). ePHI that is collected, stored and used within your solution has to be backed up. The reserve copy should be stored in a secure environment and, according to best practice, there should be several backups stored in different locations. Also, the copy should be readily retrievable if the hardware or electronic media is damaged.
Tech.Solution: Automatic data backup. Email archiving.

Workstation Security

Workstation Security. Implement physical safeguards for all workstations that access ePHI, to restrict access to authorized users.

Administrative Safeguards

Administrative Safeguards. Administrative safeguards fall outside the realm of software development; however, they are mandatory guidelines for any business that works with health information. Administrative security tasks involve:
- Appoint security officers who will regularly perform the risk assessment.
- Introduce risk management policies and procedures.
- Train employees on identifying potential cyber attacks and document all training.
- Restrict third-party access to ePHI.
- Develop a contingency plan to protect the integrity of ePHI; consider data backups and procedures to restore lost data in case of emergency.

HIPAA Privacy Rules

HIPAA Privacy Rules. HIPAA Privacy Rules refer to the use and disclosure of PHI and apply to any healthcare organization and its business associates. According to the rules, a BA may not use, access, or disclose PHI without the patient's consent, except for purposes of treatment, payment or certain health care operations, and certain public safety and government functions, including: reporting of abuse and neglect, responding to government investigations, or disclosures to avoid a serious and imminent threat to the individual. However, before making disclosures for such purposes, the BA should consult with the CE.
Tech.Solution: The app shall have a section (tab, button or equivalent) or active link to its Privacy Policy, and the owner represents that commercially reasonable efforts are used to notify users of any material changes to its Privacy Policy. Limited data set.

HIPAA Breach Notification Rules

HIPAA Breach Notification Rules. Require BAs to promptly notify the Department of Health and Human Services of small security breaches within 60 days after the breach is discovered. Larger breaches (affecting 500+ patients) must also be reported to the media. Plus, BAs must notify their CE, which in turn must notify the individuals. Breach notifications should include the following information:
- The nature of the ePHI involved, including the types of personal identifiers exposed.
- The unauthorized person who used the ePHI or to whom the disclosure was made (if known).
- Whether the ePHI was actually acquired or viewed (if known).
- The extent to which the risk of damage has been mitigated.
In all cases, patients must be notified and informed of steps they can take to mitigate potential damage.
Tech.Solution: Prepare a mass mailing plan for this contingency.

Maintain Required Documentation

Maintain Required Documentation. Maintain the documents required by the Security Rule for six years from the document's last effective date. Ensure that you have written training standards as well as written penalties that employees are informed of in the case of a violation.
Dzmitry Garbar • 7 min read
HIPAA-Compliant Database
What is a HIPAA-compliant Database?

A database is an organized collection of structured information controlled by a database management system. To be HIPAA-compliant, the database must follow the administrative, physical, and technical safeguards of the HIPAA Security Rule. Often it means limiting access to PHI, as well as safely processing, transmitting, receiving, and encrypting data, plus having a proactive breach mitigation strategy.

(Administrative, physical, and technical safeguards of the HIPAA Security Rule)

HIPAA Rules for Database Security

If your database contains even a part of PHI, it is covered by the HIPAA Act of 1996 and can attract the attention of auditors. PHI is information containing any identifiers that link an individual to their health status, the healthcare services they have received, or their payment for healthcare services. The HIPAA Security Rule (a part of the HIPAA Act) specifically focuses on protecting electronic PHI. Technical safeguards (a part of the HIPAA Security Rule) contain the requirements for creating a HIPAA-compliant database. The Centers for Medicare & Medicaid Services (CMS) cover HIPAA Technical Safeguards for database security in their guidance.

The first question that can arise is whether you should use any specific database management system to address the requirements. The answer is absolutely no. The Security Rule is based on the concept of technology neutrality; therefore, no specific requirements for types of technology are identified. Businesses can determine for themselves which technologies are reasonable and appropriate to use. There are many technical security tools, products, and solutions that a company may select. However, the guidance warns that although some solutions may be costly, cost cannot be the reason for not implementing security measures.

"Required" (R) specifications are mandatory measures. "Addressable" (A) specifications may not be implemented if neither the standard measure nor any reasonable alternative is deemed appropriate (this decision must be well documented and justified based on the risk assessment). Here are the mandatory and addressable requirements for a HIPAA-compliant database.

Mandatory HIPAA Database Security Requirements

HIPAA-Compliant Database Access Control
- Database authentication. Verify that a person looking for access to ePHI is the one claimed.
- Database authorization. Restrict access to PHI according to different roles, ensuring that no data or information is made available or disclosed to unauthorized persons.

Encrypted PHI
PHI must be encrypted both when it is being stored and during transit, to ensure that a malicious party cannot access the information directly.

Unique User IDs
You need to distinguish one individual user from another, together with the ability to trace the activities performed by each individual within the ePHI database.

Database security logging and monitoring
All usage queries and access to PHI must be logged and saved in a separate infrastructure, archived for at least six years.

Database backups
Backups must be created, tested, and securely stored in a separate infrastructure, as well as properly encrypted.

Patching and updating database management software
Regular software upgrades, as soon as they are available, to ensure that the database is running the latest technology.

ePHI disposal capability
Methods of deleting ePHI by trained specialists, without the ability to recover it, should be implemented.

By following the above requirements you create a HIPAA-compliant database. However, it's not enough. All HIPAA-compliant databases must be hosted in a high-security infrastructure (for example, cloud hosting) that itself should be fully HIPAA-compliant.
HIPAA-Compliant Database Hosting

You need HIPAA-compliant hosting if you want to store ePHI databases using the services of a hosting provider, and/or to provide access to such databases from outside your organization. According to the U.S. Department of Health & Human Services, organizations can use cloud services to store or process ePHI.

HIPAA compliant or HIPAA compliance supported?

Most of the time, cloud hosting providers are not HIPAA compliant by default but support HIPAA compliance, which means they incorporate the safeguards needed so that HIPAA requirements can be satisfied. If a healthcare business wants to start collaborating with a cloud hosting provider, the two parties have to enter into a contract called a Business Associate Agreement (BAA), which establishes a shared security responsibility model: the hosting provider takes on some HIPAA responsibility, but not all.

Source: deloitte.com/content/dam/Deloitte/us/Documents/risk/us-hipaa-compliance-in-the-aws-cloud.pdf

In other words, it is possible to use services that support HIPAA compliance and still not be HIPAA compliant. Vendors provide the tools to implement HIPAA requirements, but organizations must ensure that they have properly set up the technical controls; that is their responsibility alone. Cloud misconfigurations can make an organization non-compliant with HIPAA.
So healthcare organizations must:
ensure that ePHI is encrypted in transit, in use, and at rest;
enable a data backup and disaster recovery plan to create and maintain retrievable exact copies of ePHI, including secure authorization and authentication even when emergency access to ePHI is needed;
implement authentication and authorization mechanisms to protect ePHI from being altered or destroyed in an unauthorized manner, including procedures for creating, changing, and safeguarding passwords;
implement procedures to monitor log-in attempts and report discrepancies;
conduct assessments of potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI;
include auditing capabilities in their database applications so that security specialists can analyze activity logs to discover what data was accessed, who accessed it, from what IP address, and so on. In other words, one needs to track, log, and store this data in dedicated locations for extended periods of time.

PaaS/DBaaS vs IaaS Database Hosting Solutions

Healthcare organizations may use their own on-premise HIPAA-compliant database management solutions or use cloud hosting services (sometimes with managed database services) offered by external hosting providers. Selecting between hosting options is often a choice between PaaS/DBaaS and IaaS. For example, Amazon Web Services (AWS) provides Amazon Relational Database Service (Amazon RDS), which not only gives you access to already cloud-deployed MySQL, MariaDB, PostgreSQL, Oracle, Microsoft SQL Server or Amazon Aurora relational database management software, but also removes almost all administration tasks (a so-called PaaS/DBaaS solution). In turn, Amazon Elastic Compute Cloud (Amazon EC2) is for those who want to control as much as possible of their database management in the cloud (a so-called IaaS solution).
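Two of the duties in the list above are detection work rather than configuration: monitoring log-in attempts for discrepancies, and answering "what was accessed, by whom, from which IP" from the activity log. The example below is added for this page and is not Belitsoft's code; it runs over constructed sample log lines in a line format assumed for the example (timestamp, event kind, then key=value fields), flags bursts of failed logins within a sliding window, and summarizes PHI access per user.

```python
"""Added example: analysis of constructed database audit log lines for
failed-login bursts and per-user PHI access, the two monitoring duties the
text lists. The log format is an assumption made for this example."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample log: one event per line, fields separated by single spaces.
SAMPLE_LOG = """\
2024-03-01T08:00:01Z LOGIN user=u-1042 ip=10.0.5.12 result=ok
2024-03-01T08:00:10Z ACCESS user=u-1042 ip=10.0.5.12 table=clinical_notes action=read
2024-03-01T08:01:00Z LOGIN user=u-2077 ip=203.0.113.7 result=fail
2024-03-01T08:01:05Z LOGIN user=u-2077 ip=203.0.113.7 result=fail
2024-03-01T08:01:09Z LOGIN user=u-2077 ip=203.0.113.7 result=fail
2024-03-01T08:01:14Z LOGIN user=u-2077 ip=203.0.113.7 result=fail
2024-03-01T08:01:20Z LOGIN user=u-2077 ip=203.0.113.7 result=fail
2024-03-01T08:02:00Z LOGIN user=u-2077 ip=203.0.113.7 result=ok
2024-03-01T08:02:30Z ACCESS user=u-2077 ip=203.0.113.7 table=patients action=read
2024-03-01T09:00:00Z LOGIN user=u-3001 ip=10.0.7.2 result=fail
2024-03-01T17:00:00Z LOGIN user=u-3001 ip=10.0.7.2 result=fail
"""


def parse_line(line: str) -> dict:
    """Split '<ts> <KIND> k=v k=v ...' into a dict with a real datetime."""
    ts, kind, *kv = line.split()
    event = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "kind": kind}
    for pair in kv:
        key, _, value = pair.partition("=")
        event[key] = value
    return event


def parse_log(text: str) -> List[dict]:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def failed_login_bursts(events: List[dict], threshold: int = 5,
                        window: timedelta = timedelta(minutes=10)) -> List[Tuple[str, str, int]]:
    """Report (user, ip, count) where at least `threshold` failures fall inside one window.
    Two failures eight hours apart are ordinary typos; five in twenty seconds are not."""
    fails: Dict[Tuple[str, str], List[datetime]] = defaultdict(list)
    for e in events:
        if e["kind"] == "LOGIN" and e["result"] == "fail":
            fails[(e["user"], e["ip"])].append(e["ts"])
    report = []
    for (user, ip), times in fails.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):          # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            report.append((user, ip, best))
    return report


def phi_access_summary(events: List[dict]) -> Dict[str, List[Tuple[str, str, str]]]:
    """Map user -> [(table, action, ip), ...] for every ACCESS event: who touched what, from where."""
    summary: Dict[str, List[Tuple[str, str, str]]] = defaultdict(list)
    for e in events:
        if e["kind"] == "ACCESS":
            summary[e["user"]].append((e["table"], e["action"], e["ip"]))
    return dict(summary)


def successful_login_after_burst(events: List[dict],
                                 bursts: List[Tuple[str, str, int]]) -> List[str]:
    """Users whose failure burst was followed by a successful login from the same IP:
    the discrepancy an analyst should review first, since the account may be compromised."""
    last_fail: Dict[Tuple[str, str], datetime] = {}
    for e in events:
        if e["kind"] == "LOGIN" and e["result"] == "fail":
            key = (e["user"], e["ip"])
            last_fail[key] = max(last_fail.get(key, e["ts"]), e["ts"])
    burst_keys = {(user, ip) for user, ip, _ in bursts}
    flagged = set()
    for e in events:
        key = (e.get("user"), e.get("ip"))
        if (e["kind"] == "LOGIN" and e["result"] == "ok"
                and key in burst_keys and e["ts"] > last_fail[key]):
            flagged.add(e["user"])
    return sorted(flagged)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    bursts = failed_login_bursts(evs)
    print("failed-login bursts:", bursts)
    print("logins succeeding after a burst:", successful_login_after_burst(evs, bursts))
    for user, accesses in phi_access_summary(evs).items():
        print(user, accesses)
```

In production the same functions would read from the separate, long-retention log store the text describes rather than from a string, and the burst report would be what feeds a ticket or alert; the window and threshold are tuning knobs, not fixed values.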
Figure: On-premise vs PaaS/DBaaS vs IaaS database hosting solutions

Azure also provides relational database services that are the equivalent of Amazon RDS: Azure SQL Database, Azure Database for MySQL, Azure Database for PostgreSQL, and Azure Database for MariaDB. Other database engines such as SQL Server, Oracle, and MySQL can be deployed on Azure VM instances (the Azure equivalent of Amazon EC2).

Our company specializes in database development and creates databases for both large and small amounts of data. Belitsoft's experts will help you prepare a high-level cloud development and cloud migration plan and then perform a smooth, professional migration of legacy infrastructure to Microsoft Azure, Amazon Web Services (AWS), or Google Cloud. We also employ experts in delivering easy-to-manage HIPAA-compliant solutions and technology services for medical businesses of all sizes. Contact us if you would like a HIPAA risk assessment and analysis.
Dzmitry Garbar • 4 min read
