Support for KMS as a provider and data key generation.

Created on 3 March 2020, over 4 years ago
Updated 3 February 2023, over 1 year ago

Problem/Motivation

On a few of my client's sites, we store PII in Webform submissions. I'm currently using this module along with Webform Encryption to accomplish that securely. While we're not storing PHI currently, I try to adhere to HIPAA best practices whenever possible. I was doing some research and came across this article (specifically the section on using KMS to encrypt PHI): https://aws.amazon.com/blogs/security/frequently-asked-questions-about-h...

Basically the way this module currently functions isn't HIPAA compliant, because it's using the KMS encrypt/decrypt methods to process the data directly. The way we'd need to use KMS, in order to be HIPAA compliant, would be to create a second key, encrypt/decrypt it with KMS, and then use that local key to handle the encryption/decryption of any PHI data.

Proposed resolution

The patch I've written to solve for this adds two new capabilities to the module:

  1. A KMS Data Key type that leverages the GenerateDataKey function to create an AES key.
  2. A KMS Key Provider that accepts any key, stores the encrypted local copy, and leverages KMS to handle decrypting the key when needed.

Both of the above features require being pointed to an Encryption profile that uses Amazon KMS to work. With this approach, I can generate a data key, store the encrypted key locally, and leverage another encryption module (like RealAES) to handle the actual processing of the webform information. There's no impact to existing installs of the KMS module, it's purely optional functionality for anyone that needs it.

✨ Feature request
Status

Fixed

Version

1.0

Component

Drupal Code

Created by

🇺🇸 United States jacobbell84
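The envelope-encryption flow described in the issue summary (generate a data key, store only its encrypted copy, have KMS decrypt it when needed, encrypt the data locally), as an added example that is not the module's patch code. Assumptions: `StubKms` is a constructed offline stand-in that copies only the `Plaintext` and `CiphertextBlob` field names of the KMS GenerateDataKey and Decrypt responses, `alias/placeholder-key` is a placeholder, and OpenSSL AES-256-GCM stands in for whichever local encryption module handles the data.

```php
<?php
// Constructed stand-in for the AWS KMS client so this runs offline; it copies
// only the GenerateDataKey/Decrypt field names (Plaintext, CiphertextBlob).
final class StubKms {
    private string $master;
    public function __construct() { $this->master = random_bytes(32); }
    public function generateDataKey(array $args): array {
        $key = random_bytes(32); // stands in for KeySpec AES_256
        return ['Plaintext' => $key, 'CiphertextBlob' => aead_seal($this->master, $key)];
    }
    public function decrypt(array $args): array {
        return ['Plaintext' => aead_open($this->master, $args['CiphertextBlob'])];
    }
}

// AES-256-GCM with a fresh nonce per message; layout: nonce(12) || tag(16) || ciphertext.
function aead_seal(string $key, string $plaintext): string {
    $nonce = random_bytes(12);
    $ct = openssl_encrypt($plaintext, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $nonce, $tag);
    return $nonce . $tag . $ct;
}

function aead_open(string $key, string $blob): string {
    $pt = openssl_decrypt(substr($blob, 28), 'aes-256-gcm', $key, OPENSSL_RAW_DATA,
        substr($blob, 0, 12), substr($blob, 12, 16));
    if ($pt === false) {
        throw new RuntimeException('GCM authentication failed: wrong key or modified data');
    }
    return $pt;
}

// Key creation: KMS returns the data key twice; only the wrapped copy is persisted.
$kms = new StubKms();
$dk = $kms->generateDataKey(['KeyId' => 'alias/placeholder-key', 'KeySpec' => 'AES_256']);
$storedKey = base64_encode($dk['CiphertextBlob']);   // what the key provider would store
$record = base64_encode(aead_seal($dk['Plaintext'], 'constructed sample submission value'));
unset($dk);                                          // drop the plaintext key reference

// Read path: KMS unwraps the stored key, then decryption happens locally.
$key = $kms->decrypt(['CiphertextBlob' => base64_decode($storedKey)])['Plaintext'];
echo aead_open($key, base64_decode($record)), PHP_EOL;

// A modified record fails authentication instead of returning altered plaintext.
$bad = base64_decode($record);
$bad[30] = $bad[30] ^ "\x01";
try {
    aead_open($key, $bad);
} catch (RuntimeException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```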
