Enhancing Data Security with MongoDB: A Dive into Cryptography and CSFLE at Ovianta

Published at 12/2/2024
Categories: cryptography, mongodb
Author: rmarpozo

In the digital age, safeguarding sensitive information is not optional. It's essential. At Ovianta, a SaaS solution empowering doctors with streamlined workflows and intelligent insights, protecting patient data is a top priority. MongoDB's cryptographic tools, particularly Client-Side Field Level Encryption (CSFLE), offer powerful methods to secure data in use.

In this article, we'll explore MongoDB's CSFLE and share how Ovianta leverages encryption to meet stringent data protection requirements while working within the constraints of serverless environments like Vercel.

What is Client-Side Field Level Encryption?

MongoDB's CSFLE encrypts specific fields on the client side, ensuring sensitive data remains inaccessible to unauthorized parties, even if the database itself is compromised. The approach aligns with compliance standards like GDPR and HIPAA, making it an excellent choice for industries handling sensitive information, such as healthcare.

CSFLE Highlights:

  • Data confidentiality: Data is encrypted before it leaves the client.
  • Field-level granularity: Only sensitive fields are encrypted, leaving the rest of the database searchable.
  • Compliance-friendly: Helps meet data protection regulations.

Automatic vs. Manual Encryption

MongoDB supports two CSFLE modes: Automatic Encryption and Manual Encryption.

  1. Automatic Encryption:
    • Simplifies implementation by using MongoDB drivers to handle encryption.
    • Requires the installation of an extra library.
    • Not compatible with all hosting environments, including serverless platforms like Vercel.
  2. Manual Encryption:
    • Offers fine-grained control by letting developers manage encryption and decryption explicitly.
    • Does not rely on additional libraries, making it suitable for environments with strict resource constraints, including serverless platforms like Vercel.

At Ovianta, we chose manual encryption because automatic encryption's library is incompatible with Vercel's serverless architecture. This decision ensures we maintain robust security without compromising the performance or scalability of our platform.

Manual Encryption: How Ovianta Secures Data

At Ovianta, we handle sensitive patient information, such as medical histories and consultation records. Using manual encryption allows us to encrypt this data securely before storing it in MongoDB. Here's how we do it:

  1. Key Management:
    • We generate and manage Data Encryption Keys (DEKs) using a secure Key Management System (KMS).
    • Our KMS integrates seamlessly with MongoDB, providing a secure mechanism for key storage.
  2. Encryption and Decryption:
    • Data is encrypted using the MongoDB Client Encryption Library before it is sent to the database.
    • Authorized services decrypt data when needed, ensuring only specific application workflows can access sensitive information.

import { MongoClient } from 'mongodb';
import { ClientEncryption } from 'mongodb-client-encryption';

const client = new MongoClient(uri); // uri: the MongoDB connection string
await client.connect();

// Initialize encryption settings
const clientEncryption = new ClientEncryption(client, {
  keyVaultNamespace: 'encryption.__keyVault',
  kmsProviders: {
    aws: {
      accessKeyId: '<AWS_ACCESS_KEY_ID>',
      secretAccessKey: '<AWS_SECRET_ACCESS_KEY>',
    },
  },
});

// Create a Data Encryption Key wrapped by the AWS KMS master key (done once;
// reuse its id afterwards). createDataKey returns the key's UUID as a Binary,
// which is the type encrypt() expects for keyId, not a plain string.
const dataKeyId = await clientEncryption.createDataKey('aws', {
  masterKey: { key: '<AWS_KMS_KEY_ARN>', region: '<AWS_REGION>' },
});

// Encrypt sensitive patient data
const encryptedValue = await clientEncryption.encrypt('patientSensitiveData', {
  keyId: dataKeyId,
  algorithm: 'AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic',
});

// Store encrypted data in MongoDB
const collection = client.db('<DB_NAME>').collection('<COLLECTION_NAME>');
await collection.insertOne({ sensitiveField: encryptedValue });

It's also possible to decrypt using the MongoClient directly, without activating full automatic encryption, by setting the property bypassAutoEncryption: the driver then skips automatic encryption on writes but still automatically decrypts encrypted fields it reads.


import { MongoClient } from 'mongodb';

const secureClient = new MongoClient(uri, {
  autoEncryption: {
    keyVaultNamespace,          // same key vault used when the data was encrypted
    kmsProviders,               // same KMS provider credentials
    bypassAutoEncryption: true, // no automatic encryption, but automatic decryption stays on
  },
});
await secureClient.connect();

// Fields encrypted with the DEK come back decrypted
const collection = secureClient.db('<DB_NAME>').collection('<COLLECTION_NAME>');
const result = await collection.find().toArray();

Why Ovianta Chose Manual Encryption

Manual encryption provides us with:

  • Flexibility: By managing encryption directly in our code, we avoid dependencies on libraries incompatible with serverless environments.
  • Granular control: We can tailor encryption to specific fields and workflows, ensuring efficiency and compliance. Although the same behavior can be achieved with encryption schemas, that would force us into automatic mode, which does not work in serverless environments such as Vercel.
  • Portability: Since no special libraries are required, our encryption setup can be easily replicated across various environments.

How CSFLE Benefits Ovianta's Users

For our customers—doctors and healthcare providers—CSFLE means:

  • Enhanced Privacy: Patient data is encrypted before leaving the client, ensuring it remains confidential even in the unlikely event of a breach.
  • Regulatory Compliance: By implementing advanced cryptographic measures, Ovianta adheres to stringent healthcare data protection standards, building trust with users.

Conclusion

At Ovianta, securing patient data is central to our mission of empowering healthcare providers with seamless, AI-driven workflows. MongoDB's CSFLE, particularly through manual encryption, allows us to achieve high levels of security while maintaining the flexibility needed for our serverless architecture.

Whether you're building a healthcare app or managing sensitive user data, MongoDB's encryption options offer a reliable path to compliance and trust. For environments like ours, where automatic encryption isn't an option, manual encryption ensures robust security without compromise.



At Ovianta, we're building a next-generation product for doctors that streamlines the software they use for their consultations, built with NextJS. Follow us on this journey to learn more about how we're building it.
