I'm looking for ways to make the Mongo storage used by Spark.Net HIPAA compliant. Is using MongoDB SSL Transport to encrypt data on the wire and using Gazzang for data at rest good enough? Are there other options for data at rest while still allowing for indexing certain properties in JSON?
Given HIPAA compliance has a number of privacy and security requirements, I would assume you are also getting some professional advice on how to comply. There are physical and technical requirements that extend beyond the database software, but encryption of data in motion and at rest will tick some of the boxes.
I will add the disclaimer that "I am not a lawyer or a HIPAA expert", so you'll have to research/confirm the specific compliance details for your use case.
The default binary distributions of MongoDB currently do not include SSL support. You can either build from source with SSL support, or get a commercial license for MongoDB Enterprise.
You should ensure the SSL mode is set to requireSSL and enable certificate validation with x.509 certificates.
I believe you need to use a Federal Information Processing Standard (FIPS) compliant encryption algorithm. FIPS mode is currently only supported in MongoDB Enterprise.
MongoDB (as at 2.6) does not have built-in support for encryption of data at rest; however, there are a number of third party partner solutions which currently include:
The above solutions can be used to transparently encrypt the data directories used by MongoDB, so you still have full access to query and indexing functionality.
It's likely that some of the data you store may have more stringent requirements (e.g. around privacy or redaction of specific fields), so there may be some additional application logic to implement.
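As an added illustration (not part of the answer above or of any MongoDB documentation), here is a `mongod.conf` fragment in the YAML format introduced in 2.6 that puts the "requireSSL plus x.509 validation plus FIPS" advice into one place, with the weak setting shown beside the corrected one. The certificate paths and the FIPS key are assumptions; `net.ssl.FIPSMode` is only honoured by MongoDB Enterprise builds, and a community build compiled with SSL support will reject it.

```yaml
# Added example: mongod.conf for an SSL-only deployment (assumed paths).
net:
  port: 27017
  bindIp: 10.0.0.5          # assumed: bind to the private interface only, not 0.0.0.0
  ssl:
    # Weak: "allowSSL" (or "preferSSL") still accepts plaintext clients.
    # mode: allowSSL
    # Correct: refuse any connection that is not SSL.
    mode: requireSSL
    # Server certificate + private key, PEM format (assumed path).
    PEMKeyFile: /etc/ssl/mongodb/server.pem
    # CA bundle used to validate x.509 client certificates (assumed path).
    # Without a CAFile the server cannot validate client certificates at all.
    CAFile: /etc/ssl/mongodb/ca.pem
    # Weak: allows clients to connect without presenting a certificate.
    # weakCertificateValidation: true
    # Correct (the default once CAFile is set): every client must present
    # a certificate signed by the CA above.
    weakCertificateValidation: false
    # Enterprise only: restrict the SSL library to FIPS 140-2 validated algorithms.
    FIPSMode: true

security:
  # Require authentication; x.509 subjects can be mapped to users so that
  # the client certificate doubles as the login credential.
  authorization: enabled
  # For replica sets / sharded clusters: members authenticate to each other
  # with x.509 certificates rather than a shared keyfile.
  clusterAuthMode: x509
```

Clients then connect with `--ssl --sslCAFile` (and `--sslPEMKeyFile` for their own certificate); anything that tries a plain TCP connection is refused by the server rather than silently downgraded, which is the property the `requireSSL` setting buys you. Disk-level products such as the partner solutions listed above sit underneath this configuration and encrypt the data directory independently, so the two layers do not interfere with each other.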