Insecure due to use of attr_encrypted?

[rreusser]

I haven't fully investigated, but right out of the gate, the use of attr_encrypted is a possible red flag. Is the hipaarails gem secure? Should it be modified to use attr_encryptor instead?

See: attr-encrypted/attr_encrypted#32

[rreusser]

Looks like not much activity on this gem, so this is in part just to serve as a warning for anyone looking to use this gem! I do like the idea though. I realize this isn't just a discussion board, but for anyone looking to create a HIPAA-compliant rails app, here are two extremely useful resources I've found:

http://luxsci.com/blog/what-makes-a-web-site-hipaa-secure.html
http://www.atlashealth.com/

[anirudhvr]

Hello rreuser,

THanks for the issue report and sorry I've been tardy. I believe attr_encrypted version 1.3.0 has fixed the flaw per the thread you mentioned. I've pushed a fix just now.

BTW, if you are interested in picking up / contributing to this project, please do let me know!

[rreusser]

Thanks for the reply! Not sure I'll have time to work on this since it looks like the client will be leaning on Atlas Health for encryption and auditing. Neither of those things are too difficult, but the fact that they prevent us from having to worry about a Business Associate Agreement with AWS makes it worthwhile. Thanks again for your attention to this!