Educating the startup community on the complexities and necessity of HIPAA is important. I'm glad Aptible is helping the YC community.
Speaking from a HIPAA point of view, the amount of complexity you must manage to build your own compliant environment on AWS is extremely high. HIPAA's controls account for block level encryption, managing your logs a certain way, and many many more things.
Furthermore, compliance is more than just doing the right thing. It's proving that you are compliant. There is immeasurable value with selecting a vendor who is audited to be HIPAA Compliant or HITRUST Certified because then the risk is offloaded to someone with credibility in the marketplace via a Business Associate Agreement. If you wanted to build your own HIPAA compliant stack on AWS, and you want to be taken as credible when trying to sell to a CIO at a hospital, then you will need to go through the procedure of becoming HITRUST Certified as well.
Otherwise you will just be nibbling at the edges and taking on all the risk while hampering your business model.
Aren't you still building your own compliant environment on the application side with a heroku like model?
I'm pretty sure AWS has a package for HIPAA compliance that will checkmark most of the required fields outside of the application, and general settings fields. Most of the problems will come from the Application architecture. You can have a prebuilt environment for everything but if your code is garbage then good luck.
Not sure how hosting in AWS is any different from hosting on Heroku, considering you're ultimately still responsible for the Application side. Does Heroku manage your logs in some way that AWS cannot?
Even with an agreement with a merchant, aren't you still responsible for your application code? Isn't that still subject to HIPAA requirements?
Also AWS is HIPAA compliant and they will do a Business Associate Agreement, and has been HITRUST certified iirc.
"I'm pretty sure AWS has a package for HIPAA compliance that will checkmark most of the required fields outside of the application."
Not quite. In fact, the first thing you need to do to meet a BAA with many cloud vendors is terminate SSL locally. This means not using things like ELBs. What about if you need a VPN? How do you guarantee that traffic is still encrypted (let's say TCP) once it hits the VPC VPN to your application server? These are very real healthcare compliance scenarios which you would need to figure out a solution for on the infrastructure side, which you would need to build or buy. I'm sure there are similar things that need to be handled WRT PCI.
Application security is important (of course). I used to work on application security with hospital organizations at an EHR vendor, so even though we sell infrastructure I can help customers out when it comes to this topic. The reason why there isn't really an "Application Security checkbox" is because the question "What is the correct amount of access to patient data?" is a hard one. Prestigious healthcare organizations all the way down to startups struggle with it, so it's usually a more involved process.
No, kgosser is correct. AWS offers "HIPAA-eligible services". Batteries not included.
Being able to demonstrate HIPAA compliance is different. You need to be able to:
1) Prove that a wide range of controls are in place and operating effectively, many of which are administrative (risk assessments, policy controls, workforce training, manual config reviews, access control reviews, etc.)
2) Keep all of your documentation current, even as your code and architecture changes.
If you DIY on AWS, you accept all of the risk for everything from the hypervisor up. Not just the risk of adversarial breach, but misconfiguration, inappropriate configuration, patching, etc.
You are correct in understanding there is a bifurcation between the infrastructure and application levels. You, as the software developer, will be largely responsible for the application-level security and privacy. The infrastructure obligations are extremely complex and go much deeper than you might imagine upon first blush.
For the ease of math, let's say at the infrastructure level it takes "10" things to be HIPAA compliant. An IaaS vendor like AWS will do about 1/10th of it, and do it very well. Mostly the firewall and physical safeguards. They do sign a BAA and claim to be HIPAA Compliant, but you need to keep in mind that it's only for a fraction of what you're ultimately responsible for. The other 9/10ths is nontrivial. It includes things like encryption, monitoring, vulnerability scanning, breach policies, how you handle your logs. Lots of things.
The difference between hosting on AWS vs. hosting on Heroku will be how many of those 9/10ths Heroku will automate for you, and then, here's the kicker, that they agree to in their Business Associate Agreement with you. Even if they do the other 9/10ths, if they won't sign a BAA with you, then you're still at risk.
In essence AWS is an IaaS vendor who will sign a BAA that does a few compliant things, but you still have a long long journey ahead of you. You could build your own, certainly, on either AWS or Heroku. You could also look for a HIPAA Compliant Platform as a Service (PaaS) who automates the other 9/10ths and then signs a BAA for those things. The company I work for, Catalyze, is just that. We basically are the other 9/10ths on top of AWS, sign a BAA for it, and stand behind you with a HITRUST Certification.
This means for people who work remotely but live in Seattle. So for example, someone who works remotely for a company in NY but lives in Seattle. This would be a spot for all those people to work so they feel like a community.
> In 2013 the Internet traffic I actually do generate is much more secure than the Internet traffic I generated 20 years ago.
For someone to be successful in 1993 using the Internet, you had to be knowledgeable enough to do the things you're talking about. I'd wager roughly 97%+ of the population is not smart enough, which is why Bruce's statements are in effect true.
Tell me again how this is different than Malcolm Gladwell? Same format, same insight-porn result, yet this guy is heralded by you all and Gladwell is eviscerated. Confusing, really.
Not familiar with forecast.io. Thanks for sharing! Before I got into web development I worked at a company called Prologue doing motion graphics in After Effects and Photoshop. Even if you've never heard of them, you've probably seen their work: http://prologue.com/
This background is much of the motivation for the library.
Ah cool. Yeah, I instantly thought of use cases like Forecast.io's weather animations for your library. I think this is a _major_ trend about to explode, and approaching it with a JS library instead of animated GIFs seems like it has big potential.
Check out www.forecast.io to see the UI polish I'm talking about.
To tack on to my colleague at Catalyze: We provide two thorough guides to both HIPAA and HITRUST. If anyone is looking for a deep dive on either topic, you can access the guides here:
https://catalyze.io/hipaa-compliance
https://catalyze.io/hitrust
The guides are a thorough summary and aggregation of all our content spread throughout the web, which is why they are behind a form. If you would like to access all the content directly, it's largely all available for free as separate entries in our Academy:
https://catalyze.io/learn