There are a few options if you want HIPAA compliance. Note that "HIPAA compliance" is somewhat of a loaded term in that there aren't many super-technical benchmarks to meet, but a general "do-good" attitude including (but not limited to) some of the following points:

- Physical server isolation: you cannot have other instances sniffing around in your deallocated garbage memory.

- Encrypted data stores: physical theft of the server should not provide access to your data.

- Server providers who can sign a Business Associate Agreement: many hospitals and firms with medical data require this in their stipulations.

- Audit trails for database modifications, access, etc. Basically, log everything, and this has to be encrypted too if it contains protected health information (PHI).

- All PHI over HTTPS if you have a webapp. NO PHI OVER EMAIL OR HTTP.

- "Soft" guidelines such as password complexity measures, auto session expiration, disallowed multi-sessions.

Again, this is not an exhaustive list. You really need to check with a lawyer who knows this stuff. The fines are enormous (read: business-ending) if you break the rules.

How do you work to implement these? Well, find a host who is willing to sign a BAA. Here are the two major contenders I'm aware of:

- Use Amazon AWS; they're willing to sign a BAA with you and provide you the physical server isolation you need. However, this doesn't come cheap. Expect >$2,000/mo in costs to keep this configuration. Also, you'd better be a network pro or willing to learn how to manage VPCs correctly to provide proper network-level isolation for the databases.

- Use aptible.com (they happen to be a YC company, and I don't know of anyone else doing this). Frank & Chas (the founders) are very responsive and aim to provide a comprehensive package, including backups, audit trails, and even employee training. The Docker-based and Heroku-like interface is very appealing:

https://support.aptible.com/hc/en-us/articles/202638630-Depl...

This option is still expensive. They host on AWS as well, so you're paying for the server costs + premium. However, this will still be a lot cheaper than hiring a competent sysadmin to make sure the execution is flawless.
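The audit-trail point above ("log everything", and the log itself must be protected if it holds PHI) is the one most teams get wrong in practice. The example below is added here and is not code from the comment author, Aptible or AWS. It shows a tamper-evident audit trail for database access: each record is chained to the previous one with an HMAC, so an edited, deleted or reordered record fails verification, and PHI identifiers are replaced by a keyed pseudonym before they are written. Keeping PHI out of the log body is a swapped-in technique relative to the comment's "encrypt the log" suggestion; the log store still needs access controls and encryption at rest, but a leaked log no longer exposes patient identifiers. The key values, field names and sample records are constructed for illustration.

```python
"""Added example (not from the HN thread): a tamper-evident audit trail for
database access that keeps PHI out of the log body.

Assumptions (constructed for this example, not taken from the thread):
entries are JSON-style dicts; each entry carries an HMAC over its own content
plus the previous entry's tag, so edits, deletions and reordering are detected
on verification; PHI-bearing fields are replaced by a keyed pseudonym so the
log itself is not PHI, while "all accesses to patient X" queries still work.
The keys below are placeholders; a real deployment would pull them from a
KMS/HSM and never embed them in source.
"""
import hashlib
import hmac
import json
import time

# Constructed sample keys (placeholders, never hard-code real keys).
AUDIT_KEY = b"constructed-audit-hmac-key"
PSEUDONYM_KEY = b"constructed-pseudonym-key"

# Fields whose values are PHI identifiers and must not appear in clear.
PHI_FIELDS = {"patient_id", "mrn"}

GENESIS_TAG = "0" * 64  # chain anchor for the first record


def pseudonymize(value: str) -> str:
    """Keyed, deterministic token standing in for a PHI identifier.

    Same input -> same token, so the log can still be searched per patient,
    but the token cannot be reversed without PSEUDONYM_KEY.
    """
    return hmac.new(PSEUDONYM_KEY, value.encode(), hashlib.sha256).hexdigest()[:16]


def _tag(prev_tag: str, body_fields: dict) -> str:
    """HMAC over the previous tag and a canonical serialization of the record."""
    body = json.dumps(body_fields, sort_keys=True, separators=(",", ":"))
    return hmac.new(AUDIT_KEY, (prev_tag + body).encode(), hashlib.sha256).hexdigest()


def append_entry(log: list, actor: str, action: str, table: str, **fields) -> dict:
    """Append one audit record, chaining its tag to the previous record's tag."""
    record = {"ts": time.time(), "actor": actor, "action": action, "table": table}
    for key, value in fields.items():
        record[key] = pseudonymize(str(value)) if key in PHI_FIELDS else value
    prev_tag = log[-1]["tag"] if log else GENESIS_TAG
    record["tag"] = _tag(prev_tag, record)
    log.append(record)
    return record


def verify_chain(log: list) -> int:
    """Return the index of the first record that fails, or -1 if the chain is intact."""
    prev_tag = GENESIS_TAG
    for index, record in enumerate(log):
        body_fields = {k: v for k, v in record.items() if k != "tag"}
        expected = _tag(prev_tag, body_fields)
        if not hmac.compare_digest(expected, record.get("tag", "")):
            return index
        prev_tag = record["tag"]
    return -1


def contains_phi(log: list, identifier: str) -> bool:
    """True if the raw identifier leaked into any record."""
    return any(identifier in json.dumps(record) for record in log)


def demo() -> tuple:
    """Build a small constructed log, then simulate an after-the-fact edit."""
    log = []
    append_entry(log, "dr_smith", "SELECT", "encounters", patient_id="123-45-6789")
    append_entry(log, "billing_svc", "UPDATE", "claims", patient_id="123-45-6789", claim="C42")
    append_entry(log, "dr_jones", "SELECT", "encounters", patient_id="987-65-4321")
    intact_before = verify_chain(log) == -1
    log[1]["actor"] = "nobody"  # an insider rewriting who touched the claims table
    first_bad = verify_chain(log)
    return intact_before, first_bad, contains_phi(log, "123-45-6789")


if __name__ == "__main__":
    print(demo())
```

Verification should run from a separate process that holds the audit key and reads the log store read-only; the writer path only needs the key to append, which is the usual split for the "log everything, then prove nobody rewrote it" requirement.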

Does HIPAA really require "physical server isolation"? I wasn't able to find anything specifying that in my reading. (Encrypting data at rest is definitely required. I suspect the S3 functionality was built to address the requirement.)

AFAICT the whole "can't do HIPAA in the cloud" meme arose from the reluctance of cloud services to sign BAAs, Google only got on board with that earlier this year.


I'm a lawyer, but not your lawyer. This is not legal advice. :)

The HIPAA Security Rule requires that you take "reasonable and appropriate" measures to safeguard the confidentiality, integrity, and availability of electronic regulated health data.

Physical server isolation is not prima facie required, meaning there is no requirement that literally states you must isolate servers down to bare metal. Your customers' judgments about what constitutes "reasonable and appropriate" safeguards may vary, though. That decision should be driven by your risk assessment.

Encryption is also not prima facie required, actually.[0] I can't imagine a case in which it would be reasonable for a cloud SaaS provider not to implement it, so I'd say it is de facto required. MFA may be moving to the same category, for most web services.

[0]: http://www.law.cornell.edu/cfr/text/45/164.312


I think this might just be a stipulation to sign a BAA with Amazon, combined with my tendency to err on the side of safety. I can't find anything to cite either. On a slightly related note, lack of memory safety happens to be how Home Depot lost all those credit card numbers.

I am not a lawyer.


No, it is not (I have passed VA/DoD audits without).
