
TrueVault (YC W14) Brings Easy HIPAA Compliance to Startups and Health Apps - trey_swann
http://techcrunch.com/2014/02/14/truevault-launches-to-bring-easy-hipaa-compliance-to-startups-and-health-apps/
======
chimeracoder
I'm the technical co-founder of a startup[0] that stores patient data, and I
know a couple of people who are working on what they call "Heroku for HIPAA-
compliant applications" (slightly different from what TrueVault is, though it
serves a similar consumer base)[1].

When I first heard about this and started building our application, I was
surprised nobody has tackled this space before. Building HIPAA-compliant
applications on AWS is a lot easier[2] than most people think, but it's a
_huge_ pain.

More importantly, it's the _same_ huge pain for almost everyone who goes
through the process, and in a way that's rather easy to "factor out".

In that regard, it's not that different from HR or payroll services, which
startups almost never do in-house (once they are larger than a few employees,
and until they get to be fairly large).

It looks like we're a bit beyond the stage where TrueVault would make sense
for us, but I'm glad that this space is starting to attract attention.
Technical founders should spend their limited time on building amazing
technology and amazing products, not duplicating the same compliance work that
everyone else has had to go through.

[0] [https://www.boardrounds.com/](https://www.boardrounds.com/)

[1] The company is Aptible:
[https://www.aptible.com/](https://www.aptible.com/) (We aren't customers of
these folks, though we like their product)

[2] None of it would be too technically difficult for most of the people
reading HN - it's more the diligence of checking boxes, writing up policy
docs, etc. It's _important_ to do it right, but it's generally a matter of
time (and money) more than anything else.

~~~
yogo
It's great that you guys are tackling it, and that it was untapped. But, I
also think that no one delved too much in that space for a reason (HIPAA has
been around for a long time), which might be that if you screw up you're in
really hot water. Most people and investors tend to stay away from things that
lend themselves to potentially big lawsuits. Don't get me wrong, if another
company is making it their full-time responsibility to provide a service and
shoulder most of the liability I can see the value and I'm all for it, because
it means I'm reducing my exposure.

------
naveenspark
We are using TrueVault for Immunity Project. We have some bias since TrueVault
is in our YC batch, but Jason and Trey worked 24/7 to help us with our HIPAA
compliance needs. They used their API to build a custom portal for us to
securely communicate patient data over a weekend. We highly recommend them.

------
gwintrob
The TrueVault team is awesome and they have a killer API. If you're building
anything that touches patient health info, you should talk to them about HIPAA
security.

------
rficcaglia
having gone through many hipaa audits/reviews both as customer and as vendor,
in my experience when contracts are being signed/renewed it is much more about
the people and processes involved.

never had any customer ask specifics about encryption algorithms, apis, dev
stack, tooling, or key management. ("do you encrypt data at rest?" "ok,
check.") i wish they would. we spend a lot of time and effort on those
decisions.

had lots of requests about hr policies and procedures, ongoing perimeter
scanning and network intrusion detection, data loss prevention, patching
process, hids, data destruction logs, physical security, breach notification
plans, disaster recovery SOPs, and other stuff you would find in various NIST
and FISMA specs.

but maybe that's how it should be...smart, experienced people will more often
than not make good decisions and use the right tools for the job (whether easy
or hard) and be vigilant and introspective. give inexperienced folks the
best/easiest tools in the world that don't require them to understand the
details underneath, and they can find clever ways to create huge gaping holes.
and if they are looking for the easiest path, they are probably not well
equipped to handle all the unknown unknowns that invariably pop up (usually
friday late afternoon!)

honestly, i prefer to know my stack(s) intimately from the kernel sources up,
and know how to evaluate and react to potential problems at all layers, than
simply outsource all responsibility for these issues to someone. (ok I
outsource some pieces, but only when it makes the solution better, not just
easier.) ymmv.

also, fwiw, never had a breach from outside ... but had numerous incidents of
employees who have lost or stolen laptops which just happened to have a sql
dump of "test data". human error/laziness gets you every time.

still, good to see options evolving in the market! the more educated buyers
become, the better questions they will ask! and the more rigorous vendors will
get...we hope :)

------
mixonic
Aptible is another young startup in the HIPAA space:
[https://www.aptible.com/](https://www.aptible.com/) They support a PaaS model
similar to Heroku.

------
wrs
Searchable encrypted records seems like a contradiction. Normally I'd expect
that the fields you can search on are not encrypted (at least not in the
search index), and given the obvious conscientiousness of TrueVault I'd expect
to see that mentioned in the docs if it were so, but I don't.

Can someone from TV elucidate how that works?

~~~
lnanek2
No clue how it actually works, but just as a software engineer I can think of
plenty of ways to do it. So the base case you have is just the equivalent of a
table scan - go through each row and decrypt it and check if it matches. But
then after that you can do a lot to speed it up. Like you could keep an
accessed timestamp on the records and then search most recent ones first so
after the first search for a patient on a day they have an appointment
everything else will be fast that day. Lots of other speed-ups are possible, like
checking who is searching and checking only their patients first, which may be
possible to store as an unencrypted relationship that tells you which
encrypted records to check.

Or heck, if you have enough memory, keep your indexes in memory where they
aren't required to be encrypted. Or if you don't have enough then cache
according to some algorithm that works well for the use cases.
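The decrypt-and-scan approach sketched in the comment above, as an added example (not TrueVault's code or the commenter's): rows are AES-GCM encrypted under one constructed data key, and the "accessed timestamp" speed-up is reduced to a move-to-front list so repeat lookups of the same patient decrypt fewer rows.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
)

type Record struct {
	Nonce, Ciphertext []byte
}
// Store keeps rows in most-recently-matched order (the comment's speed-up as a move-to-front list).
type Store struct {
	aead cipher.AEAD
	recs []*Record
}
func NewStore(key []byte) (*Store, error) {
	block, err := aes.NewCipher(key) // 16, 24 or 32-byte key; constructed in the caller
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	return &Store{aead: aead}, err
}
// Put encrypts one row under a fresh random nonce and appends it.
func (s *Store) Put(row string) error {
	nonce := make([]byte, s.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	s.recs = append(s.recs, &Record{nonce, s.aead.Seal(nil, nonce, []byte(row), nil)})
	return nil
}

// Find is the comment's "table scan": decrypt rows in order until one matches.
// It also returns how many rows it decrypted, the cost the ordering cuts.
func (s *Store) Find(match func(string) bool) (string, int, error) {
	for i, r := range s.recs {
		pt, err := s.aead.Open(nil, r.Nonce, r.Ciphertext, nil)
		if err != nil {
			return "", i, err // GCM tag check failed: tampered row or wrong key
		}
		if match(string(pt)) {
			copy(s.recs[1:i+1], s.recs[:i]) // move to front: scanned first next time
			s.recs[0] = r
			return string(pt), i + 1, nil
		}
	}
	return "", len(s.recs), nil
}
```

Note that the row order is itself unencrypted metadata that reveals which records are hot, the kind of detail the docs wrs asks about would have to state.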

------
jusben1369
Good luck guys! At Spreedly we have the same type of approach for FinTech
startups by removing all the PCI compliance headaches. Perhaps one day
there'll be a fit to work together. I imagine startups will love you if you
pull this off!

------
selimthegrim
Since when does AWS sign a BAA? I thought they disclaimed liability and said
to treat them like a phone company or infrastructure provider w.r.t S3?

~~~
chimeracoder
Since this past summer: [http://www.emrandhipaa.com/emr-and-hipaa/2013/06/19/amazon-a...](http://www.emrandhipaa.com/emr-and-hipaa/2013/06/19/amazon-aws-will-sign-hipaa-business-associate-agreement/)

