AWS just announced their Postgres RDS is HIPAA compliant yesterday. I imagine the rest of Federal restricted data usages can follow shortly after (I think AWS is already certified in some areas?).

Given that, I see no reason why anyone should indulge Oracle or patronize them given their revenue model.




AWS has also been certified to be PCI Level 1 compliant for a few years now.

As far as Oracle Cloud's appeal is concerned, I can totally see the big "enterprise" type IT departments using the Oracle/Weblogic stack going for it, at least in the "paid POC" type mode to get things rolling.


> I can totally see the big "enterprise" type IT departments using Oracle/Weblogic stack going for it at least in the "paid POC" type mode to get things rolling.

As someone who works at an "enterprise" - the default is AWS. They have the consulting network, the certifications, and the list of other big companies already using them. Their biggest challenger is Azure, because Microsoft are already in the enterprise, and have good stories to tell around helping you cloudify your Office deployment model, Exchange, etc etc etc. At that point "hosting VMs" is an easy upsell for them.


"Nobody's gotten fired for buying, uh, Oracle."


Browse federal websites and check how many Sun icons you still see. My hypothesis: Oracle killed Solaris once they realized USDS and 18F had solid long term growth prospects.


I don't track these things closely, but hasn't 18F come to be considered a disappointment in terms of results-per-dollar-spent, so far? (Not to mention results-per-unit-hype)


I think between USDS and 18F, 18F has been showing more stable growth and they're on an eat-what-you-kill budget.


Good to know. I've been more-or-less able to keep clear of the government purchasing super-fun-games for a few years and anything I may have ever known about that world has gotten stale. Thanks!


I believe it was already HIPAA compliant (or else I need to go into hiding).

The path to HIPAA compliance in AWS is just to arrange a business agreement with Amazon.


Amazon's BAA allows you to use only approved services [1] to process, store, and transmit ePHI. The list isn't very long, it's currently just 10 AWS services, and it doesn't include some basic ones like SQS. RDS with PostgreSQL was just added to that list this week (Aurora was also added, which is neat because now that it has a PostgreSQL front-end, I have two reasons to play with it).

[1] https://aws.amazon.com/compliance/hipaa-compliance/


RDS was only HIPAA for MySQL and SQL Server. PostgreSQL certification is brand new and a huge deal for some of my projects.


So I suppose this means storing data in Postgres RDS is HIPAA compliant now by default? I am not an expert in this, but I do have to sit through a day of training every year for this.

You should probably be doing a bunch of other things to be HIPAA compliant in AWS, it's not just a box you check off.

In the past you could be HIPAA compliant and use PostgreSQL RDS by signing a business associate agreement and doing things like using dedicated instances in their own VPC.


> So I suppose this means storing data in Postgres RDS is HIPAA compliant now by default?

At a minimum, you'd still have to sign that BAA with them. I mention that not for you, but for anyone else at home thinking "oh, I can deploy RDS/PostgreSQL and be OK with HIPAA without doing anything else!" That's (still) not the case.

In logic terms, this certification is necessary but not sufficient. It's not sufficient by itself, but it is a hard requirement because RDS hasn't been covered under their BAA up until the last day or so. That is, it wasn't covered the last time I checked, maybe a week ago, but it is now today. This was confirmed by our AWS tech reps when we recently talked to them: they absolutely did not HIPAA certify PostgreSQL the last time we asked about it. And oh, how I promise you we talked about it.

> In the past you could be HIPAA compliant and use PostgreSQL RDS by signing a business associate agreement and doing things like using dedicated instances in their own VPC.

Citation needed. We were told multiple times by our reps and solution architect that RDS+PostgreSQL was not certified in any way. The only AWS options we had for HIPAA PostgreSQL were 1) hosting our own instance (that is, not using RDS in any way, just plain old EC2) or 2) paying a third party for managed PostgreSQL hosting.


In the past (before this week), if you were storing ePHI in RDS with PostgreSQL, you weren't following the terms of the BAA.



