
I've written a HIPAA-compliant application that was VPS-hostable. It's been a while, but IIRC, it simply involved a combination of TLS everywhere and encrypting the sensitive fields in the DB. I don't remember if there was any other trick involved, but it wasn't difficult. By far the hardest thing about that project was the complexity of the medical codes-- not HIPAA compliance-- and that is something the cloud wouldn't help with at all.

> , it simply involved a combination of TLS everywhere and encrypting the sensitive fields in the DB.

I'm sorry, are you saying securing patient data is simple? No offense, but you might be the only person on this planet to share this sentiment and there's a reason why.

So, it's simpler to secure sensitive information in a database, secure your hosting, maintain security updates to those hosts, undergo audits, keep up with changing regulations, keep up with the latest threat vulnerabilities, staff a full response team in case something happens, etc?

Not trying to be rude, but it's obviously not simple.

What's crazy about your answer is that we had a whole host of "Bitcoin for your data" hacks that were only made possible by setups you're describing.

>By far the hardest thing about that project was the complexity of the medical codes-

Yes, this is also complex. But a totally different problem in a totally different space.


> secure sensitive information in a database, secure your hosting, maintain security updates to those hosts, undergo audits, keep up with changing regulations, keep up with the latest threat vulnerabilities, staff a full response team in case something happens

To be fair, of the things you've described, if you can swing it, you should be doing most of this regardless for a business setup. Specific to HIPAA would be the auditing and 'changing regulations' (and depending on client needs, you'll likely have other audits for business needs).

I'm going through a gap analysis for HIPAA now; would you mind sharing what impactful changing regulations you've seen in the past 5 years?


> To be fair of the things you've described, if you can swing it, you should be doing most of this regardless for a business setup

Not sure how to respond to this. Are you saying I should go out and hire 2-3 people to set up a ton of infrastructure and maintain it for me instead of relying on the professionals at Azure (who specialize in this), where it's done automatically at a fraction of the cost? We went through 5 years of "bitcoin for your data" fraud in exactly the situation you're describing.

I don't need to hire anybody as of now. None.

> I'm going through a gap analysis for HIPAA now; would you mind sharing what impactful changing regulations you've seen in the past 5 years?

This is my point. I don't know and don't care. I don't have to worry about it at all. I don't have to worry about updating the handful of apps and servers that connect to all the different integrations we use because this field is siloed into a 1,000,000 little pieces. I don't have to worry about PHI getting leaked out of some server I forgot to update somewhere or misconfigured because I made a mistake while installing it or setting it up the first time. That stuff is all handled through Azure's existing cloud infrastructure. It's literally tailored to healthcare solutions. No single person (or 2 or 3 or even 4) full time people could come close to what they offer at the cost.


I don't think I was communicating my first point effectively; I didn't mean to reference you personally or the approach taken (VPS or cloud). If there is a business who needs HIPAA, then most likely, the business should be doing all of those original points because doing them is better (more effective, better security, etc.) than not doing them. I'm trying to say that extending to HIPAA could potentially be 'simple' if there is a business already doing most of this.

I understand that you're using Azure's existing infrastructure to handle your logistical technical management, but I was here asking if you had to make any changes to keep abreast of changing regulations. There seems to be practical business decisions that need to be made that HIPAA impacts, such as what data constitutes PHI (has that changed? Maybe you had to go back and change what data you were keeping because of the above regulation changes- I don't know if that could be the case, that's why I'm asking, I'm not aware of what I don't know). If Azure is somehow keeping track of all "changing regulations" for you (including business needs) and you've never had to worry about it, that's good to know. I would still be interested in any specific details if you're aware of it.


Sorry, totally misinterpreted that.

> but I was here asking if you had to make any changes to keep abreast of changing regulations.

No, we haven't. Not yet.

> If Azure is somehow keeping track of all "changing regulations" for you (including business needs) and you've never had to worry about it, that's good to know. I would still be interested in any specific details if you're aware of it.

I get your question now. So, when I was referring to Microsoft and HIPAA it was primarily around this side of things: https://learn.microsoft.com/en-us/azure/compliance/offerings...

You do bring up a good point and I shouldn't have implied otherwise that it can handle everything for you. So yes, there is a ton of other stuff that isn't magically handled for you, such as identifying PHI and stuff. That being said, they have a whole suite of analytical and machine learning tools that will help you do this.

But since you mentioned policy changes, https://www.cms.gov/priorities/key-initiatives/burden-reduct... this is big and will have wide-reaching consequences and things like the ability to export patient data isn't necessarily baked into Azure.

BUT, they do have this healthcare platform they're building like this stuff https://learn.microsoft.com/en-us/dynamics365/industry/healt... that I would imagine would provide a bit more coverage on those types of changes than something you're building yourself.

Here's a deidentification service that can be integrated: https://learn.microsoft.com/en-us/azure/healthcare-apis/deid...


Awesome, I really appreciate your time and the references. Thank you!

No problem at all. It's such a fascinating and cool field to build software in.

Someone else above had mentioned the complexity of medical coding and I don't know what you do or what you're working on but that's another really interesting part of the puzzle. And starts to get into why it's so hard for one system to communicate with each other in healthcare.


There was a business person in charge of keeping up with any regulatory changes. The regulations at the time were pretty stable, and I can’t think of a single change order that came from it.

The most important things to consider (IIRC) were ensuring that the data was encrypted at rest and in flight, and that access to the data was audit logged and properly authorized.

We had an audit every so often. None of this was hard. Just tedious. It does help to have a HIPAA expert advise.

I don’t think public cloud vs self hosting makes a massive difference. Of all the problems such a project faces, that is not close to the top one.

Keeping machines patched and up to date is also not terribly hard.

Anyway, I’m not saying you’re totally wrong. Our project may have had more hidden risk than I realize. But it’s my opinion based on that experience.
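The two design points that come up in this thread, "TLS everywhere and encrypting the sensitive fields in the DB" in the first comment and "encrypted at rest and in flight, and that access to the data was audit logged and properly authorized" in the comment above, are easy to state and easy to get subtly wrong. The following is an added example, not code from anyone in the thread: field-level AES-256-GCM encryption for PHI columns where the record ID and column name are bound as associated data (so a ciphertext copied into another row or column will not decrypt), with a single read path that checks authorization before the key is touched and appends every attempt, allowed or denied, to an audit log. The `allow` callback, the "record/column" storage layout, the all-zero demo key and the patient sample are all assumptions made for the example; a real deployment gets the key from a KMS/HSM and its authorization decisions from the application's roles and care relationships.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"time"
)

// AuditEntry is one access-log record; denied and failed reads are logged too.
type AuditEntry struct {
	When                        time.Time
	Principal, RecordID, Column string
	Allowed                     bool
	Reason                      string
}

// PHIStore keeps sensitive columns encrypted under one AES-256-GCM key (assumed to come
// from a KMS/HSM, never stored with the data), keyed by "record/column", behind a
// hypothetical authorization callback, and records every read attempt in Audit.
type PHIStore struct {
	aead  cipher.AEAD
	rows  map[string]string
	allow func(principal, recordID string) bool
	Audit []AuditEntry
}

func NewPHIStore(key []byte, allow func(principal, recordID string) bool) (*PHIStore, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &PHIStore{aead: aead, rows: map[string]string{}, allow: allow}, nil
}

// aad binds a ciphertext to its row and column so it cannot be copied elsewhere.
func aad(recordID, column string) []byte { return []byte(recordID + "\x00" + column) }

// Seal encrypts one value with a fresh random nonce; output is base64(nonce || ciphertext || tag).
func (s *PHIStore) Seal(recordID, column string, plaintext []byte) (string, error) {
	nonce := make([]byte, s.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(s.aead.Seal(nonce, nonce, plaintext, aad(recordID, column))), nil
}

// Open fails if the value was altered or belongs to a different row or column.
func (s *PHIStore) Open(recordID, column, encoded string) ([]byte, error) {
	raw, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return nil, err
	}
	if n := s.aead.NonceSize(); len(raw) >= n {
		return s.aead.Open(nil, raw[:n], raw[n:], aad(recordID, column))
	}
	return nil, fmt.Errorf("ciphertext too short")
}

func (s *PHIStore) Put(recordID, column string, plaintext []byte) error {
	ct, err := s.Seal(recordID, column, plaintext)
	if err == nil {
		s.rows[recordID+"/"+column] = ct
	}
	return err
}

// Read is the only decrypting path: authorization runs before the key is touched,
// and every attempt is appended to the audit log on the way out.
func (s *PHIStore) Read(principal, recordID, column string) ([]byte, error) {
	e := AuditEntry{When: time.Now().UTC(), Principal: principal, RecordID: recordID, Column: column}
	defer func() { s.Audit = append(s.Audit, e) }()
	if !s.allow(principal, recordID) {
		e.Reason = "not authorized"
		return nil, fmt.Errorf("access denied")
	}
	pt, err := s.Open(recordID, column, s.rows[recordID+"/"+column])
	if err != nil {
		e.Reason = "decrypt failed: " + err.Error() // missing or tampered value
		return nil, err
	}
	e.Allowed, e.Reason = true, "ok"
	return pt, nil
}

func main() {
	// Constructed demo: all-zero key (real keys come from the KMS) and a toy policy.
	store, err := NewPHIStore(make([]byte, 32), func(p, _ string) bool { return p == "dr.smith" })
	if err != nil {
		panic(err)
	}
	_ = store.Put("patient-1", "diagnosis", []byte("J45.909")) // constructed sample PHI
	pt, _ := store.Read("dr.smith", "patient-1", "diagnosis")
	_, denied := store.Read("billing-bot", "patient-1", "diagnosis")
	fmt.Println(string(pt), denied, store.Audit)
}
```

The audit log is only as useful as the guarantee that no other code path can decrypt, which is why `Read` is the one place the AEAD is opened for a caller and why the denied branch returns before any cryptography runs. Binding the row and column into the associated data is what turns "encrypt the sensitive fields" into something that survives a database-level attacker who can rearrange ciphertexts but not read them; TLS on the wire and a key kept outside the database are the other two halves the thread mentions.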


> I don’t think public cloud vs self hosting makes a massive difference.

Right now, I'm the CTO of a medium-sized healthcare company. We're building our own EMR to replace the one we're currently using ON TOP of building out some line-of-business integrations that can help modernize other parts of our office.

Part of that is grabbing data from an FTP EDT source from an HIE, storing that, processing it and then reporting. Our EMR has a bulk data download that we roll through each night, processing data, building reports, etc. These integrations also tie into existing apps we use like Microsoft Teams, Microsoft Forms, Power BI, etc.

With the EMR we're building, I was able to pull on some help early on, set up all environments in Azure (dev, test, prod), all databases, background services (which we use A TON), blob storage, certificates, etc. I can count on one hand the number of times I've had to touch it since.

Prior to me coming on, all our data was stored on a server we hosted ourselves. It was a simple shared drive that constantly needed to be patched and updated. Went down ALL the time. And became a nightmare to manage on top of the 20 other pieces of technology we needed to use to get by. You know what I did? Copied the entire share to OneDrive and shut down the server and I was done. Never had to think about it again. And it's versioned. That's another benefit of cloud infrastructure.

I'm a single dev at a healthcare company that has dozens of things going on all because I can rely on Azure's cloud infrastructure.

And that's not even counting the additional healthcare services they offer like FHIR servers, deidentification services, pulling out SNOMED, med, and diagnosis codes from histories and physicals, etc.

I couldn't come close to this if I was tasked to do it myself. And the problem is that healthcare changes constantly. So you need to be able to be nimble and fast. Being able to offload those sorts of challenges has been super helpful in that regard.

It's not a silver bullet. My biggest issues NOW are people related. Links in emails are hands down the biggest attack vector I have to worry about (for better or for worse).

As far as the coding complexity goes, while a totally different animal, it's another huge challenge as you mentioned. And it's not just "how do I translate this to a billing code"; it's being able to make sense of unstructured clinical documentation, being able to report on it and analyze it, and most importantly share it. An encounter with a patient could potentially have to collect upwards of 2000 data points that are changing based on the patient, the diagnoses, or what's happening in the world (Covid for instance). It's an insanely challenging problem which it sounds like you have experience with.


Yeah. The unstructured data is a massive PITA.

I’m not opposed to the cloud. I run my current (non-HIPAA) project on Render, and it is really convenient. But, I also run a number of things on VPSs, and they aren’t difficult at all other than the up-front friction. They have been rock solid for us. I think it’s mostly a function of how simple we keep our setup. The cloud is certainly more convenient when managing a big team with lots of dynamic allocations of resources. But, VPSs (which some consider to be the cloud), and physical servers get more shade than I think they deserve.

You can go really far as a business on a single physical server and with a second backup server. With a bit of care, deployments can be simple and reliable, too.


> I’m not opposed to the cloud. I run my current (non-HIPAA) project on Render, and it is really convenient. But, I also run a number of things on VPSs, and they aren’t difficult at all other than the up-front friction. They have been rock solid for us. I think it’s mostly a function of how simple we keep our setup. The cloud is certainly more convenient when managing a big team with lots of dynamic allocations of resources. But, VPSs (which some consider to be the cloud), and physical servers get more shade than I think they deserve.

I need to remember most people aren't as bad as I am on the infra side of things.

> You can go really far as a business on a single physical server and with a second backup server. With a bit of care, deployments can be simple and reliable, too.

You're right. A lot of what pushed me towards the cloud was that I wasn't building a single app. It was a collection of small, line of business type of stuff + an in progress EMR + a ton of Office 365 integration so it always made sense to go straight for Azure. As well as just not having the experience it sounds like you do.
