[kgosser]

Speaking from a HIPAA point of view, the amount of complexity you must manage to build your own compliant environment on AWS is extremely high. HIPAA's controls account for block level encryption, managing your logs a certain way, and many many more things.

Furthermore, compliance is more than just doing the right thing. It's proving that you are compliant. There is immeasurable value with selecting a vendor who is audited to be HIPAA Compliant or HITRUST Certified because then the risk is offloaded to someone with credibility in the marketplace via a Business Associate Agreement. If you wanted to build your own HIPAA compliant stack on AWS, and you want to be taken as credible when trying to sell to a CIO at a hospital, then you will need to go through the procedure of becoming HITRUST Certified as well.

Otherwise you will just be nibbling at the edges and taking on all the risk while hampering your business model.

[llama052]

Aren't you still building your own compliant environment on the application side with a heroku like model?

I'm pretty sure AWS has a package for HIPAA compliance that will checkmark most of the required fields outside of the application, and general settings fields. Most of the problems will come from the Application architecture. You can have a prebuilt envorionment for everything but if you're code is garbage then good luck.

Not sure how hosting in AWS is any different from hosting on Heroku, considering you're ultimately still responsible for the Application side. Does Heroku manages your logs in someway that AWS cannot?

Even with an agreement with a merchant, aren't you still responsible for your application code? Isn't that still subject to HIPAA requirements?

Also AWS is HIPAA compliant and they will do a Business Associate Agreement, and has been HITRUST certified iirc.

[markolschesky]

"I'm pretty sure AWS has a package for HIPAA compliance that will checkmark most of the required fields outside of the application."

Not quite, in fact, the first thing you need to do to meet a BAA with many cloud vendors is terminate SSL locally. This means no using things like ELBs. What about if you need a VPN? How do you guarantee that traffic is still encrypted (let's say TCP) once it hits the VPC VPN to your application server. These are very real healthcare compliance scenarios which you would need to figure out a solution for on the infrastructure side which you would need to build buy. I'm sure there are similar things that need to be handled WRT PCI.

Application security is important (of course). I used to work on application security with hospital organizations at an EHR vendor, so even though we sell infrastructure I can help customers out when it comes to this topic. The reason why there isn't really an "Application Security checkbox" is because the question? "What is the correct amount of access to patient data" is a hard one. Prestigious healthcare organizations all the way down to startups struggle with it, so it's usually a more involved process.

[chasb]

No, kgosser is correct. AWS offers "HIPAA-eligible services". Batteries not included.

Being able to demonstrate HIPAA compliance is different. You need to be able to:

1) Prove that a wide range of controls are in place and operating effectively, many of which are administrative (risk assessments, policy controls, workforce training, manual config reviews, access control reviews, etc.)

2) Keep all of your documentation current, even as your code and architecture changes.

If you DIY on AWS, you accept all of the risk for everything from the hypervisor up. Not just the risk of adversarial breach, but misconfiguration, inappropriate configuration, patching, etc.

[kgosser]

You are correct in understanding there is a bifurcation between the infrastructure and application levels. You, as the software developer, will be largely responsible for the application-level security and privacy. The infrastructure obligations are extremely complex and go much deeper than you might imagine upon first blush.

For the ease of math, let's say at the infrastructure level it takes "10" things be HIPAA compliant. An IaaS vendor like AWS will do about 1/10th of it, and do it very well. Mostly the firewall and physical safeguards. They do sign a BAA and claim to be HIPAA Compliant, but you need to keep in mind that it's only for a fraction of what you're ultimately responsible for. The other 9/10ths is nontrivial. It includes things like encryption, monitoring, vulnerability scanning, breach policies, how you handle your logs. Lots of things.

The difference between hosting on AWS vs. hosting on Heroku will be how many of those 9/10ths Heroku will automate for you, and then—here's the kicker—that they agree to in their Business Association Agreement with you. Even if they do the other 9/10ths, if they won't sign a BAA with you, then you're still at risk.

In essence AWS is an IaaS vendor who will sign a BAA that does a few compliant things, but you still have a long long journey ahead of you. You could build your own, certainly, on either AWS or Heroku. You could also look for a HIPAA Compliant Platform as a Service (PaaS) who automates the other 9/10ths and then signs a BAA for those things. The company I work for, Catalyze, is just that. We basically are the other 9/10ths on top of AWS, sign a BAA for it, and stand behind you with a HITRUST Certification.

The guide we wrote up on HIPAA Compliance might be of use to you: https://catalyze.io/hipaa-compliance. Also, our Academy entries might be helpful to understand the complexities: https://catalyze.io/learn.

For some super nerdy technical explanations, take a look at how Catalyze approaches the other "9/10ths" here: https://hipaa.catalyze.io