Hacker News new | ask | show | jobs
by wadadadad 649 days ago
> secure sensitive information in a database, secure your hosting, maintain security updates to those hosts, undergo audits, keep up with changing regulations, keep up with the latest threat vulnerabilities, staff a full response team in case something happens

To be fair of the things you've described, if you can swing it, you should be doing most of this regardless for a business setup. Specific to HIPAA would be the auditing and 'changing regulations' (and depending on client needs, you'll likely have other audits for business needs).

I'm going through a gap analysis for HIPAA now; would you mind sharing what impactful changing regulations you've seen in the past 5 years?
1 comments
mexicocitinluez 649 days ago
> To be fair of the things you've described, if you can swing it, you should be doing most of this regardless for a business setup

Not sure how to respond to this. Are you saying I should go out and hire 2-3 people to set up a ton of infrastructure and maintain it for me instead of relying on the professionals at Azure (who specialize in this) and it's done automatically at a fraction of the cost? We went through 5 years of "bitcoin for your data" fraud in exactly the situation your describing.

I don't need to hire anybody as of now. None.

> I'm going through a gap analysis for HIPAA now; would you mind sharing what impactful changing regulations you've seen in the past 5 years?

This is my point. I don't know and don't care. I don't have to worry about it at all. I don't have to worry about updating the handful of apps and servers that connect to all the different integrations we use because this field is siloed into a 1,000,000 little pieces. I don't have to worry about PHI getting leaked out of some server I forgot to update somewhere or misconfigured because I made a mistake while installing it or setting it up the first time. That stuff is all handled through Azure's existing cloud infrastructure. It's literally tailored to healthcare solutions. No single person (or 2 or 3 or even 4) full time people could come close to what they offer at the cost.

link
wadadadad 649 days ago
I don't think I was communicating my first point effectively; I didn't mean to reference you personally or to the approach taken (VPS or cloud). If there is a business who needs HIPAA, then most likely, the business should be doing all of those original points because doing them is better (more effective, better security, etc.) than not doing them. I'm trying to say than extending to HIPAA could potentially be 'simple' if there is a business already doing most of this.

I understand that you're using Azure's existing infrastructure to handle your logistical technical management, but I was here asking if you had to make any changes to keep abreast of changing regulations. There seems to be practical business decisions that need to be made that HIPAA impacts, such as what data constitutes PHI (has that changed? Maybe you had to go back and change what data you were keeping because of the above regulation changes- I don't know if that could be the case, that's why I'm asking, I'm not aware of what I don't know). If Azure is somehow keeping track of all "changing regulations" for you (including business needs) and you've never had to worry about it, that's good to know. I would still be interested in any specific details if you're aware of it.

link
mexicocitinluez 649 days ago
Sorry, totally misinterpreted that.

> but I was here asking if you had to make any changes to keep abreast of changing regulations.

No, we haven't. Not yet.

> If Azure is somehow keeping track of all "changing regulations" for you (including business needs) and you've never had to worry about it, that's good to know. I would still be interested in any specific details if you're aware of it.

I get your question know. So, when I was referring to Microsoft and HIPAA it was primarily around this side of things: https://learn.microsoft.com/en-us/azure/compliance/offerings...

You do bring up a good point and I shouldn't have implied otherwise that it can handle everything for you. So yes, there is a ton of other stuff that isn't magically handled by you such as identifying PHI and stuff. That being said, they have a whole suite of analytical and machine learning tools that will help you do this.

But since you mentioned policy changes, https://www.cms.gov/priorities/key-initiatives/burden-reduct... this is big and will have wide-reaching consequences and things like the ability to export patient data isn't necessarily baked into Azure.

BUT, they do have this healthcare platform they're building like this stuff https://learn.microsoft.com/en-us/dynamics365/industry/healt... that I would imagine would provide a bit more coverage on those types of changes than something you're building yourself.

Here's a deidentification service that can be integrated: https://learn.microsoft.com/en-us/azure/healthcare-apis/deid...

link
wadadadad 649 days ago
Awesome, I really appreciate your time and the references. Thank you!
link
mexicocitinluez 649 days ago
No problem at all. It's such a fascinating and cool field to build software in.

Someone else above had mentioned the complexity of medical coding and I don't know what you do or what you're working on but that's another really interesting part of the puzzle. And starts to get into why it's so hard for one system to communicate with each other in healthcare.

link