I'm the technical co-founder of a startup[0] that stores patient data, and I know a couple of people who are working on what they call "Heroku for HIPAA-compliant applications" (slightly different from what TrueVault is, though it serves a similar consumer base)[1].
When I first heard about this and started building our application, I was surprised nobody has tackled this space before. Building HIPAA-compliant applications on AWS is a lot easier[2] than most people think, but it's a huge pain.
More importantly, it's the same huge pain for almost everyone who goes through the process, and in a way that's rather easy to "factor out".
In that regard, it's not that different from HR or payroll services, which startups almost never do in-house (once they are larger than a few employees, and until they get to be fairly large).
It looks like we're a bit beyond the stage where TrueVault would make sense for us, but I'm glad that this space is starting to attract attention. Technical founders should spend their limited time on building amazing technology and amazing products, not duplicating the same compliance work that everyone else has had to go through.
[1] The company is Aptible: https://www.aptible.com/ (We aren't customers of these folks, though we like their product)
[2] None of it would be too technically difficult for most of the people reading HN - it's more the diligence of checking boxes, writing up policy docs, etc. It's important to do it right, but it's generally a matter of time (and money) more than anything else.
It's great that you guys are tackling it, and that it was untapped. But, I also think that no one delved to much in that space for a reason (HIPPAA has been around for a long time), which might be that if you screw up you're in really hot water. Most people and investors tend to stay away from things that lend themselves to potentially big lawsuits. Don't get me wrong, if another company is making it their full-time responsibility to provide a service and shoulder most of the liability I can see the value and I'm all for it, because it means I'm reducing my exposure.
We are using TrueVault for Immunity Project. We have some bias since TrueVault is in our YC batch, but Jason and Trey worked 24/7 to help us with our HIPAA compliance needs. They used their API to build a custom portal for us to securely communicate patient data over a weekend. We highly recommend them.
The TrueVault team is awesome and they have a killer API. If you're building anything that touches patient health info, you should talk to them about HIPAA security.
having gone through many hipaa audits/reviews both as customer and as vendor, in my experience when contracts are being signed/renewed it is much more about the people and processes involved.
never had any customer ask specifics about encryption algorithms, apis, dev stack, tooling, or key managment. ("do you encrypt data at rest?" "ok, check.") i wish they would. we spend a lot of time and effort on those decisions.
had lots of requests about hr policies and procedures, ongoing perimeter scanning and network intrusion detection, data loss prevention, patching process, hids, data destruction logs, physical security, breach notification plans, disaster recovery SOPs, and other stuff you would find in various NIST and FISMA specs.
but maybe that's how it should be...smart, experienced people will more often than not make good decisions and use the right tools for the job (whether easy or hard) and be vigilant and introspective. give inexperienced folks the best/easiest tools in the world that dont require them to understand the details underneath, and they can find clever ways to create huge gaping holes. and if they are looking for the easiest path, they are probably not well equipped to handle all the unknown unknowns that invariably pop up (usually friday late afternoon!)
honestly, i prefer to know my stack(s) intimately from the kernel sources up, and know how to evaluate and react to potential problems at all layers, than simply outsource all responsibility for these issues to someone. (ok I outsource some pieces, but only when it makes the solution better, not just easier.) ymmv.
also, fwiw, never had a breach from outside ... but had numerous incidents of employees who have lost or stolen laptops which just happened to have a sql dump of "test data". human error/laziness gets you every time.
still, good to see options evolving in the market! the more educated buyers become, the better questions they will ask! and the more rigorous vendors will get...we hope :)
Searchable encrypted records seems like a contradiction. Normally I'd expect that the fields you can search on are not encrypted (at least not in the search index), and given the obvious conscientiousness of TrueVault I'd expect to see that mentioned in the docs if it were so, but I don't.
No clue how it actually works, but just as a software engineer I can think of plenty of ways to do it. So base case you have is just the equivalent of a table scan - go through each row and decrypt it and check if it matches. But then after that you can do a lot to speed it up. Like you could keep an accessed timestamp on the records and then search most recent ones first so after the first search for a patient on a day they have an appointment everything else will be fast that day. Lots of other speed ups possible, like checking who is searching and checking only their patients first, which may be possible to store as an unencrypted relationship that tells you which encrypted records to check.
Or heck, if you have enough memory, keep your indexes in memory where they aren't required to be encrypted. Or if you don't have enough then cache according to some algorithm that works good for the use cases.
Good luck guys! At Spreedly we have the same type of approach for FinTech startups by removing all the PCI compliance headaches. Perhaps one day there'll be a fit to work together. I imagine startups will love you if you pull this off!
When I first heard about this and started building our application, I was surprised nobody has tackled this space before. Building HIPAA-compliant applications on AWS is a lot easier[2] than most people think, but it's a huge pain.
More importantly, it's the same huge pain for almost everyone who goes through the process, and in a way that's rather easy to "factor out".
In that regard, it's not that different from HR or payroll services, which startups almost never do in-house (once they are larger than a few employees, and until they get to be fairly large).
It looks like we're a bit beyond the stage where TrueVault would make sense for us, but I'm glad that this space is starting to attract attention. Technical founders should spend their limited time on building amazing technology and amazing products, not duplicating the same compliance work that everyone else has had to go through.
[0] https://www.boardrounds.com/
[1] The company is Aptible: https://www.aptible.com/ (We aren't customers of these folks, though we like their product)
[2] None of it would be too technically difficult for most of the people reading HN - it's more the diligence of checking boxes, writing up policy docs, etc. It's important to do it right, but it's generally a matter of time (and money) more than anything else.