Heroku HIPAA Compliance
Is it possible to run apps on Heroku that are HIPAA compliant? More specifically, I need two apps, one that stores member information and another that stores private health information of the members. I intend to encrypt sensitive data using both asymmetric and symmetric key encryption–asymmetric for the keys that link members with their sensitive data on the other app, and symmetric for specific fields in the members app, such as name, email address and phone. My main concern is that anyone at Heroku can break the asymmetric encryption, since they have access to both apps (and private keys). Am I correct to be concerned about this, or does the infrastructure of Amazon EC2 prevent Heroku staff from accessing both apps?

Skyler answered 29/11, 2010 at 22:45
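The two-layer design the question describes, as an added Ruby example (not code from the question, from Heroku or from any answer): AES-256-GCM for member fields, RSA-OAEP for the member-to-PHI link, and an `operator_view` function that makes the question's concern concrete, since anyone holding both apps' configuration (the field key and the PHI app's private key) recovers everything. The member name, link id and PHI record are constructed sample values.

```ruby
require 'openssl'
require 'securerandom'

AEAD = 'aes-256-gcm'

# Symmetric encryption of one member field (name, email, phone) under the
# members app's key; GCM adds an auth tag, so a silently altered row is detected.
def encrypt_field(key, plaintext)
  cipher = OpenSSL::Cipher.new(AEAD).encrypt
  cipher.key = key
  iv = cipher.random_iv
  data = cipher.update(plaintext) + cipher.final
  { iv: iv, tag: cipher.auth_tag, data: data }
end

def decrypt_field(key, blob)
  cipher = OpenSSL::Cipher.new(AEAD).decrypt
  cipher.key = key
  cipher.iv = blob[:iv]
  cipher.auth_tag = blob[:tag]
  cipher.update(blob[:data]) + cipher.final   # raises CipherError on tampering
end

# Asymmetric wrapping (RSA-OAEP) of the identifier that links a member to the
# PHI record held by the second app; unwrapping needs that app's private key.
def wrap_link(public_key, link_id)
  public_key.public_encrypt(link_id, OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING)
end

def unwrap_link(private_key, wrapped)
  private_key.private_decrypt(wrapped, OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING)
end

# What an operator who can read both apps' configuration (field key plus the
# PHI app's private key) recovers: the question's concern, stated as code.
def operator_view(field_key, private_key, member_row, phi_table)
  link = unwrap_link(private_key, member_row[:wrapped_link])
  { name: decrypt_field(field_key, member_row[:name]), phi: phi_table[link] }
end

# Constructed sample: one member row and one PHI record (no real data).
def demo
  field_key = OpenSSL::Cipher.new(AEAD).random_key  # members app config var
  rsa = OpenSSL::PKey::RSA.new(2048)                # PHI app holds the private half
  link = SecureRandom.hex(8)
  member_row = { name: encrypt_field(field_key, 'Alice Example'),
                 wrapped_link: wrap_link(rsa.public_key, link) }
  phi_table = { link => 'constructed sample: allergy list' }
  operator_view(field_key, rsa, member_row, phi_table)
end
```

Calling `demo` returns the member's plaintext name together with the PHI record, which is exactly what application-layer encryption cannot prevent when the host holds the keys.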
Amazon has a whitepaper on HIPAA compliance with AWS (just google AWS HIPAA compliance) where they talk about their HIPAA bona fides. For example, AWS sysadmins don't have direct login access to customer OS images.

To the best of my knowledge, Heroku has not shared details of how they secure their individual customer accounts.

Lippold answered 29/11, 2010 at 23:7

I have the white-paper and I already sent Heroku the same question. No response yet. Thanks though. – Skyler

I finally heard back from Heroku. They say employees have access to data but are not allowed to access it without the consent of the owner. They also say it is a fireable offense for an employee to do so without consent. – Skyler

I wrote to Heroku about HIPAA, they said that they currently do not sign BAAs. "We hope to get to a place where we can sign those agreements and offer a HIPAA-compliant product, but we're not there yet and don't have an ETA" (however, I'm not sure if this conclusively means that Heroku can't be part of a HIPAA-compliant system, but it probably does). – Pavier
HIPAA compliance involves a number of different areas, including more than just technology. Specifically regarding the technology requirements within HIPAA, there are a bunch of requirements, but the one that you most obviously can't meet with Heroku is this one:

 164.314 Organizational requirements. (B) In accordance with 164.308(b)(2), ensure that any subcontractors that create, receive, maintain, or transmit electronic protected health information on behalf of the business associate agree to comply with the applicable requirements of this subpart by entering into a contract or other arrangement that complies with this section;

You need a BAA from Heroku. HIPAA doesn't distinguish between encrypted and unencrypted data when it defines subcontractors and business associates. For a good sense of all that is required of HIPAA, here's a comprehensive list - https://catalyze.io/hipaa/. Hope that helps.

Concise answered 6/6, 2014 at 21:1

Heroku has told me they will not sign Business Associate Agreements at the moment, so if you store any PHI on the server it is not possible to be HIPAA compliant.

Laguna answered 3/4, 2014 at 20:29

If you store PHI on which server? The Heroku Postgres server? – Pavier

Yes, on the PG server. You could store the PHI on AWS S3 as they would sign a BAA; however, your data would still be routing through Heroku. Better to just set the server on AWS EC2 directly (Amazon signs BAAs now). – Laguna

Heroku has announced their Shield accounts that will provide HIPAA compliance.

From the link:

 The Shield Private Dyno includes an encrypted ephemeral file system
 and restricts SSL termination from using TLS 1.0 which is considered 
 vulnerable. Shield Private Postgres further guarantees that data is 
 always encrypted in transit and at rest. Heroku also captures a high 
 volume of security monitoring events for Shield dynos and databases 
 which helps meet regulatory requirements without imposing any extra 
 burden on developers.

That may or may not obviate the need for BAAs, MOUs, etc.

Xerography answered 18/1, 2018 at 20:39