Heroku HIPAA Compliance
Is it possible to run apps on Heroku that are HIPAA compliant? More specifically, I need two apps, one that stores member information and another that stores private health information of the members. I intend to encrypt sensitive data using both asymmetric and symmetric key encryption–asymmetric for the keys that link members with their sensitive data on the other app, and symmetric for specific fields in the members app, such as name, email address and phone. My main concern is that anyone at Heroku can break the asymmetric encryption, since they have access to both apps (and private keys). Am I correct to be concerned about this, or does the infrastructure of Amazon EC2 prevent Heroku staff from accessing both apps?
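As an added illustration of the scheme described in the question (this is example code, not anything from the questioner or from Heroku), the block below implements the two layers in Go's standard library: AES-256-GCM for individual member fields, with the member ID bound in as authenticated data, and RSA-OAEP to wrap the token that links a member row to its PHI row in the second app. The `recoverAll` function makes the questioner's concern concrete: whoever holds both the field key and the RSA private key reads everything, so the design only excludes the hosting platform's staff if those keys never live on that platform. All names, the sample member ID, e-mail and link token are constructed for the demo.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// Constructed sample values for the demo; not real member or health records.
const (
	sampleMemberID = "member:42"         // row identifier in the members app
	sampleEmail    = "alice@example.com" // a field the question encrypts symmetrically
	sampleLink     = "phi-row-7a1f"      // token pointing at the PHI row in the other app
)

// encryptField seals one PII field with AES-256-GCM. The member ID is passed as
// additional authenticated data, so a ciphertext copied onto another member's
// row fails its authentication tag instead of decrypting.
func encryptField(key []byte, plaintext, memberID string) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Stored layout: nonce || ciphertext || tag.
	return gcm.Seal(nonce, nonce, []byte(plaintext), []byte(memberID)), nil
}

// decryptField reverses encryptField and fails closed on tampering or on a
// mismatched member ID.
func decryptField(key, sealed []byte, memberID string) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	if len(sealed) < gcm.NonceSize() {
		return "", errors.New("sealed value too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	pt, err := gcm.Open(nil, nonce, ct, []byte(memberID))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// wrapLink encrypts the member-to-PHI link token to an RSA public key
// (OAEP, SHA-256). The members app needs only the public key to write links.
func wrapLink(pub *rsa.PublicKey, link []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, link, []byte("member-link"))
}

// unwrapLink recovers the token; only the holder of the private key can do this.
func unwrapLink(priv *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, []byte("member-link"))
}

// recoverAll models the concern in the question: a party holding BOTH the field
// key and the RSA private key reads every protected value. Key custody, not the
// choice of algorithm, decides whether the platform operator is excluded.
func recoverAll(fieldKey []byte, priv *rsa.PrivateKey, sealedEmail, wrappedLink []byte) (string, string, error) {
	email, err := decryptField(fieldKey, sealedEmail, sampleMemberID)
	if err != nil {
		return "", "", err
	}
	link, err := unwrapLink(priv, wrappedLink)
	if err != nil {
		return "", "", err
	}
	return email, string(link), nil
}

func main() {
	fieldKey := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, fieldKey); err != nil {
		panic(err)
	}
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	sealed, _ := encryptField(fieldKey, sampleEmail, sampleMemberID)
	wrapped, _ := wrapLink(&priv.PublicKey, []byte(sampleLink))
	fmt.Println(recoverAll(fieldKey, priv, sealed, wrapped))
}
```

Run it with `go run .`; the printed line shows the e-mail and link token recovered by a party that holds both keys. Binding the member ID as AEAD data is what stops a sealed field from being transplanted between rows, and a second, unrelated private key cannot unwrap the link token, which is the separation the questioner is relying on.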
Comments (4)
Amazon has a whitepaper on HIPAA compliance with AWS (just google AWS Hipaa compliance) where they talk about their HIPAA bona fides. For example, AWS sysadmins don't have direct login access to customer OS images.
To the best of my knowledge, Heroku has not shared details of how they secure their individual customer accounts.
HIPAA compliance involves a number of different areas, including more than just technology. Specifically regarding the technology requirements within HIPAA, there are a bunch of requirements, but the one that you most obviously can't meet with Heroku is this one:
You need a BAA from Heroku. HIPAA doesn't distinguish between encrypted and unencrypted data when it defines subcontractors and business associates. For a good sense of all that is required of HIPAA, here's a comprehensive list - https://catalyze.io/hipaa/. Hope that helps.
Heroku has told me they will not sign Business Associate Agreements at the moment, so if you store any PHI on the server it is not possible to be HIPAA compliant.
Heroku has announced their Shield accounts that will provide HIPAA compliance.
From the link
That may or may not obviate the need for BAAs, MOUs, etc.