Heroku HIPAA compliance

Posted on 2024-10-04 16:05:34

Is it possible to run apps on Heroku that are HIPAA compliant? More specifically, I need two apps, one that stores member information and another that stores private health information of the members. I intend to encrypt sensitive data using both asymmetric and symmetric key encryption–asymmetric for the keys that link members with their sensitive data on the other app, and symmetric for specific fields in the members app, such as name, email address and phone. My main concern is that anyone at Heroku can break the asymmetric encryption, since they have access to both apps (and private keys). Am I correct to be concerned about this, or does the infrastructure of Amazon EC2 prevent Heroku staff from accessing both apps?

Comments (4)

琴流音 2024-10-11 16:05:34

Amazon has a whitepaper on HIPAA compliance with AWS (just google AWS Hipaa compliance) where they talk about their HIPAA bona fides. For example, AWS sysadmins don't have direct login access to customer OS images.

To the best of my knowledge, Heroku has not shared details of how they secure their individual customer accounts.

情域 2024-10-11 16:05:34

HIPAA compliance involves a number of different areas, including more than just technology. Specifically regarding the technology requirements within HIPAA, there are a bunch of requirements, but the one that you most obviously can't meet with Heroku is this one:

164.314 Organizational requirements. (B) (B) In accordance with 164.308(b)(2), ensure that any subcontractors that create, receive, maintain, or transmit electronic protected health information on behalf of the business associate agree to comply with the applicable requirements of this subpart by entering into a contract or other arrangement that complies with this section;

You need a BAA from Heroku. HIPAA doesn't distinguish between encrypted and unencrypted data when it defines subcontractors and business associates. For a good sense of all that is required of HIPAA, here's a comprehensive list - https://catalyze.io/hipaa/. Hope that helps.

你在看孤独的风景 2024-10-11 16:05:34

Heroku has told me they will not sign Business Associate Agreements at the moment, so if you store any PHI on the server it is not possible to be HIPAA compliant.

薄情伤 2024-10-11 16:05:34

Heroku has announced their Shield accounts that will provide HIPAA compliance.

From the link

 The Shield Private Dyno includes an encrypted ephemeral file system
 and restricts SSL termination from using TLS 1.0 which is considered 
 vulnerable. Shield Private Postgres further guarantees that data is 
 always encrypted in transit and at rest. Heroku also captures a high 
 volume of security monitoring events for Shield dynos and databases 
 which helps meet regulatory requirements without imposing any extra 
 burden on developers.

That may or may not obviate the need for BAAs, MOUs, etc.
