Menu
Is it possible to run apps on Heroku that are HIPAA compliant? More specifically, I need two apps, one that stores member information and another that stores private health information of the members. I intend to encrypt sensitive data using both asymmetric and symmetric key encryption–asymmetric for the keys that link members with their sensitive data on the other app, and symmetric for specific fields in the members app, such as name, email address and phone. My main concern is that anyone at Heroku can break the asymmetric encryption, since they have access to both apps (and private keys). Am I correct to be concerned about this, or does the infrastructure of Amazon EC2 prevent Heroku staff from accessing both apps?
597
Heroku regularly performs audits and maintains PCI, HIPAA, ISO, and SOC compliance to further strengthen our trust with customers.
Secure & compliantThe Heroku platform is built for security from the ground up in compliance with key industry standards for data protection. For apps in regulated industries, Heroku Shield Postgres delivers PCI and HIPAA compliance.
Heroku utilizes application isolation, operating system restrictions, and encrypted connections to further ensure risk is mitigated at all levels.
Heroku Shield is a set of Heroku platform services that offer additional security features needed for building high compliance applications. Use Heroku Shield to build HIPAA or PCI* compliant apps for regulated industries, such as healthcare, life sciences, or financial services.
Amazon has a whitepaper on HIPAA compliance with AWS (just google AWS Hipaa compliance) where they talk about their HIPAA bona fides. For example, AWS sysadmins don't have direct login access to customer OS images.
To the best of my knowledge, Heroku has not shared details of how they secure their individual customer accounts.
62
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
