New Firestore Database PCI and HIPAA Compliance


David B

Oct 19, 2017, 1:45:55 PM
to Firebase Google Group

While the Firebase Real-Time Database never aimed to achieve PCI or HIPAA compliance, I'm wondering if the new Firestore DB (in beta) is going to meet or even plan to meet any compliance requirements such as HIPAA/PCI? Insight/transparency into this area would be helpful for planning future projects.

Mike McDonald

Oct 19, 2017, 5:48:44 PM
to Firebase Google Group
According to https://cloud.google.com/security/compliance/hipaa/, we won't sign a BAA for Datastore (or Firestore). I can't comment on roadmap, but compliance (especially with upcoming GDPR pieces) is important to Google Cloud and Firebase, and we're digging deeper here.

According to https://cloud.google.com/security/compliance/pci-dss/, Datastore meets PCI requirements, thus Firestore is likely to meet them as well.

Thanks,
--Mike

Mike H.

Nov 4, 2017, 8:32:40 AM
to Firebase Google Group
Actually, the document that you referenced does not explicitly mention Datastore, Firestore, or Firebase. Google Cloud Storage, which is in the referenced document, and included in the HIPAA compliant list, includes Firestore and Firebase in its "Solutions" as well as documentation. The Venn Diagram here seems a little cloudy. 

Is one to assume that Firebase is a part of Google Cloud Storage, and thus HIPAA compliant?

Rajee Jones

Nov 5, 2017, 2:05:35 AM
to Firebase Google Group
The answer to this will be helpful to me as well. I am also working on a project for a client for whom I am wanting to use Firestore.

Jeremy Whiteley

Feb 27, 2018, 5:02:15 PM
to Firebase Google Group
Has anyone been able to find out if firestore is hipaa compliant or plans to be?

Ian Barber

Feb 27, 2018, 8:35:45 PM
to Firebase Google Group
https://cloud.google.com/security/compliance/hipaa/ is still canonical

One of the things needed for your system to be HIPAA compliant is to have a BAA with your provider, which GCP offers for certain products, but Firestore is not one of those products. Only the products specifically listed are available for a BAA.

That can change of course, but we don't have anything to share on that unfortunately (I genuinely don't know) - the safest thing would be to assume it will not change in the near future. 
On Tue, Feb 27, 2018 at 2:02 PM Jeremy Whiteley <jeremy....@gmail.com> wrote:
Has anyone been able to find out if firestore is hipaa compliant or plans to be?

--
You received this message because you are subscribed to the Google Groups "Firebase Google Group" group.
To unsubscribe from this group and stop receiving emails from it, send an email to firebase-tal...@googlegroups.com.
To post to this group, send email to fireba...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/firebase-talk/e3ec13e2-50df-4cd3-8985-8faec5293f69%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Bill Thomas

May 2, 2018, 10:25:48 AM
to Firebase Google Group
Hi Ian,

Is there any way to get a roadmap or some form of guidance? I am looking to build a HIPAA compliant app, but have leeway on when we begin. It could be as much as 1 year from now. Is there a realistic chance Firebase could be HIPAA compliant by then, or are there structural reasons why HIPAA compliance will be difficult to achieve for Firebase?

Thanks

Kato Richardson

May 2, 2018, 1:13:30 PM
to Firebase Google Group
Hi Bill,

Assume that it won't be available by then and you'll be better off.

If I might be permitted to mount the soapbox for a moment: You shouldn't bet your business on anybody else's roadmap. One of the top reasons we don't share ours. The only certain thing about priorities is that they can and definitely will shift over time. So even if it were on the roadmap within the next year, that would likely change, and you'd be in for a costly pivot.

☼, Kato

--

Kato Richardson | Developer Programs Eng | kato...@google.com | 775-235-8398

Sudhakar Ramakrishnan

May 4, 2018, 10:12:05 AM
to Firebase Google Group
Dear Kato

I saw your last response. I just want to throw my weight behind the HIPAA necessity and a +1 to having Firestore be HIPAA compliant, and if there is any way we can all throw weight behind this feature priority, let us know.

I know you don't want us to assume anything about Firestore and HIPAA compliance and work around this assumption, but it is such an important aspect when selecting Firestore amongst the GCP stack. I am sure you understand the trade-offs, but this is a very important market segment where Firestore could make such a huge dent.

thanks
Sudhakar

Kato Richardson

May 7, 2018, 2:50:13 PM
to Firebase Google Group
Thanks Sudhakar,

Really appreciate the feedback. It's unclear whether Firebase will ever be fully HIPAA compliant, but we definitely hear loud and clear that it's a blocker for a good number of devs. We continue to evaluate this on a per product basis.

One way to help prioritize this is to submit a feature request.

☼, Kato


David B

Jun 25, 2018, 4:51:16 PM
to Firebase Google Group
The Google Cloud PCI-DSS page now lists Cloud Firestore (with a link to the Firestore documentation) and Cloud Functions as PCI-DSS compliant. 

Note the page currently states:
"This means that these services provide an infrastructure upon which customers may build their own service or application which stores, processes, or transmits cardholder data."

There is also a link to a matrix PDF that better describes the responsibilities of both Google and the Customer for PCI-DSS compliance.

Volodymyr Zherebnyi

Jul 20, 2018, 10:52:55 AM
to Firebase Google Group
+1

David Szabo

Jul 26, 2018, 10:07:54 AM
to Firebase Google Group
We’re working on clearing HIPAA for the Chat use-case with Firebase using HIPAA’s Conduit exception & data de-identification. We’ve put together sample code for iOS, Android and JavaScript that we’re auditing with a data privacy expert - ping me if you want to learn more and I’ll send you where we are.

David

alb...@meruhealth.com

Aug 4, 2018, 12:27:30 AM
to Firebase Google Group
Hi David! Thanks for your message. Interested to hear more about how this progresses for you. We are a health care startup and are using Firebase heavily for non-PHI.

Best,
-Albert

David Szabo

Aug 4, 2018, 10:02:12 AM
to fireba...@googlegroups.com
Hi Albert,

In the meantime, we’ve completed the HIPAA audit and posted a how-to article to explain how the solution works: https://VirgilSecurity.com/hipaa-firebase

Whitepaper with more details on how the solution works from the HIPAA/legal perspective: https://VirgilSecurity.com/firebase-whitepaper

I’m happy to answer any questions that may pop up.

David

Volodymyr Zherebnyi

Aug 7, 2018, 1:50:17 PM
to Firebase Google Group
Hi David,

Thank you for posting updates, it is awesome.
What does "chat use-case" mean? What does it require for full compliance? Is it possible in the near future?

Thank you,
Volodymyr

David Szabo

Aug 16, 2018, 8:16:52 PM
to Firebase Google Group
Sorry Volodymyr, I missed your message earlier.

"Chat use-case" means that we passed the HIPAA review for building an end-to-end encrypted chat app on top of Firebase in a way that the sample redacts (deletes) messages after delivery. So, the end-to-end encrypted messages only stay in Firestore until they're queued for delivery, then they're delivered. This is how the sample app qualifies for HIPAA's "conduit" exception - see the whitepaper at https://VirgilSecurity.com/firebase-whitepaper

For any other healthcare use-cases that require storing permanent PHI (such as doctors' notes), this isn't sufficient, as they should not be deleted. However, if your app only delivers those documents from one device to another, our approach may still work for you.

David

David Szabo

Aug 17, 2018, 2:38:24 AM
to Firebase Google Group
Check out our HIPAA-compliant end-to-end encrypted chat app source at https://github.com/VirgilSecurity/demo-firebase-ios and https://github.com/VirgilSecurity/demo-firebase-android

Volodymyr Zherebnyi

Aug 17, 2018, 4:15:32 AM
to Firebase Google Group
Thank you very much for your answer,
Alas, it is not our use case. We are looking for full compliance. 

Volodymyr

Sher Hurlburt

Aug 20, 2018, 7:26:07 PM
to Firebase Google Group
How is firebase compliance, whether HIPAA or PCI, different from Firestore?

David Szabo

Aug 20, 2018, 8:44:28 PM
to fireba...@googlegroups.com
Hi Sher, we’ve used Firestore to build the chat app. The same technique can also be applied to other products of the Firebase platform.

David
