PCI, HIPAA, and sensitive information with Firebase


David S
Feb 1, 2014, 11:36:22 AM
to fireba...@googlegroups.com
Anybody using Firebase to drive capture of sensitive data?

We are considering Firebase for parts of a financial/healthcare app with an administration "War Board" backed by Firebase.

Thoughts?


James Tamplin
Feb 1, 2014, 10:17:48 PM
to fireba...@googlegroups.com
Hi David,

We've got several folks using us for data that absolutely needs to remain private (User Info, Bitcoin wallets etc)

PCI and HIPAA compliance haven't been a priority for us. We've been more focused on features and infrastructure improvements.

We are, however, actively working on Safe Harbor compliance for our European developers.

If you need any personal help with the app, please do ping me off-list.

Warmly,

James

--
James Tamplin
Co-Founder
Firebase


--
You received this message because you are subscribed to the Google Groups "Firebase Google Group" group.
To unsubscribe from this group and stop receiving emails from it, send an email to firebase-tal...@googlegroups.com.
To post to this group, send email to fireba...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.



Liam Conrad
Apr 25, 2014, 12:34:54 PM
to fireba...@googlegroups.com
Just a nudge. ;-)

Were PCI and HIPAA compliance implemented, Firebase would be an immense asset in the real-time delivery of PHI-based data to our providers, sales people, pharmacists--everyone, really. While it's a bit low on your priority list, this would certainly be a welcome feature to an already awesome service.

LiamC

Matt Langston
Feb 8, 2015, 10:43:44 PM
to fireba...@googlegroups.com
Hey James,

Is this still the case?

Kato Richardson
Feb 9, 2015, 10:38:19 AM
to fireba...@googlegroups.com
Gentlemen, there is no new news on this front. For now, we do not support HIPAA, PCI (we're not a merchant service) or Safe Harbor.

When and if this changes, we will be sure to post details to the mailing list. Until then, additional requests for updates will receive the same answer as above.

Olivier Mills
Feb 12, 2016, 1:39:31 PM
to Firebase Google Group
Hi James, Kato,

Any updates on HIPAA? Would Firebase sign a BAA as per HIPAA/HITECH?

Thanks!

Olivier

Kato Richardson
Feb 12, 2016, 2:00:13 PM
to Firebase Google Group
As stated, we'll post an update when there is news. Sorry we don't have more.

Oren Rubin
Apr 12, 2016, 12:08:38 PM
to Firebase Google Group
+1
(Adding myself to this thread, as I didn't find a place to subscribe for Firebase changes.)

James, Kato, I think it's a crucial feature for growing companies.

James Tamplin
Apr 12, 2016, 8:00:18 PM
to Firebase Google Group
Thanks for the feedback, Oren. We're working closely with Google Cloud (who can sign a BAA). When we can, we'll broadcast the news and update this thread, though we don't have an ETA right now.





--
James Tamplin
Co-Founder & CEO, Firebase

@JamesTamplin @Firebase

Daniel Beeler
May 29, 2016, 4:27:03 PM
to Firebase Google Group
Hi James,

My group is very excited by the new Firebase, congratulations! We would like to begin integration for a September deployment, but are wary of a commitment without a timeline for HIPAA compliance. Any guidance here?

Thanks!
Dan

Kato Richardson
May 29, 2016, 9:17:11 PM
to Firebase Google Group

Hi Dan,

We can't make any commitments here. You should assume we will not be compliant any time soon and plan accordingly.

Kato

Kevin Kreger
Jul 16, 2016, 11:03:30 AM
to Firebase Google Group
Hello Kato,

Thanks for tamping down expectations. :-) We are starting a new project in Bangalore with a network of hospitals and ambulances. We want to use Firebase and there is no HIPAA here. For other readers of this thread: as per HIPAA guidelines you can de-identify PHI by removing the PII and replacing it with a hashed version of an 'id' so that you can re-identify the PHI. If the PII is segregated from Firebase (and sent through another channel/server that is HIPAA compliant) then they could in theory use your service and still be HIPAA compliant:

This may provide an option for using Firebase until you can provide a HIPAA BAA. Of course, everyone has to have HIPAA compliant app/storage already under Android and their other platforms, so this approach may not be so burdensome.

For us, we expect Firebase to be HIPAA ready by the time we enter the US market.

Kind regards,

Kevin

Eugene
Aug 28, 2016, 9:50:29 PM
to Firebase Google Group
+1, adding myself to this thread as PCI compliance will be a very useful feature.

Jörn B.
Sep 2, 2016, 2:35:59 PM
to Firebase Google Group, meli...@gmail.com
Apparently a simple '+1' or adding oneself to this thread is not enough. That's a pity. Maybe these are enough characters to get accepted? If not, please let me know how to get subscribed to this thread. Getting an update on when Firebase can be HIPAA compliant would be very helpful to me.

Frank van Puffelen
Sep 2, 2016, 2:37:19 PM
to Firebase Google Group, meli...@gmail.com
Hey Jörn. Sorry about the rejection. I didn't realize that this was an active thread when I moderated your previous post.

be...@uxwebservices.com
Dec 11, 2016, 10:16:48 PM
to Firebase Google Group
Very interested to hear updates on this topic.

Jofferson Tiquez
Dec 13, 2016, 11:11:42 AM
to Firebase Google Group
Hi Kevin,

Good day! I am quite interested in this approach you proposed. But is "plain hashing" the id of the PII enough to gain compliance? And have you actually done this and passed the audit?

So, if I'm not mistaken, you are doing something like this:

Any help would be greatly appreciated. Thank you. :)

Cheers,
Joff
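The PII/PHI split Kevin describes above, with the "plain hashing" Joff asks about set beside a keyed pseudonym, as an added example that is not code from anyone in this thread nor from the Firebase SDK; the record fields, the key, the vault dict and the MRN id space are constructed assumptions, and the dict returned by `deidentify()` stands for what would be written to Firebase.

```python
"""Added illustration of PHI/PII segregation; not code from this thread.

Assumptions (all constructed for the example): a record is a dict with the
direct identifiers in PII_FIELDS plus clinical fields; `vault` stands in for
the segregated store on the HIPAA-covered server; the dict returned by
deidentify() is what would be written to Firebase.
"""
import hashlib
import hmac
from typing import Iterable, Optional

PII_FIELDS = ("name", "dob", "mrn")  # direct identifiers that never leave the vault


def plain_pseudonym(mrn: str) -> str:
    """Unkeyed SHA-256 of the record id, i.e. the 'plain hashing' variant."""
    return hashlib.sha256(mrn.encode()).hexdigest()


def keyed_pseudonym(mrn: str, key: bytes) -> str:
    """HMAC-SHA256 of the record id under a key held only in the vault."""
    return hmac.new(key, mrn.encode(), hashlib.sha256).hexdigest()


def deidentify(record: dict, key: bytes, vault: dict) -> dict:
    """Split one PHI record: identifiers go to the vault, the rest is
    returned as a document keyed by the pseudonym for the public store."""
    pid = keyed_pseudonym(record["mrn"], key)
    vault[pid] = {f: record[f] for f in PII_FIELDS}
    doc = {f: v for f, v in record.items() if f not in PII_FIELDS}
    doc["patient_id"] = pid
    return doc


def reidentify(doc: dict, vault: dict) -> dict:
    """Join the document back to its identifiers; only the vault holder can
    do this because only it has the pseudonym -> PII mapping."""
    full = dict(vault[doc["patient_id"]])  # KeyError if pseudonym unknown
    full.update({f: v for f, v in doc.items() if f != "patient_id"})
    return full


def recover_id(pseudonym: str, id_space: Iterable[str]) -> Optional[str]:
    """Defender's check: can the id behind a pseudonym be found by trying
    every id in the space with the unkeyed hash?  For a short numeric MRN
    the plain variant fails this check; the keyed one does not, because
    recomputing it needs the vault key."""
    for candidate in id_space:
        if plain_pseudonym(candidate) == pseudonym:
            return candidate
    return None


if __name__ == "__main__":
    key = b"constructed-example-key-keep-in-vault"
    vault = {}
    rec = {"name": "Jane Doe", "dob": "1980-01-01", "mrn": "000123",
           "heart_rate": 72}
    doc = deidentify(rec, key, vault)
    ids = [f"{i:06d}" for i in range(10_000)]  # constructed 6-digit MRN space
    print(doc)
    print("plain hash recovers:", recover_id(plain_pseudonym("000123"), ids))
    print("keyed hash recovers:", recover_id(doc["patient_id"], ids))
```

Whether this split satisfies an auditor is a separate question from the code; the check only shows that an unkeyed hash of a small identifier space is not a re-identification secret.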

Ran Styr
Dec 20, 2016, 11:17:27 AM
to Firebase Google Group, meli...@gmail.com
+1 (Adding myself to this thread, as I didn't find a place to subscribe for Firebase changes.)

alanka...@gmail.com
Dec 28, 2016, 10:45:36 AM
to Firebase Google Group
Hey Kato,

Isn't Firebase based on the Google Cloud Platform? In which case, this document from Google on HIPAA compliance would also be valid for Firebase?

Thanks!
- A


Kato Richardson
Dec 28, 2016, 11:22:36 AM
to Firebase Google Group
Hi Alan,

That's mostly true, since Firebase is built on GCP.

For example, we adhere to the same privacy and security, have data encrypted at rest, and generally offer the same EU compliance.

We can't, however, provide data centers in EU. Most importantly for this thread, we can't offer PCI or HIPAA certification.

Cheers,
Kato


Deb Vorndran
Jan 18, 2017, 11:10:21 AM
to Firebase Google Group
Posting to get updates on this thread

ArikEL
Jan 19, 2017, 10:00:32 AM
to Firebase Google Group
Posting to get updates on this thread (me 2)


Kevin Moore
Feb 15, 2017, 10:55:23 AM
to Firebase Google Group
I agree with the general consensus here. Firebase is an awesome offering, and with that said, HIPAA compliance would blow the roof off this product...

I am in the very same position, funded healthcare startup with MEAN stack; want to add the F to it...MEANF.

alb...@meruhealth.com
Feb 16, 2017, 2:51:09 PM
to Firebase Google Group
Hi Alan,

Do you have any official sources or a whitepaper stating what privacy & security you adhere to and that you employ encryption at rest? I have read through the Google Cloud security documentation but haven't found Firebase mentioned anywhere.

Best,
-Albert


alanka...@gmail.com
Feb 23, 2017, 9:43:15 AM
to Firebase Google Group, alb...@meruhealth.com
Hey Albert,

Google Cloud docs don't mention Firebase specifically, but Firebase is built upon the Google Cloud Platform (see Kato's confirmation of this). As such, the security measures applicable to GCP should automatically apply to Firebase. GCP employs encryption at rest.

- A


Eric Salazar
May 3, 2017, 4:59:17 PM
to Firebase Google Group, meli...@gmail.com
replying for updates

Adrian Carolli
May 15, 2017, 2:22:05 PM
to Firebase Google Group, meli...@gmail.com
posting to get updates

kko...@gmail.com
May 19, 2017, 10:10:46 AM
to Firebase Google Group, meli...@gmail.com
Posting for updates.

Edward Potter
May 23, 2017, 3:50:04 PM
to Firebase Google Group
We have a year projection of 40,000 clients using FB in the next 12 months. We had assumed it was 100% HIPAA compliant. It's not. Amazon is saying: We're 100% HIPAA compliant. Confused? If Amazon can do it, why can't Google?

thanks, ed

Joe Leiman
May 25, 2017, 10:40:54 PM
to Firebase Google Group
Subscribing.

shahj...@gmail.com
Jun 2, 2017, 7:55:50 AM
to Firebase Google Group, meli...@gmail.com
Subscribing.

Mike King
Jun 5, 2017, 3:17:58 PM
to Firebase Google Group, meli...@gmail.com
Subscribing.

Felipe Broering
Jun 9, 2017, 2:01:58 AM
to Firebase Google Group, meli...@gmail.com
+1000

Houman Amirfarzan
Jun 11, 2017, 12:45:37 AM
to Firebase Google Group, meli...@gmail.com

+1, adding myself to this thread as HIPAA compliance will be a very useful feature for the ICU app that we are working to develop.



Hajji Daoud
Jun 14, 2017, 9:55:21 AM
to Firebase Google Group, meli...@gmail.com
HIPAA compliance is critical for us; otherwise, for a few of our projects we will have to use Amazon or Azure.

Vincent Cotro
Jun 28, 2017, 11:38:19 AM
to Firebase Google Group, meli...@gmail.com
Subscribing +100

gaurav.b...@my-meds.com
Jul 6, 2017, 10:26:38 AM
to Firebase Google Group, meli...@gmail.com
Subscribing to this post.

David B
Jul 14, 2017, 10:22:17 AM
to Firebase Google Group, meli...@gmail.com
+1 as well (and subscribing)

Nathan Rodriguez
Aug 10, 2017, 4:59:49 PM
to Firebase Google Group, meli...@gmail.com
Subscribing to stay in the know of HIPAA

Владимир Ерохин
Aug 28, 2017, 10:22:27 AM
to Firebase Google Group
Subscribing.

Maciej Zywno
Dec 11, 2017, 3:36:14 PM
to Firebase Google Group
Subscribing

Jose Arzac
Dec 20, 2017, 5:24:00 PM
to Firebase Google Group
Subscribing

se...@zencharts.com
Dec 21, 2017, 10:27:39 PM
to Firebase Google Group
Any updates on this front?


Muhammad Hamid
Dec 28, 2017, 5:45:39 AM
to Firebase Google Group
What is the status of Firebase compliance with HIPAA? I need to use it in Xamarin; I will have to go with something else then.

Ian Barber
Dec 28, 2017, 5:47:43 AM
to Firebase Google Group
No further updates. You can see a list of certifications for Firebase here: https://firebase.google.com/support/faq/#privacy


YS Kim
Jan 29, 2018, 11:10:37 AM
to Firebase Google Group
Subscribed

Anas
May 9, 2018, 10:19:14 AM
to Firebase Google Group
Subscribed

Jehan Musa
May 29, 2018, 10:05:16 AM
to Firebase Google Group
+1
Subscribing in 2018, so this thread is 4 years old. I will take a look again in 2019; hope this will change.

KK
May 29, 2018, 10:50:43 AM
to fireba...@googlegroups.com
Yes, it is 4 years old! We got around it by storing the sensitive data in encrypted form. There's a performance hit as we can't really query that information directly.


se...@zencharts.com
May 29, 2018, 3:02:00 PM
to Firebase Google Group
Do you think this will be updated anytime soon or no? I like the idea of just making some intermediate point of info that we can control if that's the only option.

nguyen...@google.com
Jul 10, 2018, 1:31:12 AM
to Firebase Google Group
+1 for HIPAA compliance of Firebase for Meru Health!

Karuwa Apps
Jul 24, 2018, 7:30:54 PM
to Firebase Google Group
So is it HIPAA compliant now?

David B
Jul 25, 2018, 1:17:29 PM
to Firebase Google Group
I posted a response in a related question New Firestore Database PCI and HIPAA Compliance regarding Firestore's PCI-DSS compliance status. 

The Google Cloud PCI-DSS page now lists Cloud Firestore (with a link to the Firestore documentation) and Cloud Functions as PCI-DSS compliant. 

Note the page currently states:
"This means that these services provide an infrastructure upon which customers may build their own service or application which stores, processes, or transmits cardholder data."

There is also a link to a matrix PDF that better describes the responsibilities of both Google and the Customer for PCI-DSS compliance.

Now that Google lists Firestore/Cloud Functions on the PCI compliance page, our group is continuing to hold off on using Firebase for any HIPAA-related projects until it's listed on Google's HIPAA Compliance page.

David Szabo
Jul 25, 2018, 3:38:39 PM
to fireba...@googlegroups.com
We’re working on clearing HIPAA for the Chat use-case with Firebase using HIPAA’s Conduit exception & data de-identification. We’ve put together a sample code that we’re auditing with a data privacy expert - ping me if you want to learn more and I’ll send you where we are.

David 


David Szabo
Aug 16, 2018, 8:16:52 PM
to Firebase Google Group
We completed our data privacy review for our HIPAA-compliant chat app. The open source projects are available at (iOS) https://github.com/VirgilSecurity/demo-firebase-ios and (Android) https://github.com/VirgilSecurity/demo-firebase-android - JS coming soon.

We also wrote up a white paper that explains how the sample apps have been built and how they passed the HIPAA review: https://VirgilSecurity.com/firebase-whitepaper

Any questions, happy to help.

David



Christian Brousseau
Sep 17, 2018, 11:18:02 AM
to Firebase Google Group
+1



David Szabo
Sep 17, 2018, 2:30:24 PM
to fireba...@googlegroups.com
And we just pushed out our JavaScript sample as well: https://github.com/VirgilSecurity/demo-firebase-js

Feel free to reuse it. Any questions, I’m always happy to help.

David

Amir Sadras
Nov 18, 2018, 12:06:40 PM
to Firebase Google Group
subscribing

Christopher Moses
May 1, 2019, 1:48:32 PM
to Firebase Google Group
subscribing

jo...@nowims.com
May 1, 2019, 4:13:00 PM
to Firebase Google Group
You can look at the list of Google Cloud HIPAA compliant products here.

Firestore is on the list but not the real-time DB.

Christopher Moses
May 1, 2019, 4:53:16 PM
to Firebase Google Group
HHS and the FTC released this great interactive questionnaire to help healthcare developers determine whether or not they need to comply with certain laws, including HIPAA:

I made the huge assumption we'd need to be HIPAA compliant (as my last company needed to be...), and after using this tool, it looks like we won't need to be. I recommend others in this thread have a look before assuming they need to be HIPAA compliant.

Luke Pighetti
May 2, 2019, 12:23:56 AM
to fireba...@googlegroups.com
Thanks, everyone, you may have saved our project a shitload of money, headache, and heartache.
