HIPAA requirements vs. AppEngine security guidelines
56 views
Skip to first unread message
Ken
Jul 6, 2009, 1:19:58 PM7/6/09
to Google App Engine
Hi,
I'm researching the feasibility of running a healthcare app on the
AppEngine cloud. I've read through the AE terms of service and they
don't say much about the actual security guidelines other than
deferring to the boilerplate Google security policy. I have no doubt
there are internal documents detailing the exact security guarantees
provided by Google's infrastructure, but that information is not
readily available to the public.
It's been a full year since the last time HIPAA was discussed in this
group. Now that SSL support has been enabled, data transfer
constraints can be met with ease. So, what's the story today with GAE
and HIPAA compliance? Are the App Engine's data storage and transfer
mechanisms compatible with the guidelines set out by HIPAA?
Google Apps documentation has quite a bit more security information,
such as specifying annual SAS 70 Type II audits. I'm not familiar
with this particular security audit, but some quick research seems to
indicate that SAS 70 audit controls are mostly a superset of HIPAA
guidelines. However, there are some aspects of HIPAA compliance that
seem to be difficult to implement in a distributed database system, so
any reassurances from the Google App Engine folks in this regard would
be most appreciated.
Thanks!
Ken
I'm researching the feasibility of running a healthcare app on the
AppEngine cloud. I've read through the AE terms of service and they
don't say much about the actual security guidelines other than
deferring to the boilerplate Google security policy. I have no doubt
there are internal documents detailing the exact security guarantees
provided by Google's infrastructure, but that information is not
readily available to the public.
It's been a full year since the last time HIPAA was discussed in this
group. Now that SSL support has been enabled, data transfer
constraints can be met with ease. So, what's the story today with GAE
and HIPAA compliance? Are the App Engine's data storage and transfer
mechanisms compatible with the guidelines set out by HIPAA?
Google Apps documentation has quite a bit more security information,
such as specifying annual SAS 70 Type II audits. I'm not familiar
with this particular security audit, but some quick research seems to
indicate that SAS 70 audit controls are mostly a superset of HIPAA
guidelines. However, there are some aspects of HIPAA compliance that
seem to be difficult to implement in a distributed database system, so
any reassurances from the Google App Engine folks in this regard would
be most appreciated.
Thanks!
Ken
richard emberson
Jul 6, 2009, 3:44:44 PM7/6/09
to google-a...@googlegroups.com
Not going to happen. The IT requirements for Google would
cost far more than the couple of applications that might
need HIPAA. They would have to have a completely
separate group with their own machines, passwords,
procedures, etc. with a real wall (both material wall
and software/hardware wall) between the group and the rest of
Google or all of Google would have to be HIPAA
compliant. So, how much is it worth for Google? Not much.
RME
--
Quis custodiet ipsos custodes
cost far more than the couple of applications that might
need HIPAA. They would have to have a completely
separate group with their own machines, passwords,
procedures, etc. with a real wall (both material wall
and software/hardware wall) between the group and the rest of
Google or all of Google would have to be HIPAA
compliant. So, how much is it worth for Google? Not much.
RME
Quis custodiet ipsos custodes
GenghisOne
Jul 6, 2009, 5:17:51 PM7/6/09
to Google App Engine
Does anyone know if Amazon's EC2 platform is HIPAA-compliant?
On Jul 6, 12:44 pm, richard emberson <richard.ember...@gmail.com>
wrote:
On Jul 6, 12:44 pm, richard emberson <richard.ember...@gmail.com>
wrote:
Andrew Badera
Jul 7, 2009, 7:01:06 AM7/7/09
to google-a...@googlegroups.com
There's a whitepaper by Amazon on the topic. Google it, it's been a
few months since I looked at it, don't have a link offhand, sorry.
Thanks-
- Andy Badera
- and...@badera.us
- Google me: http://www.google.com/search?q=andrew+badera
- This email is: [ ] bloggable [x] ask first [ ] private
few months since I looked at it, don't have a link offhand, sorry.
Thanks-
- Andy Badera
- and...@badera.us
- Google me: http://www.google.com/search?q=andrew+badera
- This email is: [ ] bloggable [x] ask first [ ] private
GenghisOne
Jul 7, 2009, 10:11:14 PM7/7/09
to Google App Engine
Andy
Thanks for the heads-up...
The link to that paper is here and it makes for a good read...
http://awsmedia.s3.amazonaws.com/AWS_HIPAA_Whitepaper_Final.pdf
Unfortunately after I skimmed through it I felt a little unsettled
about AppEngine's security model...probably just my limited
understanding of what's under the hood, but nonetheless security is
kinda important and maybe its time to start asking some plain
questions.
For instance, here's one thing the Amazon whitepaper had to say about
auditing...
"In designing a HIPAA-compliant system, customers should put auditing
capabilities in place
to allow security analysts to drill down into detailed activity logs
or reports to see who had
access, IP address entry, what data was accessed, etc. This data
should be tracked, logged, and
stored in a central location for extended periods of time in case of
an audit. "
So can AppEngine enable this and if so how? My gut is telling me yes
but there's still a nagging concern...How do I know if someone inside
Google looked at my customers data? Is there some kind of *deep*
logging mechanism of sorts?
Thx much.
BTW -- If Google has a comparable whitepaper, I'd very much appreciate
the link.
Thx much.
On Jul 7, 4:01 am, Andrew Badera <and...@badera.us> wrote:
> There's a whitepaper by Amazon on the topic. Google it, it's been a
> few months since I looked at it, don't have a link offhand, sorry.
>
> Thanks-
> - Andy Badera
> - and...@badera.us
> - Google me:http://www.google.com/search?q=andrew+badera
> - This email is: [ ] bloggable [x] ask first [ ] private
>
Thanks for the heads-up...
The link to that paper is here and it makes for a good read...
http://awsmedia.s3.amazonaws.com/AWS_HIPAA_Whitepaper_Final.pdf
Unfortunately after I skimmed through it I felt a little unsettled
about AppEngine's security model...probably just my limited
understanding of what's under the hood, but nonetheless security is
kinda important and maybe its time to start asking some plain
questions.
For instance, here's one thing the Amazon whitepaper had to say about
auditing...
"In designing a HIPAA-compliant system, customers should put auditing
capabilities in place
to allow security analysts to drill down into detailed activity logs
or reports to see who had
access, IP address entry, what data was accessed, etc. This data
should be tracked, logged, and
stored in a central location for extended periods of time in case of
an audit. "
So can AppEngine enable this and if so how? My gut is telling me yes
but there's still a nagging concern...How do I know if someone inside
Google looked at my customers data? Is there some kind of *deep*
logging mechanism of sorts?
Thx much.
BTW -- If Google has a comparable whitepaper, I'd very much appreciate
the link.
Thx much.
On Jul 7, 4:01 am, Andrew Badera <and...@badera.us> wrote:
> There's a whitepaper by Amazon on the topic. Google it, it's been a
> few months since I looked at it, don't have a link offhand, sorry.
>
> Thanks-
> - Andy Badera
> - and...@badera.us
> - Google me:http://www.google.com/search?q=andrew+badera
> - This email is: [ ] bloggable [x] ask first [ ] private
>
Jeff Enderwick
Jul 8, 2009, 1:23:53 AM7/8/09
to google-a...@googlegroups.com
I say go hire a HIPAA consultant who can answer such questions authoritatively.
I've been through FIPS before, and you would not believe the odd
lawyeresque contrivances used to get certified. With HIPAA you are in
the same realm, and so you should hire yourself the appropriate
barrister.
$.02,
Jeff
I've been through FIPS before, and you would not believe the odd
lawyeresque contrivances used to get certified. With HIPAA you are in
the same realm, and so you should hire yourself the appropriate
barrister.
$.02,
Jeff
nathanr
Jul 8, 2009, 2:02:31 PM7/8/09
to Google App Engine
On Jul 8, 12:23 am, Jeff Enderwick <jeff.enderw...@gmail.com> wrote:
> I say go hire a HIPAA consultant who can answer such questions authoritatively.
decisions on a third-party's statements. I'd have your attorney
review each service's documents directly.
That said, even if AppEngine doesn't comply on its own, the new-ish
data connectors that let you attach to information from behind your
firewall may be enough to let you build out some minor infrastructure
to supplement AppEngine for compliance purposes.
Andrew Badera
Jul 8, 2009, 5:40:30 PM7/8/09
to google-a...@googlegroups.com
On Tue, Jul 7, 2009 at 10:11 PM, GenghisOne<mdka...@gmail.com> wrote:
>
> Andy
>
> Thanks for the heads-up...
>
> The link to that paper is here and it makes for a good read...
> http://awsmedia.s3.amazonaws.com/AWS_HIPAA_Whitepaper_Final.pdf
>
>
> Andy
>
> Thanks for the heads-up...
>
> The link to that paper is here and it makes for a good read...
> http://awsmedia.s3.amazonaws.com/AWS_HIPAA_Whitepaper_Final.pdf
>
Thanks for the link. Bookmarked it this time.
--ab
Reply all
Reply to author
Forward
0 new messages