Is Firebase Cloud Messaging HIPAA Compliant?

Question

I want to use Firebase Cloud Messaging in a healthcare application. I want to know: is FCM HIPAA compliant, and does it provide a BAA?

Recommended answer

We’ve just completed the HIPAA audit with a 3rd party for a Firestore Chat sample app (iOS and Android) that’s using End-to-End Encryption. If you’re implementing a healthcare Chat app, keep reading. Otherwise, this isn’t relevant.

The challenge: if you know how E2EE works, you realize that it alone should protect your patients’ data from Firebase/Firestore: apparently, lawyers don’t agree with that. So we had to implement an artificial data redaction that deletes chat messages from Firestore as soon as the messages are delivered. This enables your app to qualify for HIPAA’s Conduit exception, because it only acts as a message delivery system; it doesn’t store permanent health data. This way, your chat solution is exempt from HIPAA.

We’ve compiled the solution into a How-to blog post: https://VirgilSecurity.com/hipaa-firebase - with pointers to reusable sample apps.

Whitepaper that contains our HIPAA audit & 3rd-party data privacy expert’s notes: https://VirgilSecurity.com/firebase-whitepaper
