Heroku HIPAA合规性 [英] Heroku HIPAA Compliance

问题描述

可以在Heroku上运行符合HIPAA标准的应用程序吗？更具体地说，我需要两个应用程序，一个存储会员信息，另一个存储会员的私人健康信息。我打算使用非对称和对称密钥加密来加密敏感数据，这些加密对于将会员与其他应用中的敏感数据链接到成员的密钥不对称，并且对于成员应用中的特定字段（如姓名，电子邮件地址和电话）是对称的。我主要关心的是Heroku中的任何人都可以打破非对称加密，因为他们可以访问应用程序（和私钥）。我是否正确地关心此事，或者Amazon EC2的基础架构是否阻止Heroku员工访问这两个应用程序？亚马逊有一份关于HIPAA遵守AWS（只是谷歌AWS Hipaa合规性）的白皮书，他们谈论他们的HIPAA的诚意。例如，AWS系统管理员不能直接登录到客户操作系统映像。

据我所知，Heroku没有分享他们如何保护他们个人客户账户的细节。

Is it possible to run apps on Heroku that are HIPAA compliant? More specifically, I need two apps, one that stores member information and another that stores private health information of the members. I intend to encrypt sensitive data using both asymmetric and symmetric key encryption–asymmetric for the keys that link members with their sensitive data on the other app, and symmetric for specific fields in the members app, such as name, email address and phone. My main concern is that anyone at Heroku can break the asymmetric encryption, since they have access to both apps (and private keys). Am I correct to be concerned about this, or does the infrastructure of Amazon EC2 prevent Heroku staff from accessing both apps?

解决方案

Amazon has a whitepaper on HIPAA compliance with AWS (just google AWS Hipaa compliance) where they talk about their HIPAA bona fides. For example, AWS sysadmins don't have direct login access to customer OS images.

To the best of my knowledge, Heroku has not shared details of how they secure their individual customer accounts.

这篇关于Heroku HIPAA合规性的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！