by trey_swann on 2/14/14, 11:10 PM with 11 comments
by chimeracoder on 2/14/14, 11:28 PM
When I first heard about this and started building our application, I was surprised nobody has tackled this space before. Building HIPAA-compliant applications on AWS is a lot easier[2] than most people think, but it's a huge pain.
More importantly, it's the same huge pain for almost everyone who goes through the process, and in a way that's rather easy to "factor out".
In that regard, it's not that different from HR or payroll services, which startups almost never do in-house (once they are larger than a few employees, and until they get to be fairly large).
It looks like we're a bit beyond the stage where TrueVault would make sense for us, but I'm glad that this space is starting to attract attention. Technical founders should spend their limited time on building amazing technology and amazing products, not duplicating the same compliance work that everyone else has had to go through.
[0] https://www.boardrounds.com/
[1] The company is Aptible: https://www.aptible.com/ (We aren't customers of these folks, though we like their product)
[2] None of it would be too technically difficult for most of the people reading HN - it's more the diligence of checking boxes, writing up policy docs, etc. It's important to do it right, but it's generally a matter of time (and money) more than anything else.
by naveenspark on 2/15/14, 1:51 AM
by gwintrob on 2/14/14, 11:18 PM
by rficcaglia on 2/15/14, 12:44 AM
never had any customer ask specifics about encryption algorithms, apis, dev stack, tooling, or key managment. ("do you encrypt data at rest?" "ok, check.") i wish they would. we spend a lot of time and effort on those decisions.
had lots of requests about hr policies and procedures, ongoing perimeter scanning and network intrusion detection, data loss prevention, patching process, hids, data destruction logs, physical security, breach notification plans, disaster recovery SOPs, and other stuff you would find in various NIST and FISMA specs.
but maybe that's how it should be...smart, experienced people will more often than not make good decisions and use the right tools for the job (whether easy or hard) and be vigilant and introspective. give inexperienced folks the best/easiest tools in the world that dont require them to understand the details underneath, and they can find clever ways to create huge gaping holes. and if they are looking for the easiest path, they are probably not well equipped to handle all the unknown unknowns that invariably pop up (usually friday late afternoon!)
honestly, i prefer to know my stack(s) intimately from the kernel sources up, and know how to evaluate and react to potential problems at all layers, than simply outsource all responsibility for these issues to someone. (ok I outsource some pieces, but only when it makes the solution better, not just easier.) ymmv.
also, fwiw, never had a breach from outside ... but had numerous incidents of employees who have lost or stolen laptops which just happened to have a sql dump of "test data". human error/laziness gets you every time.
still, good to see options evolving in the market! the more educated buyers become, the better questions they will ask! and the more rigorous vendors will get...we hope :)
by mixonic on 2/14/14, 11:28 PM
by wrs on 2/15/14, 2:45 AM
Can someone from TV elucidate how that works?
by jusben1369 on 2/14/14, 11:48 PM
by selimthegrim on 2/14/14, 11:28 PM