I say go hire a HIPAA consultant who can answer such questions authoritatively.
I've been through FIPS before, and you would not believe the odd lawyeresque contrivances used to get certified. With HIPAA you are in the same realm, and so you should hire yourself the appropriate barrister. $.02, Jeff On Tue, Jul 7, 2009 at 7:11 PM, GenghisOne<mdkach...@gmail.com> wrote: > > Andy > > Thanks for the heads-up... > > The link to that paper is here and it makes for a good read... > http://awsmedia.s3.amazonaws.com/AWS_HIPAA_Whitepaper_Final.pdf > > Unfortunately after I skimmed through it I felt a little unsettled > about AppEngine's security model...probably just my limited > understanding of what's under the hood, but nonetheless security is > kinda important and maybe its time to start asking some plain > questions. > > For instance, here's one thing the Amazon whitepaper had to say about > auditing... > > > "In designing a HIPAA-compliant system, customers should put auditing > capabilities in place > to allow security analysts to drill down into detailed activity logs > or reports to see who had > access, IP address entry, what data was accessed, etc. This data > should be tracked, logged, and > stored in a central location for extended periods of time in case of > an audit. " > > So can AppEngine enable this and if so how? My gut is telling me yes > but there's still a nagging concern...How do I know if someone inside > Google looked at my customers data? Is there some kind of *deep* > logging mechanism of sorts? > > Thx much. > > BTW -- If Google has a comparable whitepaper, I'd very much appreciate > the link. > > Thx much. > > On Jul 7, 4:01 am, Andrew Badera <and...@badera.us> wrote: >> There's a whitepaper by Amazon on the topic. Google it, it's been a >> few months since I looked at it, don't have a link offhand, sorry. >> >> Thanks- >> - Andy Badera >> - and...@badera.us >> - Google me:http://www.google.com/search?q=andrew+badera >> - This email is: [ ] bloggable [x] ask first [ ] private >> >> On Mon, Jul 6, 2009 at 5:17 PM, GenghisOne<mdkach...@gmail.com> wrote: >> >> > Does anyone know if Amazon's EC2 platform is HIPAA-compliant? >> >> > On Jul 6, 12:44 pm, richard emberson <richard.ember...@gmail.com> >> > wrote: >> >> Not going to happen. The IT requirements for Google would >> >> cost far more than the couple of applications that might >> >> need HIPAA. They would have to have a completely >> >> separate group with their own machines, passwords, >> >> procedures, etc. with a real wall (both material wall >> >> and software/hardware wall) between the group and the rest of >> >> Google or all of Google would have to be HIPAA >> >> compliant. So, how much is it worth for Google? Not much. >> >> >> RME >> >> >> Ken wrote: >> >> > Hi, >> >> >> > I'm researching the feasibility of running a healthcare app on the >> >> > AppEngine cloud. I've read through the AE terms of service and they >> >> > don't say much about the actual security guidelines other than >> >> > deferring to the boilerplate Google security policy. I have no doubt >> >> > there are internal documents detailing the exact security guarantees >> >> > provided by Google's infrastructure, but that information is not >> >> > readily available to the public. >> >> >> > It's been a full year since the last time HIPAA was discussed in this >> >> > group. Now that SSL support has been enabled, data transfer >> >> > constraints can be met with ease. So, what's the story today with GAE >> >> > and HIPAA compliance? Are the App Engine's data storage and transfer >> >> > mechanisms compatible with the guidelines set out by HIPAA? >> >> >> > Google Apps documentation has quite a bit more security information, >> >> > such as specifying annual SAS 70 Type II audits. I'm not familiar >> >> > with this particular security audit, but some quick research seems to >> >> > indicate that SAS 70 audit controls are mostly a superset of HIPAA >> >> > guidelines. However, there are some aspects of HIPAA compliance that >> >> > seem to be difficult to implement in a distributed database system, so >> >> > any reassurances from the Google App Engine folks in this regard would >> >> > be most appreciated. >> >> >> > Thanks! >> >> >> > Ken >> >> >> -- >> >> Quis custodiet ipsos custodes > > > --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Google App Engine" group. To post to this group, send email to google-appengine@googlegroups.com To unsubscribe from this group, send email to google-appengine+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/google-appengine?hl=en -~----------~----~----~----~------~----~------~--~---
