[google-appengine] Re: HIPAA requirements vs. AppEngine security guidelines
On Jul 8, 12:23 am, Jeff Enderwick jeff.enderw...@gmail.com wrote:
> I say go hire a HIPAA consultant who can answer such questions authoritatively.

This is good advice. You really don't want to be basing legal decisions on a third party's statements. I'd have your attorney review each service's documents directly.

That said, even if AppEngine doesn't comply on its own, the new-ish data connectors that let you attach to information from behind your firewall may be enough to let you build out some minor infrastructure to supplement AppEngine for compliance purposes.

You received this message because you are subscribed to the Google Groups Google App Engine group.
To post to this group, send email to google-appengine@googlegroups.com
To unsubscribe from this group, send email to google-appengine+unsubscr...@googlegroups.com
For more options, visit this group at http://groups.google.com/group/google-appengine?hl=en
[google-appengine] Re: HIPAA requirements vs. AppEngine security guidelines
On Tue, Jul 7, 2009 at 10:11 PM, GenghisOne mdkach...@gmail.com wrote:
> Andy
>
> Thanks for the heads-up... The link to that paper is here and it makes for a good read...
> http://awsmedia.s3.amazonaws.com/AWS_HIPAA_Whitepaper_Final.pdf

Thanks for the link. Bookmarked it this time.

--ab
[google-appengine] Re: HIPAA requirements vs. AppEngine security guidelines
There's a whitepaper by Amazon on the topic. Google it, it's been a few months since I looked at it, don't have a link offhand, sorry.

Thanks-
- Andy Badera
- and...@badera.us
- Google me: http://www.google.com/search?q=andrew+badera
- This email is: [ ] bloggable [x] ask first [ ] private

On Mon, Jul 6, 2009 at 5:17 PM, GenghisOne mdkach...@gmail.com wrote:
> Does anyone know if Amazon's EC2 platform is HIPAA-compliant?
>
> On Jul 6, 12:44 pm, richard emberson richard.ember...@gmail.com wrote:
>> Not going to happen. The IT requirements for Google would cost far more than the couple of applications that might need HIPAA. They would have to have a completely separate group with their own machines, passwords, procedures, etc. with a real wall (both material wall and software/hardware wall) between the group and the rest of Google or all of Google would have to be HIPAA compliant. So, how much is it worth for Google? Not much.
>>
>> RME
>>
>> Ken wrote:
>>> Hi,
>>>
>>> I'm researching the feasibility of running a healthcare app on the AppEngine cloud. I've read through the AE terms of service and they don't say much about the actual security guidelines other than deferring to the boilerplate Google security policy. I have no doubt there are internal documents detailing the exact security guarantees provided by Google's infrastructure, but that information is not readily available to the public.
>>>
>>> It's been a full year since the last time HIPAA was discussed in this group. Now that SSL support has been enabled, data transfer constraints can be met with ease. So, what's the story today with GAE and HIPAA compliance? Are App Engine's data storage and transfer mechanisms compatible with the guidelines set out by HIPAA?
>>>
>>> Google Apps documentation has quite a bit more security information, such as specifying annual SAS 70 Type II audits. I'm not familiar with this particular security audit, but some quick research seems to indicate that SAS 70 audit controls are mostly a superset of HIPAA guidelines. However, there are some aspects of HIPAA compliance that seem to be difficult to implement in a distributed database system, so any reassurances from the Google App Engine folks in this regard would be most appreciated.
>>>
>>> Thanks!
>>> Ken
>>>
>>> --
>>> Quis custodiet ipsos custodes
[google-appengine] Re: HIPAA requirements vs. AppEngine security guidelines
Andy

Thanks for the heads-up... The link to that paper is here and it makes for a good read...
http://awsmedia.s3.amazonaws.com/AWS_HIPAA_Whitepaper_Final.pdf

Unfortunately after I skimmed through it I felt a little unsettled about AppEngine's security model... probably just my limited understanding of what's under the hood, but nonetheless security is kinda important and maybe it's time to start asking some plain questions. For instance, here's one thing the Amazon whitepaper had to say about auditing...

"In designing a HIPAA-compliant system, customers should put auditing capabilities in place to allow security analysts to drill down into detailed activity logs or reports to see who had access, IP address entry, what data was accessed, etc. This data should be tracked, logged, and stored in a central location for extended periods of time in case of an audit."

So can AppEngine enable this and if so how? My gut is telling me yes but there's still a nagging concern... How do I know if someone inside Google looked at my customers' data? Is there some kind of *deep* logging mechanism of sorts?

Thx much.

BTW -- If Google has a comparable whitepaper, I'd very much appreciate the link. Thx much.

On Jul 7, 4:01 am, Andrew Badera and...@badera.us wrote:
> There's a whitepaper by Amazon on the topic. Google it, it's been a few months since I looked at it, don't have a link offhand, sorry.
>
> Thanks-
> - Andy Badera
> - and...@badera.us
> - Google me: http://www.google.com/search?q=andrew+badera
> - This email is: [ ] bloggable [x] ask first [ ] private
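The auditing capability the whitepaper excerpt above calls for (who accessed which data, from which address, recorded centrally and kept for later review) is something the application itself has to produce. The Python below is an added example written for this page, not code from the thread, from Google or from the whitepaper: it keeps an append-only access log in which each entry carries the SHA-256 of the previous entry, so a deleted or edited record is detectable, and it answers the auditor's drill-down question of who touched a given record. The actors, addresses, record identifiers and the in-memory list standing in for a central store are all constructed for the example.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed example of an application-level access-audit trail. It is not
# App Engine's own logging; the in-memory list stands in for a central,
# write-once store. Each entry chains to the hash of the one before it.

GENESIS = "0" * 64  # chain anchor for the first entry


def _digest(prev_hash, record):
    # Canonical JSON (sorted keys, no whitespace) so the hash is reproducible.
    payload = prev_hash + json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


class AccessAuditLog:
    """Append-only, hash-chained log of who accessed which resource from where."""

    def __init__(self):
        self.entries = []

    def record_access(self, actor, source_ip, resource, action, when=None):
        when = when or datetime.now(timezone.utc)
        record = {
            "ts": when.isoformat(),
            "actor": actor,
            "ip": source_ip,
            "resource": resource,  # identifier only; the data itself is never logged
            "action": action,
        }
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {"record": record, "prev": prev, "hash": _digest(prev, record)}
        self.entries.append(entry)
        return entry["hash"]

    def verify(self):
        """True if every entry chains to its predecessor and hashes to its stored value."""
        prev = GENESIS
        for e in self.entries:
            if e["prev"] != prev or _digest(prev, e["record"]) != e["hash"]:
                return False
            prev = e["hash"]
        return True

    def accesses_to(self, resource):
        """The auditor's question: every recorded access to one resource, in order."""
        return [e["record"] for e in self.entries if e["record"]["resource"] == resource]


def demo():
    """Record three constructed accesses, query one record, then show tamper detection."""
    log = AccessAuditLog()
    t0 = datetime(2009, 7, 7, 12, 0, tzinfo=timezone.utc)
    log.record_access("nurse_a", "10.1.2.3", "patient/1001", "read", t0)
    log.record_access("billing_b", "10.1.2.4", "patient/1001", "read", t0)
    log.record_access("nurse_a", "10.1.2.3", "patient/1002", "update", t0)
    intact = log.verify()
    who = [r["actor"] for r in log.accesses_to("patient/1001")]
    del log.entries[1]  # simulate someone quietly removing an access record
    tamper_detected = not log.verify()
    return intact, who, tamper_detected


if __name__ == "__main__":
    print(demo())
```

A log like this only records accesses that pass through the application's own code paths; that is the point behind the question in the message above about access from inside the provider, which such a log cannot see and which has to be answered by the provider's own controls and documentation.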
[google-appengine] Re: HIPAA requirements vs. AppEngine security guidelines
I say go hire a HIPAA consultant who can answer such questions authoritatively. I've been through FIPS before, and you would not believe the odd lawyeresque contrivances used to get certified. With HIPAA you are in the same realm, and so you should hire yourself the appropriate barrister.

$.02,
Jeff

On Tue, Jul 7, 2009 at 7:11 PM, GenghisOne mdkach...@gmail.com wrote:
> Andy
>
> Thanks for the heads-up... The link to that paper is here and it makes for a good read...
> http://awsmedia.s3.amazonaws.com/AWS_HIPAA_Whitepaper_Final.pdf
>
> Unfortunately after I skimmed through it I felt a little unsettled about AppEngine's security model... probably just my limited understanding of what's under the hood, but nonetheless security is kinda important and maybe it's time to start asking some plain questions. For instance, here's one thing the Amazon whitepaper had to say about auditing...
>
> "In designing a HIPAA-compliant system, customers should put auditing capabilities in place to allow security analysts to drill down into detailed activity logs or reports to see who had access, IP address entry, what data was accessed, etc. This data should be tracked, logged, and stored in a central location for extended periods of time in case of an audit."
>
> So can AppEngine enable this and if so how? My gut is telling me yes but there's still a nagging concern... How do I know if someone inside Google looked at my customers' data? Is there some kind of *deep* logging mechanism of sorts?
>
> Thx much.
>
> BTW -- If Google has a comparable whitepaper, I'd very much appreciate the link. Thx much.
[google-appengine] Re: HIPAA requirements vs. AppEngine security guidelines
Not going to happen. The IT requirements for Google would cost far more than the couple of applications that might need HIPAA. They would have to have a completely separate group with their own machines, passwords, procedures, etc. with a real wall (both material wall and software/hardware wall) between the group and the rest of Google or all of Google would have to be HIPAA compliant. So, how much is it worth for Google? Not much.

RME

Ken wrote:
> Hi,
>
> I'm researching the feasibility of running a healthcare app on the AppEngine cloud. I've read through the AE terms of service and they don't say much about the actual security guidelines other than deferring to the boilerplate Google security policy. I have no doubt there are internal documents detailing the exact security guarantees provided by Google's infrastructure, but that information is not readily available to the public.
>
> It's been a full year since the last time HIPAA was discussed in this group. Now that SSL support has been enabled, data transfer constraints can be met with ease. So, what's the story today with GAE and HIPAA compliance? Are App Engine's data storage and transfer mechanisms compatible with the guidelines set out by HIPAA?
>
> Google Apps documentation has quite a bit more security information, such as specifying annual SAS 70 Type II audits. I'm not familiar with this particular security audit, but some quick research seems to indicate that SAS 70 audit controls are mostly a superset of HIPAA guidelines. However, there are some aspects of HIPAA compliance that seem to be difficult to implement in a distributed database system, so any reassurances from the Google App Engine folks in this regard would be most appreciated.
>
> Thanks!
> Ken
>
> --
> Quis custodiet ipsos custodes
[google-appengine] Re: HIPAA requirements vs. AppEngine security guidelines
Does anyone know if Amazon's EC2 platform is HIPAA-compliant?

On Jul 6, 12:44 pm, richard emberson richard.ember...@gmail.com wrote:
> Not going to happen. The IT requirements for Google would cost far more than the couple of applications that might need HIPAA. They would have to have a completely separate group with their own machines, passwords, procedures, etc. with a real wall (both material wall and software/hardware wall) between the group and the rest of Google or all of Google would have to be HIPAA compliant. So, how much is it worth for Google? Not much.
>
> RME