
This is about three years overdue, but at least it's here.

How close does it come to making PCI-DSS Level 1 attainable on Heroku? What about HIPAA?




Would love to get a response to this. We are required to be HIPAA compliant and started out on Heroku. We basically only had a prototype built and didn't have any clients yet, so we didn't really care. After a few weeks of paying for Heroku we got a very standard sales call from Heroku. They were checking in/trying to up-sell us on some stuff.

They asked us what we needed, and I responded with, "We need to be HIPAA compliant - what do we need to do to make that happen on Heroku?"

The sales rep immediately replied along the lines of, "We don't do that."

He ended the call shortly after that, clearly uninterested in our money.

Since then, we started using Aptible (https://www.aptible.com) and they are AWESOME. The biggest difference for us is that they also provide the legal documentation and advice for working through HIPAA compliance. They're totally willing to go beyond just being a PaaS and really start to blend into a moderate level of legal counsel. Only downside is that their premium service entails a premium price.


HIPAA compliance is 99% paperwork, policies, and procedures. There are technical safeguards, but they're things you'd be irresponsible not to do anyway: have individual user accounts, encrypt things, lock workstations after periods of inactivity, have reasonable password policies, etc. And it's pretty dated - as far as I know 2FA isn't even mentioned. It also doesn't include things you'd think it might: no medical practice is actually using PGP. Microsoft Exchange as far as the eye can see. Maybe, if you're lucky, a central gateway so that outgoing emails show up as a link to a web portal where you can log in and view the message.

Most of HIPAA compliance (from an IT perspective) is having a comprehensive security policy and documenting that you're doing certain activities with the appropriate frequency: risk analysis, security audits, auditing user accounts and privileges, security training for users, etc.

I think the biggest barrier to getting HIPAA compliance on more infrastructure providers is that infrastructure providers are engineering organizations, and HIPAA is mostly a CYA activity for lawyers (plus some easy, obvious OPSEC).


Aptible CEO here - thanks for the Aptible love! I imagine Heroku will offer a BAA at some point for this product, but you're right that the hybrid compliance/technical services will remain the most valuable part of platform services like these, at least for regulated industries.


Also an Aptible customer, went down a similar route from Heroku to Aptible. Like it so far!

Also have had impressively short conversations with SaaS product companies after the acronym HIPAA or BAA is brought up.


I talked to them out at AWS re:Invent in November and it was implied but not confirmed that HIPAA compliance was being worked on. Maybe things have changed since then.


There are many things in AWS that are not HIPAA-compliant yet, so I am not sure how Heroku (if that's the one you are referring to) can be HIPAA compliant in everything.


I too have used Aptible and been very impressed. Seems like Aptible would be a very smart acquisition for Salesforce.


follow-on questions:

- is it now possible to write a script that generates network diagrams, etc., that are sufficient for PCI-DSS Level 1?

- is the rest of Heroku's datacenter process documented so that it can be given to a QSA?

- Would it now be possible for companies like Aptible to sell their core competency/service as a Heroku add-on?

- Can add-ons be launched inside a private space?

- Can access to Heroku, git deploys, etc., add-ons be 100% protected by multi factor authentication?


Much like how 95% of brewing beer involves cleaning, 95% of compliance involves paperwork and audits. A ton of it. In a world where setting up a VPC (or its equivalent) is the table stakes for compliance, achieving the rest of your compliance takes a lot more work than setting up a private VPC. That's true on Amazon or any other service.

The biggest thing to consider when adding another layer onto your compliant stack is how easily you can prove compliance when your customers ask. Whether it's BAAs, SSAE 16 documentation or access to HIPAA or HITRUST audits, you need your partners to be able to provide you with not only the documentation but the expertise to discern what that documentation needs. When your partner decides to build something as an add-on to a stack like `Your product > Heroku > AWS`, you need to guarantee that the middle man can either answer all of your questions or can find the person downstream who can when it's relevant. As we've needed to work with partners and considered doing add-ons with compliance, this has been the #1 question we've needed to answer first. In a world where your customers should be willing to pay for compliance, the person you call on the phone with questions about what it takes to achieve compliance on their stack should be able to tell you from experience what it's like going through a HIPAA, HITRUST or PCI audit.

Most of the documentation we've provided where I work on the subject is free online: http://catalyzeio.github.io/policies. You can see through the forks that folks have used the documentation to prove compliance not only on our platform at Catalyze but also on other stacks like AWS.


PCI and HIPAA are on the roadmap for Private Spaces - stay tuned for updates.


> Can add-ons be launched inside a private space?

Addon provider here: haven't heard anything official from Heroku on this, so this is my own personal speculation based on the current public Provider API. It seems that Heroku Postgres and Redis are available, and while they're _technically_ addons, they naturally have access to somewhat privileged APIs and architectural information that other addons do not have.

Currently, when an addon is provisioned, we're given a region identifier for the US East and EU public regions. My uninformed guess is that Private Spaces amounts to "your dynos run on servers in a private VPC." IF the Postgres and Redis integrations were "quick 'n dirty," they could very well get provisioned within the same VPC. However, it also seems plausible that AWS VPC peering can be used for other addons to provide their own Private Spaces support.

So it seems to me the question comes down to whether Heroku can (and/or _wants_ to) support VPC pairing with addons via their Provider API, so that other providers can provide their own private spaces.


> So it seems to me the question comes down to whether Heroku can (and/or _wants_ to) support VPC pairing with addons via their Provider API, so that other providers can provide their own private spaces.

This would be a huge boon for add-on providers.


And a high bar, too, which is good for everyone.


Deploy anywhere, with hybrid deployments (Aptible + Heroku + AWS + whatever) and still have automated compliance evidence would be the holy grail. It's still difficult to extract all of the control information you need from many (any?) providers, which is why we built our container service.