Introducing Heroku Private Spaces (opens in new tab)

HIPAA compliance is 99% paperwork, policies, and procedures. There are technical safeguards, but they're things you'd be irresponsible not to do anyway: have individual user accounts, encrypt things, lock workstations after periods of inactivity, have reasonable password policies, etc. And it's pretty dated - as far as I know 2FA isn't even mentioned. It also doesn't include things you'd think it might: no medical practice is actually using PGP. Microsoft Exchange as far as they eye can see. Maybe, if you're lucky, a central gateway so that outgoing emails show up as a link to a web portal where you can log in and view the message.

Most of HIPPA compliance (from an IT perspective) is having a comprehensive security policy and documenting that you're doing certain activities with the appropriate frequency: risk analysis, security audits, auditing user accounts and privileges, security training for users, etc.

I think the biggest barrier to getting HIPPA compliance on more infrastructure providers is that infrastructure providers are engineering organizations, and HIPAA is mostly a CYA activity for lawyers (plus some easy, obvious OPSEC).

Aptible CEO here - thanks for the Aptible love! I imagine Heroku will offer a BAA at some point for this product, but you're right that the hybrid compliance/technical services will remain the most valuable part of platform services like these, at least for regulated industries.

Also an Aptible customer, went down a similar route from Heroku to Aptible. Like it so far!

Also have had impressively short conversations with SaaS product companies after the acronym HIPAA or BAA is brought up.

I talked to them out at AWS re:invent in November and it was implied but not confirmed that HIPAA compliance was being worked on. Maybe things have changed since then.

I too have used Aptible and been very impressed. Seems like Aptible would be avery smart acquisition for Salesforce.

Much like how 95% of brewing beer involves cleaning, 95% of compliance involves paperwork and audits. A ton of it. In a world where setting up a VPC (or its equivalent) is the table stakes for compliance, achieving the rest of your compliance takes a lot more work than setting up a private VPC. That's true on Amazon or any other service.

The biggest thing to consider when adding another layer onto your compliant stack is how easily you can prove compliance when your customers ask. Whether it's BAAs, SSAE 16 documentation or access to HIPAA or HITRUST audits, you need your partners to be able to provide you with not only the documentation but the expertise to discern what that documentation needs. When your partner decides to build something as an add-on to a stack like `Your product > Heroku > AWS`, you need to guarantee that the middle man can either answer all of your questions or can find the person downstream who can when it's relevant. As we've needed to work with partners and considered doing add ons with compliance, this has been the #1 question we've needed to answer first. In a world where your customers should be willing to pay for compliance, the person you call on the phone with questions about what it takes to achieve compliance on their stack should be able to tell you from experience what it's like going through a HIPAA, HITRUST or PCI audit.

Most of the documentation we've provided where I work on the subject is free online: http://catalyzeio.github.io/policies. You can see through the forks that folks have used the documentation to prove compliance not only on our platform at Catalyze but also on other stacks like AWS.

PCI and HIPAA are on the roadmap for Private Spaces - stay tuned for updates.

> Can add-ons be launched inside a private space?

Addon provider here: haven't heard anything official from Heroku on this, so this is my own personal speculation based on the current public Provider API. It seems that Heroku Postgres and Redis are available, and while they're _technically_ addons, they naturally have access to somewhat privileged APIs and architectural information that other addons do not have.

Currently, when an addon is provisioned, we're given a region identifier for the US East and EU public regions. My uninformed guess is that Private Spaces amounts to "your dynos run on servers in a private VPC." IF the Postgres and Redis integrations were "quick 'n dirty," they could very well get provisioned within the same VPC. However, it also seems plausible that AWS VPC peering can be used for other addons to provide their own Private Spaces support.

So it seems to me the question comes down to whether Heroku can (and/or _wants_ to) support VPC pairing with addons via their Provider API, so that other providers can provide their own private spaces.

Deploy anywhere, with hybrid deployments (Aptible + Heroku + AWS + whatever) and still have automated compliance evidence would be the holy grail. It's still difficult to extract all of the control information you need from many (any?) providers, which is why we built our container service.

Aren't you still building your own compliant environment on the application side with a heroku like model?

I'm pretty sure AWS has a package for HIPAA compliance that will checkmark most of the required fields outside of the application, and general settings fields. Most of the problems will come from the Application architecture. You can have a prebuilt envorionment for everything but if you're code is garbage then good luck.

Not sure how hosting in AWS is any different from hosting on Heroku, considering you're ultimately still responsible for the Application side. Does Heroku manages your logs in someway that AWS cannot?

Even with an agreement with a merchant, aren't you still responsible for your application code? Isn't that still subject to HIPAA requirements?

Also AWS is HIPAA compliant and they will do a Business Associate Agreement, and has been HITRUST certified iirc.

They do in fact launch Tokyo as a region in combination with this announcement! (together with Frankfurt, Germany and two US regions) As all these places are AWS regions and this service most likely is built upon VPC I don't think it's a too wild guess that this service will eventually be available in all AWS regions (https://aws.amazon.com/about-aws/global-infrastructure/)

Or anyone creating apps for companies in industries where the data generated/stored by the app is regulated by the government.

Healthcare is the main concern here with HIPAA but it should also apply to insurance, finance, and some industrial use cases.

No, but those attending the webinar will likely get precedence.

Heroku Enterprise (required for Orgs, Private Spaces, etc) requires an annual agreement paid upfront ($18K/year minimum) for pre-allocated resources with a 20% premium for the included premium services (Org Account, Customer Solutions Architect and 24/7 Premium Support SLA).