undefined | Better HN

0 pointsharryh9y ago0 comments

Some HIPAA regulations that pre-date the rise of shared virtual servers in "the cloud" are quite outdated and cause quite a bit of trouble for no real benefit.

0 comments

dragonwriter9y ago

> Some HIPAA regulations that pre-date the rise of shared virtual servers in "the cloud" are quite outdated and cause quite a bit of trouble for no real benefit.

What HIPAA regulations are you talking about? Other than HITECH guidance (which can sort-of be seen as a "HIPAA regulation"), HIPAA regulations don't generally specify technologies at all, and I can't think of any that I would describe as outdated or troublesome due to the rise of shared virtual servers and "the cloud", whether they predate it or not.

harryhOP9y ago

The biggest thing is that we can't run software with unencrypted PHI on physical hardware that is simultaneously running other people's code. In practical terms this means that we have to pay AWS some $ to get dedicated instances and also we can't use ELBs in the standard (easy) way. There are some other things as well.

eropple9y ago

> In practical terms this means that we have to pay AWS some $ to get dedicated instances

This is a feature, not a bug. It also is neither HITECH nor HIPAA; it is instead AWS's requirement in order to sign your BAA.

> we can't use ELBs in the standard (easy) way

Also neither HITECH nor HIPAA. ELBs are used in a PHI-related scenario identically to any other scenario. Unless you are referring to using it as an SSL terminator, in which case I would say "the standard (easy) way is always wrong".

dragonwriter9y ago

> The biggest thing is that we can't run software with unencrypted PHI on physical hardware that is simultaneously running other people's code.

There is no, AFAICT, no regulation under HIPAA or related law that requires this. Certain service providers may have determined that they cannot provide guarantees of privacy/security without this technical restriction.

throwaway7299y ago

That seems like a fairly reasonable thing given you're talking about encrypted PHI... it's some extra $ for a considerable reduction to overall attack surface when processing the most sensitive type of personal data.

I don't think this meets OP's definition of "wrong".

harryhOP9y ago

In practical terms I don't agree that the threat of someone doing all of the following things is worth worrying about (in comparison to many other more likely failures):

1) determine what physical hardware in aws the target is running code on

2) somehow get the aws virtual machine manager to let the attacker run their malicious code on the same hardware

3) somehow pierce the protections of the virtual machine to read memory being used by the target application

4) figure out how the data is stored in memory in order to make sense of anything that was read

2 more replies

lotu9y ago

I asked my doctor to email me my records and was told it is illegal due to HIPAA it makes no fucking sense but that's what it is.

dragonwriter9y ago

It isn't illegal to email records under HIPAA. But your doctor probably doesn't have a system set up to securely email records (such things do exist), and their practice has probably adopted privacy policies that don't allow emailing for that reason. Doctors aren't generally compliance experts, and are much more likely to know what the policies of their place of work allow than the distinctions between what HIPAA allies and what their place of employment has adopted as policy based on the particular technology they've decided to adopt and their particular level of risk tolerance and other factors.

emodendroket9y ago

Such as? HIPAA generally has to do with organizational access controls and not specific technologies.

rayiner9y ago

Also, certain provisions of FERPA precluding use of cloud accounts for holding student data. I think those may be the archetypal examples.

j / k navigate · click thread line to collapse

0 comments

dragonwriter9y ago

> Some HIPAA regulations that pre-date the rise of shared virtual servers in "the cloud" are quite outdated and cause quite a bit of trouble for no real benefit.

harryhOP9y ago

eropple9y ago

> In practical terms this means that we have to pay AWS some $ to get dedicated instances

This is a feature, not a bug. It also is neither HITECH nor HIPAA; it is instead AWS's requirement in order to sign your BAA.

> we can't use ELBs in the standard (easy) way

dragonwriter9y ago

> The biggest thing is that we can't run software with unencrypted PHI on physical hardware that is simultaneously running other people's code.

throwaway7299y ago

I don't think this meets OP's definition of "wrong".

harryhOP9y ago

In practical terms I don't agree that the threat of someone doing all of the following things is worth worrying about (in comparison to many other more likely failures):

1) determine what physical hardware in aws the target is running code on

2) somehow get the aws virtual machine manager to let the attacker run their malicious code on the same hardware

3) somehow pierce the protections of the virtual machine to read memory being used by the target application

4) figure out how the data is stored in memory in order to make sense of anything that was read

2 more replies

lotu9y ago

I asked my doctor to email me my records and was told it is illegal due to HIPAA it makes no fucking sense but that's what it is.

dragonwriter9y ago

emodendroket9y ago

Such as? HIPAA generally has to do with organizational access controls and not specific technologies.

rayiner9y ago

Also, certain provisions of FERPA precluding use of cloud accounts for holding student data. I think those may be the archetypal examples.

j / k navigate · click thread line to collapse