Question

How can I achieve HIPAA compliance on a DigitalOcean hosted solution?

Let me start by saying this isn’t a trivial ask of a very complex question, I’m already deep into this and I’m looking to see if anybody else has encountered this challenge and perhaps found a solution.

To start off, we have a solution already running on digitalocean and a new client would like to add some data that would be considered Protected Health Information (PHI), which would make us a Business Associate to their organization as a HIPAA covered entity. The general approach here is that we need to get a Business Associate Agreement (BAA) signed by our hosting provider, but DigitalOcean will not sign BAA agreements (Amazon will, but don’t want to go there). I didn’t want to give up, so I did some more digging.

I’ve gone through the HIPAA security requirements and it seems that having a BAA signed by the hosting provider is typically required to cover physical protection of the PHI stored on the hosting provider’s servers. My assertion is that if physical access to our servers cannot provide access to PHI, then we don’t need a BAA signed by DigitalOcean. Has anybody else had to dig into this and come to the same conclusion?

The physical risks I have identified so far include:

  1. A system could be shut down and access to PHI limited.
  2. A system could be destroyed and PHI lost.
  3. A drive could be removed from a system and PHI copied from it.
  4. A drive could be removed from a system and security measures disabled.
  5. A system could be accessed by somebody at the hosting provider (back door) and data removed.
  6. A system could be accessed by somebody at the hosting provider (back door) and security measures disabled.

Any thoughts on risks that might be missing here?

I already have some thoughts on a number of these risks:

  1. Our solution has fail over to a different physical location, so covered.
  2. Data is replicated in real time to another physical location and backed up off-site.
  3. I’m not sure if a drive can be removed and data left intact on the DigitalOcean platform, but I think MariaDB 10.1 with encryption at rest may address this as long as I keep the encryption key off of the server.
  4. Remotely check for changed configuration files?
  5. Can I assume there is no backdoor into our servers without a signed agreement to that effect?
  6. Can I assume there is no backdoor into our servers without a signed agreement to that effect?

If I can build a solid list of risks and mitigation strategies, I’ll pull it together in a DigitalOcean Tutorial and hopefully our shared knowledge and expertise can make DigitalOcean a viable platform for HIPAA compliant solutions.

Thanks in advance for any help you might be able to offer.
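An added example (not from the original post) of the encryption-at-rest setup that item 3 of the mitigation list points at: MariaDB 10.1 (10.1.4 or later for all of these options) with the bundled file_key_management plugin. The key-file path, the tmpfs mount and the key value are assumptions and placeholders, chosen so that the key never lives on the Droplet's disk.

```ini
# Added example, not from the original post: MariaDB 10.1 data-at-rest
# encryption with the file_key_management plugin that ships with the server.
# Assumption: /run/mariadb-keys is a tmpfs (RAM-only) mount that a boot-time
# step fills from an off-server key store before mariadb starts, e.g. fstab:
#   tmpfs /run/mariadb-keys tmpfs size=1m,mode=0700 0 0
# so a drive pulled from the host carries only ciphertext.

[mariadb]
plugin_load_add = file_key_management
file_key_management_filename = /run/mariadb-keys/keyfile
file_key_management_encryption_algorithm = AES_CTR

# Encrypt every InnoDB tablespace (FORCE also rejects CREATE TABLE with
# ENCRYPTED=NO), the redo log, Aria tables, binary logs and temporary files,
# so plaintext PHI does not leak to any of these on-disk paths.
innodb_encrypt_tables = FORCE
innodb_encrypt_log = ON
innodb_encryption_threads = 4
aria_encrypt_tables = ON
encrypt_binlog = ON
encrypt_tmp_files = ON

# Key file format: one key per line, "<id>;<hex key>"; 32 hex bytes = AES-256.
# Contents of /run/mariadb-keys/keyfile (placeholder value, never reuse):
# 1;000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f
```

This addresses a removed drive (risk 3) but not a live back door (risks 5 and 6), since the key and decrypted pages are in RAM while the service runs. The replica and off-site backups in item 2 need the same treatment, or they become the unencrypted copy.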


Answer

Contrary to your initial statement, I do believe DigitalOcean will sign a BAA, however they are not explicitly HIPAA/HITECH certified. You mentioned AWS meeting your requirements, but not wanting to migrate there — I’m assuming due to their outrageous pricing for their HIPAA compliant servers under a BAA.

Have you looked at LiquidWeb? Perhaps you could use DigitalOcean for development, testing & pre-prod, then a solution like LiquidWeb for production & actual patient data storage. This article explains the various HIPAA compliant hosting options available. Perhaps one of those will meet your needs right out of the box.

The HHS HIPAA Privacy & Security rules keep changing, so it may be best to go with a certified provider and leave the compliance to their security team.

Just my $0.02.

Cheers!

Answer

Unfortunately, there’s a lot more to HIPAA compliance than just having solid IT and security controls. In order to sign a BAA, the company has to have policies and procedures for handling of PHI and has to train all of their staff on HIPAA regulations. There are also mandatory risk assessments and other procedures that have to be performed and documented.

There are other implications as well, such as insurance costs (breach insurance is on the rise) and the risk of stiff fines (up to $1.5M per incident) for non-compliance. For this reason, many hosting providers cannot or will not sign a BAA without significant fee increases. Even Amazon charges a penalty by forcing you to run dedicated instances, at an additional cost of $1500+ per month.

You might consider looking at one of the specialized healthcare cloud providers, such as Healthcare Blocks.

Answer

According to hhs.gov, the data storage provider must still be HIPAA compliant even if they never see unencrypted data:

  1. Can a CSP be considered to be a “conduit” like the postal service, and, therefore, not a business associate that must comply with the HIPAA Rules?

Generally, no. CSPs that provide cloud services to a covered entity or business associate that involve creating, receiving, or maintaining (e.g., to process and/or store) electronic protected health information (ePHI) meet the definition of a business associate, even if the CSP cannot view the ePHI because it is encrypted and the CSP does not have the decryption key.