How can I achieve HIPAA compliance on a DigitalOcean hosted solution?

Posted on September 15, 2016

Let me start by saying this isn’t a trivial ask of a very complex question. I’m already deep into this and I’m looking to see if anybody else has encountered this challenge and perhaps found a solution.

To start off, we have a solution already running on digitalocean and a new client would like to add some data that would be considered Protected Health Information (PHI), which would make us a Business Associate to their organization as a HIPAA covered entity. The general approach here is that we need to get a Business Associate Agreement (BAA) signed by our hosting provider, but DigitalOcean will not sign BAA agreements (Amazon will, but don’t want to go there). I didn’t want to give up, so I did some more digging.

I’ve gone through the HIPAA security requirements and it seems that having a BAA signed by the hosting provider is typically required to cover physical protection of the PHI stored on the hosting provider’s servers. My assertion is that if physical access to our servers cannot provide access to PHI, then we don’t need a BAA signed by DigitalOcean. Has anybody else had to dig into this and come to the same conclusion?

The physical risks I have identified so far include:

  1. A system could be shut down and access to PHI limited.
  2. A system could be destroyed and PHI lost.
  3. A drive could be removed from a system and PHI copied from it.
  4. A drive could be removed from a system and security measures disabled.
  5. A system could be accessed by somebody at the hosting provider (back door) and data removed.
  6. A system could be accessed by somebody at the hosting provider (back door) and security measures disabled.

Any thoughts on risks that might be missing here?

I already have some thoughts on a number of these risks:

  1. Our solution has fail over to a different physical location, so covered.
  2. Data is replicated in real time to another physical location and backed up off-site.
  3. I’m not sure if a drive can be removed and data left intact on the DigitalOcean platform, but I think MariaDB 10.1 with encryption at rest may address this as long as I keep the encryption key off of the server.
  4. Remotely check for changed configuration files?
  5. Can I assume there is no backdoor into our servers without a signed agreement to that effect?
  6. Can I assume there is no backdoor into our servers without a signed agreement to that effect?

If I can build a solid list of risks and mitigation strategies, I’ll pull it together in a DigitalOcean Tutorial and hopefully our shared knowledge and expertise can make DigitalOcean a viable platform for HIPAA compliant solutions.

Thanks in advance for any help you might be able to offer.
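One way to implement item 4 of the mitigation list above ("remotely check for changed configuration files"), as an added example that is not from the original post or from DigitalOcean: fingerprint the configuration files, keep the baseline off the monitored host, and compare each new snapshot against it. The file paths, file contents and function names are constructed for illustration.

```python
import hashlib
from typing import Dict, Iterable, Set

# Constructed sample: contents of a few config files as they were when the
# baseline was recorded (hypothetical paths and contents, not from the post).
BASELINE_FILES = {
    "/etc/mysql/my.cnf": b"[mysqld]\ninnodb_encrypt_tables=ON\ninnodb_encrypt_log=ON\n",
    "/etc/ssh/sshd_config": b"PasswordAuthentication no\nPermitRootLogin no\n",
}
# Constructed later snapshot: encryption at rest was switched off in my.cnf
# and an extra sshd drop-in file appeared. Both should be flagged.
CURRENT_FILES = {
    "/etc/mysql/my.cnf": b"[mysqld]\ninnodb_encrypt_tables=OFF\ninnodb_encrypt_log=ON\n",
    "/etc/ssh/sshd_config": b"PasswordAuthentication no\nPermitRootLogin no\n",
    "/etc/ssh/sshd_config.d/extra.conf": b"PermitRootLogin yes\n",
}


def read_files(paths: Iterable[str]) -> Dict[str, bytes]:
    """Read real files from disk, skipping ones that no longer exist
    (a missing file shows up as 'removed' in the comparison)."""
    out: Dict[str, bytes] = {}
    for path in paths:
        try:
            with open(path, "rb") as fh:
                out[path] = fh.read()
        except FileNotFoundError:
            continue
    return out


def fingerprint(files: Dict[str, bytes]) -> Dict[str, str]:
    """SHA-256 digest of each file's bytes, keyed by path. Store the result
    of the baseline run on the monitoring host, not on the server itself."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def compare(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, Set[str]]:
    """Paths that were added, removed or modified relative to the baseline."""
    base_paths, cur_paths = set(baseline), set(current)
    return {
        "added": cur_paths - base_paths,
        "removed": base_paths - cur_paths,
        "modified": {p for p in base_paths & cur_paths if baseline[p] != current[p]},
    }


def check(baseline_files: Dict[str, bytes], current_files: Dict[str, bytes]) -> Dict[str, Set[str]]:
    """Convenience wrapper: fingerprint both snapshots and diff them."""
    return compare(fingerprint(baseline_files), fingerprint(current_files))
```

In practice the current snapshot is fetched from the server (for example over SSH) on a schedule, and any non-empty result is treated as an alert to investigate rather than silently re-baselined.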




Great, waiting for experts.

So the answer is to move our solution to AWS? I’m not ready to accept that.

I’ve gone through every line item in the security rule that would pertain to being a SaaS provider, and I haven’t seen anything that I don’t think could be addressed with some thought and quality IT work. Has the DigitalOcean security team researched and found a deal breaker? If so, can they share their status so we can work together on this?

I realize our 8 virtual servers are pretty small right now, but I cannot believe the answer is simply “go away”.

Unfortunately, there’s a lot more to HIPAA compliance than just having solid IT and security controls. In order to sign a BAA, the company has to have policies and procedures for handling of PHI and has to train all of their staff on HIPAA regulations. There are also mandatory risk assessments and other procedures that have to be performed and documented.

There are other implications as well, such as insurance costs (breach insurance is on the rise) and the risk of stiff fines (up to $1.5M per incident) for non-compliance. For this reason, many hosting providers cannot or will not sign a BAA without significant fee increases. Even Amazon charges a penalty by forcing you to run dedicated instances, at an additional cost of $1500+ per month.

You might consider looking at one of the specialized healthcare cloud providers, such as Healthcare Blocks.
