Is DigitalOcean HIPAA or PCI compliant?

September 17, 2014

Just trying to figure out where to host an app. I have a healthcare app but it is subject to HIPAA compliance standards. Not sure if DigitalOcean can handle this yet.
Thanks.

1 comment
  • I'm also in the process of making our application HIPAA compliant. @devin, have you gotten any answers about DO's willingness to sign a BAA when contacting DO support directly?

    Follow-up question: how was AWS? It looks like they're willing to sign BAAs. Why are you looking to switch?

4 Answers

As I understand it, DO doesn't sign agreements. They won't sign a BAA towards HIPAA and they won't sign anything towards PCI either. I believe that DO has the security in place, they just won't sign the agreements. Joyent is in the same situation.

AWS is fine and they sign BAAs, which is great. Azure, Rackspace and Google do too. Our app is still hosted on AWS.

We were looking to switch to DO because the price to performance ratio is significantly better on DO than on AWS (for our application).

Hi @devin774507,

Digital Ocean may adhere to some of HIPAA's technical guidelines, but probably not hit all of them. I could be wrong though. Ultimately, signing a BAA with them is what's important, and if they won't sign, you're out of luck.

If you are an application developer, you will have many other concerns to worry about that DO does not address at all. At a high level, they are:

  • dedicated logging
  • dedicated monitoring
  • intrusion detection
  • vulnerability scanning
  • encryption in transit and at rest
  • and a whole slew of company policies

As a disclaimer, I'm a designer at Catalyze, which is a platform as a service (think Heroku) that is built entirely from the ground up to be HIPAA compliant. What we provide might be what you are looking for if HIPAA compliance is a concern of yours. I'd be happy to chat if you have any questions; you can reach me at kris@catalyze.io

One major value of someone like Catalyze is you only have to sign one BAA and you can trust that everything is covered for compliance. Going from managing a dozen BAAs to just one is quite nice :).

Something we recently built was this handy self assessment checklist. If you have a few minutes, you might want to walk through it and either answer for yourself or for the vendor you're currently using. You will likely get a better understanding of the high level things it takes for compliance:

https://catalyze.io/hipaa-self-assessment-checklist/

Lastly, for anyone reading this, we recently open sourced our internal company policies. If you're a digital health company and are handling PHI, you need your own set. Feel free to use ours to get started.

https://catalyzeio.github.io/policies

@bruins.nicholas,

Quick note - just signing a BAA with a vendor does not necessarily make someone fully HIPAA compliant. There are so many requirements for compliance that generally you'll need many BAAs with vendors who do different things. Even if DO did sign a BAA, they wouldn't necessarily cover everything you'd need in it for full compliance.

I had asked the same question, and here is what I got back:

Hello,

Thank you for your question. All of our datacenters have been certified by national and/or international security standards.

  • Our NYC1 facility is SSAE16 SOC-1 Type II certified.
  • Our NYC2 facility is SSAE16 SOC-2 Type II certified.
  • Our NYC3 facility is SSAE16 SOC-2 and SOC-3 compliant.
  • Our AMS1 and AMS2 facilities are ISO27001:2005 and ISO9001 certified.
  • Our AMS3 facility is ISO9001, ISO27001, and SSAE16 Type II certified.
  • Our SFO1 facility is SSAE16 SOC-1 Type II certified.
  • Our SGP1 facility is ISO27001:2005 certified.
  • Our LON1 facility is ISO9001:2008, ISO27001, and SSAE16 / ISAE 3402 certified.

Please let us know if we can provide any additional information.

Thank you.
DigitalOcean Support

I believe, no matter what, you still have to do some things yourself. DO can make sure the infrastructure has proper IDS setup. It cannot ensure you are not using default passwords, for example.

  • Right. There are a number of things we will need to do on our end. My question should have been more specific. My question should have been: "Will DigitalOcean sign Business Associate Agreements as mandated by HIPAA so that app developers can achieve regulatory compliance on the DigitalOcean platform?"
    I am currently on AWS and was looking to move.

  • I see. I for one would love more support for compliance regulations like this. We have clients who often have strict payment requirements, and often competitors to DO appear more tempting due to this.

    With regards to PCI, someone has achieved level 1 on DO.
    http://digitalocean.uservoice.com/forums/136585-digital-ocean/suggestions/3715574-pci-compliance
