Heroku Shield Private Spaces: HIPAA-Compliant Application Development

Michael Rockford
Jul 13, 2017


Heroku Shield Private Spaces allows efficient development of HIPAA-compliant solutions. With the addition of Heroku’s newest developer option, Shield Private Spaces, there are now three ways to host an application on Heroku: the Heroku Common Runtime, Heroku Private Spaces, and Heroku Shield Private Spaces.

What Is the Difference Between Heroku Common Runtime, Private Spaces, and Shield Private Spaces?

The Heroku Common Runtime is perfect for applications that are not required to meet the mandates of HIPAA. Applications built in the Common Runtime are secured by the power of AWS and can securely handle non-HIPAA data while providing access to all of the great benefits of building on Heroku.

For increased control and the ability to allow your applications to communicate securely and directly via a private network behind your dedicated proxy server, opt for Heroku Private Spaces. Data is not shared with any application outside of the Private Space. Although Private Spaces offers increased security control in comparison to the Common Runtime, applications built in a traditional Private Space are not HIPAA-compliant.

Heroku Shield Private Spaces allows businesses to build secure, HIPAA-compliant applications at a much lower cost than building from scratch. Heroku Private Spaces are available exclusively to Heroku Enterprise customers and include special functionality to secure both the applications and the data they contain.

“If you think compliance is expensive — try non-compliance.” ~ Former U.S. Deputy Attorney General Paul McNulty

Heroku Shield Provides HIPAA-Compliant Security

Applications built for use in the healthcare field often contend with the regulations imposed by HIPAA, a governmental regulation that protects the privacy of patient data. In order for an application to be considered HIPAA-compliant, it must terminate (reject) connections that use TLS 1.0 or earlier, meaning that it must only accept protocol versions later than TLS 1.0, such as TLS 1.1 or TLS 1.2.

Building within a Shield Private Space on Heroku ensures that this mandate is met by requiring all dynos to terminate requests that use TLS 1.0 or earlier (including SSL). Only Shield dynos are permitted to run within a Shield Private Space, which confirms that all data stored on the dyno is encrypted. Data within secured dynos can be relocated without leaving a trail that could identify where that information is stored on the dyno.

Within a Shield Private Space, all data is encrypted all the time, both at rest and in transit. Encrypting communications using the most modern standards for HTTPS communication guarantees that no one can listen in on either side of the communication, whether sending or receiving data. Along with the requirement to terminate TLS 1.0 connections comes the assurance that every action is logged, both to verify that users are not acting maliciously and to provide a compliant audit trail to government officials in the event of an investigation. All administrative functions and command-line interactions are logged.

To prevent developers from inadvertently creating connections to non-compliant servers, and thereby jeopardizing the compliance status of their application, connections to a Shield database from outside of a Shield Private Space are blocked by platform-level intrusion inspection.
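The two controls described above, refusing handshakes below a protocol floor and auditing what was actually negotiated, can be expressed in a few lines. The following is an added example and not Heroku's code or anything from the original post: it builds a server-side `ssl.SSLContext` whose `minimum_version` is TLS 1.2 (the post only requires "later than TLS 1.0"; 1.2 is this example's stricter choice, and the floor is a parameter), and it runs a compliance check over a handful of constructed log lines. The `tls=` and `fwd=` fields in those lines are an assumed format for illustration, not the Heroku router's real log schema.

```python
import re
import ssl

# Protocol floor for this example. The post requires rejecting TLS 1.0 and
# earlier; TLS 1.2 is chosen here because TLS 1.1 offers no practical
# advantage over it. Callers can pass a different floor if needed.
MINIMUM_VERSION = ssl.TLSVersion.TLSv1_2


def build_server_context(certfile=None, keyfile=None, floor=MINIMUM_VERSION):
    """Server-side TLS context that refuses any handshake below `floor`.

    Older clients are terminated at the handshake rather than being allowed
    to negotiate down to TLS 1.0 or SSLv3.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = floor
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


# Protocol labels as they would appear in a log, mapped to the stdlib enum.
# ssl.TLSVersion is an IntEnum, so the values order correctly for comparison.
_VERSION_NAMES = {
    "SSLv3": ssl.TLSVersion.SSLv3,
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}


def version_allowed(name, floor=MINIMUM_VERSION):
    """True if the named protocol meets the floor. Unknown labels fail closed."""
    version = _VERSION_NAMES.get(name)
    return version is not None and version >= floor


# Assumed log field layout for this example only: `tls=<version>` and
# `fwd="<client ip>"` (quotes around the version are optional).
_TLS_FIELD = re.compile(r'\btls=("?)([A-Za-z0-9.]+)\1')
_FWD_FIELD = re.compile(r'\bfwd="([^"]*)"')


def audit_handshakes(lines, floor=MINIMUM_VERSION):
    """Return (line_index, client_ip, version) for every line whose negotiated
    protocol is below the floor, and for lines that record no protocol at all
    (a missing version is reported as "missing" rather than silently passed)."""
    findings = []
    for index, line in enumerate(lines):
        match = _TLS_FIELD.search(line)
        version = match.group(2) if match else "missing"
        if not version_allowed(version, floor):
            fwd = _FWD_FIELD.search(line)
            findings.append((index, fwd.group(1) if fwd else None, version))
    return findings


# Constructed sample log lines (RFC 5737 documentation addresses), not real
# router output. Two of the four negotiated a protocol below the floor.
SAMPLE_LOG = [
    '2017-07-13T14:02:11Z router method=GET path="/patients/42" tls=TLSv1.2 fwd="203.0.113.5"',
    '2017-07-13T14:02:12Z router method=POST path="/records" tls=TLSv1 fwd="198.51.100.9"',
    '2017-07-13T14:02:13Z router method=GET path="/health" tls=TLSv1.3 fwd="203.0.113.7"',
    '2017-07-13T14:02:14Z router method=GET path="/records/7" tls=SSLv3 fwd="192.0.2.44"',
]


if __name__ == "__main__":
    ctx = build_server_context()
    print("server floor:", ctx.minimum_version.name)
    for index, client, version in audit_handshakes(SAMPLE_LOG):
        print(f"line {index}: client {client} negotiated {version} (below floor)")
```

Running the module reports the TLS 1.0 and SSLv3 handshakes on lines 1 and 3 of the sample and leaves the TLS 1.2 and 1.3 lines alone. The same `audit_handshakes` function applies to the later point in this post that an ordinary Private Space may still accept TLS 1.0, 1.1 and SSL 3.0: pointing it at a Private Space's handshake log with the floor you intend to enforce shows how many clients an upgrade would cut off before you make the change.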

“Quality means doing it right when no one is looking.” ~ Henry Ford

Heroku Shield Is Not Just for Healthcare

While those within the healthcare field know that HIPAA compliance is a must, enterprise-level businesses outside of the healthcare field may be attracted to the security provided by a Shield Private Space. While applications built in Heroku Private Spaces provide enough security for most needs, building in a Private Space still allows your application to accept connections negotiated with older security standards (TLS 1.0, 1.1, SSL 3.0).

If you already have a substantial stack built on TLS 1.0, an upgrade is probably in order even if your application does not require HIPAA compliance. Heroku Private Spaces supports builds that use older security standards while providing increased security and control over the Common Runtime. However, if you are operating in an industry where data security is paramount (financial services) or where even a portion of your business must be secured to the highest standards (military contract data), building in a Heroku Shield Private Space, where the upgrade is mandatory, may be the answer.

“Stolen health information can go for $10 each, up to 20 times the value of credit card information.” ~ Reuters, 2014

Supporting Innovation in Healthcare

The purpose of developing Heroku Shield Private Spaces is to support innovation within the healthcare field. Developing HIPAA-compliant applications without investing in a dedicated IT staff to manually build out compliant infrastructure allows your team to focus on convenient application development that solves your business needs.

Heroku Add-ons simplify app development; however, not all add-ons are available in Shield Private Spaces. Like all Private Spaces, Shield Private Spaces are regionally hosted. The first step to finding the right Add-on is to verify that it is available in the region in which your Private Space is running, since not all Add-ons are available globally.

Second, to ensure HIPAA compliance, the Add-on must be installed within your Shield Private Space. SaaS Add-ons may communicate via the public internet with servers that are not HIPAA-compliant. As an example, Sendgrid, the popular email gateway, would allow your application to send data from your Shield Private Space via the public internet to Sendgrid’s own servers, which may not be HIPAA-compliant.

Alternatively, a Shield Postgres Database is installed within your Shield Private Space and data is never exposed to the public internet. Everything installed within your Shield Private Space is protected behind a firewall and is not exposed to the public internet.

Heroku Shield Private Spaces simplifies building HIPAA-compliant applications and brings all of the benefits of traditional Heroku development to the healthcare industry, enabling faster, more cost-effective innovation.

Michael Rockford is CEO and Founder of Radialspark, a registered Salesforce partner and leader in custom software development and implementations. Originally published on www.radialspark.com
