1. 19

https://blog.heroku.com/announcing-heroku-shield

  2. 9

    This has been 5 years in the making for me. We first started when I joined the company around 5+ years ago.

    1. 7

      I’ve only been at Heroku for a year but this has been more-or-less the only project I’ve worked on. So happy to see it live and I’m excited to help improve healthcare vendor app development. The healthcare industry in my hometown (Pittsburgh) is pretty large and I really hope local projects adopt this as an alternative to their more traditional deployment models.

      I’ve worked at a few shops that had to be HIPAA compliant. Having PaaS/IaaS as a viable alternative would have been huge for us back then. We spent so much time and money reinventing the wheels of other projects/products because they were deemed as a security risk.

      1. 5

        You should request a Heroku hat.

        1. 1

          As a Heroku hat wearer, I second this.

        2. 2

          As a mental health worker turned software engineer, HIPAA compliance is both near to my heart and a very difficult (but important!) problem for software. Thank you for this.

          1. 1

            So cool. Congrats y’all, this is a gamechanger for sure.

            1. 1

              Great news! Being in a city with a large Health IT and Medtech ecosystem (Houston), I’ve felt bad for those companies when they find themselves at some tech talks and some startup-y-leaning events. I remember one particular talk that focused heavily on “work your team shouldn’t be doing” and described a handful of free-tier and affordable SaaS tools for every imaginable need, plus a smattering of IaaS and PaaS, basically to help engineers focus more time on their company’s core product.

              About a third of the audience was in Healthcare and so a third of the Q&A boiled down to “So how is this data stored?” and “Oh, I guess we can’t use that.”

              1. 1

                This is really cool! Would you mind my asking a few questions?

                1. What was involved in making this service HIPAA compliant? As an addendum, was LetsEncrypt integration related? Sounds like a huge project!
                2. Are there any common development patterns that shouldn’t be used on Shield?
                3. And maybe a question for a lawyer, but, say Heroku had a bug that made the service non-compliant with HIPAA, would that expose me as the app developer/company to legal difficulties?

                I read through the blog post, but I didn’t click through to the more detailed docs. My apologies if these questions are answered there.

                1. 1

                  Hey, the project touched all teams and orgs. My involvement was fairly minimal as I didn’t directly work on Shield.

                  What was involved in making this service HIPAA compliant?

                  A ton of stuff. One thing you can see on the Heroku buildpack is when someone makes a PR there is a section there for “compliance”. This is where another engineer has to check that they’ve reviewed the change and that it won’t introduce a security vulnerability and guards against someone slipping in some kind of a backdoor.

                  There are quite a few other things, but that one touched all engineers and codebases. HIPAA is as much about having a paper trail and being able to prove that you’re compliant as it is about actually being compliant.

                  Someone who worked more on the actual details might be able to say more, or maybe not depending on our policies, but since that one is publicly visible I figure it’s fine to mention.

                  Would you mind my asking a few questions?

                  I would say that these would be better answered by one of our specialists from https://www.heroku.com/private-spaces#contact.

              2. 4

                Suggest release tag here. :)

                Also, fuck healthcare IT so very very hard. Good work Heroku.