I'm working with an android app sending data to a service hosted on AWS. The provider specifies that AWS in itself isn't HIPAA compliant.

In which way should this be a source of worry? Regardless of the nature of the data, what specific elements make this a problem? It seems to me that it is not so specific from a cyber security perspective.

EDIT: This is not for a health care application. However, the service provider mentions it is not compliant on its website - therefore I want to know what practically this compromises (or not) from a security perspective. I know that some clients in some applications (or government agencies) will not use services not compliant with certain standards (such as HIPAA). However, to me it doesn't mean that being non-HIPAA is unsafe - for all I know it could easily be mostly about PR and not so much about security of the service/data on the server.

Francky_V
  • HIPAA is specific to processing health care data. Your app will not be processing health data. I'd say you're in the clear. – user3244085 Dec 21 '16 at 20:55
  • FWIW, as a former lawyer who did a little work with HIPAA on the legal side, and who is now a tech consultant who has done some partly HIPAA-driven work for a few health care providers on the technical end: For lawyers and compliance personnel HIPAA statutes & regs are a valuable source of employment security. In terms of practical effect on security they are just this side of meaningless. HIPAA makes PCI and some other, uh, problematic compliance regimes look like veritable geysers of security wisdom, relevance, and specificity. (But that's just, like, my opinion, man. YMMV.) – mostlyinformed Dec 21 '16 at 21:04
  • "Isn't HIPAA compliant" doesn't mean anything in terms of cybersecurity. My online banking web site isn't HIPAA compliant either, probably because it never underwent the audit. It could probably pass. – John Wu Dec 21 '16 at 23:10
  • @JohnWu & mostlyinformed that's exactly the kind of thing I wanted to know. – Francky_V Dec 21 '16 at 23:50

1 Answer

All the comments posted before this are correct - unless this is a healthcare application, it probably shouldn't make a difference. The statement you're talking about is probably just to help prospective customers choose one service over another.

Also, if this is any large organization, it's highly likely that they're already auditing their infrastructure, and I'd even dare say a larger company might pass a HIPAA compliance audit.

tl;dr: It doesn't matter unless you're dealing with patients' data.

thel3l