
We're in the healthcare space so we have to own our hardware and co-locate. Being a small outfit, sometimes it's so frustrating trying to find the right resources online these days related to racking and configuring your own bare metal! I can definitely appreciate the 6 weeks to 6 seconds. We recently added a new database server because we were really struggling at peak times. The 5 weeks it took between ordering the $25k server, configuring the base OS, racking it, replicating current data to it, and then choreographing the switch was brutal. Due to the nature of our product, it had to be a zero-downtime switch. Some days, I wish it was as simple as clicking upgrade instance on AWS RDS. Other days, I make myself feel better by calculating the thousands I'm saving a month.


> We're in the healthcare space so we have to own our hardware and co-locate.

Vendors will say all manner of things regarding how HIPAA compliance requires you to buy their most expensive services, but the HIPAA legislation and related rules are almost silent with regards to implementation requirements that map to actual technologies you could actually use. "Quote me the subsection of the Security Rule you are referring to; it will look like 164.308(a)(5)(ii)(D)." is dispositive of this sort of thing.

That's a real thing, by the way. The requirement, in its entirety: "Do you have procedures for creating, changing, and safeguarding passwords?" Did you see the point where it requires hashing the passwords? No, you didn't, because HIPAA doesn't require hashing passwords. It requires you to have some method of "safeguarding" passwords written down somewhere.

[Edit: Parent has clarified that they're dealing with standard paperwork at clients rather than the legislation itself, which makes sense (and, also, oww).]


Pertaining to your edit, apologies for over-simplifying originally. You are absolutely correct that the Security Rule is very, very vague. Many HIPAA audits barely reference the Security Rule and instead use stronger rule sets. Unfortunately, HIPAA is generally documentation of policies as opposed to true technical guidance and requirements. We're also an 8-year-old SaaS company, so many of our agreements pre-date the "cloud" catching up from a compliance perspective. At the speed of healthcare, I imagine it'll take another decade for the industry to realize that an AWS cloud is probably more secure than something a 10-person organization can cobble together.


A running joke for me is the healthcare providers which are worried whether our firm will use "a database" which "could be hacked" instead of, to make up something which clearly has never been said by anyone regulated in the United States, saving all patient information as drafts in the office manager's hotmail account.


It's just a draft though. If you don't hit send, clearly it's not in a "database".


If you saved an email draft into Outlook, it is a database.

If your computer is hacked, then an attacker would be able to extract information from that Outlook database.


Sorry, my sarcasm did not come off properly :)


Why is it "have to own", HIPAA?

I know that both HIPAA and CLIA have issues with things like the spot market but you can still be approved via cloud.


Not so much HIPAA directly, but the business associate agreements that many customers make use of. In order to meet the requirements of many of the agreements we have in place, we have to own any and all hardware that PHI data lives on. They don't exactly accept redlines on those kinds of agreements.


Hi jabzd, we could help you. You can check out our offering at www.nirdhost.com. You can also see what we've done for behavioral tech: http://www.nirdhost.com/blog/2016/how-nirdhost-took-behavior... .


> We're in the healthcare space so we have to own our hardware and co-locate.

https://aws.amazon.com/compliance/hipaa-compliance/


Unfortunately, many standard business associate agreements with clients have yet to catch up to cloud offerings having better compliance guarantees. Many of our agreements with customers, both more recent and legacy, are the reason for the requirement.



