We wrote a book! Complete Cloud Compliance explains global compliance on the cloud

Why we wrote a book

In 2013, when Datica was founded as Catalyze, the cloud was a simpler place. AWS was the only public cloud that signed a meaningful Business Associate Agreement (BAA), but they only had a handful of services (or “primitives”) within scope. Even so, to sign the BAA, which was under NDA, required customers use dedicated instances which meant digital health companies had to spend a minimum $1,400 per month just to get started — and that doesn’t even account for the cost to solve the remaining 9/10ths of compliance. Docker wasn’t yet version 1.0, and Kubernetes wasn’t even a thing yet. The term “microservices” meant nothing. Modern container-based cloud architectures that were fully HIPAA compliant and could be HITRUST CSF Certified were impossible on the public cloud until Catalyze’s first platform-as-a-service product came along.

Fast forward to 2018, and the cloud is a very different place. We are now living in a post-cloud world. That post-cloud world is built on managed services. AWS is now up to hundreds of these services and dozens within scope of their BAA. Azure and GCP sign rock-solid BAAs consisting of just as many world-class services and all three are competing to be a viable destination for digital health workloads. Many independent managed services, like MongoDB’s Atlas, sign BAAs now, too. The typical cloud architecture is a constellation of managed services using a microservices-based scheme. Just the other day, I was speaking to a digital health developer who mentioned his company uses the basics like Amazon Elastic Compute Cloud (Amazon EC2), Amazon Relational Database Service (Amazon RDS), Amazon Simple Simple Storage Service (Amazon S3), AWS Lambda, and Amazon API Gateway, but is using BigQuery on GCP for machine learning and investigating Azure Kubernetes Service (AKS) and Azure Cosmos as an eventual Kubernetes destination, while also incorporating MongoDB Atlas, Auth0, and a handful of independent logging and monitoring services. Whew. This is not manic decision making. This is the new normal.

Compliance has not kept up. We know this first hand.

The issues are foundational, from our experience. Compliance officers are often attorneys and not technologists so they have a hard time grasping how fast abstraction on the cloud is moving. Likewise, engineers are not legal scholars, so they have a tough time wrapping their heads around a proper compliance program that is the difference between their app being adopted by hospitals or dying on the vine. I still personally have about one conversation a day with a developer where I have to coach them that HIPAA is a government regulation while HITRUST is a certification framework.

In 2013, the cloud was built for an operator archetype, the type of employee who could secure Virtual Machines (VMs) and contribute to a compliance program. After five years, the cloud is now designed for developers who can easily interchange services with a few clicks. What we are seeing is this new archetype is not ready for security and compliance in a managed services world. All we have to do is look around to find news stories of the situation. Just last month, an improperly configured AWS S3 bucket lead to 31,000 GoDaddy servers to be exposed.

These foundational challenges are why we wrote Complete Cloud Compliance. Our goal is always to help the healthcare community, but educating people on such heady topics extended beyond a blog post or online knowledge base. A book proved to be the right medium. Travis Good (Datica CEO) and I started the writing process earlier this year with the first edition printed last month.

Structure of the book

The book starts out with a basic introduction then flows into the following chapter setup:

1. The Business Case for Compliance — an examination on why compliance actually matters to regulated companies like digital health.
2. What Really is Compliance? — We tried very hard to be simple and concise while also educating complex topics to those who are fresh to the respective domains. Consequently, this chapter breaks down critical compliance concepts with a developer reader in mind, meaning compliance officers will find the content familiar. Feedback from developers has been fantastic, however.
3. What Really is the Cloud? — The cloud is not a computer in somebody else’s data center. It’s software-enabled infrastructure services built for software developers. This chapter was written for this post-cloud world, but it does lay some basic foundational concepts to help educate business folks. Feedback from engineers to compliance officers to business users has been very positive.
4. Why Data Interoperability Matters — Readers will find a consistent theme throughout the book: data is splintering, not consolidating, which makes compliance even harder. This chapter uses healthcare to explain how interoperability matters to compliance.
5. Complete Cloud Compliance — After the context is set, we give a detailed overview on how regulated companies can employ a compliance program that genuinely gives them dynamic, continuous compliance on an ever-changing cloud. We call the program Complete Cloud Compliance, as the book title implies, and 3C for short throughout.
6. Best Practices for Complete Cloud Compliance — With the 3C program in mind, we then provide a few dozen best practice pieces of advice for managing compliance on the cloud.
7. The Achievable Mandate — Readers within regulated companies should not fear the future, but embrace it because it’s critical for survival. The good news is controlling compliance on the cloud is possible.

Visually explaining compliance

The book is purposefully very visual. The reasoning is pretty simple. Ultimately, this is a very boring and very complex topic. We don’t pretend that this is the most exciting domain just because we live in it everyday. No, compliance is mind-numbingly boring.

But it is critical to the future success of regulated companies, and by extension digital health. We fundamentally believe that unless healthcare can get on the cloud, it is at grave risk of falling even further behind, to which compliance is a blocker.

To combat the boring nature of our lovable domain, we went heavy on visual storytelling. Readers will find sprinkled throughout the book several infographics geared as simplifying extremely complex topics. We think it worked well.

Take this image for example. In chapter two (which is downloadable at the end of this post), we break down the differences between regulations, standards developing organizations, standards themselves, and frameworks. When we get to the frameworks section, we wanted to make clear that it is wise to work with frameworks that are built for the future, to which HITRUST is a good choice. When demonstrating the point, we charted the lineage of influences dating back almost a century that went into HITRUST’s CSF. We thought it told an interesting story.

The 9 Big Ideas

Woven throughout the book are nine big ideas, many of which are brand-new ways of thinking by Datica that we are thrilled to start to share with the community. They are:

1. When controlled, compliance is actually a competitive edge.
2. The cloud is no longer other people’s computers. It is managed services.
3. As cloud services get more abstract to improve developer experience (a good thing), more control is being taken away from the user making compliance attestation harder (a bad thing).
4. Compliance is only as strong as the weakest link in the abstraction chain.
5. Frameworks are the best way to manage regulations. The best frameworks are built for a dynamic future, not a dated past.
6. Complete cloud compliance is hard because technologists struggle to understand compliance while compliance officers struggle to understand the cloud.
7. The cloud is global, so compliance is now global.
8. Cloud compliance comes down to data management. The three verbs of data are store, compute, and transmit.
9. Data sources are splintering instead of unifying, making compliance more complex.

You will see us publish more about these big ideas throughout 2018.

How to get a copy

Travis and Datica CSO Christopher Gerg will be giving away free copies at the HITRUST 2018 this week. Come find our book signing table in the expo hall. If we run out, we are happy to collect your name and address to mail a copy. Similarly, free copies will be given away at the Microsoft Ignite and AWS re:Invent conferences. Come find us for a free copy. We’ll blog more about those events as they get closer.

General purchase will eventually be available later this year via Amazon.com fulfillment.

Until then, you can download a free PDF copy of chapter two in order to get a feel for the book and you’ll be notified when it is formally available.