When it comes to building and launching a website, there are countless options and approaches available. For people who aren't familiar with servers, code, and web design, companies like Squarespace, Weebly, and Wix provide easy-to-use site design tools. But for people who are steeped in web technologies (or who have technical staff), outfits like Fortinet provide a blank slate upon which almost any site or application can be built. Finding the right web host is more complicated for healthcare organizations, however, as covered entities need to have a HIPAA compliant website. And some of the most popular web hosting companies are not HIPAA compliant.
What is Platform.sh?
The approach that Platform.sh takes to web hosting is in its name. Founded in 2010 by serial entrepreneur Frédéric Plais, the French technology company positions itself as a "platform as a service" company that "delivers everything your team needs to build, run, and scale sites and apps." The company has raised over 30 million Euros and today serves more than 65,000 developers working for over 5,000 clients worldwide, including Unity, Pinterest, Orange, and The Economist. "With Platform.sh, organizations can focus 100 percent of their time on building amazing experiences—and zero time managing infrastructure," the company says. Instead of promoting a proprietary design interface, Platform.sh supports WordPress and Drupal content management systems.
The company provides:
- Production cloud hosting
- Multicloud support: AWS, Microsoft Azure, Orange, Google, and regional partners
- The ability to run code without modifications between regions and clouds
- The ability to scale on-demand with 99.99% uptime
What does Platform.sh say about security?
Platform.sh advertises "24x7 data security and privacy" and has a web page dedicated to security and compliance. "We’re compliant with the European GDPR, German BDSG, Canadian PIPEDA, and the Australian Privacy Act," the company notes, adding that it uses TLS encryption for data in transit and conducts an annual SOC 2 Type 2 examination for security and availability. Platform.sh also says it maintains PCI DSS Level 1 compliance for its platform when hosted on Amazon Web Services, Microsoft Azure, or Google Cloud Platform.
What about HIPAA?
Unfortunately, the company's impressive list of security credentials does not include HIPAA. And while Platform.sh will provide a data processing agreement under GDPR and BDSG, it does not offer a business associate agreement. HIPAA is mentioned in a 2018 blog post by its CEO titled "What does it take to adapt your SaaS offering to meet enterprise requirements?" "Every enterprise organization comes with its own requirements: ISO 27001, GDPR in Europe, SOC1, SOC2, PCI for e-commerce/transactions, HIPAA for healthcare, FedRAMP for government," Plais writes. "These are critical, mandatory, or reassuring quality points for large enterprise customers currently managing businesses in a world where security threats have never been so pervasive and challenging to combat." As for HIPAA compliance of Platform.sh itself, the only information we could find is a PDF titled "Platform.sh White Label Cloud Experience for Agencies & Software Vendors." "In Q1 2018 we will achieve GDPR and PCI level 1 compliance, followed by ISO 9000, ISO 27001, SOC 2, HIPAA and FedRAMP," the document reads. It does not appear that this goal was fully achieved.
Is Platform.sh HIPAA compliant?
Although the company and its leadership are familiar with international security and privacy requirements, and the company complies with various European laws, Platform.sh does not appear to be a HIPAA compliant web host. We should also note that the email options available from Platform.sh are fairly limited and are not suitable for sending HIPAA compliant email.