Challange for amazeball developers (Virgil Security, HIPAA)

Challange for amazeball developers.

No disrespect. I’d like to offer $100 to the answer that gets the most hearts.

I’m looking to build a HIPAA compliant app. Basically, it is Slack but on a HIPAA compliant SDK. I’ll use Twilio and Virgil security. https://virgilsecurity.com/end-to-end-encryption-for-twilio/

Can this be done on Bubble with all the HIPPA goodies? Think Telemedicine.

That is the challenge, guys. If you know how to make it happen, post your opinion and hopefully you’ll get those hearts.

Now, if you know you can build it for SURE, DM me with a simple yes or no.

Respectfully, no " I can do many good job for you, sir. I can guarantee many satisfactions for you, sir."!

Anyways, I think you get my drift.

Alright, who’s down for a little challenge? Don’t be shy!

Hi @hi14

The service of virgil sounds great to encrypted both side.

I think the first challenge will be with Bubble to get the JWT (Json Web Token).

image1314×82 19 KB

Unless Bubble states that they are HIPAA compliant and will sign a BAA with you, you cannot store healthcare data with them (even if it is encrypted).

John, thank you so much for that excellent answer.

However, I believe lottamint has provided me with a definite response. I will grant him the $100 prize.

If I remember, JWT is already handled by api connector. No?

Thank you, lottemint. You have crushed my Bubble dreams. You won!!!

Bubble team, stop crushing people’s dreams. Become HIPAA compliant.!!

Still stuck

I’m not sure how I need to react to this one.
Thanks!

I hope that @Bubble will provide that option soon.

Not a Hippa expert but I believe that the focus is on encrypted data transmisión and Hippa compliant storage. While Bubble storage may not be compliant you are able to build on Bubble and store with a 3rd party that is compliant as long as you encrypt the transfer of data.

Aha, sure.
Bubble saves output actions in your app’s logs.

Check out the following link, please:
https://developer.virgilsecurity.com/docs/use-cases/v5/encrypted-communication

image916×777 90.3 KB

Your vision could be achived using Firebase Firestore, it’s HIPAA complient and using the Data Layer plugin writing to your database avoids Bubble logs as it uses the Firebase JavaScript Client SDK so no server side log or usage. Just a thought.

@PWC That is an interesting thought. However, it still makes me wonder about the need for a BAA from Bubble. At the same time, apps that are HIPAA compliant that use services like Stripe, they don’t require Stripe to sign a BAA. Since we wouldn’t be saving logs on Bubble, I wonder if that makes us like Stripe. I believe Firebase will sign that BAA.

Do you have any examples of this, or is it merely a thought?

@neerja What do you know about this HIPAA compliancy? Are you aware of any apps on Bubble that have HIPAA compliance in their veins of some sort?

By extention, Google will providing your product selection from them is in this list,

Covered Products

The Google Cloud BAA covers GCP’s entire infrastructure (all regions, all zones, all network paths, all points of presence), and the following products:

• App Engine
• Cloud Armor
• Cloud AutoML Natural Language
• Cloud AutoML Translation
• Cloud AutoML Vision
• BigQuery
• BigQuery Data Transfer Service
• Cloud Bigtable
• Cloud Console
• Cloud Composer
• Cloud Data Loss Prevention
• Cloud Dataflow
• Cloud Datalab
• Cloud Dataproc
• Cloud Datastore
• Cloud Deployment Manager
• Cloud DNS
• Cloud Endpoints
• Cloud Filestore
• Cloud Firestore
• Cloud Functions
• Cloud Genomics
• Cloud Healthcare
• Cloud Identity
• Cloud Identity-Aware Proxy
• Cloud IoT Core
• Cloud Key Management Service
• Cloud Load Balancing
• Cloud Machine Learning Engine
• Cloud Memorystore
• Cloud Natural Language API
• Cloud NAT
• Cloud Pub/Sub
• Cloud Resource Manager
• Cloud Router
• Cloud Source Repositories
• Cloud Spanner
• Cloud Speech API
• Cloud SQL for MySQL
• Cloud SQL for PostgreSQL
• Cloud Service Consumer Management API
• Cloud Storage
• Cloud Translation API
• Cloud Video Intelligence API
• Cloud Vision API
• Cloud VPN
• Compute Engine
• Container Registry
• Dialogflow
• Google Service Control
• Google Service Management
• Identity Platform
• Kubernetes Engine
• Persistent Disk
• Stackdriver Debugger
• Stackdriver Error Reporting
• Stackdriver Logging
• Stackdriver Profiler
• Stackdriver Trace
• Transfer Appliance Service
• Virtual Private Cloud (VPC)

You may also want to have a look at https://cloud.google.com/healthcare/

& if you havent already, HIPAA Compliance on Google Cloud  |  GCP Security

@PWC Yes, I do understand that Google Cloud BAA covers GCP’s entire infrastructure. However, those are all Google’s components. The mear fact that we are using Bubble, does that present a problem with HIPAA compliance even though we would be storing logs on firebase firestore?

I mean, it seems obvious to me that it would be in compliance, but I am just trying to find a resounding YES from someone.

If you use the Firebase Client JavaScript SDK to auth your user, then read write using the Client JavaScript SDK to the Cloud Firestore, Then as far as I am concerned you have used Google’s product for the complete solution making the data transacted within (as long as you use the data as a state in Bubble) compliant.

Using this method you can also write native Java apk’s later for the app store, or node, python or what ever your flavour later should your app scale outside of the bubble sphere or should you decide to allow external entities to build from your data enviroment.

This was why I made the Data Layer plugin include sign in/out not just read write.

@PWC I actually purchased the plugin and it really seems amazing add on to speed up things and bring more options especially if you are thinking about the future and where data is being stored location wise.

What I would like to see is editor view about how to actually use it with repeating groups to filter records etc… And basic examples about rules on firestore side. For example if ”current users list X contains Y then user can access to that info. How does the username and password access needs to work in sync with bubble?

I will put something together when i get some time, to get you started though consider the following.

You sign a user in using the action available (meaning the user has a Firebase Auth credential in your Firebase Console).

Now lets say your Firestore DB is set like this, users/USER’S UID/USERS DATA

In the above case a write operation would be something like this,

image341×686 27.9 KB

Making this users favourite number the value of that input.

Your Firestore rules would reflect something like this,

rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

  match /users/{uid} {
    allow read, write: if request.auth.uid == uid;
   }
  }
}

Because the user is signed in using the SDK and has the UID that your using as the data path your pushing a field or JSON to the data will write and can be read by that user also.

You can get fancy with your rules or keep them neat, they are granular and can be very flexible.

rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

//Example of wide open read only data path no auth - remove this comment!
   match /public/assets {
    allow read: if true;
   }


//Example of anyone thats authed can read data path - remove this comment!
  match /everyone/stuff {
    allow read: if request.auth.uid != null;
   }

//Example of only user matching current users UID can read/write  - remove this comment!
  match /users/{uid} {
    allow read, write: if request.auth.uid == uid;
   }

  }
}

Hello @PWC ,

May I know how you will work with things on the server-side?

Please take into account that you can’t store private keys as well.

This is good info! It takes time to set things up but I will get there. Some kind of tutorial would be helpful for sure especially from security point of view.

How about set up for this kind of Rule

• Bubble user has a list of of company’s
• A, B and C
• Under each company there are contacts with a company field

How can I restrict users with a rule accessing it only if contacts company is in their list of company’s?
I guess in that case I need to send there data?