Prescriptive Compliance is how Healthcare Adopts the Cloud


If you are big...

Large healthcare organizations are hesitant to migrate to AWS or Azure because they are concerned compliance requirements aren't being met. When they can't be sure, they stick with old infrastructure.

If you are new...

Emerging digital health products can't break through to their hospital, pharma, or payer market unless they demonstrate compliance and security credibility from Day 1. Compliance is central to the business model.

Datica solves your problem

The Datica Platform is a prescriptive way for any healthcare technology team to manage compliance on the cloud, giving healthcare the assurances it needs to adopt the benefits of the cloud.

Understanding Shared Responsibility

AWS and Azure are the world's best clouds at addressing compliance and security of the cloud: physical controls and network controls. The rest is your responsibility.

In their Shared Responsibility models, you must address the following on top of them in order to approach complete continuous compliance. Each item in the list below maps to a specific control in the HIPAA Omnibus, HITRUST CSF, GxP regulations, or GDPR articles.

Required Compliance Controls

  • Block-level encryption
  • Network encryption between existing processes or services
  • Sub-network segmentation
  • Intrusion detection
  • Vulnerability scanning
  • Systems monitoring
  • System-level logging
  • App-level logging
  • Log storage in an encrypted fashion
  • Disaster recovery protocols
  • Business continuity
  • Patch management
  • Breach management
  • Daily backups
  • Penetration testing
  • Business Associate management
  • Access control management

Compliance is not magic, it's just a lot of work

None of it is impossible for you to figure out. But configuring, integrating, documenting, auditing, and managing it across a fleet of containers or VMs with every deployment is how continuous compliance happens.

Datica does all this for you. We are compliance on the cloud. Customers of Datica pass these Shared Responsibility obligations to us and are left with compliance in the cloud, which covers the company-level and application-level responsibilities.

Datica is HITRUST CSF Certified.

Datica customers gain serious credibility and accelerated audits with their own customers, such as hospitals, payers, and pharma.

HITRUST is the most important prescriptive compliance framework in healthcare. It helps give enterprises assurances that they can use the cloud as if compliance didn't exist, while giving digital health companies a shortcut to credibility.


General Data Protection Regulation

GDPR Ready

The European Union has created a new authoritative regulation on consumer data called GDPR. Fines start being handed out on May 25th, 2018. The regulation applies to all EU citizens regardless of service or where the data lives. Protected Health Information (PHI) is scoped within GDPR, so any healthcare organization that might serve European Union citizens will be affected by it.

Are you ready? Datica has gone through the necessary audits to ensure it is compliant with the regulation.

Learn more about GDPR.


Good practices for Life Sciences on the Cloud

GxP Ready

GxP stands for “Good Practice” and is a set of operational controls for Life Sciences organizations working within the confines of the FDA.

The FDA publishes its regulations on the back of NIST, which is why GxP largely follows NIST standards. There is no single authoritative documentation source for GxP, as there is with the 2013 Omnibus for HIPAA or the European Union's Articles for GDPR. Instead, GxP is an industry-accepted definition of best practices mapped to FDA regulations.

Learn more about GxP.

Open sourced company policies give healthcare organizations a head start

What people are saying about Datica’s Open Source Policies

“We believe that for Datica to open source these documents is truly groundbreaking in healthcare IT.

In the past we’ve spent an enormous amount of funds creating & updating our policies. We have yearly evaluations of our policies in October and this past October (2014) we were able to update and implement a number of improvements to our existing policies all based off the information we gathered from Datica's policies. This cost us zero dollars in comparison to our expensive updating of policies in prior years.

This is definitely the first time we have seen policies open sourced and we applaud the use of tools like GitHub to manage version control of all policies.

I think this could be revolutionary in helping the industry as a whole collaborate to improve privacy and security practices by gathering information from the highest level security/privacy experts in the field and making it available via similar open source methods.”

Katelyn Gleason

CEO & Cofounder, Eligible Inc.

We’re dedicated to making the industry better

In 2014 Datica open sourced our company policies under a CC BY-SA 4.0 license. Since then the response has been overwhelmingly positive—we have had more activity on GitHub than governmental institutions like the FDA. Along the way we’ve helped hundreds of businesses get started by eliminating this portion of HIPAA compliance as a burden.

Our policies have been written with modern, cloud-based technology vendors in mind. We looked far and wide for policy examples that fit our company, and couldn’t find any. So we wrote our own. Importantly, these policies have been through multiple external audits—two HIPAA audits and one HITRUST audit.

Do you handle PHI and not yet have your own company policies in place? Then you’ll find our content useful.

Policies Overview