In our blog post about Innovating Healthcare with Drupal, we talked about using Drupal to deliver an application that improves the healthcare experience for palliative care patients.  Our application was a resounding success.  The global COVID-19 pandemic hits and the need to keep people out of the Emergency Rooms to stop the spread of the Coronavirus suddenly becomes urgent.  To move the Drupal application out of tightly controlled pilots to a more widely distributed application requires adherence to HIPAA (USA) and PIPEDA (Canada) guidelines to safeguard patient information.  Unfortunately, the tried and tested Drupal DevOps and hosting environments we’ve become accustomed to don’t come close to providing the level of security required as a platform to become compliant with HIPAA or PIPEDA.  This is where the MedStack hosting service comes in to save the day.


MedStack is an application hosting platform that provides ISO 27001 compliance for the environment in which your application resides, but not for the application itself.  The interesting feature of MedStack is that their environment can spin up any Docker image, producing a hosting platform that conforms to privacy requirements while giving you the freedom to write your application in any language that can be run on a Docker image.  It is up to you, the application developers, to ensure you adhere to security best practices within your application to keep it secure.  Among the application security items to consider are password policies, two-factor authentication, private vs. public files, permissions and keeping up with the Drupal security patches. Privacy Impact Assessments (PIA) and Threat and Risk Assessments (TRA) will still have to be done on your applications to ensure they meet the requirements for your healthcare application and what steps are required to remedy any deficiencies.


Docker-based solutions such as Drupal VM, DDev or Lando are widely used in the Drupal development community.  These solutions are excellent for spinning up a feature-rich development environment, eliminating the need for developers to use specific operating systems or to create locally-running LAMP development stacks.  Unfortunately, you can’t use Drupal VM out of the box on Medstack.  MedStack uses its own MySQL Database service to provide the proper HIPAA/PIPEDA compliance and you should streamline your Docker images to be production-configured environments.


The following screenshots should give you some insight into what Medstack provides.

Showing Medstack Control - Container management

With some identifying information removed, shown is Medstack Control which allows you to set up new clusters, manage the existing Docker services, create new nodes and manage your database servers. What you should note are the details shown in this screenshot:  Encryption on the network, encryption at rest and encryption in transit. Safeguarding patient data is paramount and encryption of data at rest and on the network is mandatory. Likewise, this particular application is for a Canadian healthcare network, therefore we have to run in the Central Canada region.  We are able to spin up a new cluster in the US or EU, thus satisfying in-country hosting requirements.


Medstack Control - Container properties

Drilling into the docker service, you’re able to update the service’s configuration, shell or exec commands in your container and see the history of events and tasks performed on your environment.  Need Drush?  No problem.  You can execute drush commands in the shell to manage your environment.  Just configure Drush in your Docker image.


Coupling a properly configured Drupal application with Medstack has allowed us to move Drupal into a HIPAA and PIPEDA compliant environment, satisfying the underlying privacy requirements demanded by our healthcare institutions.  We can now focus on the application and leave Medstack to worry about compliance issues.  Working with our healthcare partners, we continue to evolve our Drupal application in the healthcare space.