Ory is the largest open source community in the world for cloud software application security. We maintain advanced open source security software solving authentication, authorization, access control, application network security, and delegation. Ory implements a variety of industry and best-practice standards including OAuth 2.0 / OAuth 2.1, OpenID Connect, Zero Trust Networking, Google Zanzibar Policy Framework, FIDO2 U2F, WebAuthn, TOTP, and more.

Ory Community

Is there anywhere I can read about (or anyone who has an opinion on) the viability of Ory as a platform for identities associated with HIPAA-protected healthcare applications?

Hey <@U02LXKWB7T3> , glad to have you. We have no public documentation on HIPAA yet but would be more than happy to understand and discuss your needs wrt to HIPAA. If you want, please reach out to <@U0393MW030T> here or via email: <mailto:stephan.reinartz@ory.sh|stephan.reinartz@ory.sh>

Sure! Should I message in this thread or DM, <@U010F2N7G2X>?

I am not actually sure how much, if at all, the Ory user auth has anything to do with the HIPAA data. I guess the idea is that medical professionals will access our system and, through that access, they will be able to see HIPAA-protected medical data.

In the first iteration, at least, I don't think that patients themselves would have accounts or data that lives in Kratos... However, if there was some sort of issue that made it so people could authenticate as the medical professionals, then all the patient data would be then at risk, and that would be very bad.