Is Amazon RDS HIPAA Eligible?
This cloud service is HIPAA-eligible
Amazon RDS is listed on the AWS HIPAA Eligible Services List. This means that organizations that sign AWS's Business Associate Agreement (BAA) and meet their obligations under the AWS shared responsibility model may use RDS to store, process and transmit protected health information (PHI). Eligibility is a precondition, not a guarantee: an RDS instance only becomes HIPAA compliant once the customer configures it correctly.
What is Amazon RDS?
Amazon Relational Database Service (Amazon RDS) is AWS's managed relational database offering. RDS lets cloud users deploy and scale a production-level database without most of the configuration and administration work of running one themselves. Supported engines include Amazon Aurora, PostgreSQL, MySQL, MariaDB, Oracle Database, and SQL Server. RDS scales on demand, with users paying only for what they consume. RDS can be connected to other AWS services to build robust healthcare applications. For raw file and object storage, AWS customers may consider Amazon S3 for HIPAA-compliant cloud storage.
Amazon RDS Compliance Requirements
Amazon RDS can be used to store production data and protected health information (PHI), but it must be configured to comply with HIPAA regulations and operated as a HIPAA-compliant database. Organizations must manage permissions and system access, encryption standards, audit logging, and overall service availability. These controls should be built around the organization's established System Access, Data Integrity, and Auditing policies.
Although RDS takes on much of the operational burden and offers many security configuration options, it remains the customer's responsibility under the shared responsibility model to implement HIPAA's administrative and technical safeguards on top of it.
Encryption and Amazon RDS
HIPAA requires organizations to implement encryption for PHI. AWS customers that keep PHI in RDS should ensure the data is encrypted at rest and in transit via TLS (SSL). Encryption at rest is chosen when an instance is created and cannot be switched on afterwards; an existing unencrypted instance has to be snapshotted, the snapshot copied with encryption enabled, and a new instance restored from the encrypted copy. Encryption at rest also does not force clients to use TLS: set the engine parameter that rejects plaintext connections (rds.force_ssl for PostgreSQL, require_secure_transport for MySQL and MariaDB) and configure clients to verify the server certificate against the RDS CA bundle rather than merely requesting encryption, since a client that requests TLS without verification can be downgraded or intercepted. Automated backups, snapshots, read replicas, and exported logs contain the same PHI and must be encrypted as well.
System Access and Amazon RDS
HIPAA's "minimum necessary" standard maps to the security principle of least privilege: only the staff who need PHI to do their jobs should be able to reach it. Apply this at both layers of RDS access. Control-plane access (creating, modifying, snapshotting, sharing or deleting instances) should be restricted with IAM policies scoped to the specific DB instance and snapshot resources. Data-plane access should use individually named database accounts or IAM database authentication rather than a shared master password, with the master credentials kept in a secrets manager and rotated. Only the minimal necessary staff should have access to production RDS services, and development environments should run on separate RDS instances that never hold PHI; use masked or synthetic data there instead.
Availability and Amazon RDS
HIPAA's contingency-plan requirements mean PHI must remain available during an emergency, so organizations need a disaster recovery policy and a plan for incidents that make RDS unavailable. Keep automated backups enabled with a retention period set by policy, take manual snapshots before risky changes, and periodically restore a snapshot to confirm that recovery actually works. Additionally, configure RDS for high availability across multiple availability zones (AZs): a Multi-AZ deployment fails over to a standby in another AZ and minimizes the impact of an AZ outage, but it is not a substitute for backups, because a bad write or an accidental deletion is replicated to the standby immediately.
Audit Logging and Amazon RDS
HIPAA requires organizations to collect and review audit logs of PHI access. For RDS databases containing PHI, this means enabling the engine's own audit logging (for example the pgAudit extension on PostgreSQL or the MariaDB audit plugin option on MySQL), exporting database logs to CloudWatch Logs, and recording control-plane actions such as snapshot sharing or parameter group changes with AWS CloudTrail. Collecting these logs lets security teams detect suspicious activity and respond to potential threats. Audit logging should be governed by an Audit Logging Policy, with logs retained for the policy's required period and reviewed periodically for compliance issues.
Potential Threats to Compliance
- RDS databases open to the public (a publicly accessible instance or a security group allowing all IPs) could let unauthorized users reach PHI
- Unencrypted RDS storage exposes PHI if the underlying volume, a snapshot, or a backup is copied or shared
- RDS databases without a backup process could lose PHI permanently
- RDS databases not set up across multiple availability zones (AZs) could become unavailable during an AZ outage
Security and HIPAA Compliance Controls
Dash Compliance Automation – RDS Security Controls
164.308(a)(1)(ii)(B) Risk Management
Dash Administrative Controls
System Access Policy
Configuration Management Policy
Dash Technical Controls
RDS backup is disabled
RDS backup retention period is too short
RDS snapshots are publicly accessible
RDS instances with unencrypted storage
RDS instances with security groups allowing ALL IPs
RDS instances with single availability zone (AZ)
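The threats and technical controls listed above can be checked mechanically from the instance, security group, parameter group and snapshot descriptions the AWS API returns. The following is an added example, not Dash's product code and not AWS code: it evaluates each control against constructed sample records that mirror the field names of boto3's describe_db_instances, describe_security_groups, describe_db_parameters and describe_db_snapshot_attributes responses, so it runs offline. MIN_BACKUP_RETENTION_DAYS is an assumed policy value, and the instance, group and parameter group names are made up.

```python
"""Offline audit of RDS instance descriptions against the controls named on this
page: backups and retention, storage encryption, Multi-AZ, public access, security
groups open to all IPs, TLS enforcement, log export and public snapshots.
Sample records are CONSTRUCTED to mirror the shape of boto3's describe_db_instances,
describe_security_groups, describe_db_parameters and describe_db_snapshot_attributes
responses, so the checks run without AWS credentials."""
from ipaddress import ip_network

MIN_BACKUP_RETENTION_DAYS = 7  # assumption: take this from your own backup policy
# Real engine parameters that make the server reject non-TLS connections.
FORCE_TLS_PARAM = {"postgres": "rds.force_ssl", "aurora-postgresql": "rds.force_ssl",
                   "mysql": "require_secure_transport", "mariadb": "require_secure_transport"}


def is_world_open(sg, port):
    """True if an inbound rule of security group `sg` admits TCP `port` from 0.0.0.0/0 or ::/0."""
    for perm in sg.get("IpPermissions", []):
        proto = perm.get("IpProtocol")
        if proto == "-1":                                   # all protocols and ports
            covers_port = True
        elif proto == "tcp":
            covers_port = perm["FromPort"] <= port <= perm["ToPort"]
        else:
            continue
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        if covers_port and any(ip_network(c).prefixlen == 0 for c in cidrs):
            return True
    return False


def snapshot_is_public(snap):
    """describe_db_snapshot_attributes marks a public snapshot with 'all' on its 'restore' attribute."""
    return any(a["AttributeName"] == "restore" and "all" in a.get("AttributeValues", [])
               for a in snap.get("DBSnapshotAttributes", []))


def audit_instance(inst, security_groups, param_groups, snapshots):
    """Return the sorted failed-control names for one instance. security_groups: {GroupId: dict};
    param_groups: {group name: {parameter: value}}; snapshots: attribute results for this instance."""
    failed = set()
    retention = inst.get("BackupRetentionPeriod", 0)
    if retention == 0:
        failed.add("backup-disabled")
    elif retention < MIN_BACKUP_RETENTION_DAYS:
        failed.add("backup-retention-short")
    if not inst.get("StorageEncrypted"):
        failed.add("storage-unencrypted")
    if not inst.get("MultiAZ"):
        failed.add("single-az")
    if inst.get("PubliclyAccessible"):
        failed.add("publicly-accessible")
    port = inst["Endpoint"]["Port"]
    for ref in inst.get("VpcSecurityGroups", []):
        if is_world_open(security_groups.get(ref["VpcSecurityGroupId"], {}), port):
            failed.add("sg-open-to-all-ips")
    tls_param = FORCE_TLS_PARAM.get(inst["Engine"])
    if tls_param and not any(
            str(param_groups.get(pg["DBParameterGroupName"], {}).get(tls_param, "0")).lower() in ("1", "on")
            for pg in inst.get("DBParameterGroups", [])):
        failed.add("tls-not-enforced")
    if not inst.get("EnabledCloudwatchLogsExports"):
        failed.add("no-log-export")
    if any(snapshot_is_public(s) for s in snapshots):
        failed.add("snapshot-public")
    return sorted(failed)


# ---- constructed sample data: no real account, security group or host is referenced ----
SECURITY_GROUPS = {
    "sg-0aaa": {"IpPermissions": [{"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
                                   "IpRanges": [{"CidrIp": "10.20.0.0/16"}], "Ipv6Ranges": []}]},
    "sg-0bbb": {"IpPermissions": [{"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
                                   "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
}
PARAM_GROUPS = {"phi-pg15-tls": {"rds.force_ssl": "1"}, "default.postgres15": {"rds.force_ssl": "0"}}
PROD = {"DBInstanceIdentifier": "phi-prod", "Engine": "postgres", "StorageEncrypted": True,
        "MultiAZ": True, "PubliclyAccessible": False, "BackupRetentionPeriod": 35,
        "Endpoint": {"Port": 5432}, "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-0aaa"}],
        "DBParameterGroups": [{"DBParameterGroupName": "phi-pg15-tls"}],
        "EnabledCloudwatchLogsExports": ["postgresql"]}
DEV_COPY = {"DBInstanceIdentifier": "phi-dev-copy", "Engine": "postgres", "StorageEncrypted": False,
            "MultiAZ": False, "PubliclyAccessible": True, "BackupRetentionPeriod": 1,
            "Endpoint": {"Port": 5432}, "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-0bbb"}],
            "DBParameterGroups": [{"DBParameterGroupName": "default.postgres15"}],
            "EnabledCloudwatchLogsExports": []}
PUBLIC_SNAPSHOT = {"DBSnapshotIdentifier": "phi-dev-copy-snap",
                   "DBSnapshotAttributes": [{"AttributeName": "restore", "AttributeValues": ["all"]}]}


def run_sample_audit():
    """Audit both constructed instances; returns {identifier: sorted failed controls}."""
    return {"phi-prod": audit_instance(PROD, SECURITY_GROUPS, PARAM_GROUPS, []),
            "phi-dev-copy": audit_instance(DEV_COPY, SECURITY_GROUPS, PARAM_GROUPS, [PUBLIC_SNAPSHOT])}


if __name__ == "__main__":
    for ident, failed in run_sample_audit().items():
        print(f"{ident}: {'OK' if not failed else ', '.join(failed)}")
```

The hardened "phi-prod" record passes every check, while the "phi-dev-copy" record fails eight of them, including the public snapshot, which no instance-level field reveals and which has to be fetched per snapshot. To run this against a real account, replace the constructed dictionaries with the corresponding boto3 responses (flattening the Parameters list of describe_db_parameters into a name-to-value map) and treat any non-empty result as a finding to triage under the risk management control above.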