AWS HIPAA Architecture
Organizations can use AWS to run HIPAA compliant services in the cloud. After accepting the AWS Business Associate Addendum (AWS BAA), an organization builds on the services AWS designates as HIPAA eligible. Signing the BAA does not shift the work: under the Shared Responsibility Model, the organization remains responsible for the administrative and technical safeguards required by the HIPAA Security Rule, while AWS covers the physical safeguards and the security of the underlying cloud. Simply signing a BAA with AWS does not make an organization HIPAA compliant.
An essential part of building and executing on a HIPAA security plan is to create a secure cloud architecture. This means determining account structure, selecting cloud services, and building around availability, scalability, and security.
Multiple VPC Architecture
One approach to architecting secure and compliant cloud infrastructure is to build AWS services around multiple Virtual Private Clouds (VPCs). A VPC is a logically isolated section of the AWS Cloud with its own networking configuration (subnets, route tables, security groups and network ACLs). This makes it straightforward to scope networking, permissions and data governance to different segments of your application.
For applications that will handle PHI, separate VPCs should be used for PHI and non-PHI data. Additionally, "Production" and "Development" environments should be separated by VPC, and cloud users may treat the "Production" VPC as their PHI data environment. AWS customers may also create additional VPCs around organizational units or different use cases; for example, marketing websites and other unrelated AWS workloads may be grouped in a "Marketing" VPC. Consider the following architecture guidelines.
- Separate development and production environments using VPCs.
- Keep protected health information (PHI) out of development environments.
- Scope user permissions to individual VPCs, and restrict access to Production VPCs and to any VPC containing PHI or other sensitive data.
- Use only AWS HIPAA-eligible services in VPCs that handle PHI.
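The four guidelines above can be checked mechanically against a resource inventory. The following is an added example, not code from the original page: it audits a constructed inventory (placeholder ARNs, VPC ids and tags) for PHI-tagged resources sitting in non-PHI VPCs and for services inside a PHI VPC that are not on the eligible list. The eligible-services set is an illustrative subset and the "newsvc" prefix is hypothetical; the authoritative list is AWS's HIPAA Eligible Services Reference, which is the assumption a real audit must be fed from.

```python
"""Offline audit of a constructed resource inventory against the VPC guidelines.

Added example, not from the original page. Inventory, VPC ids and tags are
constructed; HIPAA_ELIGIBLE is an illustrative subset (assumption: AWS's HIPAA
Eligible Services Reference is the authoritative, current list).
"""
from dataclasses import dataclass, field

# Illustrative subset of HIPAA-eligible IAM service prefixes (assumption).
HIPAA_ELIGIBLE = {"ec2", "ebs", "s3", "rds", "dynamodb", "lambda", "kms", "cloudtrail"}

# Constructed classification: vpc id -> (environment name, may hold PHI).
VPC_CLASSIFICATION = {
    "vpc-0aaa000000000prod1": ("production", True),
    "vpc-0bbb0000000000dev1": ("development", False),
    "vpc-0ccc00000000000mkt": ("marketing", False),
}


@dataclass
class Resource:
    arn: str
    service: str                  # IAM service prefix, e.g. "rds"
    vpc_id: str                   # VPC the resource is attached to
    tags: dict = field(default_factory=dict)


def audit(resources, classification=VPC_CLASSIFICATION, eligible=HIPAA_ELIGIBLE):
    """Return a list of (rule, arn) findings, one per guideline violation."""
    findings = []
    for r in resources:
        if r.vpc_id not in classification:
            # A VPC nobody has classified cannot be governed; surface it.
            findings.append(("UNCLASSIFIED_VPC", r.arn))
            continue
        _env, vpc_allows_phi = classification[r.vpc_id]
        tagged_phi = r.tags.get("DataClassification") == "PHI"
        # Guideline: keep PHI out of development and other non-PHI VPCs.
        if tagged_phi and not vpc_allows_phi:
            findings.append(("PHI_IN_NON_PHI_VPC", r.arn))
        # Guideline: only HIPAA-eligible services inside a PHI VPC.
        if vpc_allows_phi and r.service not in eligible:
            findings.append(("NON_ELIGIBLE_SERVICE_IN_PHI_VPC", r.arn))
    return findings


# Constructed sample inventory; account id, ids and names are placeholders.
SAMPLE_INVENTORY = [
    Resource("arn:aws:rds:us-east-1:111122223333:db:patients-prod", "rds",
             "vpc-0aaa000000000prod1", {"DataClassification": "PHI"}),
    Resource("arn:aws:ec2:us-east-1:111122223333:instance/i-0dev0000000000001", "ec2",
             "vpc-0bbb0000000000dev1", {"DataClassification": "PHI"}),   # PHI copied into dev
    Resource("arn:aws:newsvc:us-east-1:111122223333:thing/prod-helper", "newsvc",
             "vpc-0aaa000000000prod1", {}),   # hypothetical service not on the allow-list
    Resource("arn:aws:ec2:us-east-1:111122223333:instance/i-0mkt0000000000001", "ec2",
             "vpc-0ccc00000000000mkt", {"DataClassification": "Public"}),
    Resource("arn:aws:ec2:us-east-1:111122223333:instance/i-0orphan0000000001", "ec2",
             "vpc-0ddd0000000unknown", {}),   # VPC missing from the classification
]

if __name__ == "__main__":
    for rule, arn in audit(SAMPLE_INVENTORY):
        print(f"{rule}: {arn}")
```

In practice the inventory would come from AWS Config or `ec2 describe-*` calls and the VPC classification from tags on the VPCs themselves; the point is that "PHI stays in the PHI VPC" and "eligible services only" are testable properties, not just policy statements, and the check can run in CI before each deployment.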
AWS publishes a HIPAA reference architecture, the AWS HIPAA Quick Start, to help organizations begin architecting AWS cloud services around security and compliance best practices.
Multiple AWS Account Architecture
Another approach to building a HIPAA compliant AWS architecture is to spread the workload across multiple AWS accounts. An AWS account is the strongest isolation boundary AWS offers: nothing in one account can reach another unless an IAM or resource policy explicitly allows it. Multiple accounts can be managed centrally with AWS Organizations, which also lets you attach service control policies (SCPs) to whole organizational units.
Under this approach, cloud users should create separate AWS accounts for PHI and non-PHI data. "Production" and "Development" environments may be separated as well, either by AWS account or by VPC. Non-essential functions can be isolated in yet another account to reduce insider-threat exposure and limit the blast radius of a compromise or compliance lapse. Consider the following guidelines for architecting around multiple accounts:
- Separate AWS accounts that are used for protected health information (PHI) from non-PHI AWS accounts.
- Use only AWS HIPAA-eligible services in AWS accounts that handle PHI.
- Use AWS Organizations to simplify account management and to enforce guardrails across accounts.
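The account-level guidelines just listed and the earlier VPC guideline "scope user permissions to individual VPCs" both have a preventive counterpart in policy. The following is an added example, not code from the original page or from AWS: it generates a service control policy for a PHI organizational unit that denies every action outside an allow-list of services, an IAM policy that lets a principal launch EC2 instances only into one named VPC, and a small local evaluator so the SCP's effect can be checked before it is attached. The region, account id and VPC id are placeholders; the eligible-services set is an illustrative subset (assumption: AWS's HIPAA Eligible Services Reference is authoritative), and the management-service set is an assumption to be reviewed against your own operating model.

```python
"""Preventive guardrails for the multi-account and multi-VPC guidelines.

Added example, not from the original page or from AWS. Ids are placeholders;
HIPAA_ELIGIBLE is an illustrative subset and MANAGEMENT is an assumption about
which control-plane services the account still needs to remain operable.
"""
import fnmatch
import json

HIPAA_ELIGIBLE = {"ec2", "ebs", "s3", "rds", "dynamodb", "lambda", "kms", "cloudtrail"}
MANAGEMENT = {"iam", "sts", "organizations", "cloudwatch", "logs", "config"}


def build_phi_scp(eligible=HIPAA_ELIGIBLE, management=MANAGEMENT):
    """SCP for the PHI OU: deny every action outside the allow-listed services."""
    allowed = sorted(f"{svc}:*" for svc in eligible | management)
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyNonEligibleServicesInPhiOu",
            "Effect": "Deny",
            "NotAction": allowed,   # everything NOT matching these patterns is denied
            "Resource": "*",
        }],
    }


def vpc_scoped_ec2_policy(region, account_id, vpc_id):
    """IAM policy: a principal may launch instances only into the given VPC.

    ec2:Vpc is a documented condition key for subnet, security-group and
    network-interface resources. The other resource types RunInstances touches
    do not carry that key, so they get a separate statement without it;
    putting the condition on them would make the statement never match.
    """
    arn = f"arn:aws:ec2:{region}:{account_id}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "ReadOnly", "Effect": "Allow",
             "Action": "ec2:Describe*", "Resource": "*"},
            {"Sid": "LaunchOnlyIntoThisVpc", "Effect": "Allow",
             "Action": "ec2:RunInstances",
             "Resource": [f"{arn}:subnet/*", f"{arn}:security-group/*",
                          f"{arn}:network-interface/*"],
             "Condition": {"ArnEquals": {"ec2:Vpc": f"{arn}:vpc/{vpc_id}"}}},
            {"Sid": "LaunchResourcesWithoutVpcKey", "Effect": "Allow",
             "Action": "ec2:RunInstances",
             "Resource": [f"{arn}:instance/*", f"{arn}:volume/*",
                          f"{arn}:key-pair/*", f"arn:aws:ec2:{region}::image/ami-*"]},
        ],
    }


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def _matches(patterns, action):
    # IAM action names are case-insensitive; patterns may use "*" wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def scp_denies(scp, action):
    """Local evaluation of the SCP's Deny statements for one action name.

    A Deny statement applies when its Action matches, or when it uses
    NotAction and the action matches none of the listed patterns.
    """
    for stmt in scp["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        if "Action" in stmt and _matches(_as_list(stmt["Action"]), action):
            return True
        if "NotAction" in stmt and not _matches(_as_list(stmt["NotAction"]), action):
            return True
    return False


if __name__ == "__main__":
    scp = build_phi_scp()
    print(json.dumps(scp, indent=2))
    for action in ("rds:CreateDBInstance", "sts:AssumeRole", "newsvc:CreateThing"):
        print(f"{action}: {'DENIED' if scp_denies(scp, action) else 'allowed by SCP'}")
    print(json.dumps(vpc_scoped_ec2_policy("us-east-1", "111122223333", "vpc-0abc1234"), indent=2))
```

Two caveats a practitioner would want here: an SCP never grants anything, it only caps what IAM policies in the member accounts can grant, so the default FullAWSAccess SCP (or an equivalent allow) must stay attached for the accounts to work at all; and SCPs do not apply to the management account, which is one more reason not to run workloads there. Attach a deny-list like this to a sandbox OU first and exercise the account's real workflows, because the management-service set above is where a too-aggressive deny usually bites.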
AWS provides multiple services for deploying a highly available, scalable and secure application stack that can serve a wide variety of healthcare applications and use cases. After making these general architecture decisions, cloud users must still implement HIPAA administrative and technical safeguards for each individual cloud service. Each AWS service in scope must address technical controls including encryption, audit logging, backup and recovery, and vulnerability scanning. The following sections of this guide describe how to implement those security controls.