AWS HIPAA Architecture
Organizations can use AWS to run HIPAA-compliant services in the cloud. After signing the AWS Business Associate Addendum (AWS BAA), an organization may build on AWS HIPAA-eligible services. Under the Shared Responsibility Model, AWS secures the underlying cloud; the organization remains responsible for implementing and managing the administrative and technical safeguards HIPAA requires on top of it. Signing a BAA with AWS does not by itself make an organization HIPAA compliant.
An essential part of building and executing on a HIPAA security plan is to create a secure cloud architecture. This means determining account structure, selecting cloud services, and building around availability, scalability, and security.
Multiple VPC Architecture
One approach to architecting secure and compliant cloud infrastructure is to build AWS services around multiple Virtual Private Clouds (VPCs). A VPC is a logically isolated section of the AWS Cloud with its own networking configuration, which makes it straightforward to scope networking, permissions and data governance to one segment of an application.
For applications that handle PHI, organizations should use separate VPCs for PHI and non-PHI data. "Production" and "Development" environments should likewise be separated by VPC, and the "Production" VPC can be treated as the PHI data environment. AWS customers may also create additional VPCs around organizational units or use cases; for example, marketing websites and other unrelated AWS services may be grouped in a "Marketing" VPC. Note that a VPC is a network boundary, not an identity boundary: IAM permissions must still be scoped to each VPC explicitly, and peering or transit connectivity between the PHI VPC and non-PHI VPCs should be avoided, since it undoes the isolation. Consider the following architecture guidelines.
- Separate development and production environments using VPCs.
- Keep protected health information (PHI) out of development environments.
- Scope user permissions around individual VPCs and limit access to Production VPCs and any VPCs containing PHI or sensitive data.
- Use only HIPAA-eligible AWS services in any VPC that stores or processes PHI.
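As a worked example of the third guideline (scoping permissions to individual VPCs), the following Python script builds an IAM policy that lets a development engineer perform EC2 actions only inside the Dev VPC, adds an explicit Deny for the PHI VPC, and runs the policy through a small offline evaluator. This is an added example, not code from the original page or from AWS. The account id, region and VPC ids are constructed placeholders, and the evaluator is a deliberately simplified model of IAM (explicit Deny wins, then Allow, then implicit deny; only the `ArnEquals` operator and the real `ec2:Vpc` condition key are modelled; `Resource` and `NotAction` are ignored).

```python
"""Added example (not from the original page or AWS): build IAM policies that
scope a user's EC2 permissions to one VPC, and sanity-check them with a small,
simplified offline evaluator. Account id, region and VPC ids are constructed."""
import fnmatch
import json

ACCOUNT = "123456789012"          # constructed placeholder account id
REGION = "us-east-1"              # constructed
VPCS = {                          # constructed VPC ids for this example
    "prod-phi": "vpc-0a1b2c3d4e5f67890",
    "dev": "vpc-0fedcba9876543210",
}


def vpc_arn(vpc_id):
    """ARN form that the ec2:Vpc condition key compares against."""
    return f"arn:aws:ec2:{REGION}:{ACCOUNT}:vpc/{vpc_id}"


def vpc_scoped_policy(allowed_vpc, actions, denied_vpcs=()):
    """Allow `actions` only for requests whose resource lives in `allowed_vpc`,
    and explicitly deny all EC2 actions in `denied_vpcs` (e.g. the PHI VPC).
    ec2:Vpc is a real EC2 condition key, and ArnEquals against a vpc/ ARN is
    the documented way to use it. The explicit Deny wins over any Allow the
    same principal might pick up from another attached policy."""
    statements = [{
        "Sid": "AllowInsideAssignedVpc",
        "Effect": "Allow",
        "Action": list(actions),
        "Resource": "*",
        "Condition": {"ArnEquals": {"ec2:Vpc": vpc_arn(allowed_vpc)}},
    }]
    for vpc_id in denied_vpcs:
        statements.append({
            "Sid": "DenyVpc" + vpc_id.replace("-", ""),  # Sid must be alphanumeric
            "Effect": "Deny",
            "Action": "ec2:*",
            "Resource": "*",
            "Condition": {"ArnEquals": {"ec2:Vpc": vpc_arn(vpc_id)}},
        })
    return {"Version": "2012-10-17", "Statement": statements}


def _matches(patterns, value):
    """IAM action patterns use '*' wildcards; case-sensitive match is enough here."""
    if isinstance(patterns, str):
        patterns = [patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def _condition_holds(condition, request):
    """Only ArnEquals is modelled (an assumption of this toy evaluator).
    A key missing from the request context makes the condition false, as in IAM."""
    for operator, pairs in condition.items():
        if operator != "ArnEquals":
            raise NotImplementedError(f"operator {operator} not modelled")
        for key, expected in pairs.items():
            if request.get(key) != expected:
                return False
    return True


def is_allowed(policy, action, request):
    """Simplified IAM decision: explicit Deny always wins, otherwise any
    matching Allow grants, otherwise implicit deny. `request` carries the
    condition-key values (here {"ec2:Vpc": <arn>}) that the real service
    derives from the subnet / security group / ENI named in the API call."""
    allowed = False
    for stmt in policy["Statement"]:
        if not _matches(stmt["Action"], action):
            continue
        if not _condition_holds(stmt.get("Condition", {}), request):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


# Policy for an engineer who may only build in the Dev VPC and never touch PHI.
DEV_POLICY = vpc_scoped_policy(
    VPCS["dev"],
    ["ec2:RunInstances", "ec2:CreateSecurityGroup", "ec2:AuthorizeSecurityGroupIngress"],
    denied_vpcs=[VPCS["prod-phi"]],
)


def check_dev_policy():
    """Verdicts a reviewer would want to see before attaching DEV_POLICY."""
    dev, phi = vpc_arn(VPCS["dev"]), vpc_arn(VPCS["prod-phi"])
    return {
        "run_in_dev": is_allowed(DEV_POLICY, "ec2:RunInstances", {"ec2:Vpc": dev}),
        "run_in_phi": is_allowed(DEV_POLICY, "ec2:RunInstances", {"ec2:Vpc": phi}),
        "run_without_vpc_context": is_allowed(DEV_POLICY, "ec2:RunInstances", {}),
        "sg_in_dev": is_allowed(DEV_POLICY, "ec2:CreateSecurityGroup", {"ec2:Vpc": dev}),
        "describe_in_dev": is_allowed(DEV_POLICY, "ec2:DescribeInstances", {"ec2:Vpc": dev}),
    }


if __name__ == "__main__":
    print(json.dumps(DEV_POLICY, indent=2))
    for name, verdict in check_dev_policy().items():
        print(f"{name}: {'allow' if verdict else 'deny'}")
```

Two caveats when carrying this into a real account: `ec2:Vpc` is only evaluated for resources that belong to a VPC (subnets, security groups, network interfaces and the instances launched on them), so read-only `ec2:Describe*` calls, which do not support resource-level conditions, need their own unconditioned Allow statement; and the evaluator above is a sanity check for policy structure, not a substitute for the IAM policy simulator. Where a stronger boundary than a VPC is required, the PHI environment belongs in its own AWS account.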
AWS provides a reference architecture, the AWS HIPAA Quickstart, to help organizations start architecting AWS services around security and compliance best practices.
AWS provides many services for deploying a highly available, scalable and secure application stack that can serve a wide range of healthcare applications and use cases. After making these general architecture decisions, cloud users must still implement the HIPAA administrative and technical safeguards for each individual service they use. Every AWS service in the PHI environment must be configured to address technical controls including encryption, audit logging, backup and recovery, and vulnerability scanning. The following sections of this guide describe how to implement these security controls.