Learn how healthcare companies use cloud platform database services to build HIPAA compliant databases
For organizations building healthcare applications and software, developers must ensure that they have implemented all necessary administrative, technical, and physical safeguards to maintain HIPAA compliance. This means that protected health information (PHI) and sensitive data need to be stored in a HIPAA compliant database and teams must implement all necessary security controls.
With many cloud services providing file storage and hosted database services, there are many options for HIPAA compliant databases. No single solution is automatically HIPAA compliant, so healthcare developers should work to build a HIPAA security program and consider the following requirements for implementing a HIPAA compliant database:
Signed Business Associates’ Agreement (BAA): Healthcare vendors must sign a business associates’ agreement (BAA) with the public cloud provider. This agreement dictates how HIPAA security responsibilities are managed by the cloud provider and the cloud customers.
Access Control: Any databases that will be used with protected health information (PHI) must have necessary access control security implemented. This means that user authentication and roles must be in place.
Backup and Disaster Recovery (DR): HIPAA requires that organizations implement backup and around disaster recovery (DR) procedures in-case of service outage.
Audit Logging: HIPAA compliant databases must log queries and access to PHI to detect potential malicious activity.
Encryption: PHI must be encrypted both at-rest and in-transit. This means that data must be stored on encrypted volumes and transmitted over TLS/SSL.
Staff Training: Organizations set compliance roles and provide HIPAA training for staff members.
Most public cloud platforms, including Amazon Web Services (AWS) operate under a shared responsibility model. This means that HIPAA compliance and cloud security controls are the responsibility of both cloud platforms and cloud customers.
AWS provides several hosted database services that are “HIPAA eligible” and may be configured as a HIPAA compliant database.
Amazon Relational Database Service (Amazon RDS) is Amazon’s managed database offering. RDS allows cloud users to implement and scale a production level database without major database configuration and administration. Users can utilize RDS native database engines including Amazon Aurora, PostgreSQL, MySQL, Oracle Database, and SQL Server.
Amazon EC2 instances are virtual machines that can be configured to run different operating systems and software. Healthcare companies that are utilizing a specific database or plan to manage all database configuration may deploy a database or cluster on EC2. The AWS marketplace also provides many EC2 based databases that may be deployed in your AWS environment.
Amazon DynamoDB is AWS’ fully managed key-value and document database. Healthcare developers can use DynamoDB to build low-latency, highly scalable HIPAA compliant database services all without managing individual servers. DynamoDB can be utilized for mobile backends, serverless apps, and various microservices.
Selecting and utilizing a HIPAA compliant database is often one part of a HIPAA compliant architecture. Organizations often utilize file storage, virtual machines (VMs), containers, and other cloud services when developing healthcare solutions.
Dash ComplyOps enables healthcare organizations to configure, monitor, and maintain HIPAA compliance in Amazon Web Services (AWS). Healthcare developers turn to Dash to build HIPAA compliant solutions on AWS and leverage the 100+ cloud services provided by Amazon.
Build HIPAA compliant applications in the cloud