AWS HIPAA Compliance Overview
Amazon Web Services (AWS) makes it possible to build and architect HIPAA compliant applications and solutions in the cloud. Teams can easily build scalable healthcare solutions and get-to-market faster by using Amazon’s 100+ cloud services. The Dash Compliance Automation Platform makes it easy for teams to configure HIPAA compliant AWS services and monitor compliance across your cloud environment.
Public cloud platforms such as AWS, offer a lot of flexibility in terms of technologies and system architecture. Development teams can utilize traditional virtual machines (VMs), server-less infrastructure, or container-based infrastructure. For teams that are building applications and services that utilize protected health information (PHI) and must be HIPAA/HITECH compliant there are a number of concerns that security teams need to keep in mind. Below is a heuristic approach to architecting HIPAA compliant infrastructure on AWS.
Architecture Principles and AWS Services
When developing your organization’s security program and configuring cloud services there are several fundamental security principles teams should build around. A proper AWS architecture for HIPAA compliance should be built around the following principles:
High Availability – Minimize core service interruptions
Backup and Recovery – Minimize potential data loss
Continually Assess Security – Detect and manage compliance issues
Amazon provides a list of HIPAA eligible services that can be configured in a HIPAA compliant manner. Your team must implement proper technical controls for each AWS service. The Dash Compliance Automation Platform provides AWS service specific technical controls so your team can manage compliance across all AWS cloud services.
Steps for Creating A HIPAA Compliant Architecture In AWS
For security programs and HIPAA compliance, AWS follows the Cloud Shared Responsibility Model. Under this model, both the cloud provider and the end customer are responsible for specific security safeguards. Organization’s must follow the following steps to maintain compliance in the Cloud:
- AWS clients inherit AWS Security Certifications and Security Programs.
- Sign the AWS Business Associates Addendum (BAA).
- Set HIPAA administrative policies for your organization.
- Setup HIPAA technical controls for individual AWS infrastructure.
- Monitor your cloud environment for security and compliance issues.
Your HIPAA Requirements In AWS:
Policies – Organization’s must develop their own set of HIPAA administrative policies. Policies should detail standard operating procedures and be based around the organization’s staff and technologies. Dash allows teams to generate custom compliance policies based around your organization.
Risk Analysis and Review – Organization’s must conduct a risk assessment at minimum at least once a year. It is also important that teams evaluate policies, procedures, and security risks on and ongoing basis and adjust the Security Plan appropriately.
Data Encryption – Organizations must encrypt sensitive data, particularly PHI, at-rest and in-transit to comply with HIPAA. For AWS this means utilizing SSL/TLS and encrypting data in EC2, S3 and other cloud services.
Backup & Disaster Recovery – Organizations must implement a backup solution and disaster recovery plan to comply with HIPAA.
Audit Logging – Organizations must collect logs related to access to PHI. System access logs should be collected and analyzed for malicious behavior.
Network/Firewall Protection – Organizations must implement firewalls and utilize security groups to limit access and comply with HIPAA.
Security Monitoring and Scanning – Organizations must conduct vulnerability scanning and implement intrusion detection to comply with HIPAA.
Best Practices for Service Configuration:
When utilizing AWS services for your team should consider the settings and configuration of each AWS service. Below is a list of best practices to consider when constructing AWS architecture for high availability and security:
- Setup a separate “development” and “production” environment. Create separate access policies and permissions for development and do not use protected health information (PHI) in the “development” environment.
- Utilize only AWS HIPAA eligible services for storing PHI
- Utilize multiple availability zones (AZs) to insure high availability
- Isolate instances between private/public subnets
- Create IAM security groups for limiting access to only necessary services
- Utilize Network access control list (ACL) rules to filter traffic into subnets as an additional layer of network security
- Utilize a VPN or secured bastion host instance to facilitate restricted login access for system administrator actions
- Create standard IAM policies with associated groups and roles, exercising least privilege
- Setup monitoring and logging, alerts and notifications for security events
- Utilize S3 buckets (with security features enabled) for storing logs and archiving application data
- Implement proper load balancing and Auto Scaling capabilities
- HTTPS-enabled Elastic Load Balancing (ELB) load balancers with hardened security policy
- Setup database backup and encryption for Amazon RDS
- HTTPS to the endpoint. Traffic is carried encrypted to the ELB load balancer, and then sent encrypted to the instance.
Continuous Compliance Monitoring
Continuous Compliance Monitoring is the latest process for managing HIPAA compliance. Risk assessments only account for a single point in time and cloud environments are constantly changing. Teams need to build robust systems for monitoring policies and infrastructure and responding to compliance issues.
One approach is for security teams can work with DevOps teams to develop internal security controls for regulations and security frameworks and implement configurations and monitoring across the organization’s cloud services. The Dash Compliance Automation Platform is the latest compliance solution which allows teams to create administrative policies and continuously monitor all of your organization’s AWS services and cloud infrastructure for compliance issues.