HIPAA and HITRUST On AWS


About HITRUST

The Health Information Trust Alliance (HITRUST) is a standards development organization that develops and maintains a healthcare compliance framework called the HITRUST Common Security Framework (CSF).

The goal of the HITRUST CSF is to set a baseline for healthcare security controls. HITRUST and HIPAA are related but are not interchangeable. HITRUST is one of many security frameworks that can be used to evaluate an organization’s security profile.

HIPAA vs HITRUST

HIPAA (Health Insurance Portability and Accountability Act of 1996) is US legislation that requires covered entities (CEs) and business associates (BAs) such as hospitals, healthcare vendors, and digital health companies to implement administrative, technical, and physical safeguards. HIPAA is enforced by the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) and does not have an official certification.

HITRUST is a proprietary security framework, validated through a privately held company, that encompasses a set of security frameworks including HIPAA. HITRUST also incorporates PCI DSS, Control Objectives for Information and Related Technologies (COBIT) and International Organization for Standardization (ISO) security frameworks. The breadth of these frameworks can make the HITRUST CSF a heavier solution for smaller covered entities (CEs) and business associates (BAs).


Becoming HITRUST Certified On AWS

Organizations must follow this process to achieve HITRUST certification:

  1. Utilize the HITRUST CSF to identify applicable HITRUST Controls
  2. Determine controls related to AWS services per the Shared Responsibility Model and compliance policies
  3. Complete HITRUST CSF assessment and engage a third-party HITRUST auditor to test controls
  4. The organization and the auditor both submit their assessments to HITRUST for review via the MyCSF Portal
  5. Achieve HITRUST certification

After certification, organizations must continue to maintain their security standards in order to keep meeting HITRUST requirements. Like HIPAA compliance, HITRUST is not a once-and-done exercise; it is an ongoing process. Becoming HITRUST certified is a long and demanding process.

Learn how Dash ComplyOps can help you prepare for HITRUST.


HITRUST Eligible AWS Services

AWS has recently announced that it has achieved HITRUST CSF v9.1 certification for a number of AWS cloud services. This means that a HITRUST CSF Assessor has validated the security and management of these services under the HITRUST 9.1 standards. AWS cloud customers may use these services to build HITRUST-compliant applications, but must ensure all necessary administrative and technical controls are implemented for their own cloud resources.

The following AWS cloud services currently fall under HITRUST certification and may be configured by cloud customers:

  • Amazon API Gateway
  • Amazon AppStream 2.0
  • Amazon Athena
  • Amazon Aurora [MySQL, PostgreSQL]
  • Amazon Cloud Directory
  • Amazon CloudFront
  • Amazon CloudWatch
  • Amazon CloudWatch Events [includes Amazon EventBridge]
  • Amazon CloudWatch SDK Metrics
  • Amazon Cognito
  • Amazon Comprehend Medical
  • Amazon Connect
  • Amazon DocumentDB (with MongoDB compatibility)
  • Amazon DynamoDB
  • Amazon Elastic Block Store
  • Amazon Elastic Compute Cloud
  • Amazon Elastic Container Registry
  • Amazon Elastic Container Service [both Fargate and EC2 launch types]
  • Amazon Elastic Container Service for Kubernetes (EKS)
  • Amazon Elastic File System
  • Amazon ElastiCache for Redis
  • Amazon Elasticsearch Service
  • Amazon EMR
  • Amazon FreeRTOS
  • Amazon FSx
  • Amazon GuardDuty
  • Amazon Inspector
  • Amazon Kinesis Data Analytics
  • Amazon Kinesis Data Firehose
  • Amazon Kinesis Data Streams
  • Amazon Kinesis Video Streams
  • Amazon Lex
  • Amazon Macie
  • Amazon Managed Streaming for Apache Kafka (Amazon MSK)
  • Amazon MQ
  • Amazon Neptune
  • Amazon Personalize
  • Amazon Pinpoint
  • Amazon Polly
  • Amazon QuickSight
  • Amazon Redshift
  • Amazon Rekognition
  • Amazon Relational Database Service [includes Amazon Aurora]
  • Amazon Route 53
  • Amazon S3 Glacier
  • Amazon S3 Transfer Acceleration
  • Amazon SageMaker [excludes Public Workforce and Vendor Workforce]
  • Amazon Simple Email Service (SES)
  • Amazon Simple Notification Service
  • Amazon Simple Queue Service
  • Amazon Simple Storage Service
  • Amazon Simple Workflow Service
  • Amazon Transcribe
  • Amazon Translate
  • Amazon Virtual Private Cloud
  • Amazon WorkDocs
  • Amazon WorkSpaces
  • Amazon WorkLink
  • AWS Amplify
  • AWS Amplify Console
  • AWS AppSync
  • AWS Auto Scaling
  • AWS Backup
  • AWS Batch
  • AWS Certificate Manager
  • AWS CloudFormation
  • AWS CloudHSM
  • AWS CloudTrail
  • AWS CodeBuild
  • AWS CodeCommit
  • AWS CodeDeploy
  • AWS CodePipeline
  • AWS Config
  • AWS Control Tower
  • AWS Data Exchange
  • AWS Database Migration Service
  • AWS DataSync
  • AWS Direct Connect
  • AWS Directory Service [excludes Simple AD and AD Connector]
  • AWS Elastic Beanstalk
  • AWS Elemental MediaConnect
  • AWS Elemental MediaConvert
  • AWS Elemental MediaLive
  • AWS Fargate
  • AWS Firewall Manager
  • AWS Global Accelerator
  • AWS Glue
  • AWS Identity and Access Management
  • AWS IoT Core [includes AWS IoT Device Management]
  • AWS IoT Greengrass
  • AWS IoT Things Graph
  • AWS Key Management Service
  • AWS Lambda
  • AWS Lambda@Edge
  • AWS Managed Services
  • AWS OpsWorks for Chef Automate
  • AWS OpsWorks for Puppet Enterprise
  • AWS OpsWorks Stacks
  • AWS Organizations
  • AWS RoboMaker
  • AWS Secrets Manager
  • AWS Security Hub
  • AWS Server Migration Service (SMS)
  • AWS Serverless Application Repository
  • AWS Service Catalog
  • AWS Shield
  • AWS Snowball
  • AWS Snowball Edge
  • AWS Snowmobile
  • AWS Step Functions
  • AWS Storage Gateway
  • AWS Systems Manager
  • AWS Transfer for SFTP
  • AWS WAF
  • AWS X-Ray
  • Elastic Load Balancing
  • VM Import/Export


Is A HITRUST Certification Necessary?

For startups and digital health organizations focused on getting to market quickly, the cost and administrative overhead of HITRUST can be prohibitive. Without a designated security team, it can be difficult to continually maintain HITRUST certification. There are a number of AWS security certifications and security programs, and it should be noted that HITRUST is a proprietary compliance framework, and that, at the end of the day, HIPAA compliance itself may not be officially verified.

It is recommended that smaller teams not equipped to manage a compliance framework such as NIST, ISO, or HITRUST focus on creating strong administrative and technical controls. More importantly, organizations should build HIPAA administrative policies that are understandable and can actually be followed. Healthcare providers place a higher priority on a vendor’s general security profile and on its awareness and maintenance of compliance standards.


Compliance In Amazon Web Services

As an AWS Advanced Technology Partner, Dash Solutions makes it easy to set technical and administrative controls and a security plan. Dash maps custom compliance policies and continuous compliance monitoring to compliance safeguards, giving your organization a clear view of its compliance state.

Amazon Web Services customers are able to take advantage of the numerous certifications held by the established cloud provider. By following the customer’s own security responsibilities, a number of HIPAA-eligible services can be configured and used in a compliant manner. By addressing their responsibilities under the shared responsibility model, organizations can build a strong security profile and manage compliance for multiple security frameworks. Dash ComplyOps provides organizations with administrative policies, security controls and monitoring for building a robust security program in AWS.

Learn how Dash ComplyOps can help you prepare for HIPAA and HITRUST.