
(SEC304) Architecting for HIPAA Compliance on AWS

"This session brings together the interests of engineering, compliance, and security as you align healthcare workloads to the controls in the HIPAA Security Rule. We'll discuss how to architect for HIPAA compliance using AWS, and introduce a number of new services added to the HIPAA program in 2015, such as Amazon Relational Database Service (RDS), Amazon DynamoDB, and Amazon Elastic MapReduce (EMR). You'll hear from customers who process and store Protected Health Information on AWS, and how they satisfied their compliance requirements while maintaining agility.

This session helps security and compliance experts see what's technically possible on AWS, and how implementing the Technical Safeguards in the HIPAA Security Rule is simple and familiar. We map the Security Rule's Technical Safeguards to AWS features and design patterns to help developers, operations teams, and engineers speak the language of their security and compliance peers."


  1. © 2015, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Bill Shinn, AWS Principal Security Solutions Architect; Haddon Bennett, Emdeon Chief Information Security Officer. October 2015. SEC 304: Architecting for HIPAA Compliance on AWS
  2. What to expect from this session
     • Review the AWS Health Insurance Portability and Accountability Act (HIPAA) Program and Business Associate Agreement.
     • Learn how Emdeon is architecting for HIPAA requirements on AWS.
     • Learn how to architect for key HIPAA Security Rule “implementation specifications” when using AWS Eligible Services.
  3. AWS HIPAA Program
     • Strong presence in healthcare and life sciences from our roots
     • Business Associates and the January 2013 Omnibus Final Rule
     • Started signing Business Associate Agreements (BAA) in Q2 2013
     • Program is based on the Shared Security Responsibility Model
     The AWS HIPAA Program is aligned to NIST 800-53 and FedRAMP Authorizations.
  4. Alignment to HIPAA Security Rule: HIPAA Security Rule (45 CFR Part 160 and Subparts A and C of Part 164) → NIST 800-66, An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule → NIST 800-53 Moderate baseline + FedRAMP controls
  5. AWS HIPAA Eligible Services – 2014
     • Customers may use all services within a “HIPAA Account.”
     • Customers may process, store, or transmit ePHI using only Eligible Services.
     Eligible in 2014: Amazon EC2, Elastic Load Balancing (TCP-mode only), Amazon S3, Amazon EBS, Amazon Glacier, Amazon Redshift
  6. AWS HIPAA Eligible Services – 2015
     • Customers may use all services within a “HIPAA Account.”
     • Customers may process, store, or transmit ePHI using only Eligible Services.
     Eligible in 2015: EC2, Elastic Load Balancing (TCP mode only), S3, EBS, Amazon Glacier, Amazon Redshift, Amazon DynamoDB, Amazon RDS for MySQL, Amazon RDS for Oracle, Amazon EMR
  7. AWS BAA configuration requirements
     • Customers must encrypt ePHI in transit and at rest.
     • Customers must use EC2 Dedicated Instances for instances processing, storing, or transmitting ePHI.
     • Customers must record and retain activity related to use of and access to ePHI.
  8. Using Eligible Services for PHI (slides 8–13, diagram build-up): a patient reaches a Web Tier ASG behind the WebSG security group, which calls an App Tier ASG backed by RDS MySQL; the stack is duplicated across two Availability Zones. Successive builds mark where PHI lives and add S3 and Amazon Glacier as further eligible PHI stores, and a variant uses Amazon DynamoDB in place of RDS MySQL.
  14. Using Eligible Services for PHI with other services (slides 14–16, diagram build-up): the same two-AZ Web Tier / App Tier / RDS MySQL architecture, surrounded by services marked Non-PHI: Amazon Route 53, AWS Config, AWS CloudTrail, AWS IAM, AWS CloudFormation, CloudWatch, and AWS CodeDeploy. They are used within the HIPAA account but do not process, store, or transmit PHI.
  17. Managing PHI in load-balanced applications (slides 17–23, diagram build-up). Terminating TLS on EC2 (May 2013 – April 2015+): the ELB carries a TCP-only session and passes the TLS stream containing PHI through to HAProxy instances in the VPC public subnet 10.40.1.0/24 (AZ A); HAProxy terminates the public SSL/TLS session and opens a new TLS session to web servers in the VPC private subnets 10.40.3.0/24 and 10.40.5.0/24 (private SSL/TLS). Terminating TLS on ELB (April 2015+): the ELB terminates the public TLS session itself and opens a new TLS session to web servers in the private subnet 10.40.3.0/24 (private TLS).
  24. Emdeon
  25. Emdeon Overview (slides 25–26)
     • People: 6,000+ team members
     • AWS footprint: 17 months; 2,000+ instances; 10K application deployments
     • Our customers: Payers, Providers, Pharmacies, Laboratories, Physicians, Hospitals, Dentists
     • Assets: The single largest financial and administrative health information network in the nation; Emdeon Intelligent Healthcare Network™
  27. Top compliance and security initiatives: Encryption, Patching, Build standard, Logging, Incident investigation, Disaster recovery, Asset management, Configuration management, Vulnerability scanning
  28. Top reasons compliance and security initiatives fail (set against the same list of initiatives): Not enough memory/CPU/out-of-date hardware; Unknown impact to performance; Can’t incur downtime; No test environment; No legacy knowledge to properly test application; No way to roll back change (with assurance); No deployment tools; Length of time to patch
  29. Logging
     Traditional data center:
     • Manually touch 10K servers
     • Server and network impact
     • Misconfiguration due to manual efforts
     • Result = Several months
     AWS:
     • Modify build scripts
     • Unnoticed due to auto-scaling
     • Consistent and compliant config due to automation and testing
     • Result = Several minutes
     Technical safeguards 164.312(b) Standard: Audit controls. Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information. AWS services: CloudTrail (API logs); CloudFormation (for hardened AMI system logs); S3
  30. Incident investigation
     Traditional data center:
     • Set up alert on root logon.
     • Attempt to get logs from 3 different groups (network, systems, and database)… and wait.
     • Perform live forensics and impact integrity, or take the system down and incur revenue loss.
     • Result: Time to mitigate, investigate, resolve, and downtime is significant.
     AWS:
     • Automate a task to quarantine the existing environment and bring up a fresh, noncompromised environment when you see a root logon in production.
     • View all logs on the quarantined system (create another snapshot first for forensic preservation).
     • Result: Time to mitigate and investigate reduced dramatically with zero downtime.
     Security Incident Procedures 164.308(a)(6)(ii): Identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity; and document security incidents and their outcomes. AWS services: ELB; security groups
  31. Patching
     Traditional data center:
     • Acquire/deploy expensive patching tool and push out.
     • Patch 10K servers, schedule downtime, reboots; not sustainable.
     • Patch damages server; attempts to roll back fail.
     • No proper testing environment.
     • Result = Instability, high effort; minimal compliance assurance.
     AWS:
     • Follow standard release process.
     • Patch base AMI and redeploy.
     • Redeploy previous release.
     • Redeploy production as a dev environment.
     • Result = Stability, tested, and compliant.
     Organizational requirements 164.314(A): Implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic protected health information that it creates, receives, maintains, or transmits.
  32. HIPAA Security Rule – Fine print explained … or “How do I derive engineering from regulation?” (slides 32–42, build-up). The Security Rule is located at 45 CFR Part 160 and Subparts A and C of Part 164. Illustration sources: http://www.nasa.gov/centers/dryden/multimedia/imagegallery/Shuttle/EC94-42789-2.html and http://www.seaway.dot.gov/sites/seaway.dot.gov/files/docs/SLSDC%20System%20Brochure%202014.pdf. Walking down the Code of Federal Regulations:
     Title 45 – Public Welfare
     Subtitle A – Health and Human Services
     Subchapter C – Administrative Data Standards and Related Requirements
     Part 160 – General Administrative Requirements
     Part 164 – Security and Privacy
     Subpart C – Security Standards for the Protection of Electronic Protected Health Information
     Section 164.308 – Administrative Safeguards
     Section 164.310 – Physical Safeguards
     Section 164.312 – Technical Safeguards, including 164.312(b)(2) – Standard: Audit Controls
     Section 164.314 – Organizational Safeguards
  43. Audit Controls 164.312(b)(2) – Security Rule. 164.312(b)(2) Standard: Audit Controls. Implement hardware, software, and/or procedural mechanisms that *record and examine activity* in information systems that contain or use electronic protected health information.
  44. Audit Controls 164.312(b)(2) – OCR Audit Protocol §164.312(b) (slides 44–47, build-up; each key activity is marked “Something you have to do.”)
     Key Activity: Determine the Activities that Will be Tracked or Audited. Audit Procedures: Inquire of management as to whether audit controls have been implemented over information systems that contain or use ePHI. Obtain and review documentation relative to the specified criteria to determine whether audit controls have been implemented over information systems that contain or use ePHI.
     Key Activity: Select the Tools that Will be Deployed for Auditing and System Activity Reviews. Audit Procedures: Inquire of management as to whether systems and applications have been evaluated to determine whether upgrades are necessary to implement audit capabilities. Obtain and review documentation of tools or applications that management has identified to capture the appropriate audit information.
  48. Audit Controls 164.312(b)(2) – OCR Audit Protocol – Determine the Activities (slides 48–52, build-up). §164.312(b) Key Activity: Determine the Activities that Will be Tracked or Audited. CloudTrail events to track, per eligible service:
     • EC2: AttachVolume, AuthorizeSecurityGroupIngress, CopySnapshot, CreateNetworkAclEntry, CreateSnapshot, DeleteSnapshot, DeleteTags, DeleteVolume, TerminateInstance
     • RDS: AuthorizeDBSecurityGroupIngress, CopyDBSnapshot, CreateDBSnapshot, DeleteDBInstance, DeleteDBSnapshot, ModifyDBInstance
     • Amazon Glacier: DeleteArchive, DeleteVault
     • DynamoDB: DeleteTable, UpdateTable
     • Amazon Redshift: AuthorizeClusterSecurityGroupIngress, CopyClusterSnapshot, CreateClusterSnapshot, DeleteCluster, DeleteClusterSnapshot, DisableLogging
  53. Audit Controls 164.312(b)(2) – OCR Audit Protocol – Determine the Activities (slides 53–54, build-up). §164.312(b) Key Activity: Determine the Activities that Will be Tracked or Audited. CloudTrail events to track for the logging and storage services themselves:
     • CloudTrail: CreateTrail, DeleteTrail, UpdateTrail, StopLogging
     • S3 (new in Sept 2015): Delete Bucket, Delete Bucket lifecycle, Delete Bucket tagging, Put Bucket acl, Put Bucket lifecycle, Put Bucket policy, Put Bucket replication
  55. Audit Controls 164.312(b)(2) – OCR Audit Protocol – Determine the Activities. §164.312(b) Key Activity: Determine the Activities that Will be Tracked or Audited. Activity recorded inside the services:
     • EC2 instance events: /var/log/messages, /var/log/audit, /var/log/<whatever>, </your/application/logs>
     • RDS instance events: MySQL DDL/DML via the general log (general_log = 1; log_output = TABLE | FILE)
     • DynamoDB application-level events (SDK and/or DynamoDB Streams): BatchGetItem, BatchWriteItem, DeleteItem, GetItem, PutItem, Query, Scan, UpdateItem
     • Amazon Redshift database events: connection logging (STL_CONNECTION_LOG); query text logging (STL_QUERY & STL_QUERYTEXT)
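Detection logic for the CloudTrail activities listed on slides 48–54, together with the root-logon trigger from slide 30, as an added example that is not part of the deck. It assumes CloudTrail's delivered file format (a JSON object with a "Records" array); the watch list, sample records, account id and IP addresses are constructed, and the slide's "TerminateInstance" is written as the EC2 API's actual name, TerminateInstances.

```python
import json

# Watch list drawn from slides 48-54, keyed by CloudTrail eventSource. Constructed
# here as a Python mapping; extend it for services you add to the HIPAA account.
WATCHLIST = {
    "ec2.amazonaws.com": {
        "AttachVolume", "AuthorizeSecurityGroupIngress", "CopySnapshot",
        "CreateNetworkAclEntry", "CreateSnapshot", "DeleteSnapshot", "DeleteTags",
        "DeleteVolume", "TerminateInstances",
    },
    "rds.amazonaws.com": {
        "AuthorizeDBSecurityGroupIngress", "CopyDBSnapshot", "CreateDBSnapshot",
        "DeleteDBInstance", "DeleteDBSnapshot", "ModifyDBInstance",
    },
    "dynamodb.amazonaws.com": {"DeleteTable", "UpdateTable"},
    "glacier.amazonaws.com": {"DeleteArchive", "DeleteVault"},
    "redshift.amazonaws.com": {
        "AuthorizeClusterSecurityGroupIngress", "CopyClusterSnapshot",
        "CreateClusterSnapshot", "DeleteCluster", "DeleteClusterSnapshot", "DisableLogging",
    },
    "cloudtrail.amazonaws.com": {"CreateTrail", "DeleteTrail", "UpdateTrail", "StopLogging"},
    "s3.amazonaws.com": {
        "DeleteBucket", "DeleteBucketLifecycle", "DeleteBucketTagging", "PutBucketAcl",
        "PutBucketLifecycle", "PutBucketPolicy", "PutBucketReplication",
    },
}

# Changes to the audit trail itself undermine every other control, so they outrank the rest.
AUDIT_TAMPER = {"DeleteTrail", "UpdateTrail", "StopLogging", "DisableLogging"}


def classify(record):
    """Return a finding for one CloudTrail record, or None when it is routine."""
    source = record.get("eventSource", "")
    name = record.get("eventName", "")
    identity = record.get("userIdentity") or {}
    base = {
        "time": record.get("eventTime"),
        "event": name,
        "actor": identity.get("arn") or identity.get("type", "unknown"),
        "source_ip": record.get("sourceIPAddress"),
    }
    # Slide 30: a root logon in production is Emdeon's quarantine trigger.
    if name == "ConsoleLogin" and identity.get("type") == "Root":
        outcome = (record.get("responseElements") or {}).get("ConsoleLogin", "Unknown")
        return dict(base, severity="critical", reason=f"root console logon ({outcome})")
    if name in WATCHLIST.get(source, ()):
        severity = "critical" if name in AUDIT_TAMPER else "high"
        return dict(base, severity=severity, reason=f"tracked {source} activity")
    return None


def scan_cloudtrail(document):
    """Scan one CloudTrail log file (JSON text with a "Records" array) and return findings."""
    records = json.loads(document)["Records"]
    return [finding for finding in map(classify, records) if finding]


# Constructed sample log file in CloudTrail's delivery format; account id and IPs are placeholders.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2015-10-08T14:02:11Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2015-10-08T14:05:40Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
     "requestParameters": {"name": "Default"}},
    {"eventTime": "2015-10-08T14:06:02Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "awsRegion": "us-east-1", "sourceIPAddress": "10.40.3.21",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/app-tier/i-0abc"}},
    {"eventTime": "2015-10-08T14:09:15Z", "eventSource": "rds.amazonaws.com",
     "eventName": "DeleteDBSnapshot", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/dba-alice"}},
]})

if __name__ == "__main__":
    for f in scan_cloudtrail(SAMPLE_LOG):
        print(f"{f['severity']:8} {f['time']} {f['event']:18} {f['actor']}  {f['reason']}")
```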
  56. Audit Controls 164.312(b)(2) – OCR Audit Protocol – Document Implementation. §164.312(b) Audit Procedures: Inquire of management as to whether audit controls have been implemented over information systems that contain or use ePHI. Obtain and review documentation relative to the specified criteria to determine whether audit controls have been implemented over information systems that contain or use ePHI. Something you have to do.
  57. Audit Controls 164.312(b)(2) – OCR Audit Protocol – Document Implementation. §164.312(b) Key Activity: Determine the Activities that Will be Tracked or Audited. Capture the CloudTrail configuration (CLI example):

     ```
     $ aws cloudtrail describe-trails
     {
         "trailList": [
             {
                 "IncludeGlobalServiceEvents": true,
                 "Name": "Default",
                 "S3KeyPrefix": "CloudTrail",
                 "S3BucketName": "us-east-1.logging",
                 "CloudWatchLogsRoleArn": "arn:aws:iam::663354267581:role/CloudTrail_CloudWatchLogs_Role",
                 "CloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-1:663354267581:log-group:CloudTrail/us-east-1-LogGroup:*"
             }
         ]
     }
     ```
  58. Audit Controls 164.312(b)(2) – OCR Audit Protocol – Document Implementation. §164.312(b) Key Activity: Determine the Activities that Will be Tracked or Audited. Capture the CloudTrail Trusted Advisor report.
  59. Audit Controls 164.312(b)(2) – OCR Audit Protocol – Select the Tools. §164.312(b) Key Activity: Select the Tools that Will be Deployed for Auditing and System Activity Reviews. Audit Procedures: Inquire of management as to whether systems and applications have been evaluated to determine whether upgrades are necessary to implement audit capabilities. Obtain and review documentation of tools or applications that management has identified to capture the appropriate audit information. Something you have to do.
  60. Audit Controls 164.312(b)(2) – OCR Audit Protocol – Select the Tools (diagram): CloudTrail → CloudWatch Logs; Amazon EC2 + CloudWatch Logs agent → CloudWatch Logs; CloudWatch Logs subscription → Amazon Kinesis → CloudWatch Logs subscription consumer (KCL-based) → ELK
  61. Audit Controls 164.312(b)(2) – OCR Audit Protocol – Select the Tools (diagram): CloudWatch Logs → CloudWatch Logs subscription → Amazon Kinesis, fed by log groups such as LogGroup-CloudTrail/Stream1, LogGroup-CWL-syslog/instance-1, LogGroup-CWL-syslog/instance-2, LogGroup-CWL-customApp/instance-3, […]
  62. Audit Controls 164.312(b)(2) – OCR Audit Protocol – Document Implementation. §164.312(b) Key Activity: Select the Tools that Will be Deployed for Auditing and System Activity Reviews. Audit Procedures: […] Obtain and review documentation of tools or applications that management has identified to capture the appropriate audit information.

     ```
     $ aws logs describe-log-groups --log-group-name-prefix "CloudTrail"
     {
         "logGroups": [
             {
                 "arn": "arn:aws:logs:us-east-1:663354267581:log-group:CloudTrail/us-east-1-LogGroup:*",
                 "creationTime": 1439155915783,
                 "metricFilterCount": 0,
                 "logGroupName": "CloudTrail/us-east-1-LogGroup",
                 "storedBytes": 411573
             }
         ]
     }
     ```
  63. Audit Controls 164.312(b)(2) – OCR Audit Protocol – Document Implementation. §164.312(b) Audit Procedures: […] Obtain and review documentation of tools or applications that management has identified to capture the appropriate audit information.

     ```
     $ aws logs describe-subscription-filters --log-group-name CloudTrail/us-east-1-LogGroup
     {
         "subscriptionFilters": [
             {
                 "filterPattern": "",
                 "filterName": "cwl-cfn-es-CWL-Elasticsearch-KinesisSubscriptionStream-1KSJUFTUP6K5K",
                 "roleArn": "arn:aws:iam::663354267581:role/CWL-Elasticsearch-CloudWatchLogsKinesisRole-4DVR5UWI4QBR",
                 "creationTime": 1439157386140,
                 "logGroupName": "CloudTrail/us-east-1-LogGroup",
                 "destinationArn": "arn:aws:kinesis:us-east-1:663354267581:stream/CWL-Elasticsearch-KinesisSubscriptionStream-1KSJUFTUP6K5K"
             }
         ]
     }
     ```
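One way to turn the three CLI outputs shown on slides 57, 62 and 63 into a repeatable check against the BAA requirement on slide 7 to record and retain activity, as an added example that is not from the deck. The retention threshold, the sample outputs and the account id are constructed placeholders; the field names are those the CLI prints above.

```python
import json

# Assumed retention policy (placeholder, not from the deck): HIPAA keeps required
# documentation for six years, so a log group that expires audit records sooner
# is reported. A group with no retentionInDays never expires, which passes.
MIN_RETENTION_DAYS = 6 * 365


def check_trail(trail):
    """Findings for one entry of `aws cloudtrail describe-trails` output."""
    findings = []
    name = trail.get("Name", "<unnamed>")
    if not trail.get("IncludeGlobalServiceEvents"):
        # IAM, STS and console sign-in records are global service events; a trail
        # that drops them cannot show a root logon.
        findings.append(f"trail {name}: IncludeGlobalServiceEvents is not true")
    if not trail.get("S3BucketName"):
        findings.append(f"trail {name}: no S3 bucket, so API activity is not retained")
    if not (trail.get("CloudWatchLogsLogGroupArn") and trail.get("CloudWatchLogsRoleArn")):
        findings.append(f"trail {name}: not delivered to CloudWatch Logs, so no subscription pipeline")
    return findings


def check_log_group(group):
    """Findings for one entry of `aws logs describe-log-groups` output."""
    name = group.get("logGroupName", "<unnamed>")
    retention = group.get("retentionInDays")
    if retention is not None and retention < MIN_RETENTION_DAYS:
        return [f"log group {name}: retention {retention} days is below policy"]
    return []


def check_subscriptions(filters, stream_arn_prefix):
    """Findings for `aws logs describe-subscription-filters` output: the group must
    feed the Kinesis stream that the review tooling on slide 60 consumes."""
    if not filters:
        return ["no subscription filter: nothing feeds the activity-review tooling"]
    findings = []
    for f in filters:
        fname = f.get("filterName", "<unnamed>")
        if not f.get("destinationArn", "").startswith(stream_arn_prefix):
            findings.append(f"filter {fname}: unexpected destination {f.get('destinationArn')}")
        if not f.get("roleArn"):
            findings.append(f"filter {fname}: no delivery role")
        if f.get("filterPattern", ""):
            # For audit controls every record should be forwarded; a pattern narrows delivery.
            findings.append(f"filter {fname}: filterPattern narrows what is forwarded")
    return findings


def evaluate(trails_json, groups_json, filters_json, stream_arn_prefix):
    """Run the three checks over the raw CLI outputs and return all findings."""
    findings = []
    for trail in json.loads(trails_json)["trailList"]:
        findings += check_trail(trail)
    for group in json.loads(groups_json)["logGroups"]:
        findings += check_log_group(group)
    findings += check_subscriptions(json.loads(filters_json)["subscriptionFilters"], stream_arn_prefix)
    return findings


# Constructed sample outputs in the same shape as the deck's; the account id is a placeholder.
ACCOUNT = "123456789012"
SAMPLE_TRAILS = json.dumps({"trailList": [
    {"IncludeGlobalServiceEvents": True, "Name": "Default", "S3KeyPrefix": "CloudTrail",
     "S3BucketName": "us-east-1.logging",
     "CloudWatchLogsRoleArn": f"arn:aws:iam::{ACCOUNT}:role/CloudTrail_CloudWatchLogs_Role",
     "CloudWatchLogsLogGroupArn": f"arn:aws:logs:us-east-1:{ACCOUNT}:log-group:CloudTrail/us-east-1-LogGroup:*"},
    # Second trail: S3 only, no global service events, no CloudWatch Logs delivery.
    {"IncludeGlobalServiceEvents": False, "Name": "S3Only", "S3BucketName": "us-east-1.logging"},
]})
SAMPLE_GROUPS = json.dumps({"logGroups": [
    {"arn": f"arn:aws:logs:us-east-1:{ACCOUNT}:log-group:CloudTrail/us-east-1-LogGroup:*",
     "creationTime": 1439155915783, "metricFilterCount": 0,
     "logGroupName": "CloudTrail/us-east-1-LogGroup", "storedBytes": 411573, "retentionInDays": 90},
]})
STREAM_PREFIX = f"arn:aws:kinesis:us-east-1:{ACCOUNT}:stream/"
SAMPLE_FILTERS = json.dumps({"subscriptionFilters": [
    {"filterPattern": "", "filterName": "cwl-cfn-es-KinesisSubscriptionStream",
     "roleArn": f"arn:aws:iam::{ACCOUNT}:role/CWL-Elasticsearch-CloudWatchLogsKinesisRole",
     "creationTime": 1439157386140, "logGroupName": "CloudTrail/us-east-1-LogGroup",
     "destinationArn": STREAM_PREFIX + "CWL-Elasticsearch-KinesisSubscriptionStream"},
]})

if __name__ == "__main__":
    for line in evaluate(SAMPLE_TRAILS, SAMPLE_GROUPS, SAMPLE_FILTERS, STREAM_PREFIX):
        print("FINDING:", line)
```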
  64. Audit Controls 164.312(b)(2) – OCR Audit Protocol – Activity Reviews (slides 64–65). §164.312(b) Key Activity: Select the Tools that Will be Deployed for Auditing and System Activity Reviews. Audit Procedures: Inquire of management as to whether systems and applications have been evaluated to determine whether upgrades are necessary to implement audit capabilities. Obtain and review documentation of tools or applications that management has identified to capture the appropriate audit information. Something you have to do.
  66. HIPAA Security Rule – Fine print explained … or “How do I derive engineering from regulation?” (slides 66–67, build-up). The Security Rule is located at 45 CFR Part 160 and Subparts A and C of Part 164. Walking the same tree (Title 45 – Public Welfare; Subtitle A – Health and Human Services; Subchapter C – Administrative Data Standards and Related Requirements; Part 160 – General Administrative Requirements; Part 164 – Security and Privacy; Subpart C – Security Standards for the Protection of Electronic Protected Health Information) down to Section 164.312 – Technical Safeguards:
     164.312(a)(1) – Standard: Access Control
     164.312(a)(2) – Implementation Specification (iv) Encryption and decryption (Addressable). Implement a mechanism to encrypt and decrypt electronic protected health information.
     164.312(e)(1) – Standard: Transmission Security
     164.312(e)(2) – Implementation Specification (ii) Encryption (Addressable). Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate.
  68. Encryption Controls – 164.312(a)(2)(iv) (slides 68–69). 164.312(a)(2)(iv) Standard: Access Control – Encryption and decryption (Addressable). Implement a mechanism to encrypt and decrypt electronic protected health information. See the Guidance to Render Unsecured Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/brguidance.html
  70. Encryption Controls – 164.312(a)(2)(iv) (slides 70–73, build-up). From the guidance: Electronic PHI has been encrypted as specified in the HIPAA Security Rule by “the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key” (45 CFR 164.304 definition of encryption) and such confidential process or key that might enable decryption has not been breached. To avoid a breach of the confidential process or key, these decryption tools should be stored on a device or at a location separate from the data they are used to encrypt or decrypt.
     “Il faut qu’il n’exige pas le secret, et qu’il puisse sans inconvénient tomber entre les mains de l’ennemi.” – Auguste Kerckhoffs, “La Cryptographie Militaire,” Journal des Sciences Militaires, January 1883. The system must not require secrecy and can be stolen by the enemy without causing trouble.
  74. Encryption Controls – 164.312(a)(2)(iv) – OCR Audit Protocol §164.312(a)(2)(iv) (slides 74–75). Key Activity: Encryption and Decryption. Audit Procedures: Inquire of management as to whether an encryption mechanism is in place to protect ePHI. Obtain and review formal or informal policies and procedures and evaluate the content relative to the specified criteria to determine that encryption standards exist to protect ePHI. Based on the complexity of the entity, elements to consider include but are not limited to:
     - Type(s) of encryption used.
     - How encryption keys are protected.
     - Access to modify or create keys is restricted to appropriate personnel.
     - How keys are managed.
     Something you have to do.
  76. Encryption Controls – 164.312(a)(2)(iv) – Using Amazon KMS. HIPAA Eligible Services with KMS integrations: Amazon Elastic Block Store; Amazon Relational Database Service – MySQL; Amazon Relational Database Service – Oracle; Amazon Simple Storage Service (SSE-K); Amazon Redshift; Amazon Elastic MapReduce (client-side EMRFS)
  77. Encryption Controls – 164.312(a)(2)(iv) – Using Amazon KMS – EBS example (slides 77–81, diagram build-up). An EBS volume is encrypted with a volume encryption key, and that volume encryption key is itself encrypted under a KMS customer master key. An EBS snapshot of the volume is protected the same way. When the snapshot is copied between regions (us-west-2 and us-east-1 in the diagram), the copy in region 2 is encrypted with its own volume encryption key under a region 2 KMS customer master key.
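The key hierarchy of slides 77–81, and the guidance on slide 70 that the key live separately from the data, modelled in Python as an added example that is not AWS code. ToyKMS, the toy keystream cipher, and the key-id format are stand-ins for KMS and AES so that wrapping, unwrapping and the cross-region re-encryption can be run offline; the sample volume contents are constructed.

```python
import hashlib
import hmac
import secrets


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stand-in for the AES used by EBS and KMS: SHA-256 in counter mode XORed
    over the data. It exists only to make the key hierarchy visible; never use it
    for real data. Encryption and decryption are the same operation."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + (i // 32).to_bytes(4, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


class ToyKMS:
    """Models one region's KMS. Customer master keys (CMKs) live only inside the
    service, the "separate location" the breach-notification guidance asks for;
    callers receive data keys and wrapped data keys, never a CMK."""

    def __init__(self, region: str):
        self.region = region
        self._cmks = {}

    def create_key(self) -> str:
        key_id = f"{self.region}/cmk-{len(self._cmks) + 1}"  # constructed id format
        self._cmks[key_id] = secrets.token_bytes(32)
        return key_id

    def generate_data_key(self, key_id: str):
        """Return (plaintext data key, data key wrapped under the CMK)."""
        plaintext = secrets.token_bytes(32)
        nonce = secrets.token_bytes(16)
        body = _keystream_xor(self._cmks[key_id], nonce, plaintext)
        tag = hmac.new(self._cmks[key_id], nonce + body, "sha256").digest()
        return plaintext, key_id.encode() + b"|" + nonce + body + tag

    def decrypt(self, wrapped: bytes) -> bytes:
        """Unwrap a data key; fails when the CMK belongs to another region."""
        key_id, rest = wrapped.split(b"|", 1)
        cmk = self._cmks.get(key_id.decode())
        if cmk is None:
            raise PermissionError(f"{key_id.decode()} is not a CMK in {self.region}")
        nonce, body, tag = rest[:16], rest[16:-32], rest[-32:]
        if not hmac.compare_digest(tag, hmac.new(cmk, nonce + body, "sha256").digest()):
            raise ValueError("wrapped data key failed integrity check")
        return _keystream_xor(cmk, nonce, body)


def create_encrypted_volume(kms: ToyKMS, cmk_id: str, data: bytes) -> dict:
    """Slides 77-80: the volume is encrypted with a volume key, and the volume key is
    stored only in wrapped form under the KMS CMK. A snapshot carries the same pair."""
    volume_key, wrapped = kms.generate_data_key(cmk_id)
    nonce = secrets.token_bytes(16)
    return {
        "region": kms.region,
        "cmk": cmk_id,
        "nonce": nonce,
        "ciphertext": _keystream_xor(volume_key, nonce, data),
        "wrapped_volume_key": wrapped,
    }


def read_volume(kms: ToyKMS, volume: dict) -> bytes:
    """Attach/read: only the KMS holding the CMK can unwrap the volume key."""
    volume_key = kms.decrypt(volume["wrapped_volume_key"])
    return _keystream_xor(volume_key, volume["nonce"], volume["ciphertext"])


def copy_snapshot_to_region(src_kms: ToyKMS, snapshot: dict, dst_kms: ToyKMS, dst_cmk: str) -> dict:
    """Slide 81: KMS keys are regional, so a cross-region copy is re-encrypted under a
    new volume key wrapped by a CMK in the destination region."""
    plaintext = read_volume(src_kms, snapshot)
    return create_encrypted_volume(dst_kms, dst_cmk, plaintext)


if __name__ == "__main__":
    kms_west = ToyKMS("us-west-2")
    volume = create_encrypted_volume(kms_west, kms_west.create_key(),
                                     b"patient-0042: constructed sample record")
    kms_east = ToyKMS("us-east-1")
    try:
        read_volume(kms_east, volume)
    except PermissionError as err:
        print("region 2 cannot read the region 1 snapshot:", err)
    copy = copy_snapshot_to_region(kms_west, volume, kms_east, kms_east.create_key())
    print("copy readable in region 2:", read_volume(kms_east, copy))
```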
  82. Remember to complete your evaluations!
  83. Thank you!
