HIPAA Workloads on AWS (Amazon Web Services)

www.sourcefuse.com | Copyright © 2018 SourceFuse | Private and Confidential
HIPAA workloads on AWS
Susovan Panja | Sr. DevOps EngineerPREPARED
BY:

</What is HIPAA ?>
Health Insurance Portability and
Accountability Act
❏ We are here to talk about the HIPAA compliance and not
about the act itself.
❏ What HIPAA compliance means to us as an industry.
❏ How can we achieve this (with AWS infra) ?
❏ Are we compliant ? How to measure this ?
www.sourcefuse.com | Copyright 2019 SourceFuse | Private and Confidential©

</What is PHI?>
3
Protected Health Information
● Any health information that can be used to individually identify a person is considered as PHI.
● Information like diagnosis, prescriptions, treatment, national identification number, contact
number, emergency contact number, gender, ethnicity, names are considered as protected
information under PHI.
● Information like education details or employment records are not considered as PHI.
● You can go to the below link to see what all information is considered as PHI.
https://www.hipaajournal.com/what-is-considered-protected-health-information-under-hipaa/

</What is HIPAA compliance? >
4
● It is designed to ensure the availability and protection of PHI.
● It can be broken down into two rule sets:
HIPAA Security Rule: It demands that safeguards be implemented to ensure the confidentiality, integrity, and
availability of PHI
HIPAA Privacy Rule: It places limits on the uses and disclosures of PHI.
● It requires the entities to notify patients in case of a data breach that included their PHI as well as the OCR (Office
for Civil Rights) and the media if the breach affects more than five hundred patients.
● Health Information Technology for Economic and Clinical Health Act (HITECH) expanded the HIPAA rules in
2009. HIPAA and HITECH together establish a set of federal standards intended to protect the security and privacy
of PHI.
● Health Information Trust Alliance (HITRUST) Common Security Framework (CSF): The HITRUST CSF serves
to unify security controls from federal law (such as HIPAA and HITECH), state law, and non-governmental
frameworks (such as the PCI Security Standards Council) into a single framework that is tailored for healthcare
needs.

</AWS as HIPAA compliant service provider>
5
● There is no HIPAA certification for a cloud service provider (CSP) such as AWS.
● The Business Associate Addendum (BAA) is an AWS contract that is required under HIPAA rules to
ensure that AWS appropriately safeguards protected health information (PHI).
● Customers may use any AWS service in an account designated as a HIPAA account, but they should
only process, store, and transmit protected health information (PHI) in the HIPAA-eligible services
defined in the Business Associate Addendum (BAA).
● Just by utilizing HIPAA eligible services on AWS you product/service does not become
automatically HIPAA compliant.
● If you are selling your SaaS service to other companies/entities, you need a separate BAA with each
of them individually.

</How to achieve HIPAA compliance on AWS ?>
6
(Database
service): Multi-AZ
setup with read
replica in a
different AZ also
we can have read
replicas in
different region.
RDS
(Application
servers): Enable
Auto-Scaling
Group with AZ-
Rebalance.
EC2
S3 (for static files
/ frontend UI):
Multi region sync
buckets
S3 Use Cluster mode
with multi-AZ
Use Cluster mode
with multi-AZ
Elasticache
Use ALB in front of
app servers to
have uninterrupted
availability of your
service.
ALB
Availability

7
Security
● IAM: Use IAM to create users/roles with least privileges who can access your infrastructure.
● VPC/Subnets: Create custom VPC and private subnets and put your PHI processing/storing
resources inside private subnets (like app servers, database).
● NACL: Create NACL rules to filter what traffic can flow into your subnets.
● SG: Use S to restrict which resource can interact with which service.
● Encryption in Transit: Use secure endpoints (TLS enabled) for all services like S3, RDS, elastic-
cache, ALB, ALB to EC2, API gateways.
● Encryption at rest: The location where PHI information is stored should be encrypted too. Like S3
bucket, EBS volumes, RDS, elastic-cache (enable default encryption).

8
Enable VPC flow
logs, it provides us
a audit trail of
accepted or
rejected
connections.
VPC Flow logs
It records and monitors all
the changes made on your
infrastructure. Its enabled by
default but data retention is
only 7 days. The S3 bucket
used to store cloudtrail
should be encrypted.
Preferability the bucket
should be in another
account with very restricted
access.
It provides a
detailed view of all
the resources
associated with a
AWS account like
number of EC2
instances, RDS,
VPC, subnets etc.
Application logs
can be stored in
Cloudwatch Logs
for application
auditing purposes.
Cloudtrail AWS Config Cloudwatch Logs
Auditability

</Are we HIPAA compliant?>
9
Benchmarking our infrastructure

Thank You

HIPAA Workloads on AWS (Amazon Web Services)

Recommended

Recommended

More Related Content

Recently uploaded

Recently uploaded (20)

Featured

Featured (20)

HIPAA Workloads on AWS (Amazon Web Services)

Editor's Notes