HIPAA Compliance on AWS – Cheatsheet
The Health Insurance Portability and Accountability Act of 1996, commonly called HIPAA, governs the privacy and security of medical data in the United States. In order to handle the protected health information (PHI) of an individual, a covered entity and its business associates (service providers) must fulfil the regulatory requirements of HIPAA and its subsequent amendments, such as the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009. Since there is no authorized standard certification mechanism, there is no such thing as "HIPAA certified"; complying with HIPAA is left to the organization itself, subject to audits carried out by the HHS Office for Civil Rights (OCR).
In the absence of a standardized framework, HITRUST – a privately held company with broad support from healthcare, technology, and security experts – has established the Common Security Framework (CSF), which helps service providers demonstrate that they fulfil the regulatory requirements of HIPAA and its subsequent amendments. If you have developed an application on AWS, you operate under a shared responsibility model: Amazon looks after the physical layer, which includes storage, database, networking, and computing hardware, and the covered entity is responsible for everything else. Although fulfilling the requirements of HIPAA is a complex process, the following 10-point cheat sheet helps you ensure that your AWS application complies with HIPAA.
1. Business Associate Addendum (BAA)
In its own capacity, AWS is a HIPAA compliant service, but this does not mean that an application you develop on AWS is also compliant with HIPAA. Under the provisions of HIPAA, service providers like AWS are called business associates of covered entities. A BAA is a contract between AWS and the covered entity which ensures that AWS has implemented appropriate safeguards to protect PHI. It also specifies the extent of liability, the permissible disclosure and use of stored PHI by AWS, and the other activities and services to be performed. Amazon has a standard BAA which is presented to the customer for signing.
2. PHI Data Locations
A covered entity shall map the locations where the PHI of individuals is stored. Mapping the stored data gives an overview of what is where, which in turn makes dealing with security breaches easier. Note that PHI must only be stored on AWS systems and storage that are compliant with HIPAA.
3. De-identified Development Process
When developing a new application or testing one already developed, developers shall not use PHI that contains personal identifiers. Stored PHI must be de-identified before it is used in the development or testing process. De-identification is the process of removing the identifiers which could connect an individual to a certain piece of data.
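The following is an added example of the de-identification step described above, written for this cheat sheet and not taken from AWS or any project. It follows the structure of the HIPAA Safe Harbor method: direct identifiers are dropped, dates are reduced to the year, ages of 90 and over are collapsed into one bucket, and identifier-shaped strings in free text are replaced with tokens. The field names, the regular expressions and the sample record are all hypothetical and would need to be adapted to a real schema.

```python
"""Safe Harbor style de-identification of a patient record (added example).

Field names below are hypothetical and stand in for whatever schema the
application uses; the sample record is constructed for the demonstration.
"""
import re
from datetime import date

# Identifiers that Safe Harbor requires to be removed outright.
DIRECT_IDENTIFIERS = {
    "name", "street_address", "city", "county", "zip", "phone", "fax", "email",
    "ssn", "mrn", "health_plan_id", "account_number", "license_number",
    "vehicle_id", "device_serial", "url", "ip_address", "biometric_id", "photo",
}
# Date fields: every element except the year must go.
DATE_FIELDS = {"date_of_birth", "admission_date", "discharge_date", "death_date"}

# Patterns for identifiers that leak into free-text notes. Order matters:
# the SSN pattern runs before the phone pattern so it is not mistaken for one.
FREE_TEXT_PATTERNS = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"), "[PHONE]"),
    (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"), "[EMAIL]"),
    (re.compile(r"\b\d{1,2}/\d{1,2}/\d{4}\b"), "[DATE]"),
]


def age_on(as_of, dob):
    """Whole years between dob and as_of."""
    years = as_of.year - dob.year
    if (as_of.month, as_of.day) < (dob.month, dob.day):
        years -= 1
    return years


def scrub_text(text):
    """Replace identifier-looking substrings in free text with tokens."""
    for pattern, token in FREE_TEXT_PATTERNS:
        text = pattern.sub(token, text)
    return text


def deidentify(record, as_of):
    """Return a copy of record with Safe Harbor identifiers removed.

    as_of is the reference date used to derive age; ages of 90 and above are
    collapsed into a single "90+" bucket as the rule requires.
    """
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue                                   # dropped entirely
        if key in DATE_FIELDS:
            out[key] = str(value.year) if isinstance(value, date) else None
        elif isinstance(value, str):
            out[key] = scrub_text(value)               # notes, comments, etc.
        else:
            out[key] = value
    dob = record.get("date_of_birth")
    if isinstance(dob, date):
        age = age_on(as_of, dob)
        out["age"] = "90+" if age >= 90 else age
    return out


# Constructed sample record, not real patient data.
SAMPLE_RECORD = {
    "name": "Jane Doe",
    "mrn": "MRN-0001",
    "date_of_birth": date(1925, 6, 1),
    "admission_date": date(2019, 3, 4),
    "state": "OH",
    "zip": "44101",
    "diagnosis": "E11.9",
    "notes": "Call 216-555-0199 or jane@example.com re visit 03/04/2019, SSN 123-45-6789.",
}

if __name__ == "__main__":
    print(deidentify(SAMPLE_RECORD, as_of=date(2019, 9, 10)))
```

The regular expressions are deliberately conservative: they over-redact rather than under-redact, which is the right failure mode for test data. A production pipeline would add a review step, because free-text notes can carry identifiers (nicknames, employer names, rare conditions) that no pattern catches.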
In EC2-Classic, instances ran in a single, flat network that was shared with other customers. With the introduction of EC2-VPC, where VPC stands for Virtual Private Cloud, instances now run inside a VPC which is logically isolated and belongs to only one AWS account.
5. VPC Security
VPC has three primary security features that you can implement in order to enhance overall security:
- Security groups control both inbound and outbound traffic at the instance level.
- Network ACLs (Network Access Control Lists) control both inbound and outbound traffic and act as a firewall at the subnet level.
- Flow Logs capture information about the incoming and outgoing IP traffic passing through your VPC's network interfaces.
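As an added example (not from AWS or from the original article), the script below reviews two of the three controls offline: it flags security-group ingress rules that open administrative or database ports to the whole internet, and it triages flow-log records for sources that are repeatedly rejected and for accepted clear-text traffic that has no place in a PHI workload. The security-group record is constructed in the shape of `describe-security-groups` output and the log lines follow the default version 2 flow-log format; the port lists and all sample values are assumptions made for the demonstration.

```python
"""Offline review of two VPC controls (added example): security-group rules that
open sensitive ports to the whole internet, and flow-log records that show
repeated rejects or accepted clear-text traffic. Inputs are constructed in the
shape of describe-security-groups output and the default (version 2) flow-log
record format; no AWS API is called."""
from collections import Counter
from ipaddress import ip_network

# Illustrative lists, not AWS-defined: admin and database ports that should
# never be reachable from 0.0.0.0/0, and protocols that move data in clear text.
SENSITIVE_PORTS = {22: "ssh", 23: "telnet", 1433: "mssql", 3306: "mysql", 3389: "rdp", 5432: "postgres"}
PLAINTEXT_PORTS = {21: "ftp", 23: "telnet", 80: "http"}

# Default flow-log record fields, in order.
FLOW_FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr",
               "srcport", "dstport", "protocol", "packets", "bytes", "start", "end",
               "action", "log_status")


def world_open_ranges(perm):
    """CIDRs in an IpPermission entry that mean 'anyone' (prefix length 0)."""
    cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return [c for c in cidrs if ip_network(c).prefixlen == 0]


def review_security_group(group):
    """Return (group id, exposed service, cidrs) for each world-open ingress rule
    that covers a sensitive port or all traffic."""
    findings = []
    for perm in group.get("IpPermissions", []):
        cidrs = world_open_ranges(perm)
        if not cidrs:
            continue
        proto = perm.get("IpProtocol")
        if proto == "-1":                       # all protocols; no port range present
            findings.append((group["GroupId"], "all traffic", cidrs))
        elif proto in ("tcp", "udp"):
            lo, hi = perm["FromPort"], perm["ToPort"]
            exposed = sorted(n for p, n in SENSITIVE_PORTS.items() if lo <= p <= hi)
            if exposed:
                findings.append((group["GroupId"], ",".join(exposed), cidrs))
    return findings


def parse_flow_record(line):
    """Split one default-format flow-log line into a dict."""
    parts = line.split()
    if len(parts) != len(FLOW_FIELDS):
        raise ValueError(f"unexpected field count in flow record: {line!r}")
    return dict(zip(FLOW_FIELDS, parts))


def triage_flow_logs(lines, min_rejects=3):
    """Summarise sources with repeated REJECTs and ACCEPTed clear-text TCP flows.
    NODATA/SKIPDATA records carry '-' in the traffic fields and are skipped."""
    rejects = Counter()
    plaintext = []
    for line in lines:
        rec = parse_flow_record(line)
        if rec["log_status"] != "OK":
            continue
        if rec["action"] == "REJECT":
            rejects[rec["srcaddr"]] += 1
        elif rec["protocol"] == "6" and int(rec["dstport"]) in PLAINTEXT_PORTS:
            plaintext.append((rec["srcaddr"], rec["dstaddr"], PLAINTEXT_PORTS[int(rec["dstport"])]))
    return {
        "repeat_rejects": {src: n for src, n in rejects.items() if n >= min_rejects},
        "plaintext_accepts": plaintext,
    }


# Constructed sample data.
SAMPLE_GROUP = {
    "GroupId": "sg-0123456789abcdef0",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []},
    ],
}
SAMPLE_FLOW_LOG = """\
2 111122223333 eni-0a1b2c3d4e5f6a7b8 203.0.113.10 10.0.1.25 51021 22 6 1 60 1568116800 1568116860 REJECT OK
2 111122223333 eni-0a1b2c3d4e5f6a7b8 203.0.113.10 10.0.1.25 51022 3389 6 1 60 1568116800 1568116860 REJECT OK
2 111122223333 eni-0a1b2c3d4e5f6a7b8 203.0.113.10 10.0.1.25 51023 3306 6 1 60 1568116800 1568116860 REJECT OK
2 111122223333 eni-0a1b2c3d4e5f6a7b8 10.0.2.14 10.0.1.25 40412 80 6 12 5230 1568116800 1568116860 ACCEPT OK
2 111122223333 eni-0a1b2c3d4e5f6a7b8 10.0.2.14 10.0.1.25 40413 443 6 30 18490 1568116800 1568116860 ACCEPT OK
2 111122223333 eni-0a1b2c3d4e5f6a7b8 - - - - - - - 1568116800 1568116860 - NODATA
""".splitlines()

if __name__ == "__main__":
    print(review_security_group(SAMPLE_GROUP))
    print(triage_flow_logs(SAMPLE_FLOW_LOG))
```

Run against the sample, the review reports only the SSH rule (443 open to the world is expected for a public web tier, and the database rule is restricted to the VPC range), and the triage shows one source rejected three times plus one accepted HTTP flow between internal hosts. The same functions can be fed real `describe-security-groups` JSON and a flow-log export delivered to S3 or CloudWatch Logs.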
6. Data Storage Encryption
As per the provisions of HIPAA, stored data must be encrypted irrespective of whether it is primary data, backup data, cache/temp files, etc. Depending on the amount of data and its value for business continuity management, an appropriate data encryption algorithm should be used. AES, MD5, etc. are some of the algorithms that are used to protect stored data.
7. Data Transport Encryption
The previous point makes clear that stored data must be protected. This point extends encryption to data in transit from a sender to a receiver and vice versa. As a covered entity, it is your responsibility to ensure that data remains encrypted whether it travels inside or outside your private network.
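Points 6 and 7 both boil down to a posture check: is every store encrypted, and does every path refuse plaintext? The script below is an added example written for this cheat sheet (not AWS or project code) that performs both checks offline over inventory records constructed in the shape of `describe-volumes`, `describe-db-instances`, `get-bucket-encryption`, `get-bucket-policy` and `describe-listeners` output. It looks for AES-based service-side encryption (SSE-KMS, SSE-S3, EBS and RDS storage encryption) and for the bucket-policy statement that denies requests made without TLS; MD5, mentioned in point 6, is a hash function rather than a cipher and therefore does not appear as an encryption option. Treating SSE-S3 as weaker than SSE-KMS is a policy choice assumed here, and all sample identifiers are placeholders.

```python
"""Offline audit of encryption at rest and in transit for a PHI workload (added
example). Records are constructed in the shape of the corresponding AWS CLI
output (describe-volumes, describe-db-instances, get-bucket-encryption,
get-bucket-policy, describe-listeners); no AWS API is called."""


def audit_at_rest(volumes, db_instances, bucket_encryption):
    """Flag EBS volumes, RDS instances and S3 buckets without encryption by default."""
    findings = []
    for vol in volumes:
        if not vol.get("Encrypted"):
            findings.append(("ebs", vol["VolumeId"], "volume not encrypted"))
    for db in db_instances:
        if not db.get("StorageEncrypted"):
            findings.append(("rds", db["DBInstanceIdentifier"], "storage not encrypted"))
    for bucket, cfg in bucket_encryption.items():       # None when no configuration exists
        rules = (cfg or {}).get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
        algorithms = [r["ApplyServerSideEncryptionByDefault"]["SSEAlgorithm"] for r in rules]
        if not algorithms:
            findings.append(("s3", bucket, "no default encryption"))
        elif "aws:kms" not in algorithms:               # SSE-S3: assumed weaker than a customer-controlled KMS key
            findings.append(("s3", bucket, f"default encryption {algorithms[0]} is not KMS-managed"))
    return findings


def secure_transport_deny_statement(bucket):
    """Bucket-policy statement that rejects any request arriving over plaintext HTTP."""
    return {
        "Sid": "DenyInsecureTransport",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
        "Condition": {"Bool": {"aws:SecureTransport": "false"}},
    }


def has_secure_transport_deny(policy):
    """True if some Deny statement is keyed on aws:SecureTransport == false."""
    for stmt in policy.get("Statement", []):
        flag = stmt.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport")
        if stmt.get("Effect") == "Deny" and str(flag).lower() == "false":
            return True
    return False


def audit_in_transit(bucket_policies, listeners):
    """Flag buckets that accept plaintext requests and load-balancer listeners
    that terminate no TLS."""
    findings = []
    for bucket, policy in bucket_policies.items():      # None when the bucket has no policy
        if not has_secure_transport_deny(policy or {}):
            findings.append(("s3", bucket, "policy does not deny plaintext transport"))
    for lsn in listeners:
        if lsn.get("Protocol") not in ("HTTPS", "TLS"):
            findings.append(("elb", lsn["ListenerArn"], f"{lsn.get('Protocol')} listener carries no TLS"))
    return findings


# Constructed sample inventory; ARNs and key ids are placeholders.
SAMPLE_VOLUMES = [{"VolumeId": "vol-0aaa", "Encrypted": True}, {"VolumeId": "vol-0bbb", "Encrypted": False}]
SAMPLE_DBS = [{"DBInstanceIdentifier": "phi-db", "StorageEncrypted": True}]
SAMPLE_BUCKET_ENCRYPTION = {
    "phi-records": {"ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms", "KMSMasterKeyID": "KMS_KEY_ARN_PLACEHOLDER"}}]}},
    "phi-exports": {"ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}},
    "phi-scratch": None,
}
SAMPLE_BUCKET_POLICIES = {
    "phi-records": {"Version": "2012-10-17", "Statement": [secure_transport_deny_statement("phi-records")]},
    "phi-exports": None,
}
SAMPLE_LISTENERS = [
    {"ListenerArn": "arn:aws:elasticloadbalancing:REGION:ACCOUNT:listener/app/phi-web/PLACEHOLDER/1",
     "Protocol": "HTTP", "Port": 80},
    {"ListenerArn": "arn:aws:elasticloadbalancing:REGION:ACCOUNT:listener/app/phi-web/PLACEHOLDER/2",
     "Protocol": "HTTPS", "Port": 443, "SslPolicy": "ELBSecurityPolicy-TLS-1-2-2017-01"},
]

if __name__ == "__main__":
    for finding in audit_at_rest(SAMPLE_VOLUMES, SAMPLE_DBS, SAMPLE_BUCKET_ENCRYPTION):
        print(*finding)
    for finding in audit_in_transit(SAMPLE_BUCKET_POLICIES, SAMPLE_LISTENERS):
        print(*finding)
```

The `secure_transport_deny_statement` helper doubles as the remediation for the bucket finding: attach it to the bucket policy and clients that still speak plain HTTP receive an access denied error instead of reaching the data. For the HTTPS listener the audit only checks the protocol; the `SslPolicy` shown on the sample is one of the predefined policies that requires TLS 1.2 and is worth pinning explicitly, since older predefined policies still accept TLS 1.0.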
8. Cryptographic Key Security
AWS offers CloudHSM, a cloud-based hardware security module (HSM) that enables a covered entity to easily generate and use its own encryption keys on the AWS cloud. CloudHSM complies with various standards and, being a fully managed service, automates time-consuming tasks such as hardware provisioning, backups, and high availability.
9. SSL Certificate Security
SSL certificates prove that a website is the one it claims to be and allow it to perform secure, encrypted network communication. Along with meeting the requirements of HIPAA, a covered entity does not have to go through the manual process of purchasing, uploading, and renewing SSL certificates, because AWS Certificate Manager handles this.
10. High Availability
AWS is present in multiple geographical locations across the globe. Within each predefined Region there are isolated locations called Availability Zones. Hence, in order to maximize the availability of your software, applications, and data, stored data should span multiple Availability Zones or Regions so that redundancy is maintained.