Guide for Implementing HIPAA Compliant Software on AWS
Access control is an important part of any system, and the requirement is cloud-agnostic. Under the HIPAA guidelines, our application must ensure that only authenticated users can access the resources granted to them. AWS provides a service called IAM (Identity and Access Management) that lets us grant specific access to specific users in a few steps. IAM enables you to manage access to AWS services and resources securely: with it you can create and manage AWS users and groups, and use permissions to allow or deny their access to AWS resources.
Disposal as a Requirement
Each AWS account owner can configure retention for every service they use, both to prevent unnecessary data from being stored and to delete data from the service on request. The application itself should give users a way to delete their data. Any company that collects health information must ensure it is properly destroyed.
HIPAA requires that media has been cleared, purged, or destroyed consistent with NIST Special Publication 800-88, Guidelines for Media Sanitization, such that the PHI cannot be retrieved.
Data backup and Storage
AWS Backup is a managed solution for automatically backing up application data across AWS services, and it is a faster and easier backup option for AWS customers. Backup and recovery used to be a nightmare, but AWS has made it fairly simple. Backups can be scheduled on a regular basis or carried out on request. The service also monitors the status of current backups and lets you search and restore backups, which helps demonstrate compliance with corporate and regulatory requirements. Most AWS services, such as RDS, ElastiCache and S3, also have native backup functionality.
Security – Encryption and Decryption
To protect stored data, AWS offers robust encryption features for the data held in its various services. Amazon S3 is used for object storage and has strong data encryption options: each S3 object is encrypted with a unique key, and that key is itself encrypted and rotated on a regular basis. Amazon S3 uses the 256-bit Advanced Encryption Standard (AES-256) block cipher.
For other services, Amazon offers KMS (Key Management Service) to encrypt PHI data; it is a HIPAA-eligible solution for managing encryption keys used with other AWS services. KMS is built around master keys, which encrypt and decrypt the data keys that in turn encrypt and decrypt the PHI data inside the application.
AWS also provides an easy way to encrypt an RDS database or block storage devices such as EBS volumes with a few clicks; the rest is taken care of by AWS. For security in transit, SSL/TLS can be used to encrypt all network traffic, and AWS offers AWS Certificate Manager to manage your SSL/TLS certificates free of charge.
To achieve network-level security, it is best practice to separate the VPC holding PHI data from the VPC holding non-PHI data. Although this is not compulsory, most large organisations follow it. The following diagram shows a standard architecture on AWS for HIPAA security.
Auditing and Monitoring is an essential part of HIPAA compliance. Amazon introduced AWS Config for the same purpose. It is a fully managed service that provides you with AWS resource inventory, configuration history, and configuration change notifications to enable security and governance.
AWS Config lets you discover existing and deleted resources and evaluate them for compliance against rules. The service simplifies auditing, security analysis, change management, and operational troubleshooting.
HIPAA rules require covered entities to track login attempts and report errors. CloudTrail provides an event history of your AWS account activity. It helps you identify log entries related to sign-ins, including the source IP address and whether multi-factor authentication was used, and it records successful sign-ins by both IAM users and the root user. These features allow customers to simplify operational analysis and troubleshooting.
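As an added example (not from the original article), the following Python triages CloudTrail ConsoleLogin records in the way a HIPAA access-log review needs: it counts failed sign-ins per user and per source IP, and lists root sign-ins and successful sign-ins made without MFA. The sample records are constructed to match the CloudTrail ConsoleLogin event shape and are not real account data.

```python
import json
from collections import Counter

# Constructed sample records in the CloudTrail ConsoleLogin event shape (not real data).
SAMPLE_EVENTS = [
    {"eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "sourceIPAddress": "203.0.113.10",
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "sourceIPAddress": "198.51.100.7", "errorMessage": "Failed authentication",
     "responseElements": {"ConsoleLogin": "Failure"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "sourceIPAddress": "198.51.100.7", "errorMessage": "Failed authentication",
     "responseElements": {"ConsoleLogin": "Failure"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
     "userIdentity": {"type": "Root"},            # root has no userName field
     "sourceIPAddress": "192.0.2.44",
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventName": "DescribeInstances", "eventSource": "ec2.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},  # ignored: not a login
]

def load_records(text):
    """CloudTrail log files are JSON objects with a top-level 'Records' array."""
    return json.loads(text).get("Records", [])

def triage_console_logins(events):
    """Summarise ConsoleLogin events: failures, root sign-ins, successes without MFA."""
    summary = {"failures_by_user": Counter(), "failures_by_ip": Counter(),
               "root_logins": [], "no_mfa_success": []}
    for ev in events:
        if ev.get("eventName") != "ConsoleLogin":
            continue                                     # only sign-in events matter here
        ident = ev.get("userIdentity", {})
        user = ident.get("userName") or ident.get("type", "unknown")
        outcome = ev.get("responseElements", {}).get("ConsoleLogin")
        if outcome == "Failure":
            summary["failures_by_user"][user] += 1
            summary["failures_by_ip"][ev.get("sourceIPAddress", "?")] += 1
        elif outcome == "Success":
            if ident.get("type") == "Root":
                summary["root_logins"].append(ev.get("sourceIPAddress"))
            if ev.get("additionalEventData", {}).get("MFAUsed") != "Yes":
                summary["no_mfa_success"].append(user)
    return summary
```

Repeated failures from one IP or user, any root sign-in, and any success without MFA are the rows to escalate when reviewing the output.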