Building HIPAA Compliant Software Using AWS Cloud


As Healthtech takes off, one question every entrepreneur building a platform has in mind is whether it is HIPAA compliant. We still recommend having your software audited for compliance by an expert, but here are some of the things you can get right when you use AWS as the backend for a healthcare app.

To increase operational efficiency a lot of businesses are using cloud providers like Amazon Web Services to manage their IT infrastructure. A huge number of healthcare providers today use the AWS cloud to store, process, and send protected health information (PHI) under HIPAA regulations.

Running a HIPAA-compliant workload on AWS means building a secure environment for storing and retaining sensitive health information under the Health Insurance Portability and Accountability Act (HIPAA). Before storing PHI in AWS, a healthcare company must sign a Business Associate Agreement (BAA) with AWS; the BAA sets out the security, control, and administrative obligations that HIPAA places on AWS as a business associate.

AWS offers an extensive list of HIPAA Eligible Services from which you can build scalable, secure, and fault-tolerant solutions for a wide range of healthcare use cases. In this article, we cover the main aspects of building HIPAA-compliant software on AWS.

Where To Start?

It is very important to understand HIPAA compliance and what can go wrong if it is not followed properly. A glance at the fines and penalties imposed by the regulators shows how much damage a badly built system can do to your business. Building HIPAA-compliant software is therefore one of the core concerns for healthcare service providers.

The three tiers of a typical application are the client tier (the web or mobile app), the application tier (the server and its APIs), and the data tier (the database that stores the data). For HIPAA, every tier that touches PHI must be secured according to the HIPAA Security Rule and the best practices that implement it.


Why AWS?

As far as operational and physical security is concerned, AWS has multiple layers of controls that protect the integrity and safety of customer data. But merely using AWS services does not make your solution HIPAA compliant. When your AWS-based system handles ePHI, you must still meet HIPAA's technical safeguards and AWS's requirements for HIPAA workloads.

How compliant an AWS-based system is depends on how AWS is used. AWS itself runs high-load systems that process vast amounts of ePHI under HIPAA, but its BAA covers only the services on its published list of HIPAA Eligible Services, and PHI must be confined to those services; everything you build on top of them remains your responsibility.

Shared Responsibility

AWS uses a shared responsibility model that divides security duties between AWS and the customer so that the overall security of a workload on Amazon's cloud infrastructure is covered end to end.

Amazon manages the infrastructure components and the physical security of the AWS data centers at its geographic locations. AWS customers are responsible for securing and configuring the cloud services they use into a HIPAA-compliant architecture. Let's look at the model in more detail; the figure below gives a quick overview of what Amazon and the customer each own.

(Figure: shared responsibility of Amazon and the customer)

Amazon’s Responsibility

Amazon is in charge of the physical security of the AWS cloud infrastructure and of the hardware, software, networking, and facilities that run AWS services (security "of" the cloud). They manage the following areas:

  1. Computing
  2. Storage
  3. Databases
  4. Networking
  5. Regions
  6. Availability Zone
  7. Edge locations

Customer’s Responsibility

Customers are responsible for security "in" the cloud: configuring the AWS services they use so that the resulting solution is HIPAA compliant. Customers manage the security of the following areas:

  1. Platform
  2. Applications and customer data
  3. Identity and access management (IAM) tools and processes
  4. Operating systems
  5. Network traffic protection (encryption, integrity, identity)
  6. Firewall configurations
  7. Client-side and server-side encryption


Guide For Implementing HIPAA Compliant Software On AWS

1. Access Control

Access control plays an important part in any system, and the requirement is cloud-agnostic. Under the HIPAA Security Rule, the application must ensure that only authenticated, uniquely identified users can reach the resources they have been granted. AWS's Identity and Access Management (IAM) service lets us grant specific access to specific principals in a few steps.

IAM lets you manage access to AWS services and resources securely. With it you create and manage users, groups, and roles, and attach permission policies that allow or deny their access to AWS resources. Grant each principal only the permissions it needs (least privilege) rather than broad wildcards, and gate destructive actions on PHI behind multi-factor authentication.
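Here is an added example of the kind of check a practitioner runs before attaching a policy (it is not code from the original article or from AWS): a small Python linter that flags the shortcuts that break least privilege, such as wildcard actions, unscoped resources, and destructive actions granted without an MFA condition. The bucket name example-phi-bucket, the statement Sids, and the list of sensitive actions are assumptions made for the example.

```python
"""Lint IAM policy documents for least-privilege problems.

Added example (not code from the original article or from AWS). The two
policies below are constructed for illustration; the bucket name
example-phi-bucket and the statement Sids are made up.
"""
import json

# Actions that destroy PHI or change who can reach it. An Allow for one of
# these without an MFA condition is reported. The set is an assumption made
# for this example, not an AWS-defined category.
SENSITIVE_ACTIONS = {
    "s3:DeleteObject", "s3:DeleteBucket", "rds:DeleteDBInstance",
    "kms:ScheduleKeyDeletion", "iam:*", "iam:PutUserPolicy",
}


def _as_list(value):
    """IAM lets Action/Resource/Statement be a string or a list; normalise."""
    return value if isinstance(value, list) else [value]


def _requires_mfa(statement):
    cond = statement.get("Condition", {})
    return ("aws:MultiFactorAuthPresent" in cond.get("Bool", {})
            or "aws:MultiFactorAuthAge" in cond.get("NumericLessThan", {}))


def lint_policy(policy):
    """Return human-readable findings for Allow statements; [] means clean."""
    findings = []
    for i, st in enumerate(_as_list(policy.get("Statement", []))):
        sid = st.get("Sid", f"Statement[{i}]")
        if st.get("Effect") != "Allow":
            continue                      # Deny statements only narrow access
        actions = _as_list(st.get("Action", []))
        resources = _as_list(st.get("Resource", []))
        for action in actions:
            if action == "*":
                findings.append(f"{sid}: Action '*' grants every API call")
            elif action.endswith(":*"):
                findings.append(f"{sid}: Action '{action}' grants a whole service")
        if "*" in resources:
            findings.append(f"{sid}: Resource '*' is not scoped to the PHI resources")
        if "NotAction" in st or "NotResource" in st:
            findings.append(f"{sid}: NotAction/NotResource in an Allow is hard to bound")
        sensitive = sorted(a for a in actions if a == "*" or a in SENSITIVE_ACTIONS)
        if sensitive and not _requires_mfa(st):
            findings.append(f"{sid}: {sensitive} allowed without an MFA condition")
    return findings


# Constructed policies: the first is the kind of shortcut that fails an audit,
# the second is scoped to one bucket and gates deletion behind MFA.
BROAD_POLICY = json.loads("""
{"Version": "2012-10-17",
 "Statement": [{"Sid": "AdminEverything", "Effect": "Allow",
                "Action": "*", "Resource": "*"}]}
""")

SCOPED_POLICY = json.loads("""
{"Version": "2012-10-17",
 "Statement": [
   {"Sid": "ReadPhiBucket", "Effect": "Allow",
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::example-phi-bucket",
                 "arn:aws:s3:::example-phi-bucket/*"]},
   {"Sid": "DeleteWithMfa", "Effect": "Allow",
    "Action": "s3:DeleteObject",
    "Resource": "arn:aws:s3:::example-phi-bucket/*",
    "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}}
 ]}
""")

if __name__ == "__main__":
    for name, policy in (("broad", BROAD_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, lint_policy(policy) or "clean")
```

Run it against every policy document in the account before deployment: the scoped policy passes, while the all-access policy produces three findings. The real IAM policy grammar has more operators than this linter models, so treat a clean result as a necessary check, not a sufficient one.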

2. Disposal As A Requirement

Each AWS account owner can configure retention for every service they use, both to prevent unnecessary data from being stored and to delete data on request; the application itself should also give users a way to delete their data. Any company that collects health information must ensure it is properly destroyed once it is no longer needed.

HIPAA requires that media be cleared, purged, or destroyed consistent with NIST Special Publication 800-88, Guidelines for Media Sanitization, so that the PHI cannot be retrieved.

3. Data Backup And Storage

AWS Backup is a managed service that automates backups of application data across the AWS services it supports. It is a faster and easier backup solution for AWS customers: backup and recovery used to be a chore, but AWS has made it straightforward. Backups can run on a schedule or on demand.

It also monitors the status of current backups and lets you search and restore them to meet corporate and regulatory requirements. Many AWS services, such as RDS, ElastiCache, and S3, also have native backup or versioning functionality.

4. Security – Encryption And Decryption

To protect data at rest, AWS offers robust encryption features for the data stored in its different services. Amazon S3 is used for object storage and has strong encryption options. With S3-managed server-side encryption (SSE-S3), each object is encrypted with a unique key, which is itself encrypted with a regularly rotated master key, using 256-bit Advanced Encryption Standard (AES-256), one of the strongest block ciphers available.

For other services, and for application-level encryption of PHI, AWS offers the Key Management Service (KMS), a HIPAA-eligible service for managing encryption keys that integrates with most other AWS services. KMS keys (master keys) encrypt and decrypt the data keys that the application uses to encrypt and decrypt PHI, a pattern known as envelope encryption.

AWS makes it easy to encrypt an RDS database or block storage such as EBS volumes with a few clicks; the rest is handled by AWS. For security in transit, use TLS to encrypt all network traffic; AWS Certificate Manager issues and manages public TLS certificates free of charge.
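As an added example (not the article's or AWS's code), the following Python models how a bucket policy enforces encryption at rest and in transit for a PHI bucket: three explicit Deny statements refuse plaintext HTTP, refuse uploads that are not SSE-KMS, and refuse uploads with no encryption header at all, and a small evaluator shows which statement fires for a given request. The bucket name example-phi-bucket and the request contexts are constructed; the evaluator implements only the IAM condition operators the policy uses, and its treatment of missing keys is a stated assumption.

```python
"""Evaluate an S3 bucket policy's Deny statements against simulated requests.

Added example, not the article's or AWS's code. It models only the slice of
IAM condition logic needed for the encryption-enforcing Deny statements;
the bucket name example-phi-bucket is made up.
"""
import fnmatch
import json

# Constructed bucket policy: refuse plaintext transport on every S3 call,
# refuse uploads whose encryption header is not SSE-KMS, and refuse uploads
# that carry no encryption header at all.
PHI_BUCKET_POLICY = json.loads("""
{"Version": "2012-10-17",
 "Statement": [
   {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
    "Action": "s3:*",
    "Resource": ["arn:aws:s3:::example-phi-bucket",
                 "arn:aws:s3:::example-phi-bucket/*"],
    "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
   {"Sid": "DenyNonKmsEncryption", "Effect": "Deny", "Principal": "*",
    "Action": "s3:PutObject",
    "Resource": "arn:aws:s3:::example-phi-bucket/*",
    "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}},
   {"Sid": "DenyMissingEncryptionHeader", "Effect": "Deny", "Principal": "*",
    "Action": "s3:PutObject",
    "Resource": "arn:aws:s3:::example-phi-bucket/*",
    "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}}}
 ]}
""")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_matches(operator, key, expected, ctx):
    """Simplified semantics for the operators used above. Assumption: a key
    absent from the request context matches nothing except Null, which is
    why the policy carries a third statement to catch a missing header."""
    present = key in ctx
    wanted = [str(v) for v in _as_list(expected)]
    if operator == "Null":
        return (not present) == (wanted[0].lower() == "true")
    if not present:
        return False
    actual = str(ctx[key])
    if operator == "Bool":
        return actual.lower() in [v.lower() for v in wanted]
    if operator == "StringEquals":
        return actual in wanted
    if operator == "StringNotEquals":
        return actual not in wanted
    raise ValueError(f"operator {operator} is not modelled here")


def _statement_applies(st, action, resource, ctx):
    if not any(fnmatch.fnmatchcase(action, p) for p in _as_list(st["Action"])):
        return False
    if not any(fnmatch.fnmatchcase(resource, p) for p in _as_list(st["Resource"])):
        return False
    return all(_condition_matches(op, key, exp, ctx)
               for op, pairs in st.get("Condition", {}).items()
               for key, exp in pairs.items())


def explicit_denies(policy, action, resource, ctx):
    """Sids of Deny statements matching the request. A non-empty result means
    the call is refused no matter what Allow statements exist elsewhere,
    because an explicit deny always wins in IAM evaluation."""
    return [st.get("Sid", "<no sid>") for st in _as_list(policy["Statement"])
            if st.get("Effect") == "Deny"
            and _statement_applies(st, action, resource, ctx)]


# Constructed requests: (action, resource, request context).
OBJ = "arn:aws:s3:::example-phi-bucket/patient/123.json"
REQUESTS = {
    "plaintext_http_put": ("s3:PutObject", OBJ,
        {"aws:SecureTransport": "false", "s3:x-amz-server-side-encryption": "aws:kms"}),
    "https_put_sse_s3": ("s3:PutObject", OBJ,
        {"aws:SecureTransport": "true", "s3:x-amz-server-side-encryption": "AES256"}),
    "https_put_no_header": ("s3:PutObject", OBJ, {"aws:SecureTransport": "true"}),
    "https_put_kms": ("s3:PutObject", OBJ,
        {"aws:SecureTransport": "true", "s3:x-amz-server-side-encryption": "aws:kms"}),
    "https_get": ("s3:GetObject", OBJ, {"aws:SecureTransport": "true"}),
}

if __name__ == "__main__":
    for name, (action, resource, ctx) in REQUESTS.items():
        denied = explicit_denies(PHI_BUCKET_POLICY, action, resource, ctx)
        print(f"{name:22s} -> {denied or 'no explicit deny'}")
```

Explicit deny wins over any Allow in IAM evaluation, so a bucket policy like this is a guard rail that holds regardless of who the caller is. The plain-HTTP upload is refused even though it asks for SSE-KMS, and the SSE-S3 upload is refused because the policy pins SSE-KMS, whose key use is itself logged in CloudTrail.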

To achieve network-level isolation, it is best practice to separate the VPC that holds PHI from the VPCs that hold non-PHI data. This is not mandatory, but most large organizations do it. The following diagram shows a standard HIPAA security architecture on AWS.

(Figure: standard architecture on AWS for HIPAA security)

5. Audit Control

Auditing and monitoring are an essential part of HIPAA compliance. AWS Config serves this purpose: it is a fully managed service that provides an inventory of your AWS resources, their configuration history, and notifications of configuration changes, to support security and governance.

AWS Config can discover existing and deleted resources and evaluate their configuration against rules. This simplifies auditing, security analysis, change management, and operational troubleshooting.

(Figure: AWS Config for security auditing)

The HIPAA Security Rule requires covered entities to monitor log-in attempts and report discrepancies. AWS CloudTrail provides the event history of your AWS account activity, and its sign-in events let you identify console sign-ins, including the source IP address and whether multi-factor authentication was used, and distinguish successful sign-ins by IAM users from those by the root user. These records simplify operational analysis, troubleshooting, and incident investigation.
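Added example, not code from the original article or from AWS: a Python triage of CloudTrail console sign-in events that pulls out the items an auditor asks for, namely root sign-ins, sign-ins without MFA, and repeated failures from one source address. The records are constructed to follow the shape of CloudTrail ConsoleLogin events (eventName, userIdentity.type, responseElements.ConsoleLogin, additionalEventData.MFAUsed, sourceIPAddress); the account ID, user names, and addresses are made up.

```python
"""Triage CloudTrail console sign-in events for audit review.

Added example, not code from the original article or from AWS. The events
below are constructed to look like CloudTrail ConsoleLogin records; the
account ID, user names and IP addresses (documentation ranges) are made up.
"""
import json
from collections import Counter

# Constructed CloudTrail records, one JSON object per line.
SAMPLE_TRAIL = [json.loads(line) for line in r'''
{"eventTime": "2024-03-01T09:12:44Z", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.10", "userIdentity": {"type": "IAMUser", "userName": "alice"}, "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "Yes"}}
{"eventTime": "2024-03-01T09:30:02Z", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7", "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"}, "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "No"}}
{"eventTime": "2024-03-01T10:01:15Z", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin", "sourceIPAddress": "192.0.2.5", "userIdentity": {"type": "IAMUser", "userName": "bob"}, "responseElements": {"ConsoleLogin": "Failure"}, "errorMessage": "Failed authentication"}
{"eventTime": "2024-03-01T10:01:40Z", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin", "sourceIPAddress": "192.0.2.5", "userIdentity": {"type": "IAMUser", "userName": "bob"}, "responseElements": {"ConsoleLogin": "Failure"}, "errorMessage": "Failed authentication"}
{"eventTime": "2024-03-01T10:02:03Z", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin", "sourceIPAddress": "192.0.2.5", "userIdentity": {"type": "IAMUser", "userName": "bob"}, "responseElements": {"ConsoleLogin": "Failure"}, "errorMessage": "Failed authentication"}
{"eventTime": "2024-03-01T10:05:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances", "sourceIPAddress": "203.0.113.10", "userIdentity": {"type": "IAMUser", "userName": "alice"}}
{"eventTime": "2024-03-01T11:14:09Z", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.11", "userIdentity": {"type": "IAMUser", "userName": "carol"}, "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "No"}}
'''.strip().splitlines()]


def triage_console_logins(events, fail_threshold=3):
    """Summarise ConsoleLogin events into what an auditor asks for: root
    sign-ins, sign-ins without MFA, and failure counts per source address.
    The threshold for flagging an address is an assumed value."""
    root_logins, no_mfa, failures = [], [], Counter()
    for ev in events:
        if ev.get("eventName") != "ConsoleLogin":
            continue                                   # other API calls
        ident = ev.get("userIdentity", {})
        who = ident.get("userName") or ident.get("type", "unknown")
        ip = ev.get("sourceIPAddress", "?")
        entry = {"time": ev.get("eventTime"), "who": who, "ip": ip}
        if ev.get("responseElements", {}).get("ConsoleLogin") == "Failure":
            failures[ip] += 1
            continue
        if ident.get("type") == "Root":
            root_logins.append(entry)                  # root use should be rare
        if ev.get("additionalEventData", {}).get("MFAUsed") != "Yes":
            no_mfa.append(entry)
    brute_force = sorted(ip for ip, n in failures.items() if n >= fail_threshold)
    return {"root_logins": root_logins, "no_mfa": no_mfa,
            "failures_by_ip": dict(failures), "brute_force_ips": brute_force}


if __name__ == "__main__":
    print(json.dumps(triage_console_logins(SAMPLE_TRAIL), indent=2))
```

In production the input would be the JSON records CloudTrail delivers to S3 or CloudWatch Logs rather than an inline list; the function is deliberately independent of where the events come from, so the same logic can run in a scheduled job or a Lambda subscribed to the log group.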


6. Automatic Session Logouts

It is really important to implement inactivity session logouts, as HIPAA's automatic logoff safeguard calls for. With REST APIs this is straightforward to implement, with the backend enforcing the timeout and the frontend mirroring it. There is no global standard for the timeout duration; the risk of an "open" session on an unattended workstation depends largely on the physical surroundings.

On an open floor in a hospital or in a busy emergency room accessible to the public, the risk is high and the timeout should be shorter than 15 minutes.
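As an added example of the backend half of this (not the article's code), the Python below enforces both an idle timeout that depends on where the workstation sits and an absolute session lifetime, and it invalidates the session on the server rather than trusting the client to log out. The timeout values, the two risk classes, and the injectable clock are assumptions made for the example; the article only states that shared clinical areas need less than 15 minutes.

```python
"""Server-side inactivity and absolute session timeouts for a REST API.

Added example, not the article's code. Timeout values and the risk classes
are assumptions chosen for illustration.
"""
import secrets
import time
from dataclasses import dataclass, field

# Idle timeout by physical context of the client (assumed values; the
# article only says shared clinical areas need well under 15 minutes).
IDLE_TIMEOUT_SEC = {
    "shared_clinical": 5 * 60,    # ED, open floor, public-facing desks
    "private_office": 15 * 60,
}
ABSOLUTE_TIMEOUT_SEC = 8 * 60 * 60  # hard cap, regardless of activity


@dataclass
class Session:
    user: str
    risk_class: str
    created: float
    last_seen: float
    token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


class SessionStore:
    """In-memory store; a shared store such as Redis or DynamoDB would take
    its place in a multi-node deployment (assumption, not prescribed)."""

    def __init__(self, clock=time.time):
        self._clock = clock        # injectable so tests can move time forward
        self._sessions = {}

    def create(self, user, risk_class):
        if risk_class not in IDLE_TIMEOUT_SEC:
            raise ValueError(f"unknown risk class {risk_class!r}")
        now = self._clock()
        session = Session(user, risk_class, now, now)
        self._sessions[session.token] = session
        return session.token

    def validate(self, token):
        """Return (ok, reason). Expired sessions are removed on the server, so
        a token captured from an unattended workstation stops working at the
        idle window even if the client never sends a logout."""
        session = self._sessions.get(token)
        if session is None:
            return False, "unknown"
        now = self._clock()
        if now - session.created > ABSOLUTE_TIMEOUT_SEC:
            del self._sessions[token]
            return False, "absolute_timeout"
        if now - session.last_seen > IDLE_TIMEOUT_SEC[session.risk_class]:
            del self._sessions[token]
            return False, "idle_timeout"
        session.last_seen = now   # sliding window renews only on a valid call
        return True, "ok"

    def logout(self, token):
        """Explicit logout; returns False if the session was already gone."""
        return self._sessions.pop(token, None) is not None


if __name__ == "__main__":
    store = SessionStore()
    token = store.create("nurse1", "shared_clinical")
    print(store.validate(token))
```

The frontend can still show a countdown and clear its own state, but the store above is what makes an unattended session actually stop working: once validate() returns idle_timeout the token is gone, and a later request with it is treated as unknown rather than silently revived.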


Conclusion

AWS provides everything needed to set up a HIPAA-compliant telehealth platform. But you still need to follow the HIPAA Security Rule, maintain data confidentiality, and follow industry best practices for data protection. As described in the shared responsibility section, both parties carry responsibility for HIPAA compliance, AWS for the cloud itself and you for everything you build and configure in it.

Pravin Uttarwar

CTO, Mindbowser

Pravin has 16+ years of experience in the tech industry. A high energy individual who loves to use out of the box thinking to solve problems. He not only brings technical expertise to the table but also wears an entrepreneurial hat – benefiting any project with cost savings and adding more value to business strategy. Pravin is also chapter director of StartupGrind Pune, hosting events and startup conferences.
Reach out to Pravin at pravin.uttarwar@mindbowser.com
