
HIPAA Compliance in AWS Cloud

February 7, 2024

A guide to building HIPAA-compliant infrastructure in AWS using AWS native services and configuring them properly.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is federal legislation that seeks to improve the quality and efficiency of the US healthcare system by encouraging electronic health records (EHR), fast and secure information sharing, and the security and privacy of protected health information (PHI). These HIPAA provisions were ahead of their time: now, almost 30 years after HIPAA was enacted, we are seeing widespread cloud migration across all industries, including healthcare. The global healthcare cloud infrastructure market was valued at US$ 40 billion in 2022 and is expected to reach over US$ 295.79 billion by 2032. The US leads the healthcare cloud infrastructure market, accounting for $10.80 billion in 2022. Amazon Web Services (AWS) dominates this area with a stable market share of 31%, outpacing Microsoft Azure (25%) and Google Cloud (10%). For healthcare, cloud solutions let doctors and hospitals engage more with their patients' medical records, lab results, and doctor's notes at any time, thanks to the availability and accessibility of cloud solutions and the proliferation of healthcare applications. At the same time, given the rising demand for healthcare cloud infrastructure in the US and the leading role of AWS in this process, developing a reliable HIPAA-compliant infrastructure in AWS is extremely important.

AWS’s shared responsibility model and its implications for HIPAA compliance

HIPAA compliance is a shared responsibility between AWS and the customer. AWS is responsible for security of the cloud, which includes protecting the infrastructure (hardware, software, networking, and facilities) that runs all of the services offered in the AWS Cloud. Customers are responsible for security in the cloud, which covers the AWS services they choose to use. In practice, this shared responsibility determines the amount of configuration work customers must perform as part of their security responsibilities. In HIPAA terms, AWS assumes the majority of the responsibility for physical safeguards such as physical server security, employee access to systems, and data center access. Cloud customers, on the other hand, are responsible for the majority of the HIPAA administrative and technical safeguards. AWS customers must have an established set of administrative policies, operating procedures, and security plans to manage AWS in compliance with HIPAA. They must also implement the technical controls required under the HIPAA Security Rule, including backup and disaster recovery (DR), audit logging, encryption mechanisms, and firewall configuration.

Top 5 frequently used HIPAA-eligible AWS services

AWS offers more than a hundred HIPAA-eligible services with features that help organizations implement the necessary HIPAA safeguards and controls. However, the responsibility for configuring these services always lies with the customer. Five of the most frequently used services are:

1. Amazon S3 (Simple Storage Service) offers secure and scalable data storage with built-in features such as encryption, access controls, and versioning.
2. Amazon RDS (Relational Database Service) facilitates the creation and management of relational databases, ensuring secure storage and processing of healthcare data.
3. AWS Identity and Access Management (IAM) is essential for managing secure access to AWS services and resources and for implementing role-based access control (RBAC) to safeguard PHI.
4. AWS Key Management Service (KMS) is crucial for managing encryption keys and provides robust security for PHI in transit and at rest.
5. Amazon EC2 (Elastic Compute Cloud) provides scalable and secure computing capacity, allowing healthcare organizations to run applications and services.

AWS Business Associate Agreement (BAA)

A Business Associate Agreement (BAA) is the foundation for creating a HIPAA-compliant infrastructure in AWS. As of July 2013, AWS offers a standardized BAA in which it contractually commits to properly protecting PHI on the AWS cloud. Customers may use any AWS service in an account designated as a HIPAA account, but they should only process, store, and transmit PHI using the HIPAA-eligible services defined in their BAA.

HIPAA-compliant data encryption in AWS

HIPAA requires strong encryption mechanisms for all PHI stored in or transmitted across HIPAA-eligible services, following HHS encryption guidance. HIPAA-covered entities have flexibility in deciding how they meet the encryption requirements for PHI. They may use AWS native features and services for data encryption and key management, such as AWS Key Management Service (AWS KMS), which provides centralized control over the cryptographic keys used to protect sensitive data and is integrated with other AWS services. AWS lets customers easily configure encryption of data at rest on services including EC2, RDS, and S3. Similarly, compliant encryption protocols can be enabled for data in transit on S3, RDS, and Elastic Load Balancers. At the same time, customers need to ensure that the applications they host on AWS are also configured to use secure data transmission protocols. AWS customers may also use any other encryption tools that are compatible with HIPAA-eligible services and consistent with the HHS encryption guidance. Whatever encryption tools they select, covered entities must ensure that all their PHI is encrypted both in transit and at rest and that procedures for managing encryption keys are established.

Configuring AWS access controls and identity management for HIPAA compliance

The HIPAA Security Rule requires covered entities to carefully regulate access to PHI so that every action their workforce members take on systems, from logging in to accessing files, can be traced back to their identity. AWS services, specifically AWS Identity and Access Management (IAM), contain many features that help with access control and identity management. IAM specifies who or what can access services and resources in AWS, centrally manages fine-grained permissions, and analyzes access to refine permissions across AWS. IAM can be used to generate least-privilege policies, verify external and unused access to resources, and continually analyze access permissions. At the same time, when using AWS IAM, customers should assign a unique username to each workforce member for access to the AWS cloud and its various systems. They are also responsible for configuring all their systems to require strong authentication passwords and for enabling Multi-Factor Authentication (MFA) as a countermeasure to password-based vulnerabilities.
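The encryption section and the access-control section above both come down to policy conditions that a HIPAA account enforces on every request: TLS only, SSE-KMS on uploads, and MFA for human principals. The following added example (not code from the original post or from AWS) is a minimal evaluator for those explicit-Deny statements; the statements and request contexts are constructed, the condition keys are real AWS keys, and only the four operators used here are implemented.

```python
# Added example (not from the original post): a minimal evaluator for the
# explicit-Deny statements a HIPAA account typically attaches to a PHI bucket
# (non-TLS requests, unencrypted uploads) and to IAM principals (no MFA).
# Constructed statements; the condition keys are real AWS condition keys.
DENY_STATEMENTS = [
    {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Action": "s3:*",
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    # StringNotEquals does not match when the header is absent, so a second
    # Null statement is needed to catch uploads that send no header at all.
    {"Sid": "DenyNonKmsUploads", "Effect": "Deny", "Action": "s3:PutObject",
     "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}},
    {"Sid": "DenyUnencryptedUploads", "Effect": "Deny", "Action": "s3:PutObject",
     "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}}},
    {"Sid": "DenyWithoutMFA", "Effect": "Deny", "Action": "*",
     "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}},
]

def action_matches(pattern: str, action: str) -> bool:
    """Match an Action pattern such as "s3:*" against a concrete action."""
    return pattern in ("*", action) or (
        pattern.endswith("*") and action.startswith(pattern[:-1]))

def condition_holds(condition: dict, ctx: dict) -> bool:
    """Evaluate a Condition block against a request context (dict of keys)."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            raw = ctx.get(key)                   # None means the key is absent
            present = raw is not None
            if operator == "Bool":               # absent key -> no match
                ok = present and str(raw).lower() == expected
            elif operator == "BoolIfExists":     # absent key -> match
                ok = (not present) or str(raw).lower() == expected
            elif operator == "StringNotEquals":  # absent key -> no match
                ok = present and raw != expected
            elif operator == "Null":             # tests presence of the key
                ok = (not present) == (expected == "true")
            else:
                raise ValueError(f"unsupported operator: {operator}")
            if not ok:
                return False
    return True

def first_deny(action: str, ctx: dict, statements=DENY_STATEMENTS):
    """Return the Sid of the first Deny statement that fires, or None."""
    for st in statements:
        if (st["Effect"] == "Deny" and action_matches(st["Action"], action)
                and condition_holds(st.get("Condition", {}), ctx)):
            return st["Sid"]
    return None
```

Note that the MFA statement uses BoolIfExists, so a request whose context carries no aws:MultiFactorAuthPresent key at all (long-term access keys) is denied as well, which is the behaviour a PHI account wants.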

Implementing data backups and disaster recovery in the AWS environment

HIPAA's Security Rule has requirements for data backup procedures, disaster recovery mechanisms, and a contingency plan to protect PHI in case of emergency. AWS offers a centralized backup tool, AWS Backup, to protect customer data and support compliance across AWS services for business continuity purposes. AWS Backup is a fully managed service that centralizes and automates data protection across AWS services and hybrid workloads. Customers are responsible for centrally configuring backup policies and monitoring backup activity across their AWS resources. AWS services such as RDS and EC2 allow customers to configure snapshot schedules aligned with their Recovery Point Objectives (RPOs). Amazon S3 also provides a highly available solution for data storage and automated backups. When a file or image is loaded into Amazon S3, multiple redundant copies are automatically created and stored in separate data centers. These files can be accessed at any time, from anywhere (subject to permissions), and are stored until intentionally deleted. AWS customers are responsible for properly configuring the S3 policies. Additionally, AWS offers a variety of disaster recovery mechanisms. However, customers are responsible for developing their own Disaster Recovery plans and configuring AWS services in line with their business recovery needs. Specific requirements should be identified and configured based on the Business Impact Analysis (BIA) and the resulting Recovery Point Objectives (RPO) and Recovery Time Objectives (RTO).

Security events monitoring for HIPAA-compliant infrastructure in AWS

HIPAA rules require covered entities to log and monitor activities around PHI. For this purpose, AWS offers CloudTrail, a service that enables governance, compliance, operational auditing, and risk auditing of AWS accounts. With CloudTrail, customers can log, continuously monitor, and retain account activity across their AWS infrastructure. The service also provides the event history of their AWS account activity, including actions taken through the AWS Management Console, AWS SDKs, command line tools, and other AWS services. This event history simplifies security analysis, resource change tracking, and troubleshooting. AWS CloudTrail is enabled for all AWS accounts and can be used for audit logging, as required by the AWS BAA. When building HIPAA-compliant software, CloudTrail also helps identify log entries related to sign-ins, including the source IP address and whether multi-factor authentication (MFA) was used. These features allow customers to simplify operational analysis and troubleshooting.
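As an added example of the sign-in review described above (not code from the original post or from AWS), the script below scans a CloudTrail log file for ConsoleLogin records and flags the conditions an audit-log reviewer looks for. The records are constructed to resemble real CloudTrail events; the account id and IP addresses are placeholders.

```python
# Added example (not from the original post): scan a CloudTrail log file for
# console sign-ins and report the source IP, whether MFA was used, root-user
# activity and failed attempts. The records are constructed to resemble real
# CloudTrail events; the account id and IP addresses are placeholders.
import json

SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2024-02-07T09:12:44Z", "eventName": "ConsoleLogin",
     "sourceIPAddress": "203.0.113.10", "additionalEventData": {"MFAUsed": "Yes"},
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2024-02-07T09:20:01Z", "eventName": "ConsoleLogin",
     "sourceIPAddress": "198.51.100.7", "additionalEventData": {"MFAUsed": "No"},
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2024-02-07T10:02:19Z", "eventName": "ConsoleLogin",
     "sourceIPAddress": "198.51.100.9", "additionalEventData": {"MFAUsed": "No"},
     "userIdentity": {"type": "Root", "accountId": "111111111111"},
     "responseElements": {"ConsoleLogin": "Failure"}},
    {"eventTime": "2024-02-07T10:05:00Z", "eventName": "GetObject",   # not a sign-in
     "sourceIPAddress": "10.0.1.5", "userIdentity": {"type": "AssumedRole"}},
]})

def sign_in_findings(trail_json: str) -> list:
    """One finding per ConsoleLogin record, with the flags a HIPAA audit-log
    reviewer looks for: no MFA, root-user sign-in, failed attempt."""
    findings = []
    for rec in json.loads(trail_json)["Records"]:
        if rec.get("eventName") != "ConsoleLogin":
            continue                      # API calls are logged too; skip them here
        ident = rec.get("userIdentity", {})
        mfa_used = rec.get("additionalEventData", {}).get("MFAUsed") == "Yes"
        flags = []
        if not mfa_used:
            flags.append("no-mfa")
        if ident.get("type") == "Root":
            flags.append("root-user")
        if rec.get("responseElements", {}).get("ConsoleLogin") != "Success":
            flags.append("failed-login")
        findings.append({"time": rec["eventTime"],
                         "user": ident.get("userName", ident.get("type")),
                         "source_ip": rec.get("sourceIPAddress"),
                         "mfa": mfa_used, "flags": flags})
    return findings

def needs_review(findings: list) -> list:
    """Findings with at least one flag, i.e. the ones to escalate."""
    return [f for f in findings if f["flags"]]
```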

Configuration management is a key to HIPAA-compliant infrastructure in AWS

One of the common challenges in creating HIPAA-compliant AWS infrastructure is maintaining the integrity of a secure configuration. Several data breaches have been caused by insecure configuration of AWS resources due to a lack of knowledge or negligence. AWS Config is one of the tools AWS provides to help cloud administrators monitor the integrity of their AWS configuration. It provides an AWS resource inventory, configuration history, and configuration change notifications to support security. It continuously monitors and records AWS resource configurations, allowing automated evaluation of resources' current configurations against the ones defined by the organization.
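The "evaluation against the organization's own definition" that AWS Config performs is written as a custom rule. The following added example (not code from the original post or from AWS) shows the evaluation logic of such a rule for encryption at rest on PHI-holding RDS instances, EBS volumes and S3 buckets. The configuration items are constructed in the shape Config hands to a rule's Lambda function; the field names are assumed from the Config resource schemas and the resource ids are placeholders.

```python
# Added example (not from the original post): the evaluation logic of a custom
# AWS Config rule that checks PHI-holding resources for encryption at rest.
# The configuration items are constructed in the shape Config hands to a rule's
# Lambda function (field names assumed from the Config resource schemas; resource
# ids are placeholders). A real rule would report each result through
# config.put_evaluations(); here evaluate_item() simply returns it.
import json

def evaluate_item(item: dict) -> dict:
    """Map one configuration item to a Config evaluation result."""
    rtype, conf = item["resourceType"], item.get("configuration") or {}
    supp = item.get("supplementaryConfiguration") or {}
    if rtype == "AWS::RDS::DBInstance":
        ok = conf.get("storageEncrypted") is True
        note = "storage encrypted" if ok else "storageEncrypted is not true"
    elif rtype == "AWS::EC2::Volume":
        ok = conf.get("encrypted") is True
        note = "volume encrypted" if ok else "EBS volume is unencrypted"
    elif rtype == "AWS::S3::Bucket":
        rules = (supp.get("ServerSideEncryptionConfiguration") or {}).get("rules", [])
        algos = {r.get("applyServerSideEncryptionByDefault", {}).get("sseAlgorithm")
                 for r in rules}
        ok = "aws:kms" in algos          # SSE-S3 alone, or no default rule, fails
        note = "default SSE-KMS" if ok else f"default encryption: {sorted(map(str, algos)) or 'none'}"
    else:
        return _result(item, "NOT_APPLICABLE", "rule does not cover this type")
    return _result(item, "COMPLIANT" if ok else "NON_COMPLIANT", note)

def _result(item: dict, compliance: str, note: str) -> dict:
    return {"ComplianceResourceType": item["resourceType"],
            "ComplianceResourceId": item["resourceId"],
            "ComplianceType": compliance, "Annotation": note,
            "OrderingTimestamp": item.get("configurationItemCaptureTime")}

def lambda_handler(event: dict, context=None) -> dict:
    """Entry point in the shape Config invokes: the item is JSON in invokingEvent."""
    item = json.loads(event["invokingEvent"])["configurationItem"]
    return evaluate_item(item)

# Constructed configuration items for a stand-alone check.
SAMPLE_ITEMS = [
    {"resourceType": "AWS::RDS::DBInstance", "resourceId": "db-phi-placeholder",
     "configurationItemCaptureTime": "2024-02-07T08:00:00Z",
     "configuration": {"storageEncrypted": True}},
    {"resourceType": "AWS::S3::Bucket", "resourceId": "phi-bucket-placeholder",
     "configurationItemCaptureTime": "2024-02-07T08:00:00Z", "configuration": {},
     "supplementaryConfiguration": {"ServerSideEncryptionConfiguration": {"rules": [
         {"applyServerSideEncryptionByDefault": {"sseAlgorithm": "AES256"}}]}}},
]
```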

Conducting Risk Assessments

AWS maintains a standards-based risk management program to ensure that the HIPAA-eligible services specifically meet HIPAA requirements. AWS customers, in turn, are required to conduct their own HIPAA risk assessment for the services they use. Covered entities usually conduct risk assessments annually or whenever there are significant changes in business processes, the AWS environment, or the threat landscape. The risk assessment helps identify potential risks and vulnerabilities to PHI, so ensure that all HIPAA-eligible AWS services your company uses are included in the assessment scope. Planet 9 is dedicated to assisting businesses in maintaining HIPAA compliance. Whether you require support in ensuring compliance within your cloud infrastructure, conducting risk assessments, or other security and compliance services, we invite you to contact us.
