HIPAA Compliance in AWS Cloud

Joint blog post by Vijay Dalimkar, Principal Consultant and  Chandrahas Hukkeri , Principal Consultant at Infosys Cloud Practice unit

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a law designed to protect the security and privacy of protected health information (PHI) data and applies to covered entities and Business Associates.

HIPAA was revised in year 2009 by the Health Information Technology for Economic and Clinical Health (HITECH) Act. HIPAA has certain requirements on

  • How to use and disclosure the PHI information
  • Safeguards to protect PHI
  • Individual rights
  • Administrative responsibilities.

HIPAA required companies to develop regulations for protecting the privacy and security of certain health information. To fulfill this requirement, they need to manage what are commonly known as the HIPAA Privacy and Security Rule.

The Privacy Rule, or Standards for Privacy of Individually Identifiable Health Information, establishes standards for the protection of health information. The Security Standards for the Protection of Electronic Protected Health Information (the Security Rule) set up a set of security standards for protecting certain health information that is stored or transferred in electronic form.

Note that if you failed to comply with HIPPA regulation, then there are possibilities of  losing the trust of your client and expose you to legal action as well. There are criminal and civil penalties that could include fines of $250,000, and imprisonment for up to ten years.

1)  HIPAA Compliance top five challenges and How to overcome it?
1.1)  Find out, Is AWS Cloud HIPAA Compliant?

You will usually be wondering with one question, “Is AWS HIPAA compliant, let’s answer this important and mostly thought about by people working on compliance and audit related work.

To answer you briefly, AWS alone doesn’t guarantee HIPAA compliance, but it offers services to meet the HIPAA compliance requirements.

Now Let’s check what does it means. Amazon is supporting HIPAA compliance, and you would utilize its reliable services to create a cloud-based solution that will manage, maintain, and transfer confidential patient information and comply with HIPAA regulation. However, it’s not enough simply to use AWS services for HIPAA compliance. The main idea behind AWS HIPAA compliance is to have excellent knowledge of how to implement HIPAA controls using Amazon services.

So, as a result, to deal with PHI data in a highly protected way, you should keep a note of  the AWS HIPAA security rules and standards and, of course, correctly fit it into your IT infrastructure.

Here is an example:
You are developing an application which is handling PHI data in AWS Cloud environment and your company is looking for HIPAA compliance. So, you would need to check what the AWS services are required, How Enterprise Architect will  design and architect applications to meet HIPAA compliance requirements.

In this blog we will focus on the HIPAA compliance basic requirements for protecting PHI, what is service provider responsibility like signing agreement with AWS and others precaution to run workloads containing PHI.

1.2) How do we find out if I need a Business Associate Addendum for AWS Account?

The first step for HIPAA implementation, you need to sign and execute a Business Associate Addendum (BAA) agreement with Amazon Web Services to use the AWS Services for HIPAA compliance. BAA means Amazon Web Services share some of your legal obligations and guarantee that client will be informed of any data breach. To put it in simply way, you take care your data in cloud platforms, operating systems, apps, and other solutions. For AWS HIPAA compliant services, AWS are responsible for the security of database, cloud server infra, networks, and others infrastructure in the cloud and You are responsible for Security of the Cloud as per Shared Responsibility defined by AWS.

Figure1: Shared Responsibility Model (Source: AWS)

It is up to you how you will use Amazon Web Services (AWS) to run workloads regulated under the HIPAA compliance. We are getting AWS services to securely process, store and transmit PHI data for the Covered Entities and their Business Associates. AWS is offering a standardized BAA for customer and HIPAA eligible Services to use HIPAA AWS account. This is mandatory to enter into an AWS Business Associate Agreement and without that customer suppose to not use the HIPAA eligible services for any purpose or in any manner involving PHI data. Thus AWS BAA agreement is required for an organization that would like to be HIPAA compliance for safeguarding PHI in AWS Cloud. For this you can use AWS Artifact service to Manage the agreements for HIPAA enable accounts in AWS Organization and during audit you can easily provide BAA agreement by using AWS Artifacts to your compliance officer

Example if you are developing an application which is handling PHI, so you need to find where Application is hosted in AWS Account including all infrastructure as per its architecture and must know how application is handling the PHI data (Example – Database, Logs etc). Accordingly, you need to accept the BAA for those AWS account(s). Please note that It is mandatory to accept BAA for the AWS Accounts which handle the PHI data.

As per AWS Organization OU and account structure design, the HIPAA compliance requirement for the application need to check at  AWS account level, you need to accept BAA at OU level or Account level. Before you accept an agreement,  Infosys recommend that you take advise from legal, privacy, and compliance team and get approval from them

1.3) What is Partner’s Platform As Service solution and BAA requirements for HIPAA compliant application?

Many AWS Partners may be hosting Platform As Service (PaaS) applications in AWS. In this case you as Partner has to sign a Business Associate Addendum (BAA) agreement with AWS and client that is using hosted application which we called as Healthcare Provider or Covered entity has to sign a BAA with you.  Please note that Covered entity do not have sign BAA with AWS. Please see below illustration on HIPAA compliance requirement in AWS cloud

1.4)  Implementation of HIPAA Controls in AWS Cloud?

You might be knowing that AWS  is offering  many services to fulfil your application’s high availability, scalability, security  requirements. You can begin with HIPAA compliant architecture of your application that will starting point for building a HIPAA applications. You need to review Application architecture in other layers as well as shown below

  • Authorization and Authentication of application and Infra
  • Application layer security
  • Database layer

The below are some key points for HIPAA compliant application or platform.

a)  Authentication and Authorization of App and Infra

You would use AWS IAM primarily toward the authenticating and authorizing the use of AWS services and you need to setup additional controls for authentication and authorization for healthcare application. You might also want to consider identity federation and that can be extended your existing Identity provider solution like SAML 2.0, or Active Directory to cloud. The below are some considerations to achieve HIPAA compliance

  • Check the authentication and authorization setup that you define for your HIPAA-eligible Application
  • Implement the Multifactor Authentication (MFA) for users
  • Do not create Access key for root account

b)   Application layer Security

Your application may accessible directly from Internet through Load Balancer (AWS ELB). You can enable HTTPS communications to protect PHI data and also enable SSL on Server side as well so that traffic between ELB and Backend servers is encrypted. You make use of additional layer of security  by introducing WAF – Web Application Firewalls in front of web applications and also use intrusion detection/prevention solutions. All these will help to  avoid any possible external malicious attacks to your applications.

c)   Database Layer Security

The PHI data is stored in database and to protect data, you should consider the following best practices for AWS based databases – Oracle, MSSQL, MySQL etc.

  • Enable access to the database only from the application tier by using necessary network security group(s) and Network Access Control List rules.
  • Enable encryption at AWS RDS level for Data at Rest and In-Transit

Note: Earlier before May 2017, the AWS HIPAA compliance program required that customers who are keeping PHI data using Amazon EC2 , they may needed to use dedicated instances or dedicated hosts, but this requirement has been removed now.

1.5)    Do we need to Segregate Prod and Non-Prod Environment?

Every Application may have Production and Non-Production environments as per development Team requirements. This Segregation serves as an obstacle and also limit environment from malicious attack and save it from technical issue. Also, it helps to control the user access as per environment and helps Security Team to gather the logs and enrich the data for Security Monitoring.

Mostly the production environment will contain PHI data. You have to make sure that any non-Production environment must not get any PHI data from Production and there should be mechanism to track it.

Note : If you are using any third part Application Monitoring then you have to see if it is HIPAA compliant before selecting it.  Example – Datadog log Management solution is HIPAA compliant so you can use it in your environment.

2) How Infosys assisted one of the Largest Pharmaceutical company

The Pharma company wanted to deploy their in-house/Third Party developed product in AWS cloud. It is Platform As Service based offering in production and Non-Prod environment which contain Protected Health Information (PHI) data. Infosys has analyzed their overall requirements for below client’s requirements

  1.  Client want to keep PHI data away from their own network
  2. The Platform As Service based solution  hosted  in AWS Cloud  should be completely owned by vendor in term of HIPAA compliance
  3. Client want to have Non-Prod and Prod setup for their application

To meet client requirement, we have suggested the followings

  1. AWS Cloud provider as CSP to host product in Infosys Owned cloud Tenancy.
  2. Infosys Architecture Team has reviewed and deployed AWS HIPAA eligible services
  3. Infosys has signed BAA contract document with AWS
  4. The business entities using the hosted products have signed BAA with Infosys
  5. Infosys architecture team segregated separately Non-Prod and Prod setups and make sure that there is no PHI data reside in Non-Prod setup
  6. Infosys has setup processes for HIPAA compliance and audit involving all stakeholders with RACI

3)   Conclusion:

The HIPAA Compliance is to protect patient PHI data and to follow the standard guideline given by US Department of Health and Human Services (HHS). In this article, we tried to clear the doubt of HIPAA compliance requirements , explained the HIPAA eligible AWS Services and how AWS is helping to maintain HIPAA compliant and also explained what role and responsibility of service provider who is maintaining the cloud hosted application/Infra.

We also touched upon the topic of BAA requirements and what client has to do for AWS Account before storing PHI data in AWS Cloud by hosting HIPAA compliant application . In subsequence topic we discussed what is PaaS provider (Application hosting provider) responsibility to maintain the HIPAA for hosted application. We also explained how company can  implement the HIPAA compliance with help of example of Web, App and DB layer of application with important of segregation of environments.

This way you can assist client to implement the HIPAA compliance in AWS Cloud which will be just start for Security Team to implement the HIPAA controls.

Author Details

Vijay Narayan Dalimkar

Working in Infosys AWS Presales practice as Solution Architect for North America region and helping clients to build solution for Cloud Managed services and Migration solution to bring business value to them

Leave a Comment

Your email address will not be published.