Cloud Posse helps companies achieve HIPAA compliance on AWS.
Companies that handle health data are automatically subject to HIPAA regulations. Attempting to build the technical controls on top of the existing infrastructure is frequently more complicated than a lift-and-shift into a new AWS organization built with compliance in mind. Companies need to architect their infrastructure to meet these standards from the ground up.
To achieve HIPAA compliance on AWS, you will need to follow these steps:
- Review the AWS HIPAA Compliance[1]https://aws.amazon.com/compliance/hipaa-compliance/ documentation to understand the AWS “shared responsibility model” and the specific AWS services currently covered by HIPAA.
- Sign a Business Associate Agreement (BAA) with AWS. This contract outlines the responsibilities of both AWS and the customer concerning HIPAA compliance.
- Follow the AWS HIPAA Implementation Guide [2]https://docs.aws.amazon.com/whitepapers/latest/architecting-hipaa-security-and-compliance-on-aws/architecting-hipaa-security-and-compliance-on-aws.html to configure your AWS environment in a way that is compliant with HIPAA requirements. This includes setting up appropriate access controls, data encryption, and other security measures.
- Conduct regular audits to ensure your AWS environment complies with HIPAA requirements.
- If you are storing or processing electronically protected health information (ePHI) on AWS, you must follow additional requirements, such as implementing access controls and conducting risk assessments.
- Finally, carefully review and follow all applicable laws and regulations related to HIPAA compliance. This includes federal and state laws that may apply to your organization.
HIPAA is not prescriptive on how the technical controls are implemented. Instead, HIPAA defines a set of high-level expectations, but it’s up to the responsible party (e.g. Customer) to assert what controls are in place for each safeguard.
HIPAA Security Technical Safeguards
- Access control
- Audit controls
- Integrity
- Person or entity authentication
- Transmission security
The typical approach to addressing these controls is using a combination of one or more of the compliance standards such as CIS, HITRUST, NIST, ISO27001, etc. Organizationally, this is a decision that has both technical and procedural impacts.
The Technical Benchmark Framework should satisfy the vast majority of requirements for HIPAA, which means most likely selecting more than one framework.
Our strategy is to deploy AWS SecurityHub and enable the conformance packs required to meet HIPAA operational best practices, which provides a framework helpful to meet HIPAA requirements, given its broad scope of security controls. A conformance pack is a collection of AWS Config rules and remediation actions that can be easily deployed across an AWS organization. With AWS Config, we can evaluate whether your AWS resources comply with the standard best practices of a given technical benchmark. Cloud Posse has all the pre-existing Terraform modules to accelerate this implementation.
Our AWS reference architecture for terraform has a Foundational Security & Compliance pillar that addresses the implementation of the technical controls for HIPAA compliance. Choose one of our Jumpstart or Enterprise tracks to implement it.
Useful links:
- https://aws.amazon.com/blogs/security/category/compliance/
- https://aws.amazon.com/compliance/resources/
- https://aws.amazon.com/compliance/services-in-scope/
- https://aws.amazon.com/compliance/customer-center/
- https://aws.amazon.com/blogs/security/frequently-asked-questions-about-hipaa-compliance-in-the-aws-cloud/
- https://aws.amazon.com/blogs/security/aws-adds-12-more-services-to-its-pci-dss-compliance-program/
- https://aws.amazon.com/blogs/mt/how-cloudticity-automates-security-patches-for-linux-and-windows-using-amazon-ec2-systems-manager-and-aws-step-functions/
- https://aws.amazon.com/about-aws/whats-new/2017/08/now-you-can-use-amazon-cloud-directory-to-help-maintain-hipaa-and-pci-compliance-in-the-aws-cloud