Page 1: HIPAA Compliance in the AWS Cloud

HIPAA Compliance in the AWS Cloud
IndyAWS Meetup – 3/22/2017
Justin Kittle, IT Operations Manager, OurHealth
Noah Jaehnert, Director of Information Security, OurHealth

One American Square, Suite 2610
Indianapolis, IN 46282
www.ourhealth.org


Page 2: HIPAA Compliance in the AWS Cloud

Agenda

• What is OurHealth?
• Disclaimer
• Healthcare Definitions
• Requirements
• HIPAA-Eligible AWS Services – 13 Total
• AWS Shared Responsibility Model
• Meeting the AWS Compliance Model
• Resources

Page 3: HIPAA Compliance in the AWS Cloud

What is OurHealth?

Healthcare Clinics: Custom, Near-Site, and On-Site

Services We Provide:

• Adult Primary & Urgent Care
• Pediatric Urgent Care
• Wellness Services
• On-site Labs & Medications
• Referral Services
• Online Tools

Page 4: HIPAA Compliance in the AWS Cloud

What is OurHealth’s Mission?

• People
• Passion
• Excellence

Page 5: HIPAA Compliance in the AWS Cloud

Where are we? – Indianapolis, IN and Charlotte, NC

*and in many different employer buildings/on their campuses

Page 6: HIPAA Compliance in the AWS Cloud

Disclaimer

• Justin and Noah are not lawyers, nor is OurHealth a law firm. All information presented here is our personal interpretation of the HIPAA and AWS requirements, not that of our employer or any law firm.

• In order to ensure compliance with any applicable laws, regulations, etc. for your organization or entity, we strongly suggest consulting with a lawyer first who specializes in cloud security and/or compliance.

• We are not liable for anything you do or do not do. Period.

Page 7: HIPAA Compliance in the AWS Cloud

Healthcare Definitions

• Health Insurance Portability and Accountability Act (HIPAA):
  • Passed in 1996, designed to make it easier for workers to retain health insurance coverage when they change or lose their jobs.
  • Sought to drive adoption of electronic health records to improve the efficiency and quality of the American healthcare system through improved information sharing.
  • Requires protection of the security and privacy of Protected Health Information.

• Health Information Technology for Economic and Clinical Health Act (HITECH):
  • Passed in 2009; in combination with HIPAA, it establishes federal standards to protect the security and privacy of PHI.
  • HIPAA and HITECH impose requirements related to the use and disclosure of PHI, appropriate safeguards to protect PHI, individual rights, and administrative responsibilities.

Page 8: HIPAA Compliance in the AWS Cloud

Healthcare Definitions (continued)

• Business Associate Agreement (BAA)
  • A person or entity who performs functions or activities on behalf of, or provides certain services to, a covered entity and isn’t employed by the covered entity.
  • Also includes subcontractors who create, receive, maintain, or transmit protected health information on behalf of another business associate.
  • Cloud Service Providers like AWS are considered business associates.

• Protected Health Information (PHI):
  • Any information about health status, provision of health care, or payment for health care that is created or collected by a "Covered Entity" (or a Business Associate of a Covered Entity), and can be linked to a specific individual.
  • Includes any part of a patient’s medical record and/or payment history.

Page 9: HIPAA Compliance in the AWS Cloud

HIPAA Requirements

• There’s a lot… For full details, see:
  • HHS.gov - HIPAA Security Rule
  • HHS.gov - HIPAA Privacy Rule
• PHI must be encrypted in transit and at rest
• Access to PHI (including the systems that store, process, and/or transmit it) must be logged and monitored
• Business Associate Agreements (BAAs) must be in place between Covered Entity and Business Associate
  • Covered Entity: Health Care Provider, Health Plan, and/or Health Care Clearinghouse
  • Business Associate: Person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity.

Page 10: HIPAA Compliance in the AWS Cloud

AWS HIPAA Requirements

• Account must be designated as a “HIPAA Account”
• Must sign a BAA with Amazon
• Customers may only store, process, and/or transmit ePHI through eligible services
• Must encrypt ePHI in transit and at rest
• Must use dedicated EC2 instances for processing, storing, or transmitting ePHI
• Must record and retain activity related to use and access to ePHI
• Unique user identification required
• Strong authentication required

Page 11: HIPAA Compliance in the AWS Cloud

HIPAA-Eligible AWS Services – 13 Total

• Amazon API Gateway
  • Excluding the use of Amazon API Gateway caching
• AWS Direct Connect
• AWS Snowball
• Amazon DynamoDB
• Amazon EBS
• Amazon EC2
• Amazon Elastic MapReduce (EMR)
• Amazon Elastic Load Balancing (ELB)
• Amazon Glacier
• Amazon Relational Database Service (RDS)
  • MySQL, Oracle, and PostgreSQL engines only
• Amazon Aurora
  • MySQL-compatible edition only
• Amazon Redshift
• Amazon Simple Storage Service (S3)
  • Excluding the use of Amazon S3 Transfer Acceleration
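As an added example that is not part of the slides, the check below turns the AWS HIPAA requirements from page 10 (eligible services only, encryption at rest, dedicated EC2 tenancy) and the eligibility list with its exclusions from page 11 into an audit over a constructed resource inventory. The inventory records are a simplified shape assumed for this example, not real boto3 response objects, and encryption in transit cannot be judged from an inventory, so it is not checked here.

```python
# Added example: audit a constructed inventory against the 2017-era rules
# listed on pages 10 and 11 of the deck. Record shapes are simplified
# assumptions for this example, not the real boto3 response formats.

# The 13 HIPAA-eligible services named on page 11 (short keys chosen here).
ELIGIBLE = frozenset({
    "api-gateway", "direct-connect", "snowball", "dynamodb", "ebs", "ec2",
    "emr", "elb", "glacier", "rds", "aurora", "redshift", "s3",
})
# Features excluded from eligibility even though the service itself is eligible.
EXCLUDED_OPTION = {"api-gateway": "caching", "s3": "transfer_acceleration"}
# Engine restrictions from the slide: RDS MySQL/Oracle/PostgreSQL, Aurora MySQL.
ALLOWED_ENGINE = {"rds": {"mysql", "oracle", "postgres"}, "aurora": {"aurora-mysql"}}
# Storage services where encryption at rest is judged from the inventory.
STORAGE = {"ebs", "rds", "aurora", "redshift", "s3", "dynamodb", "glacier"}

def audit(resources):
    """Return (resource id, finding) pairs; an empty list means no findings."""
    findings = []
    for r in resources:
        svc, rid = r["service"], r["id"]
        if not r.get("handles_ephi"):
            continue  # the deck's rules apply only to resources touching ePHI
        if svc not in ELIGIBLE:
            findings.append((rid, f"{svc} is not a HIPAA-eligible service"))
            continue
        opt = EXCLUDED_OPTION.get(svc)
        if opt and r.get(opt):
            findings.append((rid, f"{svc} {opt} is excluded from eligibility"))
        if svc in ALLOWED_ENGINE and r.get("engine") not in ALLOWED_ENGINE[svc]:
            findings.append((rid, f"{svc} engine {r.get('engine')} is not covered"))
        if svc == "ec2" and r.get("tenancy") != "dedicated":
            findings.append((rid, "ePHI EC2 instance must use dedicated tenancy"))
        if svc in STORAGE and not r.get("encrypted"):
            findings.append((rid, f"{svc} resource is not encrypted at rest"))
    return findings

# Constructed sample inventory (not a real account).
SAMPLE = [
    {"service": "ec2", "id": "i-0001", "handles_ephi": True, "tenancy": "dedicated"},
    {"service": "ec2", "id": "i-0002", "handles_ephi": True, "tenancy": "default"},
    {"service": "ebs", "id": "vol-01", "handles_ephi": True, "encrypted": True},
    {"service": "ebs", "id": "vol-02", "handles_ephi": True, "encrypted": False},
    {"service": "rds", "id": "db-1", "handles_ephi": True, "engine": "postgres", "encrypted": True},
    {"service": "rds", "id": "db-2", "handles_ephi": True, "engine": "sqlserver", "encrypted": True},
    {"service": "s3", "id": "phi-bucket", "handles_ephi": True, "encrypted": True, "transfer_acceleration": True},
    {"service": "lambda", "id": "fn-1", "handles_ephi": True},
    {"service": "lambda", "id": "fn-2", "handles_ephi": False},
]

if __name__ == "__main__":
    for rid, msg in audit(SAMPLE):
        print(rid, "-", msg)
```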

Page 12: HIPAA Compliance in the AWS Cloud

AWS Shared Responsibility Model

Page 14: HIPAA Compliance in the AWS Cloud

Contact Information:

• Noah Jaehnert
  • [email protected]
  • @njaehner
  • https://www.linkedin.com/in/noahjaehnert

• Justin Kittle
  • [email protected]
  • @justinkittle
  • https://www.linkedin.com/in/justin-kittle-25901636