HIPAA Compliance in the AWS Cloud
IndyAWS Meetup – 3/22/2017
Justin Kittle, IT Operations Manager, OurHealth
Noah Jaehnert, Director of Information Security, OurHealth
One American Square, Suite 2610
Indianapolis, IN 46282
www.ourhealth.org
Agenda
• What is OurHealth?
• Disclaimer
• Healthcare Definitions
• Requirements
• HIPAA-Eligible AWS Services – 13 Total
• AWS Shared Responsibility Model
• Meeting the AWS Compliance Model
• Resources
What is OurHealth?
Healthcare Clinics: Custom, Near-Site, On-Site
Services We Provide:
• Adult Primary & Urgent Care
• Pediatric Urgent Care
• Wellness Services
• On-site Labs & Medications
• Referral Services
• Online Tools
What is OurHealth’s Mission?
• People
• Passion
• Excellence
Where are we? – Indianapolis, IN and Charlotte, NC
*and in many different employer buildings/on their campuses
Disclaimer
• Justin and Noah are not lawyers, nor is OurHealth a law firm. All information presented here is our personal interpretation of the HIPAA and AWS requirements, not that of our employer or any law firm.
• In order to ensure compliance with any applicable laws, regulations, etc. for your organization or entity, we strongly suggest consulting with a lawyer first who specializes in cloud security and/or compliance.
• We are not liable for anything you do or do not do. Period.
Healthcare Definitions
• Health Insurance Portability and Accountability Act (HIPAA):
  • Passed in 1996, designed to make it easier for workers to retain health insurance coverage when they change or lose their jobs.
  • Sought to drive adoption of electronic health records to improve the efficiency and quality of the American healthcare system through improved information sharing.
  • Requires protection of the security and privacy of Protected Health Information.
• Health Information Technology for Economic and Clinical Health Act (HITECH):
  • Passed in 2009; in combination with HIPAA, it establishes federal standards to protect the security and privacy of PHI.
  • HIPAA and HITECH impose requirements related to the use and disclosure of PHI, appropriate safeguards to protect PHI, individual rights, and administrative responsibilities.
Healthcare Definitions (continued)
• Business Associate Agreement (BAA):
  • A person or entity who performs functions or activities on behalf of, or provides certain services to, a covered entity and isn’t employed by the covered entity.
  • Also includes subcontractors who create, receive, maintain, or transmit protected health information on behalf of another business associate.
  • Cloud Service Providers like AWS are considered business associates.
• Protected Health Information (PHI):
  • Any information about health status, provision of health care, or payment for health care that is created or collected by a "Covered Entity" (or a Business Associate of a Covered Entity), and can be linked to a specific individual.
  • Includes any part of a patient’s medical record and/or payment history.
HIPAA Requirements
• There’s a lot… For full details, see:
  • HHS.gov - HIPAA Security Rule
  • HHS.gov - HIPAA Privacy Rule
• PHI must be encrypted in transit and at rest
• Access to PHI (including the systems that store, process, and/or transmit it) must be logged and monitored
• Business Associate Agreements (BAAs) must be in place between Covered Entity and Business Associate
  • Covered Entity: Health Care Provider, Health Plan, and/or Health Care Clearinghouse
  • Business Associate: Person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity.
AWS HIPAA Requirements
• Account must be designated as a “HIPAA Account”
• Must sign a BAA with Amazon
• Customers may only store, process, and/or transmit ePHI through eligible services
• Must encrypt ePHI in transit and at rest
• Must use dedicated EC2 instances for processing, storing, or transmitting ePHI
• Must record and retain activity related to use and access to ePHI
• Unique user identification required
• Strong authentication required
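The technical requirements on this slide (and the encryption and logging requirements on the HIPAA Requirements slide before it) are the kind of thing that should be checked continuously rather than at audit time. The following is an added example, not code from the slides or from OurHealth: an offline checker that evaluates a constructed account snapshot against those requirements. The snapshot dictionary, the `phi` tag convention, the bucket attribute names and every finding string are this example's own assumptions; a real checker would populate the snapshot from the EC2, S3, CloudTrail and IAM APIs. The dedicated-tenancy check follows the slide as given for the 2017 BAA terms (AWS has since dropped that term from its BAA).

```python
"""
Added example, not from the OurHealth slides: a small offline checker that evaluates a
constructed account snapshot against the HIPAA-account requirements listed above.
"""

# Constructed sample data, shaped loosely after the relevant AWS API responses
# (ec2:DescribeInstances, ec2:DescribeVolumes, s3:GetBucketEncryption,
# cloudtrail:DescribeTrails, iam:ListMFADevices). Field names and values are
# assumptions for this example so that it runs offline.
SAMPLE_ACCOUNT = {
    "ec2_instances": [
        {"InstanceId": "i-0aaa", "Placement": {"Tenancy": "dedicated"}, "Tags": {"phi": "true"}},
        {"InstanceId": "i-0bbb", "Placement": {"Tenancy": "default"}, "Tags": {"phi": "true"}},
        {"InstanceId": "i-0ccc", "Placement": {"Tenancy": "default"}, "Tags": {"phi": "false"}},
    ],
    "ebs_volumes": [
        {"VolumeId": "vol-1", "Encrypted": True, "AttachedTo": ["i-0aaa"]},
        {"VolumeId": "vol-2", "Encrypted": False, "AttachedTo": ["i-0bbb"]},
        {"VolumeId": "vol-3", "Encrypted": False, "AttachedTo": ["i-0ccc"]},
    ],
    "s3_buckets": [
        {"Name": "phi-exports", "DefaultEncryption": "aws:kms", "DeniesInsecureTransport": True},
        {"Name": "phi-backups", "DefaultEncryption": None, "DeniesInsecureTransport": False},
    ],
    "cloudtrail_trails": [
        {"Name": "org-trail", "IsMultiRegionTrail": True, "IsLogging": True,
         "LogFileValidationEnabled": True},
    ],
    "iam_users": [
        {"UserName": "alice", "MFADevices": 1},
        {"UserName": "ops-shared", "MFADevices": 0},
    ],
}


def phi_instance_ids(snapshot):
    """Instances tagged phi=true (an assumed tagging convention) handle ePHI."""
    return {i["InstanceId"] for i in snapshot["ec2_instances"] if i["Tags"].get("phi") == "true"}


def check_dedicated_tenancy(snapshot):
    """ePHI instances must be dedicated; return the ePHI instances that are not."""
    phi = phi_instance_ids(snapshot)
    return [i["InstanceId"] for i in snapshot["ec2_instances"]
            if i["InstanceId"] in phi and i["Placement"]["Tenancy"] != "dedicated"]


def check_ebs_encryption(snapshot):
    """ePHI at rest: every volume attached to an ePHI instance must be encrypted."""
    phi = phi_instance_ids(snapshot)
    return [v["VolumeId"] for v in snapshot["ebs_volumes"]
            if not v["Encrypted"] and phi.intersection(v["AttachedTo"])]


def check_s3_buckets(snapshot):
    """At rest: default bucket encryption. In transit: a bucket policy that denies
    requests made without TLS (the aws:SecureTransport=false condition)."""
    findings = []
    for b in snapshot["s3_buckets"]:
        if b["DefaultEncryption"] is None:
            findings.append((b["Name"], "no default encryption"))
        if not b["DeniesInsecureTransport"]:
            findings.append((b["Name"], "no deny for aws:SecureTransport=false"))
    return findings


def check_activity_logging(snapshot):
    """Record and retain activity: at least one multi-region trail that is logging,
    with log file validation so retained logs are tamper-evident."""
    ok = any(t["IsMultiRegionTrail"] and t["IsLogging"] and t["LogFileValidationEnabled"]
             for t in snapshot["cloudtrail_trails"])
    return [] if ok else ["no validated multi-region CloudTrail trail"]


def check_strong_authentication(snapshot):
    """Strong authentication: every IAM user must have an MFA device enrolled."""
    return [u["UserName"] for u in snapshot["iam_users"] if u["MFADevices"] == 0]


def evaluate(snapshot):
    """Run every check; an empty finding list means that requirement is met."""
    return {
        "dedicated_tenancy": check_dedicated_tenancy(snapshot),
        "ebs_encryption": check_ebs_encryption(snapshot),
        "s3_buckets": check_s3_buckets(snapshot),
        "activity_logging": check_activity_logging(snapshot),
        "strong_authentication": check_strong_authentication(snapshot),
    }


def is_compliant(snapshot):
    return all(not findings for findings in evaluate(snapshot).values())


if __name__ == "__main__":
    for name, findings in evaluate(SAMPLE_ACCOUNT).items():
        print(f"{name}: {'OK' if not findings else findings}")
```

Run against the sample account, the checker flags the non-dedicated ePHI instance, its unencrypted volume, the backup bucket that lacks both default encryption and a TLS-only policy, and the IAM user without MFA; the unencrypted volume on the non-ePHI instance is deliberately out of scope, which is why tagging which resources carry ePHI matters as much as the checks themselves.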
HIPAA-Eligible AWS Services – 13 Total
• Amazon API Gateway
  • Excluding the use of Amazon API Gateway caching
• AWS Direct Connect
• AWS Snowball
• Amazon DynamoDB
• Amazon EBS
• Amazon EC2
• Amazon Elastic MapReduce (EMR)
• Amazon Elastic Load Balancing (ELB)
• Amazon Glacier
• Amazon Relational Database Service (RDS)
  • MySQL, Oracle, and PostgreSQL engines only
• Amazon Aurora
  • MySQL-compatible edition only
• Amazon Redshift
• Amazon Simple Storage Service (S3)
  • Excluding the use of Amazon S3 Transfer Acceleration
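The eligible list is an allowlist with feature-level exclusions, so "is this service eligible?" is not enough: API Gateway with caching and S3 with Transfer Acceleration are ineligible even though the parent service is on the list. The following is an added example, not code from the slides or from OurHealth, that encodes the list exactly as presented on this 2017 slide (AWS has added many services since) and checks a constructed resource inventory against it. The service shorthand names, the `handles_phi` flag and the inventory records are this example's own assumptions.

```python
"""
Added example, not from the slides: check an inventory of in-use AWS services and
features against the 13-service HIPAA-eligible list as presented on the slide.
"""


def _rds_ok(resource):
    # Slide: MySQL, Oracle, and PostgreSQL engines only.
    return resource.get("engine") in {"mysql", "oracle", "postgres"}


def _aurora_ok(resource):
    # Slide: MySQL-compatible edition only.
    return resource.get("edition") == "mysql"


# Service shorthand keys are this example's own. Each value is a predicate that
# rejects the excluded feature or engine the slide calls out for that service.
ELIGIBLE = {
    "apigateway": lambda r: "caching" not in r.get("features", ()),
    "directconnect": lambda r: True,
    "snowball": lambda r: True,
    "dynamodb": lambda r: True,
    "ebs": lambda r: True,
    "ec2": lambda r: True,
    "emr": lambda r: True,
    "elb": lambda r: True,
    "glacier": lambda r: True,
    "rds": _rds_ok,
    "aurora": _aurora_ok,
    "redshift": lambda r: True,
    "s3": lambda r: "transfer_acceleration" not in r.get("features", ()),
}


def check_service_usage(resources):
    """Return (resource_id, reason) for every ePHI-handling resource that is either
    outside the eligible list or using an excluded feature/engine of an eligible service."""
    findings = []
    for r in resources:
        if not r.get("handles_phi", False):
            continue  # the restriction applies only where ePHI is stored, processed or transmitted
        predicate = ELIGIBLE.get(r["service"])
        if predicate is None:
            findings.append((r["id"], f"{r['service']} is not HIPAA-eligible"))
        elif not predicate(r):
            findings.append((r["id"], f"{r['service']} used with an excluded feature/engine"))
    return findings


# Constructed inventory for the example; ids and services are made up.
SAMPLE_INVENTORY = [
    {"id": "api-1", "service": "apigateway", "features": ["caching"], "handles_phi": True},
    {"id": "db-1", "service": "rds", "engine": "postgres", "handles_phi": True},
    {"id": "db-2", "service": "rds", "engine": "sqlserver", "handles_phi": True},
    {"id": "bucket-1", "service": "s3", "features": ["transfer_acceleration"], "handles_phi": True},
    {"id": "bucket-2", "service": "s3", "features": [], "handles_phi": True},
    {"id": "fn-1", "service": "lambda", "handles_phi": True},
    {"id": "fn-2", "service": "lambda", "handles_phi": False},
]

if __name__ == "__main__":
    for resource_id, reason in check_service_usage(SAMPLE_INVENTORY):
        print(f"{resource_id}: {reason}")
```

The `handles_phi` flag is the important design choice: the same non-eligible service is acceptable for a workload that never touches ePHI (`fn-2`) and a finding for one that does (`fn-1`), so the inventory has to carry data-classification information, not just service names.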
AWS Shared Responsibility Model
Resources
• AWS Resources:
  • AWS - Compliance Portal
  • AWS - Shared Responsibility Model
  • AWS - HIPAA Compliance
  • 2016 AWS Blog Series: Automating HIPAA Compliance
  • AWS re:Invent 2016: Embracing DevSecOps While Improving your Compliance and Security Agility and Posture
• Non-Amazon Resources:
  • HIPAA Security Rule Crosswalk to NIST Cybersecurity Framework
  • HITRUST Alliance - Common Security Framework
  • Cloud Security Alliance – Cloud Controls Matrix v3.0.1
Contact Information:
• Noah Jaehnert
  • [email protected]
  • @njaehner
  • https://www.linkedin.com/in/noahjaehnert
• Justin Kittle
  • [email protected]
  • @justinkittle
  • https://www.linkedin.com/in/justin-kittle-25901636