HIPAA is the acronym for the Health Insurance Portability and Accountability Act of 1996. This act was created by the United States Congress in 1966, and is an amendment of both the Public Health Service Act (PHSA) and the Employee Retirement Income Security Act (ERISA). It is amended into the Internal Receive Code of 1996, and seeks to protect the health insurance coverage of individuals and groups.
You have 5 titles in HIPAA Compliance, of which Title-II is most applicable for healthcare app development with respect to patient data privacy and preventing healthcare fraud. Title-II HIPAA Compliance has AS or Administrative Simplification provision where national standards are set for electronic health care transactions and health insurance plans, and national identifiers for providers.
It is mandatory for businesses to have HIPAA compliance, especially when it is engaged with patient data. This is specifically required for businesses involving the access to PHI, or Protected Health Information data. PHI information is released by entities that provide patients with the required information, as per their rights. AWS is powerful enough to bring compliance to the process, store and transmit PHI data in a secure manner.
Noted features of HIPAA
The Health Insurance Portability and Accountability Act has set standards on how medical data should be shared among different healthcare systems. The idea is to protect critical patient data, prevent fraud of any kind and to ensure individual health care plans are portable, accessible and easily renewable. Other main features include:
- Safe storage of patient medical information electronically
- Establish national standards and increase efficiency, reduce administrative costs, etc.
- Ensure criminal or civil penalties to those entities (health maintenance organizations, healthcare billing services, health insurers) that don’t comply with HIPAA standards.
If the AWS environment is not HIPAA compliant, then all that protected data will go unprotected, falling into the hands of unauthorised individuals, thereby, making a violation of HIPAA rules.
AWS Supports HIPAA Compliance
In spite of the power of AWS, the fact is that a software service or cloud service can never be completely HIPAA compliant. The compliance is all about how well we know how to use it with AWS, and not merely about the services the platform provides. In this case, it is AWS.
The platform helps you run sensitive workloads as per HIPAA. But in order to do that, you need to first accept AWS Business Associate Addendum or AWS BAA. Post this, you will be able to include PHI according HIPAA rules. This will give you access to the self service portal in the AWS portal, so you can review, accept and check status of your AWS BAA. It covers the security, control and administrative processes mentioned in the act.
Just because AWS is HIPAA compliant, your data isn’t immune to hacks and if you leave the storage buckets (AWS S3 buckets) unprotected, you are clearly violating the rules of the act. Of course, the obvious solution would be limit access to the S3 buckets with PHI, but in spite of doing this, several healthcare organizations have been suspected of leaving their PHI open and vulnerable.
To ensure the rules are followed to the letter, AWS published a 26-page guide for the healthcare organizations. The guide is called Architecting for HIPAA Security and Compliance for Amazon Web Services and aids business enterprises to set up access controls and secure AWS instances.
Amazon S3 buckets are built to be secure by default. Only the resource owner with the administrator credentials will be able to access the information in normal cases. But mistakes and errors happen while configuring permissions to access the resources. This is called misconfiguring the Amazon S3 bucket. In such cases, the data will be accessible to anyone wanting to look for it. Location of the data will also be visible.
Once the entity signs a BAA with AWS, they will be instructed on how to use the service, and when to use the access controls and permissions. In order to ensure that you don’t make mistakes while configuring S3 services, you can refer to their detailed documentation. This documentation would help you set up the access control and other permissions. There are multiple ways to add access and permissions, and this leads to multiple error points,where a tiny error can cost you dearly.
Whenever there are unprotected S3 buckets and the PHI security gets weak, security researchers would note them and alert the concerned healthcare organizations. Unfortunately for you, it is not just the security researches that are watching your applications or data. Hackers and thieves are constantly on the lookout for weak points in the S3 buckets, and at the first instance, they would access the data and steal information.
The weakest point in the S3 buckets is probably where user authentication is performed. This means, anyone with the required credentials can gain access to the data — and such a person would, naturally become an authenticated user. According to Amazon, an authenticated user is a person with an AWS account, and anyone with such an account will get access to the AWS account.
We can use several AWS services for easily achieving HIPAA compliance. Here are some examples: AWS Parameter Store, AWS RDS, AWS VPC, AWS EC2, etc.
AWS Parameter Store
Amazon Web Services come with its own Systems Manager that would let you configure and manage your own Amazon EC2 instances on a number of AWS resources, including virtual machines and on-premises servers. The Systems Manager comes with a unified interface that would help you easily centralize operational data, including finding and resolving problems, and automating most of the tasks.
There is an AWS Systems Manager Parameter Store (SSM) that allows for a hierarchical storage for data management and secret management. The SSM store lets you create Secure String parameter, with both plain text parameter name and a secret parameter value. The Parameter Store can help encrypt and decrypt these parameter values through Secure String parameter. The entire exercise is to ensure that you can create, store and manage data containing parametrical values. You can then use these parameters in a number of applications and services, and you can configure their policies and permissions as well. In this manner, you don’t have to make errors while changing a single parameter value, because only the specific use parameter will be changed.
The parameter store has hierarchical storage for the configuration data including database connection strings, passwords, license codes and so on. This is quite important for companies developing enterprise and small applications. Mission critical and secret information like database connection credentials and other highly critical data must be protected with the help of services like HIPAA compliant AWS because failing to do so would result in serious problems, especially if you are planning to merely embedding these things into the application code directly.
The services provided by AWS Parameter Store are free of cost, can be scaled as and when required, and is entirely managed in the AWS cloud. You can store the data in any available format.
AWS Parameter Store can be found under AWS Systems Manager service.
The Amazon Relational Database Service (RDS) is a Software-as-a-Service offering that helps you build, manage and scale relational databases in the cloud. The service can handle several kinds of standard database management tasks, and offers resizable capacity for industry-standard relational databases. The relational database is somewhat similar to MySQL and Oracle, hosted on Amazon infrastructure.
Amazon RDS works with all AWS cloud products, and mostly works on the pay-as-you-go model as it is based on the conventional cloud utility computing model. Users are billed on the basis of conventional cloud utility computing model.
Amazon RDS is useful among entities because:
- It is gives access to functionalities of several Microsoft SQL, Oracle and MySQL databases.
- It is compatible with applications and tools generally used by developers.
- It helps users scale database, process resources and increase storage as per the user application demands.
- It can be integrated with Simple DB, Amazon’s NoSQL database, containing relational and non-relational database needs.
Amazon RDS database engines are HIPAA eligible. Hence you can use the RDS to build HIPAA compliant applications, store healthcare related information, including PHI under BAA with AWS, and covering the entire healthcare analytics pipeline. The compliance program was extended to include Amazon RDS for MariaDB and Amazon RDS for SQL Server.
While architecting for HIPAA in the AWS, we recommend keeping the database part separate while using RDS. RDS service helps a lot for ensuring security, because that’s what is most important — protection of critical data.
According to Wikipedia, Amazon Virtual Private Cloud or VPC “is a commercial cloud computing service that provides users a virtual private cloud, by “provision[ing] a logically isolated section of Amazon Web Services (AWS) Cloud”.
This service is almost similar to that of private clouds like Open Stack and HPE Helion Eucalyptus, and closely resembles a traditional network. You can also enjoy the benefits of having a scalable infrastructure.
VPC is dedicated to your AWS account, and logically isolated from other networks in the cloud. Being a networking layer of Amazon EC2, you can easily launch its resources into the VPC. You can enjoy complete control over your IP address range, configure network gateways, configure route tables, create subnets and so on. It is possible to maximize the security by having multiple layers of security, adding both IPv4 and IPv6 for high levels of security for accessing resources and applications. Keeping the database instances in the private subnets would keep it protected from the public intranet, thereby making it even more secure.
- Enjoy advanced security features like security groups and network access control lists.
- Both inbound and outbound filtering at instance level & subnet level
- Store data in Amazon S3
- Restrict access in Amazon S3 to make it accessible only from VPC
- Dedicated instances possible so it can be accessed only for a single customer through additional isolation
- Can be connected to other VPCs
- Can connect to SaaS solutions through AWS Private Link
- Secure connection to corporate datacenter
Amazon Elastic Compute Cloud is another web service provided in Amazon’s cloud computing platform. You can launch as many virtual servers as you need, manage storage, configure security and storage. You don’t have to invest in any kind of hardware to manage and deploy applications faster. It is possible to scale up and scale down, whenever there is a rise or fall in traffic.
Amazon ECs comes with different instance (virtual computing environments) types, sizes and pricing plans for different computing requirements, so it is easy to come up with something that suits your budget.
More about Architecting for HIPAA in the Cloud
Amazon Web Services helps you run sensitive workloads once they are regulated under United States HIPAA. To include highly protected health information under AWS, you need to accept the AWS Business Associate Addendum or AWS BAA. This is also where you can legally process PHI.
However, for this to be accepted first, you need to use AWS Artifact Agreements and confirm your account in the AWS. This is used to review, accept and manage all the agreements in your account. Next, you can review the terms of your accepted agreement, and if you don’t feel the necessity to use the agreement, you can always terminate it. There is an AWS Artifact Agreements specifically for this.
You can click on this link to check on the current list of services covered by AWS BAA.
General Architecture Strategies
There are some general strategies to follow when using AWS for HIPAA application. They are:
- Identifying and separating protected and sensitive information from processing or orchestration
- Performing automation to trace the flow of data
- Set logical boundaries between protected information and general data
The number of healthcare providers, IT professionals, insurers, and payers using AWS cloud based services to ensure high levels of protection in patient data and information is growing by the day. AWS aligns itself with the U.S. Health Insurance Portability and Accountability Act of 1996 (HIPAA) to promise its customers that the processing, maintenance and storage of Protected Health Information is done without errors or possibilities of vulnerabilities. This way you can be assured of HIPAA compliance while using AWS.
Interested in building HIPAA compliant apps using AWS? We’ll be happy to help!
Originally published at Cabot Solutions on November 27, 2018.