
HIPAA Workloads on AWS: 10 Point Inspection Checklist

As healthcare becomes increasingly cloud-based, maintaining data compliance requires a modern approach. Everyone in the healthcare industry is required to actively maintain HIPAA compliance to protect the security and privacy of protected health information (PHI). Many healthcare organizations choose to run HIPAA workloads on AWS due to its increased agility, collaboration, security, and innovation potential.

One solution that helps AWS stand out is Amazon EC2. EC2 provides secure, reliable compute capacity in the cloud. It gives developers an easy environment for web-scale cloud computing and complete control of their computing resources. It’s a scalable, configurable compute service with multiple approaches to data encryption.

Additionally, the following services enhance EC2’s encryption and security.

  • AWS CloudFormation allows customers to create and provision infrastructure deployments predictably. Users can leverage AWS products like Amazon EC2 to build reliable, scalable, and cost-effective applications in the cloud without worry.
  • AWS CloudWatch provides the ability to monitor, store, and access log files from Amazon EC2 instances, AWS CloudTrail, and other sources. Data in CloudWatch Logs is encrypted in transit and at rest, so users don’t need to re-encrypt PHI that other services emit into their logs.

Maintaining compliance isn’t as simple as implementing these tools, though. Creating the proper infrastructure for a compliant cloud requires a dedicated hands-on approach. With Mission, customers work with expert AWS-certified engineers to build the perfect cloud for their specific needs.

The approach to HIPAA varies from organization to organization. For example, a hospital will require a much different approach than a health insurance provider. To make things easier from the outset, let’s look at a useful checklist you can use to ensure compliance is met.

  • Business Associate Agreement: If you choose to work with an AWS partner like Mission, they should have a Business Associate Agreement (BAA) in place with Amazon.
  • PHI Data Locations: All PHI data locations are known and PHI data resides on HIPAA compliant AWS systems and storage.
  • De-Identified Dev/QA Environments: Development and testing can take place with de-identified PHI data.
  • VPC Design: Use private VPC subnets where possible, utilizing a NAT Gateway to facilitate external internet access.
  • VPC Security: Implement Amazon CloudWatch alarms and AWS Config to provide configuration history, resource inventory, and automated review mechanisms for system changes in near real-time.
  • Data Storage Encryption: All data is encrypted at rest in all storage solutions including backups, cache and temp files.
  • Data Transport Encryption: Data is encrypted in flight inside and outside of the private network.
  • Cryptographic Key Security: Keys are secured with AWS KMS and/or a tamper-resistant CloudHSM appliance.
  • SSL Certificate Security: SSL certificate use is limited to servers, load balancers and appliances with restricted access.
  • High Availability: Production systems span multiple Availability Zones and/or AWS Regions for redundancy.
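As an added example that is not part of the original post, here is a small Python audit of the storage-encryption, key-security and VPC-design items above. It runs over a constructed inventory shaped like boto3 `describe_*` responses; every ID and ARN in it is a made-up placeholder, and in a real account the same dictionaries would come from `describe_volumes`, `describe_snapshots`, `describe_route_tables` and `describe_log_groups`.

```python
from typing import Dict, List

# Constructed sample inventory (not real account data), shaped like the
# boto3 responses for EC2 volumes/snapshots, VPC route tables and CloudWatch
# log groups. IDs and ARNs are placeholders.
INVENTORY: Dict[str, list] = {
    "Volumes": [
        {"VolumeId": "vol-0a", "Encrypted": True,
         "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/placeholder"},
        {"VolumeId": "vol-0b", "Encrypted": False},
    ],
    "Snapshots": [{"SnapshotId": "snap-0a", "Encrypted": False}],
    "RouteTables": [
        {"Associations": [{"SubnetId": "subnet-app"}],
         "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0a"}]},
        {"Associations": [{"SubnetId": "subnet-db"}],
         "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0a"}]},
    ],
    "LogGroups": [
        {"logGroupName": "/app/phi",
         "kmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/placeholder"},
        {"logGroupName": "/app/debug"},
    ],
}


def audit(inv: Dict[str, list]) -> List[str]:
    """Return one finding per checklist violation found in the inventory."""
    findings: List[str] = []
    # Data Storage Encryption: volumes and their backups must be encrypted at rest.
    for vol in inv.get("Volumes", []):
        if not vol.get("Encrypted"):
            findings.append(f"{vol['VolumeId']}: EBS volume not encrypted at rest")
    for snap in inv.get("Snapshots", []):
        if not snap.get("Encrypted"):
            findings.append(f"{snap['SnapshotId']}: backup snapshot not encrypted at rest")
    # VPC Design: a default route to an internet gateway makes the subnet public;
    # a default route via a NAT gateway keeps it private.
    for table in inv.get("RouteTables", []):
        public = any(r.get("DestinationCidrBlock") == "0.0.0.0/0"
                     and r.get("GatewayId", "").startswith("igw-")
                     for r in table.get("Routes", []))
        for assoc in table.get("Associations", []):
            if public and "SubnetId" in assoc:
                findings.append(f"{assoc['SubnetId']}: default route via internet gateway (public subnet)")
    # Cryptographic Key Security: PHI log groups should use a customer-managed KMS key.
    for group in inv.get("LogGroups", []):
        if not group.get("kmsKeyId"):
            findings.append(f"{group['logGroupName']}: log group has no customer-managed KMS key")
    return findings
```

Each returned string names the resource and the checklist item it violates, so the list can be fed straight into a ticketing or review workflow.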

As the way we use data evolves, the methods of maintaining compliance must as well. Mission helps healthcare organizations create a consistent and reliable cloud environment. We work with you directly to ensure compliant applications and services. With Mission, your team will improve efficiency, security, and agility while fostering innovation throughout your organization.

Author Spotlight:

Tyler Stearns
