Maintaining HIPAA compliance is an ongoing and crucial concern for any company owner or manager operating in the healthcare vertical. Penalties for violating HIPAA include hefty civil fines and, in some cases, criminal charges. To keep the relevant data secure, Ibexlabs recommends building on Amazon Web Services (AWS), and in particular on the specific AWS services that are permitted to process or handle HIPAA-protected information (more on these below). To get there, consider HIPAA at every stage of your development process. By building individual services and your overall cloud architecture with HIPAA in mind, you will find it easier to remain compliant and avoid potential fines.
The Health Insurance Portability and Accountability Act (HIPAA) is a piece of legislation which aims to ensure that personal medical data remains private and secure. The act was enacted in 1996, but a lot has changed since then. Globally, we have witnessed an increase in severe cyber attacks, data breaches, and security lapses, in the healthcare sector especially. Most attacks were intended to access personal data, which attackers consider very valuable. One of the most dramatic recent examples is the Equifax data breach, which exposed the personal information of roughly 147 million people; Equifax is a credit bureau rather than a healthcare provider, but the incident shows how attractive large stores of personal data are. When we talk about HIPAA compliance, we are referring specifically to Title II of HIPAA, known as HIPAA Administrative Simplification. Title II directs the Department of Health and Human Services (HHS) to standardize rules for the processing and storage of all electronic healthcare transactions, records, and other data. It also sets out the HIPAA requirements that all healthcare organizations must adhere to regarding secure access to healthcare data.
HIPAA defines protected health information (PHI) as the following: “Protected health information is information, including demographic information, which relates to:
If you plan to store any PHI with an AWS cloud service, take steps to ensure that it is adequately protected. You must also accept additional terms with Amazon in the form of the AWS Business Associate Addendum (AWS BAA), which you accept through AWS Artifact.
You can use any of the 140+ AWS services to support your healthcare-related application, but only the services covered under the AWS BAA (the HIPAA Eligible Services list) may be used to transmit, process or store PHI. The full list is here. Note that eligibility is necessary but not sufficient: under the AWS shared responsibility model, AWS secures the underlying service, while configuring that service (encryption, access control, logging) so that PHI is actually protected remains your job. To remain HIPAA compliant when processing PHI using AWS cloud services, adhere to the general strategies below, and keep compliance at the forefront of your mind when deciding how to implement individual components.
If you plan to process any form of PHI with AWS cloud services, you will need a more considered approach than most development pipelines take. The potential fines and penalties for lapses in HIPAA compliance can be devastating to a business of any size. Even larger companies that can shoulder the fines still have to contend with the reputational damage that results from failing to safeguard customer data. For example, if you use AWS to handle both PHI and non-PHI data, use two distinct virtual private clouds (VPCs): one configured to process and handle PHI and the other for regular data. You need to guarantee that PHI cannot flow from the secure VPC to the general VPC, which means no VPC peering connection, transit gateway attachment or route table entry that joins the two. In addition, configure the PHI VPC in line with AWS's HIPAA guidance, which calls for PHI to be encrypted in transit and at rest.
Ibexlabs leverages NIST-based assurance frameworks on the AWS Cloud for its clients, in order to create architecture that complies with both HIPAA and NIST considerations. Building architecture that observes the NIST Cloud Computing program guidelines supports the secure and effective adoption of AWS with cost-effectiveness and improved service in mind. This is done through AWS CloudFormation templates that define infrastructure aligned with the AWS BAA mentioned above.

As a rule of best practice, always separate PHI from your general data streams. Use automation to track data flows through your AWS setup, and employ logical boundaries, such as the separate VPCs described above with no routes between them, to prevent protected information from slipping into your general data streams.
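As an added example that is not part of the original post or of any Ibexlabs or AWS tooling, the following Python script audits the logical boundary between a PHI VPC and everything else: it lists VPC peering connections that join a PHI VPC to a non-PHI VPC, and every route table entry (on either side) that would actually carry traffic across that boundary. The VPC, peering and route-table ids and the sample data are constructed; the dict shapes mirror the `VpcPeeringConnections` and `RouteTables` entries returned by boto3's `describe_vpc_peering_connections()` and `describe_route_tables()`, and the optional `audit_live_account` helper is the only part that needs boto3 and credentials.

```python
"""Audit route tables and peering connections for paths between a PHI VPC and
any other VPC.

Added example, not Ibexlabs' or AWS' own code. The dict shapes mirror the
'VpcPeeringConnections' and 'RouteTables' entries returned by boto3's
ec2.describe_vpc_peering_connections() and ec2.describe_route_tables(); the
VPC, peering and route-table ids below are constructed sample data.
"""

# Hypothetical: the VPC(s) designated to transmit, process or store PHI.
PHI_VPC_IDS = {"vpc-phi"}

# Constructed sample: one peering that crosses the PHI boundary (pcx-a) and one
# that does not (pcx-b, general <-> ops).
SAMPLE_PEERINGS = [
    {"VpcPeeringConnectionId": "pcx-a", "Status": {"Code": "active"},
     "RequesterVpcInfo": {"VpcId": "vpc-phi", "CidrBlock": "10.10.0.0/16"},
     "AccepterVpcInfo": {"VpcId": "vpc-general", "CidrBlock": "10.20.0.0/16"}},
    {"VpcPeeringConnectionId": "pcx-b", "Status": {"Code": "active"},
     "RequesterVpcInfo": {"VpcId": "vpc-general", "CidrBlock": "10.20.0.0/16"},
     "AccepterVpcInfo": {"VpcId": "vpc-ops", "CidrBlock": "10.30.0.0/16"}},
]

SAMPLE_ROUTE_TABLES = [
    # PHI VPC: local route plus a route into the general VPC over pcx-a (leak path).
    {"RouteTableId": "rtb-phi-app", "VpcId": "vpc-phi", "Routes": [
        {"DestinationCidrBlock": "10.10.0.0/16", "GatewayId": "local"},
        {"DestinationCidrBlock": "10.20.0.0/16", "VpcPeeringConnectionId": "pcx-a"}]},
    # PHI VPC: an isolated subnet with only the local route (fine).
    {"RouteTableId": "rtb-phi-db", "VpcId": "vpc-phi", "Routes": [
        {"DestinationCidrBlock": "10.10.0.0/16", "GatewayId": "local"}]},
    # General VPC: the return route into the PHI VPC (leak) and a benign route to ops.
    {"RouteTableId": "rtb-general", "VpcId": "vpc-general", "Routes": [
        {"DestinationCidrBlock": "10.20.0.0/16", "GatewayId": "local"},
        {"DestinationCidrBlock": "10.10.0.0/16", "VpcPeeringConnectionId": "pcx-a"},
        {"DestinationCidrBlock": "10.30.0.0/16", "VpcPeeringConnectionId": "pcx-b"}]},
]

# Peering states that carry traffic now or will as soon as someone accepts them.
LIVE_PEERING_STATES = {"active", "pending-acceptance", "provisioning"}


def cross_boundary_peerings(phi_vpc_ids, peerings):
    """Return ids of peering connections joining a PHI VPC to a non-PHI VPC."""
    found = []
    for pcx in peerings:
        if pcx["Status"]["Code"] not in LIVE_PEERING_STATES:
            continue
        sides = (pcx["RequesterVpcInfo"]["VpcId"], pcx["AccepterVpcInfo"]["VpcId"])
        # Exactly one end inside the PHI boundary means the peering crosses it.
        if sum(vpc in phi_vpc_ids for vpc in sides) == 1:
            found.append(pcx["VpcPeeringConnectionId"])
    return sorted(found)


def audit_phi_isolation(phi_vpc_ids, peerings, route_tables):
    """Report boundary-crossing peerings and every route, on either side, that
    would actually carry traffic across the PHI boundary."""
    bad_pcx = set(cross_boundary_peerings(phi_vpc_ids, peerings))
    leak_routes = []
    for rtb in route_tables:
        in_phi = rtb["VpcId"] in phi_vpc_ids
        for route in rtb["Routes"]:
            pcx = route.get("VpcPeeringConnectionId")
            tgw = route.get("TransitGatewayId")
            dest = (route.get("DestinationCidrBlock")
                    or route.get("DestinationIpv6CidrBlock")
                    or route.get("DestinationPrefixListId"))
            # A route over a boundary-crossing peering leaks from either side;
            # any peering or transit-gateway route inside the PHI VPC also
            # sends traffic to another VPC and is reported.
            if (pcx and pcx in bad_pcx) or (in_phi and (pcx or tgw)):
                leak_routes.append((rtb["RouteTableId"], dest, pcx or tgw))
    return {"cross_boundary_peerings": sorted(bad_pcx), "leak_routes": leak_routes}


def audit_live_account(region_name):
    """Run the same audit against a real account (needs boto3 and credentials)."""
    import boto3  # imported here so the offline sample above runs without it
    ec2 = boto3.client("ec2", region_name=region_name)
    peerings = ec2.describe_vpc_peering_connections()["VpcPeeringConnections"]
    route_tables = ec2.describe_route_tables()["RouteTables"]
    return audit_phi_isolation(PHI_VPC_IDS, peerings, route_tables)


if __name__ == "__main__":
    report = audit_phi_isolation(PHI_VPC_IDS, SAMPLE_PEERINGS, SAMPLE_ROUTE_TABLES)
    for pcx in report["cross_boundary_peerings"]:
        print(f"peering {pcx} connects a PHI VPC to a non-PHI VPC")
    for rtb, dest, target in report["leak_routes"]:
        print(f"{rtb}: route {dest} -> {target} crosses the PHI boundary")
```

On the constructed sample the audit reports `pcx-a` as a boundary-crossing peering and two leak routes (the PHI side's route to 10.20.0.0/16 and the general VPC's return route to 10.10.0.0/16), while the general-to-ops peering is left alone. A peering with no routes over it is still reported, because it only takes one route table edit to turn it into a data path; running a check like this on a schedule is one concrete way to "use automation to track data flows" across the boundary.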
A number of AWS services allow for some degree of automation, especially when it comes to maintaining HIPAA compliance on AWS. Use these tools to automatically identify sensitive data and ensure that it is processed appropriately. (We outline the other services our AWS experts can leverage on your behalf here.) AWS Config gives you a full AWS resource inventory and configuration history and, crucially, continuous evaluation of your resources against rules you define. The Config reports it creates, along with other audit trails, provide information you can use to meet your HIPAA auditing obligations, and they make manual review of your compliance policies straightforward. With remediation actions attached to its rules, Config can also correct certain misconfigurations as soon as it detects them. Machine learning is increasingly used to classify sensitive data automatically, and the results so far are impressive. However, you should not rely entirely on an automated solution: it is important that you and your team understand how to remain HIPAA compliant, and there is a wealth of AWS resources available to help with that.
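To make the Config point concrete, here is an added example (not Ibexlabs' code and not one of AWS's managed rules, although AWS ships a managed rule, `encrypted-volumes`, with the same intent) of a custom AWS Config rule written as a Python Lambda. It evaluates each `AWS::EC2::Volume` configuration item and reports the volume as NON_COMPLIANT when it is not encrypted, which is the "encrypted at rest" requirement applied to EBS. The event layout is the one AWS Config delivers to custom-rule Lambdas on configuration changes; the volume ids and timestamps in `sample_event` are constructed, and only `lambda_handler` needs boto3.

```python
"""Custom AWS Config rule: flag EBS volumes that are not encrypted.

Added example, not Ibexlabs' code and not an AWS managed rule (AWS ships a
managed rule, encrypted-volumes, with the same intent). The event layout is the
one AWS Config passes to a custom-rule Lambda for configuration-change triggers;
the volume ids and timestamps in the sample events are constructed.
"""
import json


def evaluate_volume(item):
    """Decide COMPLIANT / NON_COMPLIANT / NOT_APPLICABLE for one configuration item."""
    if item["resourceType"] != "AWS::EC2::Volume":
        return "NOT_APPLICABLE", "rule evaluates EBS volumes only"
    if item.get("configurationItemStatus") in ("ResourceDeleted", "ResourceDeletedNotRecorded"):
        return "NOT_APPLICABLE", "volume no longer exists"
    # 'configuration' mirrors the describe_volumes() entry for the volume.
    if item["configuration"].get("encrypted") is True:
        return "COMPLIANT", "volume is encrypted at rest"
    return "NON_COMPLIANT", "unencrypted EBS volume: PHI at rest must be encrypted"


def build_evaluation(event):
    """Turn a Config invocation event into one put_evaluations() entry."""
    invoking = json.loads(event["invokingEvent"])
    if "configurationItem" not in invoking:
        # Oversized items arrive as a notification without the item; the full
        # item must be fetched with config.get_resource_config_history().
        # Not handled in this example.
        raise ValueError(f"unsupported messageType {invoking.get('messageType')}")
    item = invoking["configurationItem"]
    compliance, annotation = evaluate_volume(item)
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": annotation,
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }


def lambda_handler(event, context):
    """Lambda entry point: evaluate the item and report the verdict to AWS Config."""
    evaluation = build_evaluation(event)
    import boto3  # imported here so the evaluation logic above runs offline
    boto3.client("config").put_evaluations(
        Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation


def sample_event(volume_id, encrypted):
    """Constructed Config event for an AWS::EC2::Volume change (not a real capture)."""
    item = {
        "resourceType": "AWS::EC2::Volume",
        "resourceId": volume_id,
        "configurationItemStatus": "OK",
        "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z",
        "configuration": {"volumeId": volume_id, "encrypted": encrypted, "size": 100},
    }
    return {
        "invokingEvent": json.dumps({
            "messageType": "ConfigurationItemChangeNotification",
            "configurationItem": item,
        }),
        "ruleParameters": "{}",
        "resultToken": "constructed-token",
    }


if __name__ == "__main__":
    for vol, enc in (("vol-phi-db", True), ("vol-scratch", False)):
        print(json.dumps(build_evaluation(sample_event(vol, enc)), indent=2))
```

The verdict logic is kept in `evaluate_volume` so it can be unit-tested without AWS; `lambda_handler` only adds the `put_evaluations` call. Attaching a remediation action (for example an SSM Automation document that snapshots and re-creates the volume with encryption) to a rule like this is what turns Config from an audit trail into the "detect and remedy" loop described above, but the remediation itself must be designed with the same care as the rest of the PHI pipeline.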