Ensuring that a business maintains HIPAA compliance is an ongoing and crucial concern for any company owner or manager operating in the healthcare vertical. Penalties for violating HIPAA can include hefty fines and, in some cases, significant criminal charges. To keep all relevant data secure, Ibexlabs recommends the use of Amazon Web Services (AWS), and in particular the cloud-based AWS services that may be used to process or handle HIPAA-protected information while maintaining compliance. More on these below. Achieving this requires considering HIPAA at every stage of your development process. By building individual services and your overall cloud architecture with HIPAA in mind, you will find it easier to remain HIPAA-compliant and avoid potential fines.

What Is HIPAA?

The Health Insurance Portability and Accountability Act (HIPAA) is a piece of legislation which aims to ensure that personal medical data remains private and secure. The act was passed in 1996, but a lot has changed since then. Globally, we have witnessed an increase in severe cyber attacks, data breaches, and security lapses, in the healthcare sector especially. Most attacks were intended to access personal data, which attackers consider very valuable. One of the most dramatic recent examples is the Equifax data breach, which saw the personal information of 2.4 million people compromised. When we talk about HIPAA compliance, we are referring specifically to Title II of HIPAA, known as HIPAA Administrative Simplification. Title II directs the Department of Health and Human Services (DHHS) to standardize processing rules. These rules concern the processing and storage of all electronic healthcare transactions, records, and other data. The directive also sets out the HIPAA requirements that all healthcare organizations must adhere to regarding secure access to healthcare data.

Keeping Protected Health Information Secure on AWS

HIPAA defines protected health information (PHI) as the following: “Protected health information is information, including demographic information, which relates to:

  • the individual’s past, present, or future physical or mental health or condition,
  • the provision of health care to the individual, or
  • the past, present, or future payment for the provision of health care to the individual,

and that identifies the individual or for which there is a reasonable basis to believe can be used to identify the individual. Protected health information includes many common identifiers (e.g., name, address, birth date, Social Security Number) when they can be associated with the health information listed above.” (Source: HHS.gov)

If you are planning on storing any PHI with an AWS cloud service, take steps to ensure that it is adequately protected. You also have to accept additional terms and conditions with Amazon. These come in the form of the AWS Business Associate Addendum (AWS BAA) through AWS Artifact.

AWS Cloud Services

It is possible to use any of the 140+ AWS services to support your healthcare-related application. However, you must ensure that only the services covered under the AWS BAA are used to transmit, process or store PHI. The full list is here. To remain HIPAA compliant when processing PHI using AWS cloud services, adhere to the general strategies below, and keep compliance at the forefront of your mind when deciding how to implement individual components.

Architectural Strategies

If you plan to process any form of PHI with AWS cloud services, you will need to adopt a more considered approach than most development pipelines. The potential fines and penalties for lapses in HIPAA compliance can be devastating to a business of any size. Even larger companies that can shoulder the substantial fines will still have to contend with the reputational damage that results from failing to safeguard customer data. A basic example of the considered approach: if you are using AWS to handle both PHI and non-PHI data, you should use two distinct virtual private clouds (VPCs), one configured to process and handle PHI and the other for regular data. You need to guarantee that PHI cannot flow from the secure VPC to the general VPC. In addition, configure the PHI VPC in line with Amazon’s HIPAA guidelines to stay within AWS compliance.

National Institute of Standards and Technology (NIST)

Ibexlabs leverages NIST-based Assurance Frameworks on the AWS Cloud for its clients. Our team does this to create architecture which complies with both HIPAA and NIST considerations. Building architecture that observes the NIST Cloud Computing program guidelines assures the secure and effective adoption of AWS with cost-effectiveness and improved service in mind. This is possible through AWS CloudFormation templates that define infrastructure aligned with the previously mentioned AWS BAA. As a rule of best practice, always aim to separate PHI data from your general data streams. Make use of automation to track data flows through your AWS setup, and employ logical boundaries to prevent any protected information from slipping into your general data streams.
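The two-VPC separation described under Architectural Strategies only holds if nothing joins the PHI VPC to the general one, and the automation recommended above is how you keep checking that. The following is an added example, not Ibexlabs’ or AWS’s code: it audits VPC peering connections against a hypothetical DataClassification tag (values PHI or General) on each VPC, using dicts shaped like the EC2 DescribeVpcs and DescribeVpcPeeringConnections responses, with constructed sample data so it runs offline.

```python
# Added example (not Ibexlabs' or AWS's code): flag VPC peerings that would let traffic
# cross the PHI / general boundary. Assumes a hypothetical DataClassification=PHI|General
# tag on every VPC; inputs mirror the EC2 DescribeVpcs / DescribeVpcPeeringConnections shape.
LIVE_STATES = {"active", "pending-acceptance", "provisioning"}  # states that can carry traffic

def classify_vpcs(vpcs_response):
    """Map VpcId -> DataClassification tag value (None when the tag is absent)."""
    classes = {}
    for vpc in vpcs_response["Vpcs"]:
        tags = {t["Key"]: t["Value"] for t in vpc.get("Tags", [])}
        classes[vpc["VpcId"]] = tags.get("DataClassification")
    return classes

def find_isolation_violations(vpcs_response, peering_response):
    """(peering id, reason) for each live peering joining VPCs of different classification
    or touching an unclassified VPC; unknown data is treated as a boundary breach."""
    classes = classify_vpcs(vpcs_response)
    findings = []
    for pcx in peering_response["VpcPeeringConnections"]:
        if pcx["Status"]["Code"] not in LIVE_STATES:
            continue  # deleted/rejected/failed peerings cannot move data
        a, b = pcx["RequesterVpcInfo"]["VpcId"], pcx["AccepterVpcInfo"]["VpcId"]
        ca, cb = classes.get(a), classes.get(b)
        if ca is None or cb is None:
            findings.append((pcx["VpcPeeringConnectionId"], f"unclassified VPC: {a if ca is None else b}"))
        elif ca != cb:
            findings.append((pcx["VpcPeeringConnectionId"], f"crosses boundary {ca} <-> {cb}"))
    return findings

def _vpc(vpc_id, classification=None):
    tags = [{"Key": "DataClassification", "Value": classification}] if classification else []
    return {"VpcId": vpc_id, "Tags": tags}

def _pcx(pcx_id, state, requester, accepter):
    return {"VpcPeeringConnectionId": pcx_id, "Status": {"Code": state},
            "RequesterVpcInfo": {"VpcId": requester}, "AccepterVpcInfo": {"VpcId": accepter}}

# Constructed sample inventory: one PHI VPC, two general VPCs, one untagged VPC.
SAMPLE_VPCS = {"Vpcs": [_vpc("vpc-phi0001", "PHI"), _vpc("vpc-gen0001", "General"),
                        _vpc("vpc-gen0002", "General"), _vpc("vpc-notag01")]}
SAMPLE_PEERINGS = {"VpcPeeringConnections": [
    _pcx("pcx-ok", "active", "vpc-gen0001", "vpc-gen0002"),    # general <-> general: allowed
    _pcx("pcx-bad", "active", "vpc-phi0001", "vpc-gen0001"),   # PHI <-> general: violation
    _pcx("pcx-old", "deleted", "vpc-phi0001", "vpc-gen0002"),  # deleted: cannot carry traffic
    _pcx("pcx-unk", "active", "vpc-notag01", "vpc-phi0001"),   # untagged VPC: violation
]}

if __name__ == "__main__":
    for pcx_id, reason in find_isolation_violations(SAMPLE_VPCS, SAMPLE_PEERINGS):
        print(f"{pcx_id}: {reason}")
```

In a real account the same functions would be fed the output of the EC2 describe calls on a schedule; peering is only one path, so Transit Gateway attachments and cross-VPC PrivateLink endpoints would need equivalent checks.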

Automating Compliance

There are a number of Amazon cloud services available that allow for some degree of automation, especially when it comes to maintaining AWS HIPAA compliance. Use these tools to automatically identify sensitive data and ensure that it is processed appropriately. (We outline the other services our AWS experts can leverage on your behalf here.) AWS Config is a service that gives you a full AWS resource inventory and configuration history. Crucially, the service allows for periodic in-depth monitoring and auditing of your current data and policies. The detailed Config reports it creates, along with other tracked audit trails, provide information you can use to meet your HIPAA auditing obligations, and the reports make manual review of your compliance policies straightforward. Such constant monitoring enables the service to detect compliance issues as they arise and remedy them. The use of sophisticated AI to provide these services is on the rise, and the results we have seen so far are impressive. However, you should not rely entirely upon an automated solution. It is important that you and your team understand how to remain compliant with HIPAA, and there is a wealth of resources available that leverage your AWS status to facilitate this.

Securing Data

Amazon offers AWS users a robust privacy policy that supports HIPAA compliance, along with a multitude of tools for securing their cloud configuration, from Amazon CloudWatch Logs and AWS Shield to Amazon Inspector and AWS Key Management Service. All of these align with the Security Pillar of the AWS Well-Architected Framework best practices, the set of guidelines Ibexlabs builds all of its AWS architecture in accordance with. Keeping all your PHI separate from your general data streams and implementing a flawless architecture won’t count for much, however, if you have gaping holes in your overall security. That would place you in violation of HIPAA, as you have a duty to ensure that PHI remains secure and private. AWS offers an incredible depth of cloud services and built-in compliance measures to safeguard your development pipeline and support HIPAA compliance when handling PHI. However, you still need to take steps to ensure you are using them in a secure and compliant manner. Don’t forget to check out Ibexlabs’ Case Studies. You can discover how we’ve migrated and provided custom-built cloud solutions for our healthcare clients here. Ibexlabs is an experienced DevOps & Managed Services provider and an AWS consulting partner. Our AWS Certified DevOps consultancy team evaluates your infrastructure and makes recommendations based on your individual business or personal requirements. Contact us today and set up a free consultation to discuss a custom-built solution tailored just for you.