HIPAA on AWS: Requirements and Best Practices

What is HIPAA? 

The Health Insurance Portability and Accountability Act (HIPAA) of 1996 is a U.S. regulation to safeguard the confidentiality, integrity, and availability of electronic protected health information (ePHI). HIPAA includes a series of standards and requirements that organizations handling such data must adhere to. Businesses, known as covered entities, and their associates must ensure that appropriate administrative, physical, and technical safeguards are in place.

HIPAA has two main components: the Privacy Rule and the Security Rule. The Privacy Rule sets national standards for the protection of individuals’ medical records and personal health information. The Security Rule establishes standards to protect electronically stored and transmitted health information.

Is AWS HIPAA Compliant? 

Amazon Web Services (AWS) offers a secure infrastructure for healthcare providers and business associates that require HIPAA compliance. 

Many AWS services are HIPAA eligible (here is an updated list), and in addition, AWS provides tools and services that help organizations meet HIPAA requirements, including access control, auditing, and monitoring capabilities.

AWS’s compliance with HIPAA is formalized through its Business Associate Addendum (BAA), which must be executed by any AWS customer before storing or processing ePHI in the AWS environment. The BAA sets forth AWS’s obligations concerning the safeguarding of data, ensuring that AWS, as a business associate, adheres to the HIPAA standards. However, the responsibility for compliance remains shared between AWS and the customer.ith legitimate educational interests or in response to a subpoena.

Key Aspects and Requirements for HIPAA Compliance in AWS 

Business Associate Agreement (BAA)

A Business Associate Agreement (BAA) is a critical document in HIPAA compliance for any organization that manages ePHI. When utilizing AWS services, customers must sign a BAA with AWS. This agreement outlines the responsibilities of both parties regarding the protection and control of ePHI. The BAA ensures that AWS adheres to HIPAA requirements, maintaining secure hosting environments that meet compliance standards.

Without a signed BAA, it would not be legal to use AWS for storing or processing ePHI. This agreement isn’t just a formality but a legally binding document that sets AWS’s role in ensuring HIPAA compliance.

Access Control

In the context of HIPAA, access control ensures that only authorized personnel can access ePHI. AWS Identity and Access Management (IAM) enables granular control over who can access what resources within an AWS environment. By enforcing policies, organizations can restrict access based on the principle of least privilege, significantly reducing the risk of unauthorized access.

IAM allows detailed access controls to be set, ensuring that users can perform only the actions necessary for their roles. Organizations must regularly review and adjust these access controls to respond to changes in their operational environment or personnel roles.

Security Incident Procedures

HIPAA mandates procedures to handle security incidents effectively, ensuring that any breaches affecting ePHI are promptly and properly managed. AWS provides several tools and services to help organizations detect, respond to, and resolve security incidents. AWS CloudTrail and AWS Config, for example, offer detailed logging and configuration tracking to help monitor and audit AWS resource usage.

Incident response involves pre-defined policies that dictate how to handle breaches. Organizations must ensure that they have incident response plans that identify roles, responsibilities, and actions to be taken when a security incident occurs.

Transmission Security

Transmission security, another HIPAA requirement, ensures that ePHI is protected during its transfer across networks. AWS supports multiple mechanisms for secure data transmission, including HTTPS, VPNs, and dedicated direct connections. These measures protect data against interception, alteration, and unauthorized access during transit.

Securing data in transit is essential for preventing man-in-the-middle attacks and ensuring that sensitive information is not exposed during communication between systems. AWS’s encryption mechanisms leverage industry-standard protocols, ensuring high levels of security. Organizations should use these tools to encrypt traffic between AWS services and other components of their infrastructure to maintain end-to-end security.

Data Encryption

Data encryption is vital for maintaining the confidentiality and integrity of ePHI. AWS provides encryption options both for data at rest and in transit. Services like AWS Key Management Service (KMS) allow organizations to create and manage cryptographic keys easily, facilitating encryption for their data stored in AWS.

Encryption ensures that only authorized personnel can access the data. Even if encrypted data is intercepted or accessed without authorization, it would be useless without the correct decryption keys.

Data Backup and Recovery

HIPAA regulations require that ePHI is backed up and can be recovered after a data loss incident. AWS offers multiple backup solutions, such as AWS Backup, which centralizes and automates data backup across AWS services. These backups ensure that data can be restored quickly in the event of accidental deletion, corruption, or ransomware attack.

Having a data backup and recovery strategy is essential for protecting against data loss incidents and ensuring the continuity of healthcare operations. Regularly testing backup and recovery procedures is necessary to confirm these processes work as intended when needed. AWS provides various options to customize backup retention policies and automate the backup lifecycle.

Tips from the expert

Steve Moore is Vice President and Chief Security Strategist at Exabeam, helping drive solutions for threat detection and advising customers on security programs and breach response. He is the host of the “The New CISO Podcast,” a Forbes Tech Council member, and Co-founder of TEN18 at Exabeam.

In my experience, here are tips that can help you improve HIPAA compliance on AWS:

Leverage Amazon Macie for ePHI discovery and classification: Use Amazon Macie to automatically discover, classify, and protect sensitive data like ePHI within your S3 buckets. This helps ensure that you’re not only aware of where ePHI is stored but also that appropriate protective measures are in place.

Utilize AWS Secrets Manager for managing access credentials: Securely manage and rotate access credentials, such as API keys and database passwords, using AWS Secrets Manager. This reduces the risk of unauthorized access to ePHI by ensuring that credentials are not hard-coded or left unmanaged.

Implement VPC endpoints for private connectivity: Use VPC endpoints to connect to AWS services without leaving the Amazon network. This limits exposure to the public internet, reducing the attack surface and better securing ePHI data in transit.

Conduct regular penetration testing and vulnerability assessments: Schedule regular penetration testing and vulnerability assessments, specifically focused on your AWS environment, to identify and mitigate potential weaknesses that could expose ePHI to unauthorized access.

Use AWS Service Catalog to standardize compliant configurations: Create a catalog of pre-approved, HIPAA-compliant configurations using AWS Service Catalog. This helps ensure that teams deploy resources consistently in line with compliance

Best Practices for HIPAA Compliance on AWS

Use HIPAA-Eligible Services on AWS

AWS designates specific services as HIPAA-eligible, meaning they can be configured to store, process, and transmit ePHI in a compliant manner. Examples of HIPAA-eligible services include Amazon S3, Amazon RDS, and Amazon EC2.

When designing and deploying applications, it’s essential to verify that only HIPAA-eligible services are used for handling ePHI. AWS provides documentation and guidance for configuring these services securely, ensuring that they meet the necessary compliance standards.

Implement Strict Access Controls Using AWS IAM

Implementing strict access controls using AWS Identity and Access Management (IAM) is essential for HIPAA compliance. IAM policies should limit user access based on their roles and responsibilities, adhering to the principle of least privilege. This approach minimizes the risk of unauthorized access to ePHI.

Regular audits of IAM policies are necessary to ensure they align with current organizational needs. Revoking unnecessary permissions and maintaining detailed logs of access changes enhance security and compliance. AWS provides tools like IAM Access Analyzer to help monitor and validate access configurations actively.

Implement Automated Backup with AWS Backup

Automated backup solutions are essential for ensuring data resilience and complying with HIPAA’s data backup requirements. AWS Backup offers a centralized service to manage backups across AWS services, automating backup scheduling, retention, and lifecycle management.

Regularly testing backup and recovery procedures confirm that data can be restored promptly during a failure. AWS’s automated solutions ensure that backups are consistent and up-to-date, reducing manual intervention and the likelihood of errors that could compromise data integrity and HIPAA compliance.

Use AWS Config Rules to Enforce Compliance with HIPAA Policies

AWS Config Rules allows organizations to automatically enforce compliance with HIPAA policies by continuously monitoring and evaluating AWS resource configurations. These rules can trigger alerts or remediation actions when configurations deviate from compliant states, helping maintain security and compliance.

By using AWS Config Rules, organizations can proactively manage their compliance posture. Automated compliance checks and remediation actions reduce the time and effort required to audit and correct non-compliant resources, ensuring continuous adherence to HIPAA standards.

Use AWS CloudTrail and CloudWatch for Logging and Monitoring

Logging and monitoring are critical for detecting and responding to security incidents, as mandated by HIPAA. AWS CloudTrail and CloudWatch provide logging and monitoring capabilities, capturing detailed activity logs for AWS account actions and resource usage.

By leveraging these services, organizations can maintain an auditable trail of activities, which is vital for investigating incidents and proving compliance. Setting up alerts for suspicious activity and regular log reviews help ensure that potential breaches are identified and addressed promptly, safeguarding ePHI.

HIPAA Compliance with Exabeam

Noncompliance with HIPAA can result in heavy fines from OCR and other consequences. When patch management, access controls, and monitoring are not fully implemented with the right solution stack, it leaves the organization vulnerable to ransomware and other attack vectors that can impact patient care. 

Exabeam Security Operations Platform telemetry combines logs with context, security intelligence feeds, and AI analysis to identify anomalous behaviors that indicate potential attacks. Pre-built Dashboards make HIPAA Compliance reporting easier. Whether you are using a framework like NIST or MITRE ATT&CK^Ⓡ, Exabeam offers a clear path to track your compliance and governance request needs — while all establishing what normal looks like in your environment and for every entity logged in. 

The Outcomes Navigator offers continuous visualization and insight into your detection coverage and improvements made, which provides suggestions for improvements in log parsing as well as showing which sources and detections are most effective against which parts of the ATT&CK framework and use cases are most indicative of network penetration, persistence, and lateral movement.