Check for Non-Compliant HIPAA AWS Resources
Ensure that every resource that processes, stores or transmits Protected Health Information (PHI) within your AWS account is HIPAA eligible (i.e. covered by the AWS Business Associate Addendum (BAA)), so that you can run HIPAA-regulated workloads on AWS. The Health Insurance Portability and Accountability Act (HIPAA) sets the standard for protecting sensitive patient data, and its Privacy and Security Rules define the safeguards required for PHI. PHI covers a wide set of individually identifiable health and health-related data, including diagnoses, clinical care data, lab results (including images and test results), and insurance and billing information. The HIPAA rules apply to covered entities, such as hospitals, medical service providers, employer-sponsored health plans, research facilities and insurance companies that manage patient data, and to the business associates that handle PHI on their behalf. Any resource can be provisioned within an AWS account designated as a HIPAA account, but PHI may only be processed, stored and transmitted using the HIPAA-eligible services and resources covered under the AWS BAA.
A service is HIPAA eligible when AWS has included it in the BAA; eligibility alone does not make a resource compliant. Under the shared responsibility model you still have to configure each eligible resource so that PHI is encrypted in transit and at rest, access to it is restricted and logged, and backups and disaster recovery are in place. For example, Amazon EC2 is HIPAA eligible: you can use EC2 instances to store and analyze PHI and to build HIPAA-compliant applications, and researchers, healthcare providers, hospital administrators and other users can analyze, visualize or process PHI on EC2 in accordance with the HIPAA standard, provided the instances and their storage are configured as the BAA requires. Cloud Conformity strongly recommends that you process, store and transmit PHI using only HIPAA-eligible services and resources, as defined in the AWS BAA. At the time of writing the list is:
- AWS Amplify Console
- Amazon API Gateway
- AWS AppSync
- Amazon Athena
- Amazon Aurora (MySQL, PostgreSQL)
- Amazon Auto Scaling
- AWS Batch
- AWS Certificate Manager
- AWS CloudFormation
- Amazon CloudFront (including Lambda@Edge)
- AWS CloudHSM
- AWS CloudTrail
- Amazon CloudWatch
- Amazon CloudWatch Events
- Amazon CloudWatch Logs
- AWS CodeBuild
- AWS CodeCommit
- AWS CodeDeploy
- Amazon Cognito
- Amazon Comprehend
- AWS Config
- Amazon Connect
- AWS Database Migration Service
- AWS DataSync
- AWS Direct Connect
- AWS Directory Services (excluding Simple AD and AD Connector)
- Amazon DynamoDB
- Amazon ElastiCache (Redis)
- Amazon Elasticsearch Service
- AWS Elastic Beanstalk
- Amazon EBS
- Amazon EC2
- Amazon Elastic Container Registry (ECR)
- Amazon Elastic Container Service (ECS)
- Amazon Elastic Container Service for Kubernetes
- Amazon Elastic File System (EFS)
- Elastic Load Balancing
- Amazon Elastic MapReduce (EMR)
- AWS Elemental MediaConnect
- AWS Elemental MediaConvert
- AWS Elemental MediaLive
- AWS Firewall Manager
- Amazon FreeRTOS
- Amazon FSx
- Amazon Glacier
- AWS Global Accelerator
- AWS Greengrass
- Amazon GuardDuty
- Amazon Inspector
- AWS IoT (Core and Device Management)
- AWS Key Management Service
- Amazon Kinesis Analytics
- Amazon Kinesis Data Streams
- Amazon Kinesis Firehose
- Amazon Kinesis Video Streams
- AWS Lambda
- Amazon Macie
- AWS Managed Services
- Amazon MQ
- AWS OpsWorks
- Amazon Polly
- Amazon QuickSight
- Amazon Rekognition
- Amazon Redshift
- Amazon RDS (SQL Server, MySQL, Oracle, PostgreSQL and MariaDB database engines)
- AWS RoboMaker
- Amazon Route 53
- Amazon SageMaker (excluding Public Workforce and Vendor Workforce)
- AWS Secrets Manager
- AWS Security Hub
- AWS Service Catalog
- AWS Serverless Application Repository
- AWS Server Migration Service
- AWS Shield
- Amazon Simple Notification Service (SNS)
- Amazon Simple Queue Service (SQS)
- Amazon S3 (including S3 Transfer Acceleration)
- Amazon Simple Workflow
- AWS Snowball
- AWS Snowball Edge
- AWS Snowmobile
- AWS Step Functions
- AWS Storage Gateway
- AWS Systems Manager
- Amazon Transcribe
- AWS Transfer for SFTP
- Amazon Translate
- Amazon Virtual Private Cloud (VPC)
- AWS VM Import/Export
- AWS Web Application Firewall (WAF)
- Amazon WorkDocs
- Amazon WorkSpaces
- AWS X-Ray
The most current list of HIPAA-eligible services can be found on the AWS HIPAA Eligible Services Reference page (see References below). Consult it before you design, create or upgrade the HIPAA environment within your AWS account, because eligibility is granted per service and the list changes over time. An example of a non-eligible resource is an Amazon Neptune database cluster: Amazon Neptune is not HIPAA eligible at the time of writing. Using a non-eligible service to process, store or transmit PHI (patient identification numbers; demographic data such as birth dates, gender, ethnicity, contact and emergency-contact information; diagnoses, treatment information, medical test results and prescription information) falls outside the BAA regardless of how well the resource itself is secured, so your organization can be fined for failing to comply with the HIPAA Security Rule. Cloud Conformity therefore strongly recommends migrating any PHI held by a non-eligible resource to an eligible service and then terminating the non-eligible resource (for example, the Amazon Neptune cluster) in order to avoid penalties and fines. To help your organization maintain HIPAA compliance, Cloud Conformity monitors your AWS account in real time and sends notification alerts as soon as a resource is created outside the HIPAA-eligible set.
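The check described above, as an added example that is not Cloud Conformity's rule implementation: each resource in an inventory is mapped to its ARN service namespace and compared against the eligible-services list, with engine- and type-level rules for the services the list only partly covers (RDS engines, ElastiCache for Redis only, Directory Service excluding Simple AD and AD Connector). The practical caveat it encodes is that `aws rds describe-db-clusters` also returns Amazon Neptune clusters (with `Engine` set to `neptune` and an `rds:` ARN), so a check keyed on the namespace alone would pass a Neptune cluster as eligible RDS. The inventory is constructed to mimic the ARN plus `Engine`/`Type` fields of the RDS, ElastiCache and Directory Service describe APIs so the script runs offline; in practice you would build the same records from boto3 or the AWS CLI. The namespace-to-service mapping is the author's assumption and covers only a subset of the page's list.

```python
"""Audit an AWS resource inventory against the HIPAA-eligible services list.

Added example for this page; not Cloud Conformity's rule engine. The inventory
is CONSTRUCTED (fake account ID and resource names) to mimic the ARN plus the
"Engine"/"Type" fields returned by the RDS, ElastiCache and Directory Service
describe-* APIs, so the script runs offline.
"""
import json
import re

# Subset of the page's HIPAA-eligible services, keyed by ARN service namespace.
# ASSUMPTION: this namespace mapping is the author's, not AWS's; extend it from
# the full eligible-services list before relying on it.
ELIGIBLE_NAMESPACES = {
    "ec2", "s3", "lambda", "dynamodb", "kms", "cloudtrail", "logs", "sns", "sqs",
    "elasticloadbalancing", "ecr", "ecs", "eks", "elasticfilesystem",
    "secretsmanager", "states", "rds", "elasticache", "ds",
}

# Services that the page lists as eligible only for some engines or types.
ELIGIBLE_RDS_ENGINES = ("mysql", "mariadb", "postgres", "oracle-", "sqlserver-", "aurora")
ELIGIBLE_ELASTICACHE_ENGINES = ("redis",)
EXCLUDED_DS_TYPES = {"SimpleAD", "ADConnector"}  # Directory Service exclusions

ARN_RE = re.compile(
    r"^arn:(?P<partition>[^:]+):(?P<service>[^:]+):(?P<region>[^:]*):"
    r"(?P<account>[^:]*):(?P<resource>.+)$"
)


def parse_arn(arn: str) -> dict:
    """Split an ARN into its fields; S3 ARNs have an empty region and account."""
    match = ARN_RE.match(arn)
    if match is None:
        raise ValueError(f"not an ARN: {arn!r}")
    return match.groupdict()


def classify(resource: dict) -> tuple:
    """Return (verdict, reason); verdict is 'eligible' or 'not-eligible'."""
    service = parse_arn(resource["arn"])["service"]
    engine = resource.get("engine", "").lower()

    if service == "rds":
        # Neptune clusters come back from `rds describe-db-clusters` with
        # Engine "neptune" and an rds: ARN, so decide on the engine, not the
        # namespace, or the Neptune cluster passes as eligible RDS.
        if engine == "neptune":
            return "not-eligible", "Amazon Neptune is not on the HIPAA-eligible list"
        if engine.startswith(ELIGIBLE_RDS_ENGINES):
            return "eligible", f"RDS/Aurora engine {engine}"
        return "not-eligible", f"database engine {engine!r} is not on the eligible list"

    if service == "elasticache":
        if engine.startswith(ELIGIBLE_ELASTICACHE_ENGINES):
            return "eligible", "ElastiCache for Redis"
        return "not-eligible", f"ElastiCache engine {engine!r} is not covered (Redis only)"

    if service == "ds":
        directory_type = resource.get("type", "")
        if directory_type in EXCLUDED_DS_TYPES:
            return "not-eligible", f"Directory Service type {directory_type} is excluded"
        return "eligible", f"Directory Service type {directory_type}"

    if service in ELIGIBLE_NAMESPACES:
        return "eligible", f"service namespace {service} is on the eligible list"
    return "not-eligible", f"service namespace {service!r} is not on the eligible list"


def audit(inventory: list) -> list:
    """Return the resources that must not hold PHI, with the reason for each."""
    findings = []
    for resource in inventory:
        verdict, reason = classify(resource)
        if verdict != "eligible":
            findings.append({"arn": resource["arn"], "reason": reason})
    return findings


# CONSTRUCTED inventory: fake account ID and resource names.
SAMPLE_INVENTORY = [
    {"arn": "arn:aws:rds:us-east-1:123456789012:cluster:phi-graph", "engine": "neptune"},
    {"arn": "arn:aws:rds:us-east-1:123456789012:db:patients-db", "engine": "postgres"},
    {"arn": "arn:aws:rds:us-east-1:123456789012:cluster:claims", "engine": "aurora-mysql"},
    {"arn": "arn:aws:elasticache:us-east-1:123456789012:cluster:sessions", "engine": "memcached"},
    {"arn": "arn:aws:elasticache:us-east-1:123456789012:replicationgroup:phi-cache", "engine": "redis"},
    {"arn": "arn:aws:ds:us-east-1:123456789012:directory/d-1234567890", "type": "SimpleAD"},
    {"arn": "arn:aws:s3:::phi-imaging-bucket"},
    {"arn": "arn:aws:lightsail:us-east-1:123456789012:Instance/web-1"},
]

if __name__ == "__main__":
    # Four of the eight constructed resources are flagged: the Neptune cluster,
    # the memcached cluster, the Simple AD directory and the Lightsail instance.
    print(json.dumps(audit(SAMPLE_INVENTORY), indent=2))
```

Treat a flagged resource as a data question first (does it actually hold PHI, and where must that PHI move to) and only then as a termination task; the script tells you what is outside the BAA, not whether PHI is in it.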
Remediation / Resolution
Amazon Web Services provides the infrastructure controls needed to satisfy the HIPAA security requirements, so you can use AWS services and resources to build applications that store, process and transmit sensitive health-related information, consistent with your organization's privacy and security obligations; configuring those services correctly (encryption, access control, logging, backups) remains your responsibility. AWS will also enter into a Business Associate Agreement (BAA) with your healthcare organization, a contract that outlines how PHI is handled, the responsibilities each party takes on and the specific obligations under the HIPAA standard. The AWS BAA can be reviewed and accepted through AWS Artifact, and can be accepted for every account in an AWS Organization. All AWS services can be used within a healthcare application, but only services and resources covered by the AWS BAA can be used to store, process and transmit PHI. Using services or resources that are not covered by the BAA for PHI fails to comply with HIPAA, which can lead to losing the trust of your customers, legal action against your healthcare organization, or fines for violating the HIPAA Security Rule.
References
- AWS Documentation
  - Healthcare Compliance in the Cloud
  - HIPAA
  - AWS Compliance Architectures
  - HIPAA Eligible Services Reference
  - Architecting for HIPAA Security and Compliance on Amazon Web Services
- AWS Blog(s)
  - Frequently Asked Questions About HIPAA Compliance in the AWS Cloud
  - Accept a BAA with AWS for all accounts in your organization