Healthcare Compliance on AWS Cloud

How to protect PHI and PII on AWS and stay HIPAA compliant

The Challenge

HIPAA regulations were written to protect patient privacy in the healthcare industry while it adopts the latest technology available on the market. Healthcare handles both Personally Identifiable Information (PII) and Protected Health Information (PHI).

  • PII examples: name, address, ID number and any other piece of information about an individual that can lead back to that individual.
  • PHI examples: medical records, biometric identifiers, certificates and all dates directly linked to an individual (birth, death, discharge from hospital).
The main challenge in working with the healthcare industry and complying with HIPAA regulations is to keep the data safe, confidential and accessible, both at rest and in transit.

One of the key things to do to keep data safe is to encrypt it. That means a large number of encryption keys that need to be managed and rotated every year. Another important thing is to keep the network as private as possible and to restrict access to the servers themselves, not just to the data.
In development environments, developers sometimes ignore security guidelines to speed up development. Then, when the code moves to production, things start to break.

The Goal

First, we need to isolate the network and restrict access to it: no server is exposed to the outside world, and public-facing services are protected with firewalls (such as AWS WAF on an ELB or on CloudFront), so that nobody can reach the data directly. Second, we need to make sure all environments are isolated from each other (Dev can’t access Prod) and that each one’s connections are private, so that no data breach can occur. We want to know who accesses our environment and what they can do in it: all sessions are recorded, access is restricted and monitored, and even if unauthorized personnel try to get at the data, we will know about it. Finally, all data must be encrypted (in both EBS and S3) and backed up as thoroughly as possible, so that no data is ever lost.

The Solution Architecture:

[Architecture diagram: HC_arch-1]

The Cloudride Solution:

We took a small startup and decoupled their application and networks. They went from an architecture of servers with public IPs that could be reached from anywhere to a private, isolated network. The servers are not reachable from the internet at all; traffic enters only through an Application Load Balancer and a CloudFront distribution, both with AWS WAF integrated. For administrators and developers to reach a server, they need a VPN connection and must go through a recorded bastion server that logs every action they take. It is impossible to connect from Dev to Prod; all connections between environments are private, using VPC peering. Even access to public services such as S3 goes over a private connection, a VPC endpoint.
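The exposure audit below is an added example, not Cloudride’s tooling or the startup’s code. It checks the two properties the migration established, no public IPs on servers and no security-group rule open to the internet, and it runs offline over constructed dicts shaped like the Instances and SecurityGroups lists returned by the EC2 DescribeInstances and DescribeSecurityGroups APIs. The instance ids, the group ids and the assumption that sg-alb is the load balancer’s security group are all made up for the example; feed it real API output (for instance from boto3) to audit a live account.

```python
"""Audit EC2 instances for internet exposure (added example, not Cloudride's code)."""

# Constructed sample data. i-app is the target state (no public IP, HTTPS only
# from the ALB's security group); i-legacy is the pre-migration state (public
# IP, SSH open to every IPv4 address, all traffic open to every IPv6 address).
SAMPLE_INSTANCES = [
    {"InstanceId": "i-app", "PrivateIpAddress": "10.20.1.10",
     "SecurityGroups": [{"GroupId": "sg-app"}]},
    {"InstanceId": "i-legacy", "PrivateIpAddress": "10.20.1.11",
     "PublicIpAddress": "203.0.113.10",
     "SecurityGroups": [{"GroupId": "sg-legacy"}]},
]

SAMPLE_SECURITY_GROUPS = [
    {"GroupId": "sg-app", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [], "Ipv6Ranges": [],
         "UserIdGroupPairs": [{"GroupId": "sg-alb"}]},
    ]},
    {"GroupId": "sg-legacy", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [],
         "UserIdGroupPairs": []},
        {"IpProtocol": "-1",
         "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}],
         "UserIdGroupPairs": []},
    ]},
]

# Security groups allowed to reach application servers (assumption: sg-alb is
# the Application Load Balancer's group).
ALLOWED_SOURCE_GROUPS = {"sg-alb"}

INTERNET_CIDRS = {"0.0.0.0/0", "::/0"}


def describe_rule(perm):
    """Human-readable protocol/port description of one IpPermissions entry."""
    if perm.get("IpProtocol") == "-1":
        return "all traffic"
    return f"{perm['IpProtocol']}/{perm.get('FromPort')}-{perm.get('ToPort')}"


def rule_is_open_to_internet(perm):
    """True if the rule admits any IPv4 or IPv6 source address."""
    cidrs = [r.get("CidrIp") for r in perm.get("IpRanges", [])]
    cidrs += [r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])]
    return any(c in INTERNET_CIDRS for c in cidrs)


def audit_exposure(instances, security_groups, allowed_sources=ALLOWED_SOURCE_GROUPS):
    """Return (instance_id, finding) pairs for every instance that is reachable
    from the internet or from a security group not on the allow list."""
    groups = {g["GroupId"]: g for g in security_groups}
    findings = []
    for inst in instances:
        iid = inst["InstanceId"]
        if inst.get("PublicIpAddress"):
            findings.append((iid, f"public IP {inst['PublicIpAddress']} attached"))
        for ref in inst.get("SecurityGroups", []):
            sg = groups.get(ref["GroupId"])
            if sg is None:
                continue  # group not part of the snapshot; nothing to check
            for perm in sg.get("IpPermissions", []):
                if rule_is_open_to_internet(perm):
                    findings.append(
                        (iid, f"{sg['GroupId']} allows {describe_rule(perm)} from the internet"))
                for pair in perm.get("UserIdGroupPairs", []):
                    src = pair.get("GroupId")
                    # Self-references (members of the same group) are normal.
                    if src != sg["GroupId"] and src not in allowed_sources:
                        findings.append(
                            (iid, f"{sg['GroupId']} allows {describe_rule(perm)} from unexpected group {src}"))
    return findings


if __name__ == "__main__":
    for instance_id, finding in audit_exposure(SAMPLE_INSTANCES, SAMPLE_SECURITY_GROUPS):
        print(f"{instance_id}: {finding}")
```

Run against the sample, the audit reports nothing for i-app and three findings for i-legacy, which is exactly the state the private, ALB-fronted design removes. The same function can run on a schedule against DescribeInstances output as a lightweight check that nobody has re-exposed a server.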

As for the data itself, we use SSL/TLS certificates to authenticate endpoints and encrypt the data in transit, and encrypted EBS volumes and S3 buckets to keep the data encrypted at rest. We use AWS Config rules to prevent the creation of unencrypted volumes.

As for backups, all backups are managed in an AWS Backup vault and Amazon Glacier, which hold the server backups and the account’s event trail logs.

As for monitoring, every action in the account is monitored: API actions with CloudTrail, changes to security rules with AWS Config, and the ALB and CloudFront write their access logs to an S3 bucket.
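Collecting CloudTrail logs is only half of the monitoring; someone has to look at them. The triage script below is an added example, not Cloudride’s tooling, showing what that looks like for the controls named above: it flags security-rule changes, tampering with the trail itself and console sign-ins without MFA. The records are constructed, but they use CloudTrail’s real field names (eventSource, eventName, userIdentity, sourceIPAddress, additionalEventData) and the "Records" wrapper CloudTrail delivers to S3, so load_records() can be pointed at a real log file; the user names and IP addresses are invented.

```python
"""Triage CloudTrail events for security-relevant actions (added example)."""
import json

# Constructed sample log in the shape CloudTrail delivers to S3.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-01-10T08:01:12Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress",
     "userIdentity": {"type": "IAMUser", "userName": "dev-alice"},
     "sourceIPAddress": "10.20.0.5",
     "requestParameters": {"groupId": "sg-app"}},
    {"eventTime": "2024-01-10T08:02:40Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances",
     "userIdentity": {"type": "IAMUser", "userName": "dev-alice"},
     "sourceIPAddress": "10.20.0.5"},
    {"eventTime": "2024-01-10T09:15:03Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/Admin/bob"},
     "sourceIPAddress": "198.51.100.7"},
    {"eventTime": "2024-01-10T09:20:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "carol"},
     "sourceIPAddress": "198.51.100.9",
     "additionalEventData": {"MFAUsed": "No"}},
]})

# API calls that change the network security rules the article relies on.
SECURITY_RULE_EVENTS = {
    "AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
    "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress",
    "CreateSecurityGroup", "DeleteSecurityGroup",
    "CreateNetworkAclEntry", "DeleteNetworkAclEntry", "ReplaceNetworkAclEntry",
}
# API calls that weaken or switch off the audit trail itself.
TRAIL_TAMPER_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}


def load_records(text):
    """Parse one CloudTrail log file (a JSON object with a 'Records' list)."""
    return json.loads(text).get("Records", [])


def actor(record):
    """Best available name for who performed the action."""
    ident = record.get("userIdentity") or {}
    return ident.get("userName") or ident.get("arn") or ident.get("type", "unknown")


def classify(record):
    """Return (severity, reason) if the record needs attention, else None."""
    name = record.get("eventName", "")
    source = record.get("eventSource", "")
    if source == "cloudtrail.amazonaws.com" and name in TRAIL_TAMPER_EVENTS:
        return ("high", "audit trail modified")
    if source == "ec2.amazonaws.com" and name in SECURITY_RULE_EVENTS:
        return ("medium", "security rule changed")
    extra = record.get("additionalEventData") or {}
    if name == "ConsoleLogin" and extra.get("MFAUsed") != "Yes":
        return ("medium", "console login without MFA")
    return None


def triage(records):
    """Reduce a batch of records to the alerts worth a human's attention."""
    alerts = []
    for rec in records:
        hit = classify(rec)
        if hit is None:
            continue
        alerts.append({
            "time": rec.get("eventTime"),
            "severity": hit[0],
            "reason": hit[1],
            "event": rec.get("eventName"),
            "actor": actor(rec),
            "source_ip": rec.get("sourceIPAddress"),
        })
    return alerts


if __name__ == "__main__":
    for alert in triage(load_records(SAMPLE_LOG)):
        print(f"[{alert['severity']}] {alert['time']} {alert['event']} by "
              f"{alert['actor']} from {alert['source_ip']}: {alert['reason']}")
```

The routine read (DescribeInstances) is ignored, while the security-group change, the StopLogging call and the MFA-less login each produce an alert. In production the same classification runs in whatever consumes the S3 bucket the trail writes to, with the "high" class routed to an immediate notification.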

If it’s all a bit too much, no worries, we’re here to help you out!

Policies & Config Rules

Even if you harden your whole environment, someone can still make changes and bring in unapproved, non-compliant resources. So maintain the hardening with policies and AWS Config rules to make sure this doesn’t happen.
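To make the "encrypted at rest" requirement from the case study and the Config-rule advice above concrete, here is an added example of a custom AWS Config rule written as a Lambda handler; it is not Cloudride’s rule. AWS already ships managed rules for this check (encrypted-volumes and s3-bucket-server-side-encryption-enabled), so a custom rule like this is only needed when you want an extra condition, such as requiring one specific KMS key. The handler parses the invokingEvent Config passes to a rule’s Lambda function; the field names for the EBS volume configuration are Config’s, while the layout assumed for the S3 bucket’s supplementaryConfiguration should be checked against a real configuration item before deployment. The resource ids, key ARN and rule parameter name requiredKmsKeyArn are constructed, and the put_evaluations call is left as a comment so the block runs offline.

```python
"""Custom AWS Config rule for encryption at rest on EBS volumes and S3 buckets.

Added example, not Cloudride's code. The Lambda handler shape (invokingEvent,
ruleParameters, resultToken) and the evaluation dict returned are the ones
AWS Config uses; the S3 supplementaryConfiguration layout is an assumption.
"""
import json


def _as_dict(value):
    """Config sometimes delivers supplementary values as JSON strings."""
    if isinstance(value, str):
        return json.loads(value)
    return value or {}


def evaluate_volume(config, required_key=None):
    """AWS::EC2::Volume configuration: 'encrypted' and 'kmsKeyId' fields."""
    if not config.get("encrypted"):
        return "NON_COMPLIANT", "EBS volume is not encrypted"
    if required_key and config.get("kmsKeyId") != required_key:
        return "NON_COMPLIANT", "EBS volume is encrypted with an unapproved key"
    return "COMPLIANT", "EBS volume is encrypted at rest"


def evaluate_bucket(supplementary, required_key=None):
    """AWS::S3::Bucket: default encryption from supplementaryConfiguration
    (layout assumed; verify against a real configuration item)."""
    sse = _as_dict(supplementary.get("ServerSideEncryptionConfiguration"))
    for rule in sse.get("rules") or []:
        default = rule.get("applyServerSideEncryptionByDefault") or {}
        algorithm = default.get("sseAlgorithm")
        if algorithm not in ("AES256", "aws:kms"):
            continue
        if required_key and default.get("kmsMasterKeyID") != required_key:
            return "NON_COMPLIANT", "bucket default encryption uses an unapproved key"
        return "COMPLIANT", f"bucket default encryption is {algorithm}"
    return "NON_COMPLIANT", "bucket has no default server-side encryption"


def evaluate_compliance(item, required_key=None):
    """Map one configuration item to a Config compliance type and annotation."""
    if item.get("configurationItemStatus") == "ResourceDeleted":
        return "NOT_APPLICABLE", "resource was deleted"
    rtype = item.get("resourceType")
    if rtype == "AWS::EC2::Volume":
        return evaluate_volume(item.get("configuration") or {}, required_key)
    if rtype == "AWS::S3::Bucket":
        return evaluate_bucket(item.get("supplementaryConfiguration") or {}, required_key)
    return "NOT_APPLICABLE", f"rule does not cover {rtype}"


def lambda_handler(event, context=None):
    """Entry point Config invokes; returns the evaluation it would report."""
    invoking = json.loads(event["invokingEvent"])
    item = invoking["configurationItem"]
    params = json.loads(event.get("ruleParameters") or "{}")
    compliance, annotation = evaluate_compliance(item, params.get("requiredKmsKeyArn"))
    evaluation = {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": annotation,
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }
    # Deployed rule: boto3.client("config").put_evaluations(
    #     Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation


# Constructed sample configuration items and the Config event wrapping them.
def sample_event(item, rule_parameters=None):
    return {
        "invokingEvent": json.dumps({"configurationItem": item,
                                     "messageType": "ConfigurationItemChangeNotification"}),
        "ruleParameters": json.dumps(rule_parameters or {}),
        "resultToken": "constructed-token",
    }


SAMPLE_UNENCRYPTED_VOLUME = {
    "resourceType": "AWS::EC2::Volume", "resourceId": "vol-0example",
    "configurationItemStatus": "OK",
    "configurationItemCaptureTime": "2024-01-10T08:00:00.000Z",
    "configuration": {"encrypted": False},
}
SAMPLE_KMS_BUCKET = {
    "resourceType": "AWS::S3::Bucket", "resourceId": "phi-records-example",
    "configurationItemStatus": "OK",
    "configurationItemCaptureTime": "2024-01-10T08:00:00.000Z",
    "supplementaryConfiguration": {"ServerSideEncryptionConfiguration": {"rules": [
        {"applyServerSideEncryptionByDefault": {
            "sseAlgorithm": "aws:kms",
            "kmsMasterKeyID": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE"}}]}},
}

if __name__ == "__main__":
    print(lambda_handler(sample_event(SAMPLE_UNENCRYPTED_VOLUME)))
    print(lambda_handler(sample_event(SAMPLE_KMS_BUCKET)))
```

Note the deleted-resource case: Config still invokes the rule when a resource disappears, and reporting NOT_APPLICABLE there keeps the deleted volume from lingering as a non-compliant finding. A Config rule only detects; to actually stop unencrypted volumes from being created you pair it with a preventive control such as an IAM or service control policy.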

Backups, for Sleeping Better at Night

Use the native backup services and define backups on a schedule that lets you roll back to a point before a major event happened. If you can restore every environment from backups, you can sleep better at night.
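The block below is an added example of defining such a schedule with AWS Backup, the native service the case study uses; it is not Cloudride’s configuration. The dict layout is the BackupPlan argument of boto3’s backup.create_backup_plan (BackupPlanName, then Rules with RuleName, TargetBackupVaultName, ScheduleExpression and Lifecycle); the vault name, schedules and retention periods are constructed for illustration. The 90-day figure is AWS Backup’s own constraint: a recovery point moved to cold storage must stay there at least 90 days, so DeleteAfterDays has to be at least MoveToColdStorageAfterDays plus 90, and the service rejects plans that violate it. The create call is left as a comment so the block runs offline.

```python
"""Build and sanity-check an AWS Backup plan before creating it (added example)."""

MIN_COLD_STORAGE_DAYS = 90  # AWS Backup minimum retention in cold storage


def backup_rule(name, vault, schedule, delete_after, cold_after=None):
    """One rule of a backup plan: when to take the backup and how long to keep it."""
    lifecycle = {"DeleteAfterDays": delete_after}
    if cold_after is not None:
        lifecycle["MoveToColdStorageAfterDays"] = cold_after
    return {
        "RuleName": name,
        "TargetBackupVaultName": vault,
        "ScheduleExpression": schedule,  # AWS Backup accepts cron(...) or rate(...)
        "StartWindowMinutes": 60,         # job must start within an hour of the schedule
        "CompletionWindowMinutes": 180,
        "Lifecycle": lifecycle,
    }


def check_rule(rule):
    """Return a list of problems AWS Backup would reject or that make the rule
    useless (nothing retained). An empty list means the rule is sound."""
    problems = []
    lifecycle = rule["Lifecycle"]
    delete_after = lifecycle["DeleteAfterDays"]
    cold_after = lifecycle.get("MoveToColdStorageAfterDays")
    if delete_after < 1:
        problems.append(f"{rule['RuleName']}: DeleteAfterDays must be at least 1")
    if cold_after is not None:
        if cold_after < 1:
            problems.append(f"{rule['RuleName']}: MoveToColdStorageAfterDays must be at least 1")
        elif delete_after < cold_after + MIN_COLD_STORAGE_DAYS:
            problems.append(
                f"{rule['RuleName']}: DeleteAfterDays ({delete_after}) must be at least "
                f"{MIN_COLD_STORAGE_DAYS} days after MoveToColdStorageAfterDays ({cold_after})")
    schedule = rule["ScheduleExpression"]
    if not (schedule.startswith(("cron(", "rate(")) and schedule.endswith(")")):
        problems.append(f"{rule['RuleName']}: schedule must be cron(...) or rate(...)")
    return problems


def build_plan(plan_name, vault):
    """Daily backups kept 35 days for quick rollback, plus a weekly copy that moves
    to cold storage after 30 days and is kept a year (retention values constructed).
    Raises ValueError rather than sending an invalid plan to the service."""
    rules = [
        backup_rule("daily-rollback", vault, "cron(0 5 ? * * *)", delete_after=35),
        backup_rule("weekly-archive", vault, "cron(0 3 ? * SUN *)",
                    delete_after=365, cold_after=30),
    ]
    problems = [p for rule in rules for p in check_rule(rule)]
    if problems:
        raise ValueError("; ".join(problems))
    return {"BackupPlanName": plan_name, "Rules": rules}


if __name__ == "__main__":
    plan = build_plan("phi-servers", "phi-backup-vault")  # constructed names
    print(plan)
    # With credentials: boto3.client("backup").create_backup_plan(BackupPlan=plan)
```

The two rules cover the two needs the tip describes: the daily rule is what you roll back to after a bad deploy or a compromise, and the weekly rule is the long-retention copy that ages into cheaper cold storage. A plan is only as good as the last restore you tested, so schedule a periodic restore of each environment from its recovery points as well.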