(SEC304) Architecting for HIPAA Compliance on AWS

© 2015, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Bill Shinn, AWS Principal Security Solutions Architect
Haddon Bennett, Emdeon Chief Information Security Officer
October 2015
SEC 304
Architecting for HIPAA
Compliance on AWS

What to expect from this session
• Review AWS Health Insurance Portability and Accountability Act
(HIPAA) Program and Business Associate Agreement.
• Learn how Emdeon is architecting for HIPAA requirements on AWS.
• Learn how to architect for key HIPAA Security Rule “implementation
specifications” when using AWS Eligible Services.

AWS HIPAA Program
• Strong presence in healthcare and
life sciences from our roots
• Business Associates and the
January 2013 Omnibus Final Rule
• Started signing Business Associate
Agreements (BAA) in
Q2 2013
• Program is based on Shared
Security Responsibility Model
AWS HIPAA Program is aligned to
NIST 800-53 and FedRAMP
Authorizations

Alignment to HIPAA Security Rule
HIPAA Security Rule
(45 CFR Part 160 and Subparts
A and C of Part 164)
NIST 800-66
An Introductory Resource Guide
for Implementing the Health
Insurance Portability and
Accountability Act (HIPAA)
Security Rule
NIST 800-53
Moderate baseline + FedRAMP
controls

AWS HIPAA Eligible Services – 2014
• Customers may use all services within a “HIPAA Account.”
• Customers may process, store, or transmit ePHI using only Eligible
Services.
Amazon EC2
Elastic Load
Balancing
(TCP-mode only)
Amazon S3Amazon EBS Amazon Glacier Amazon Redshift

AWS HIPAA Eligible Services – 2015
• Customers may use all services within a “HIPAA Account”
• Customers may process, store, or transmit ePHI using only Eligible Services.
EC2
Elastic Load
Balancing
(TCP mode only)
S3EBS Amazon Glacier Amazon Redshift
Amazon
DynamoDB
Amazon
RDS for
MySQL
Amazon
RDS for
Oracle
Amazon EMR

AWS BAA configuration requirements
• Customers must encrypt ePHI in transit and at rest.
• Customers must use EC2 Dedicated Instances for instances
processing, storing, or transmitting ePHI.
• Customers must record and retain activity related to use of and
access to ePHI.

Using Eligible Services for PHI
Availability Zone
Availability Zone
Patient
Web Tier
ASG
App Tier
ASG
RDS
MySQL
Web Tier
ASG
App Tier
ASG RDS
MySQL
WebSGWebSG

WebSG
Availability Zone
Availability Zone
Patient
Web Tier
ASG
App Tier
ASG
RDS
MySQL
Web Tier
ASG
App Tier
ASG RDS
MySQL
WebSG
PHI

WebSG
Availability Zone
Availability Zone
Patient
Web Tier
ASG
App Tier
ASG
RDS
MySQL
Web Tier
ASG
App Tier
ASG RDS
MySQL
WebSG
S3
PHI

WebSG
Availability Zone
Availability Zone
Patient
Web Tier
ASG
App Tier
ASG
RDS
MySQL
Web Tier
ASG
App Tier
ASG RDS
MySQL
WebSG
Amazon
Glacier
PHI
S3

WebSG
Availability Zone
Availability Zone
Patient
Web Tier
ASG
App Tier
ASG
Web Tier
ASG
App Tier
ASG
WebSG
Amazon
DynamoDB
PHI

WebSG
Using Eligible Services for PHI with other services
Availability Zone
Availability Zone
Patient
Web Tier
ASG
App Tier
ASG
RDS
MySQL
Web Tier
ASG
App Tier
ASG RDS
MySQL
WebSG
Amazon
Route 53
AWS Config AWS CloudTrail AWS
IAM
AWS CloudFormation
Non-PHI

WebSG
Availability Zone
Availability Zone
Patient
Web Tier
ASG
App Tier
ASG
RDS
MySQL
Web Tier
ASG
App Tier
ASG RDS
MySQL
WebSG
Amazon
Route 53
CloudWatch
Non-PHI

WebSG
Availability Zone
Availability Zone
Patient
Web Tier
ASG
App Tier
ASG
RDS
MySQL
Web Tier
ASG
App Tier
ASG RDS
MySQL
WebSG
Amazon
Route 53
AWS CodeDeploy
Non-PHI

Terminating TLS on EC2 (May 2013 – April 2015+)
Managing PHI in load-balanced applications
VPC Public Subnet 10.40.1.0/24
AZ A
HAProxy/Public
SSL/TLS
HAProxy/
Public SSL/TLS
Web Server/
Private SSL/TLS
Web Server/
Private SSL/TLS
VPC Private Subnet 10.40.3.0/24
ELB

AZ A
HAProxy/Public
SSL/TLS
HAProxy/Public
SSL/TLS
Web Server/
Private SSL/TLS
Web Server/
Private SSL/TLS
TCP-only Session
TLS w/ PHI
ELB

AZ A
HAProxy/Public
SSL/TLS
HAProxy/Public
SSL/TLS
Web Server/
Private SSL/TLS
Web Server/
Private SSL/TLS
TCP-only Session
TLS w/ PHI
New TLS Session
ELB

AZ A
HAProxy/
Public SSL/TLS
HAProxy/
Public SSL/TLS
Web Server/
Private SSL/TLS
Web Server/
Private SSL/TLS
Terminating TLS on ELB (April 2015+)
AZ A
Web
Server/Private
TLS
Web
Server/Private
TLS
TCP-only Session
TLS w/ PHI
New TLS Session
ELB ELB

AZ A
HAProxy/Public
SSL/TLS
HAProxy/
Public SSL/TLS
Web Server/
Private SSL/TLS
Web Server/
Private SSL/TLS
TCP-only Session
TLS w/ PHI
New TLS Session
Terminating TLS on ELB (April 2015+)
AZ A
Web
Server/Private
TLS
Web
Server/Private
TLS
ELB ELB

Emdeon Overview
People
 6,000+ team members
Our customers
 Payers
 Providers
 Pharmacies
 Laboratories
 Physicians
 Hospitals
 Dentists
Assets
 The single largest financial and
administrative health information
network in the nation
 Emdeon Intelligent
Healthcare Network™

Emdeon Overview
 17 months
 2,000+ instances
 10K application deployments
People AWS footprint
 6,000+ team members
Our customers
 Payers
 Providers
 Pharmacies
 Laboratories
 Physicians
 Hospitals
 Dentists
Assets
 The single largest financial and
administrative health information
network in the nation
 Emdeon Intelligent
Healthcare Network™

Top compliance and security initiatives
Encryption
Patching
Build
standard
Logging
Incident
investigation
Disaster
recovery
Asset
management
Configuration
management
Vulnerability
scanning

Top reasons compliance and security initiatives fail
Not enough memory/CPU/out-of-date hardware
Unknown impact to performance
Can’t incur downtime
No test environment
No legacy knowledge to properly test application
No way to roll back change (with assurance)
No deployment tools
Length of time to patch
Encryption
Patching
Build
standard
Logging
Incident
investigation
Disaster
recovery
Asset
management
Configuration
management
Vulnerability
scanning

Traditional data center
• Manually touch 10K servers
• Server and network impact
• Misconfiguration due to manual
efforts
• Result = Several months
Logging
AWS
• Modify build scripts
• Unnoticed due to auto-scaling
• Consistent and compliant config
due to automation and testing
• Result = Several minutes
Technical safeguards 164.312
(b). Standard: Audit controls. Implement hardware, software, and/or procedural
mechanisms that record and examine activity in information systems that
contain or use electronic protected health information.
CloudTrail (API logs); CloudFormation (for hardened AMI system logs); S3

• Set up alert on root logon.
• Attempt to get logs from 3 different
groups (network, systems, and
database)…and wait.
• Perform live forensics and impact
integrity, or take system down and
incur revenue loss.
• Result: Time to mitigate, investigate,
resolve, and downtime is significant.
Incident investigation
• Automate a task to quarantine
existing environment and bring up
fresh noncompromised environment
when you see a root logon in
production.
• View all logs on quarantined system
(create another snapshot first for
forensic preservation).
• Result: Time to mitigate and
investigate reduced dramatically with
zero downtime.
Traditional data center AWS
Security Incident Procedures 164.308(a)(6)
(ii) Identify and respond to suspected or known security incidents; mitigate, to the extent
practicable, harmful effects of security incidents that are known to the covered entity; and
document security incidents and their outcomes.
ELB; security groups

• Acquire/deploy expensive patching
tool and push out.
• Patch 10K servers, schedule
downtime, reboots; not sustainable.
• Patch damages server; attempts to
roll back fail.
• No proper testing environment.
•Result = Instability, high effort;
minimal compliance assurance.
Patching
• Follow standard release process.
• Patch base AMI and redeploy.
• Redeploy previous release.
• Redeploy production as a dev
environment.
• Result = Stability, tested, and
compliant.
Traditional data center AWS
Organizational requirements 164.314
(A) Implement administrative, physical, and technical safeguards that reasonably
and appropriately protect the confidentiality, integrity, and availability of the
electronic protected health information that it creates, receives, maintains, or
transmits

HIPAA Security Rule – Fine print explained
… or “How do I derive engineering from regulation?”
The Security Rule is located at 45 CFR Part 160 and Subparts A and C
of Part 164.
The Code of Federal Regulations

of Part 164.
Source:
http://www.nasa.gov/centers/dryden/multimedia/
imagegallery/Shuttle/EC94-42789-2.html

of Part 164.
Source:
http://www.nasa.gov/centers/dryden/multimedia/
imagegallery/Shuttle/EC94-42789-2.html
Source:
http://www.seaway.dot.gov/sites/seaway.dot.gov/files/docs/SLSDC%20System%20Brochure%202014.pdf

of Part 164.
Title 45 of the Code of Federal Regulations – Public Welfare

of Part 164.
Subtitle A - Health and Human Services

of Part 164.
Subchapter C - ADMINISTRATIVE DATA STANDARDS AND RELATED REQUIREMENTS

of Part 164.
Part 160 - General Administrative Requirements

of Part 164.
Part 164 - Security and Privacy

of Part 164.
Subpart C - Security Standards for the Protection of Electronic Protected Health Information

of Part 164.
Section 164.308 - Administrative Safeguards
Section 164.310 - Physical Safeguards
Section 164.312 - Technical Safeguards
Section 164.314 - Organizational Safeguards

of Part 164.
Section 164.308 - Administrative Safeguards
Section 164.310 - Physical Safeguards
164.312(b)(2) – Standard: Audit Controls
Section 164.314 - Organizational Safeguards

Audit Controls 164.312(b)(2) – Security Rule
164.312 (b)(2) Standard: Audit Controls
Implement hardware, software, and/or procedural mechanisms that *record and examine
activity* in information systems that contain or use electronic protected health
information.

Audit Controls 164.312(b)(2) – OCR Audit
Protocol
§164.312(b):
Key Activity
Determine the Activities that Will be Tracked or Audited
Audit Procedures
Inquire of management as to whether audit controls have been implemented over information systems that contain or use ePHI.
Obtain and review documentation relative to the specified criteria to determine whether audit controls have been implemented
over information systems that contain or use ePHI.
Key Activity
Select the Tools that Will be Deployed for Auditing and System Activity Reviews
Audit Procedures
Inquire of management as to whether systems and applications have been evaluated to determine whether upgrades are
necessary to implement audit capabilities. Obtain and review documentation of tools or applications that management has
identified to capture the appropriate audit information.

Protocol
§164.312(b):
Key Activity
Audit Procedures
Key Activity
Audit Procedures
Something you have to do.

Protocol
§164.312(b):
Key Activity
Audit Procedures
Key Activity
Audit Procedures

Protocol
§164.312(b):
Key Activity
Determine the Activities that Will be Tracked or Audited Something you have to do.
.

Protocol – Determine the Activities
§164.312(b):
Key Activity
EC2 CloudTrail Events
AttachVolume
AuthorizeSecurityGroupIngress
CopySnapshot
CreateNetworkAclEntry
CreateSnapshot
DeleteSnapshot
DeleteTags
DeleteVolume
TerminateInstance

§164.312(b):
Key Activity
AttachVolume
CopySnapshot
CreateSnapshot
DeleteSnapshot
DeleteTags
DeleteVolume
TerminateInstance
RDS CloudTrail Events
AuthorizeDBSecurityGroupIngress
CopyDBSnapshot
CreateDBSnapshot
DeleteDBInstance
DeleteDBSnapshot
ModifyDBInstance

§164.312(b):
Key Activity
AttachVolume
CopySnapshot
CreateSnapshot
DeleteSnapshot
DeleteTags
DeleteVolume
TerminateInstance
CopyDBSnapshot
CreateDBSnapshot
DeleteDBInstance
DeleteDBSnapshot
ModifyDBInstance
Amazon Glacier CloudTrail
Events
DeleteArchive
DeleteVault

§164.312(b):
Key Activity
AttachVolume
CopySnapshot
CreateSnapshot
DeleteSnapshot
DeleteTags
DeleteVolume
TerminateInstance
CopyDBSnapshot
CreateDBSnapshot
DeleteDBInstance
DeleteDBSnapshot
ModifyDBInstance
DynamoDB CloudTrail Events
DeleteTable
UpdateTable
Events
DeleteArchive
DeleteVault

§164.312(b):
Key Activity
AttachVolume
CopySnapshot
CreateSnapshot
DeleteSnapshot
DeleteTags
DeleteVolume
TerminateInstance
CopyDBSnapshot
CreateDBSnapshot
DeleteDBInstance
DeleteDBSnapshot
ModifyDBInstance
DynamoDB CloudTrail Events
DeleteTable
UpdateTable
Amazon Redshift CloudTrail Events
AuthorizeClusterSecurityGroupIngress
CopyClusterSnapshot
CreateClusterSnapshot
DeleteCluster
DeleteClusterSnapshot
DisableLogging
Events
DeleteArchive
DeleteVault

§164.312(b):
Key Activity
CloudTrail CloudTrail Events
CreateTrail
DeleteTrail
UpdateTrail
StopLogging

§164.312(b):
Key Activity
CloudTrail CloudTrail Events
CreateTrail
DeleteTrail
UpdateTrail
StopLogging
S3 CloudTrail Events
(New in Sept 2015)
Delete Bucket
Delete Bucket lifecycle
Delete Bucket tagging
Put Bucket acl
Put Bucket lifecycle
Put Bucket policy
Put Bucket replication

§164.312(b):
Key Activity
EC2 Instance Events
/var/log/messages
/var/log/audit
/var/log/<whatever>
</your/application/logs>
RDS Instance Events
MySQL – DDL/DML
general_log = 1
log_output = TABLE | FILE
DynamoDB Application-Level
Events (SDK and/or DynamoDB
Streams)
BatchGetItem
BatchWriteItem
DeleteItem
GetItem
PutIItem
Query
Scan
UpdateItem
Amazon Redshift Database Events
Connection Logging
(STL_CONNECTION_LOG)
Query Text Logging
(STL_QUERY & STL_QUERYTEXT)

Protocol – Document Implementation
§164.312(b):
Audit Procedures
.

§164.312(b):
Key Activity
Capture CloudTrail Configuration (CLI Example)
$ aws cloudtrail describe-trails
{
"trailList": [
{
"IncludeGlobalServiceEvents": true,
"Name": "Default",
"S3KeyPrefix": ”CloudTrail",
"S3BucketName": "us-east-1.logging",
"CloudWatchLogsRoleArn":
"arn:aws:iam::663354267581:role/CloudTrail_CloudWatchLogs_Role",
"CloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-1:663354267581:log-
group:CloudTrail/us-east-1-LogGroup:*"
}
]
}

§164.312(b):
Key Activity
Capture CloudTrail Trusted Advisor Report

Protocol – Select the Tools
§164.312(b):
Key Activity
Key Activity
Audit Procedures

CloudTrail CloudWatch Logs Amazon
Kinesis
CloudWatch
Logs
subscription
consumer
(KCL-based)
ELK
CloudWatch
Logs
subscription
Amazon EC2
+
CloudWatch
Logs agent

CloudWatch Logs Amazon
Kinesis
CloudWatch
Logs
subscription
LogGroup-CloudTrail/Stream1
LogGroup-CWL-syslog/instance-1
LogGroup-CWL-syslog/instance-2
LogGroup-CWL-customApp/instance-3
[…]

§164.312(b):
Key Activity
Audit Procedures
[…] Obtain and review documentation of tools or applications that management has identified to capture the appropriate audit
information.
$ aws logs describe-log-groups --log-group-name-prefix "CloudTrail"
{
"logGroups": [
{
"arn": "arn:aws:logs:us-east-1:663354267581:log-group:CloudTrail/us-east-1-LogGroup:*",
"creationTime": 1439155915783,
"metricFilterCount": 0,
"logGroupName": "CloudTrail/us-east-1-LogGroup",
"storedBytes": 411573
}
]
}

§164.312(b):
Audit Procedures
[…] Obtain and review documentation of tools or applications that management has identified to capture the appropriate audit
information.
$ aws logs describe-subscription-filters --log-group-name CloudTrail/us-east-1-LogGroup
{
"subscriptionFilters": [
{
"filterPattern": "",
"filterName": "cwl-cfn-es-CWL-Elasticsearch-KinesisSubscriptionStream-1KSJUFTUP6K5K",
"roleArn": "arn:aws:iam::663354267581:role/CWL-Elasticsearch-CloudWatchLogsKinesisRole-
4DVR5UWI4QBR",
"creationTime": 1439157386140,
"logGroupName": "CloudTrail/us-east-1-LogGroup",
"destinationArn": "arn:aws:kinesis:us-east-1:663354267581:stream/CWL-Elasticsearch-
KinesisSubscriptionStream-1KSJUFTUP6K5K"
}
]
}

Protocol – Activity Reviews
§164.312(b):
Key Activity
Key Activity
Audit Procedures

Protocol – Activity Reviews

of Part 164.
164.312(a)(1) – Standard: Access Control
164.312(a)(2) - Implementation Specification
164.312(e)(1) – Standard: Transmission Security
164.312(e)2) – Implementation Specification

of Part 164.
164.312(a)(1) – Standard: Access Control
164.312(a)(2) - Implementation Specification
(iv) Encryption and decryption (Addressable). Implement a mechanism to encrypt and decrypt electronic protected health information.
164.312(e)(1) – Standard: Transmission Security
164.312(e)2) – Implementation Specification
(ii) Encryption (Addressable). Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate.

Encryption Controls – 164.312(a)(2)(iv)
164.312 (a)(2)(iv) Standard: Access Control
Encryption and decryption (Addressable). Implement a mechanism to encrypt and decrypt electronic protected health
information.
Guidance to Render Unsecured Protected Health Information Unusable, Unreadable, or
Indecipherable to Unauthorized Individuals
http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/brguidance.html

Guidance to Render Unsecured Protected Health Information Unusable, Unreadable, or
Indecipherable to Unauthorized Individuals
http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/brguidance.html

Electronic PHI has been encrypted as specified in the HIPAA Security Rule by “the use of an
algorithmic process to transform data into a form in which there is a low probability of assigning
meaning without use of a confidential process or key” (45 CFR 164.304 definition of encryption) and
such confidential process or key that might enable decryption has not been breached. To avoid a
breach of the confidential process or key, these decryption tools should be stored on a device or at a
location separate from the data they are used to encrypt or decrypt.

“Il faut qu’il n’exige pas le secret, et qu’il puisse sans inconvénient tomber
entre les mains de l’ennemi” – Auguste Kerckhoffs, “La Cryptographie
Militaire,” Journal des Sciences Militaires, January, 1883

“Il faut qu’il n’exige pas le secret, et qu’il puisse sans inconvénient tomber
entre les mains de l’ennemi.” – Auguste Kerckhoffs, “La Cryptographie
Militaire,” Journal des Sciences Militaires, January, 1883
The system must not require secrecy and can be stolen by the
enemy without causing trouble.

Encryption Controls – 164.312(a)(2)(iv) – OCR
Audit Protocol
§164.312(a)(2)(iv):
Key Activity
Encryption and Decryption
Audit Procedures
Inquire of management as to whether an encryption mechanism is in place to protect ePHI. Obtain and review formal or informal
policies and procedures and evaluate the content relative to the specified criteria to determine that encryption standards exist to
protect ePHI. Based on the complexity of the entity, elements to consider include but are not limited to:
- Type(s) of encryption used.
- How encryption keys are protected.
- Access to modify or create keys is restricted to appropriate personnel.
- How keys are managed.

Encryption Controls – 164.312(a)(2)(iv) – Using
Amazon KMS
HIPAA Eligible Services integrations
Amazon Elastic Block Store
Amazon Relational Database Service – MySQL
Amazon Relational Database Service – Oracle
Amazon Simple Storage Service (SSE-K)
Amazon Redshift
Amazon Elastic MapReduce (client-side EMRFS)

Amazon KMS – EBS example
EBS
volume

EBS
volume
Volume
encryption key

EBS
volume
Volume
encryption key
KMS
customer
master key

EBS
snapshot
EBS
volume
Volume
encryption key
KMS
customer
master key

EBS
snapshot
EBS
volume
Volume
encryption key
KMS
customer
master key
region 1 us-west-2
us-east-1
EBS
snapshot
KMS
customer
master key
region 2
Volume
encryption key

Remember to complete
your evaluations!

(SEC304) Architecting for HIPAA Compliance on AWS

Recommandé

Recommandé

Contenu connexe

Tendances

Tendances (20)

En vedette

En vedette (20)

Similaire à (SEC304) Architecting for HIPAA Compliance on AWS

Similaire à (SEC304) Architecting for HIPAA Compliance on AWS (20)

Plus de Amazon Web Services

Plus de Amazon Web Services (20)

Dernier

Dernier (20)

(SEC304) Architecting for HIPAA Compliance on AWS