HIPAA Compliance In The AWS Cloud - Deloitte


HIPAA compliance in the AWS cloud

Introduction

What is HIPAA?

The Health Insurance Portability and Accountability Act (HIPAA) was introduced in 1996. Title II of the regulation, known as the Administrative Simplification (AS) provisions, consists of the Privacy Rule and the Security Rule. Within the HIPAA Privacy Rule, national standards were established to protect individuals' medical records and other personal health information. The Security Rule requires appropriate administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of electronic protected health information (ePHI). The HIPAA rules apply to covered entities such as health plans, health care clearinghouses, health care providers that conduct certain health care transactions electronically, and business associates of covered entities.

Why HIPAA matters

HIPAA was designed to protect patient data, and a growing number of health care data breaches have led to increased HIPAA enforcement over the years. The Office for Civil Rights (OCR) has been responsible for enforcing the HIPAA rules. Since the April 2003 compliance deadline, OCR has received more than 177,854 complaints and has initiated more than 884 compliance reviews. [1]

Health Information Technology for Economic and Clinical Health Act (HITECH)

HITECH was enacted in 2009 to promote the adoption and meaningful use of health information technology and to reinforce HIPAA rules. HITECH established breach notification requirements to provide greater transparency for individuals whose information may be at risk.

OCR's audit program

HITECH requires OCR to conduct periodic audits of covered entity and business associate compliance with the HIPAA rules. In 2011 and 2012, in order to assess compliance with HIPAA's requirements, OCR implemented a pilot audit program to examine the controls and processes implemented by 115 covered entities. OCR also conducted an extensive evaluation of the effectiveness of the pilot program. Drawing on that experience and the results of the evaluation, OCR implemented phase two of its audit program in 2016, under which both covered entities and business associates can be audited. The assessment can include or extend to hosted environments. [2]

Sidebar: To date, the OCR has settled non-compliance cases resulting in fines of more than 78 million dollars (based on enforcement highlights published by the OCR as of May 3, 2018).

Notes
[1] Statistics published by OCR. Available at: .html
[2] HIPAA Privacy, Security, and Breach Notification Audit Program. Available at: ance-enforcement/audit/index.html

Considerations for cloud customers

Covered entities and business associates under HIPAA

Under HIPAA, a covered entity is a health care provider, a health plan, or a health care clearinghouse. A business associate is a person or entity who performs or assists in performing an activity regulated by the associated HIPAA rules, for or on behalf of the covered entity. If a covered entity or business associate engages a cloud service provider (CSP) such as Amazon Web Services (AWS) to store or process ePHI, the CSP itself is a business associate under HIPAA. It is important for customers moving to a public cloud environment to understand this distinction, because a business associate agreement (BAA) should then be enacted to define both privacy and security responsibilities of the covered entity and the business associate.

Business associate agreements

HIPAA requires a BAA between the covered entity and a business associate such as AWS. These agreements serve to define and limit the permissible uses and disclosures of ePHI, as appropriate. Examples of functions a business associate might provide include claims processing, billing, benefits management, member care, and provider data analysis. If a customer (covered entity or business associate) plans to use protected health information (as defined by HIPAA) within AWS services, the customer should first accept the AWS business associate addendum (AWS BAA). AWS services can be used with health care applications, but only services covered by the AWS BAA can be used to store, process, or transmit ePHI. Customers can review, accept, and check the status of their AWS BAA through a self-service portal available in AWS Artifact.

Sidebar: When it comes to deploying security and privacy technologies, public clouds have the benefit of economies of scale compared with private data centers.

Shared responsibility within the cloud

The AWS Shared Responsibility Model can be extended to the HIPAA control areas to assist with defining responsibilities.

Illustrative scenario: Health care provider hosts customer portal on AWS

In this scenario, a health care provider and AWS are jointly responsible for meeting HIPAA security requirements.

Illustrative HIPAA control area: Access controls
  AWS responsibility: Provide identity and access management capabilities for AWS services.
  Health care provider responsibility: Implement policies and procedures for identity and access management that are consistent with the AWS BAA and HIPAA.

Illustrative HIPAA control area: Audit controls
  AWS responsibility: Enable logging and monitoring capabilities for AWS services and the ability to capture and log API actions against the AWS environment.
  Health care provider responsibility: Employ auditing procedures that allow security analysts to periodically examine detailed activity logs or reports.

Illustrative HIPAA control area: Incident response and disaster recovery
  AWS responsibility: Provide and maintain disaster recovery capabilities for rapid recovery of IT infrastructure and data, ensuring adequate durability and availability of services.
  Health care provider responsibility: Develop a resilient architecture capable of responding to, and recovering from, incidents.

Architecting for HIPAA on AWS

Deloitte used its deep cyber experience, technological innovation, enterprise-wide cyber capabilities, and leading industry experience to develop a HIPAA-based security methodology for AWS embedded with a range of controls that are relevant to enterprises in multiple industries. This methodology helps AWS customers meet the administrative, technical, and physical safeguards required under HIPAA using HIPAA-eligible and other AWS services. [3] Deloitte and AWS also developed whitepapers that deep dive on the topics of Identity and Access Management, Data Protection, IoT Security, and Network and Infrastructure Security, which cover the fundamentals of securing AWS broadly.

[Figure: HIPAA-based security methodology for AWS. "Cyber Everywhere": end-to-end enterprise-wide cyber security capabilities (identify, protect, detect, recover, respond) for achieving HIPAA compliance. Control areas shown around the HIPAA compliance hub: access controls, audit controls, integrity controls, transmission security, log-in monitoring, information system activity review, data backup and storage, disaster recovery, incident response, and shared responsibility within cloud. AWS services shown: Amazon S3, Amazon EC2, Amazon EBS, Amazon Glacier, Amazon Inspector.]

Notes
[3] HIPAA Eligible Services. Available at ervices-reference/

Establishing HIPAA-compliant controls to secure data and systems

Effective controls across an organization's security infrastructure are imperative for creating a well-architected end-to-end security posture. The goal for architects and developers is to create an infrastructure capable of withstanding potential cyber-attacks. Once again, controls should align with safeguards documented within the HIPAA Security Rule.

Assessing cybersecurity risk in the handling and storage of ePHI data

Understanding your responsibilities within HIPAA is important to securing ePHI within the AWS cloud, and a critical first step is the identification and assessment of cybersecurity risk. There are several sources of guidance available to assist entities in this effort. The Office of the National Coordinator for Health Information Technology (ONC) within the US Department of Health and Human Services (HHS) provides a detailed security risk assessment tool that covered entities can use to perform this risk assessment. The tool provides guidance on assessing the current posture of risks and safeguards for:

- Validating authenticated and authorized access to ePHI
- Checking ePHI transmission
- Maintaining integrity of systems and ePHI
- Validating secure transmission and storage of ePHI

The OCR, as a part of its audit program, has developed and published audit protocols [4] that can be used as a tool by organizations to conduct their own internal self-audits as part of their HIPAA compliance activities.

The National Institute of Standards and Technology (NIST) has also developed special publications [5] that provide guidance on HIPAA compliance, including NIST Special Publication 800-66: An Introductory Resource Guide for Implementing the HIPAA Security Rule.

Deloitte has extensive experience in providing HIPAA risk assessment and analysis services. Utilizing our proprietary assessment framework customized for cloud services, Deloitte can provide practical, actionable guidance and recommendations on meeting the requirements of the HIPAA Security Rule.

Whether an entity conducts their HIPAA risk assessment internally or works with an advisor such as Deloitte, they will need to gather information on how the business intends to use the cloud, and what applications and data will be migrated. They will also need to pay close attention to the HIPAA technical safeguards related to access, audit, integrity, and transmission security controls.

Secure transmission and storage of ePHI through integrity controls and encryption

The HIPAA Security Rule includes addressable implementation specifications for the encryption of ePHI in transit, in use, and at rest. Deloitte's approach uses AWS's native encryption tools. AWS offers a wide set of features and services to make encryption of ePHI manageable and easier to audit, including the AWS Key Management Service (AWS KMS). Customers can also take advantage of the encryption features native to HIPAA-eligible services such as Amazon Simple Storage Service (S3). In addition to encryption at rest, customers can enable encryption in transit using Transport Layer Security (TLS) certificates, and they can leverage AWS Certificate Manager (ACM) for certificate management.

Deloitte has helped clients with network security and segmentation using AWS services such as Amazon Virtual Private Cloud (VPC). These services allow for segmentation of the network and data flows from non-ePHI-related compute and storage services. For developers, Amazon API Gateway is a HIPAA-eligible service that makes it easy to create, publish, maintain, monitor, and secure application programming interfaces (APIs) at scale. The APIs created with Amazon API Gateway expose HTTPS endpoints only, thereby providing encryption in transit. Amazon API Gateway does not support unencrypted (HTTP) endpoints.

IAM, MFA, password management, and access authorization controls

Identity and access management (IAM) involves the strategies and methods used to authenticate and authorize actions that specific users can perform.

Notes
[5] An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, October 2008. Available 0-66/rev-1/final
[6] Architecting for HIPAA Security and Compliance on Amazon Web Services, January 2019. Available /AWS HIPAA Compliance Whitepaper.pdf
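The encryption controls for S3 described above (TLS in transit, SSE-KMS at rest) are usually enforced with explicit Deny statements in the bucket policy. The following is an added example, not code from the Deloitte/AWS paper, that checks a bucket policy document for both statements; the bucket name, account id, role name and both policy documents are constructed samples.

```python
"""Check whether an S3 bucket policy enforces the two ePHI controls discussed above:
encryption in transit (deny any request where aws:SecureTransport is false) and
encryption at rest with AWS KMS (deny PutObject unless SSE-KMS is requested).
The bucket name, principal and both policies are constructed samples."""
import json

BUCKET = "example-ephi-bucket"  # placeholder bucket name

# Constructed sample: grants read access to the portal role and enforces neither control.
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowPortalRead", "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111111111111:role/portal-app"},
        "Action": "s3:GetObject", "Resource": f"arn:aws:s3:::{BUCKET}/*"}]})

# Constructed sample: the corrected policy, with two explicit Deny statements added.
HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowPortalRead", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111111111111:role/portal-app"},
         "Action": "s3:GetObject", "Resource": f"arn:aws:s3:::{BUCKET}/*"},
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*",
         "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
        {"Sid": "DenyUnencryptedUploads", "Effect": "Deny", "Principal": "*",
         "Action": "s3:PutObject", "Resource": f"arn:aws:s3:::{BUCKET}/*",
         "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}},
    ]})


def _as_list(value):
    """IAM policy elements may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _covers_action(statement, action):
    """True if the statement's Action element includes the given action or a wildcard."""
    return any(a in ("*", "s3:*", action) for a in _as_list(statement.get("Action", [])))


def denies_insecure_transport(policy):
    """True if a Deny statement covers all S3 actions whenever aws:SecureTransport is false."""
    for st in _as_list(policy.get("Statement", [])):
        if st.get("Effect") != "Deny" or not _covers_action(st, "s3:*"):
            continue
        cond = st.get("Condition", {}).get("Bool", {})
        if str(cond.get("aws:SecureTransport", "")).lower() == "false":
            return True
    return False


def denies_unencrypted_uploads(policy):
    """True if a Deny statement blocks PutObject unless the SSE-KMS header is present."""
    for st in _as_list(policy.get("Statement", [])):
        if st.get("Effect") != "Deny" or not _covers_action(st, "s3:PutObject"):
            continue
        cond = st.get("Condition", {}).get("StringNotEquals", {})
        if cond.get("s3:x-amz-server-side-encryption") == "aws:kms":
            return True
    return False


def evaluate_bucket_policy(policy_json):
    """Return a result map for both controls; a bucket with no policy enforces neither."""
    policy = json.loads(policy_json) if policy_json else {}
    return {"tls_enforced": denies_insecure_transport(policy),
            "kms_enforced": denies_unencrypted_uploads(policy)}


if __name__ == "__main__":
    for name, doc in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, evaluate_bucket_policy(doc))
```

The PutObject Deny only catches uploads that omit the encryption header, so pair it with S3 default bucket encryption using the same KMS key for objects written by services that do not set the header.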

IAM is a critical component of HIPAA security. Within an AWS environment, access management strategies and associated technical controls are needed at the AWS infrastructure layer, the operating system layer, and the application layer. [6] The HIPAA Security Rule documents addressable requirements for implementing authentication and authorization mechanisms to protect ePHI from being altered or destroyed in an unauthorized manner.

HIPAA contains requirements for covered entities to include procedures for creating, changing, and safeguarding passwords. AWS customers can manage passwords for account root users and for IAM users in their account. Customers can set a password policy on their AWS account to specify complexity requirements and mandatory rotation periods for their IAM users' passwords and to prevent password re-use.

Deloitte has developed reference architectures for deploying privileged access management (PAM) solutions, which can serve as a starting point for PAM deployment in AWS. The architectures also provide blueprints for integration with AWS IAM and Active Directory/third-party identity providers (IdPs). Leveraging the PAM solution enables effective management of root account passwords and system accounts. In addition to a PAM solution, enterprises should leverage AWS's multi-factor authentication (MFA) solution as an additional layer of security protection along with traditional user name and password credentials. Amazon Cognito can also be leveraged to extend native identity and access management controls within web and mobile applications.

Under HIPAA, covered entities should implement policies and procedures before granting access to PHI. Authorization in AWS is accomplished by permissions that are dictated by policies, which are then applied to users via role mapping or group membership. A strategy for creating policies and assigning them to users is required to grant administrators the rights they need to perform their job functions while upholding a least-privilege approach. When an IdP is used with AWS, applying policies to users is achieved with roles. Users are mapped to roles within the IdP, and then they assume the role in AWS.

Amazon Cognito provides a simple and secure mechanism for authenticating users in an AWS environment. For an additional layer of authentication, customers can configure MFA with Cognito. Following authentication, users can assume the required IAM role to access the necessary AWS resources and APIs.

Recognizing resiliency as an important feature of HIPAA

Under HIPAA, covered entities must meet the Emergency Access Procedure requirement, which includes the need for availability in any HIPAA-compliant environment. To meet this requirement, covered entities must enable administrative controls, such as a data backup and disaster recovery plan. This contingency plan for protecting data in the event of a disaster should focus on the creation and maintenance of retrievable exact copies of ePHI. This involves maintaining highly available systems, keeping both the data and system replicated offsite, and enabling continuous access to both. In addition, implementing and testing identity and access management controls must be accounted for within the contingency plan. Secure authorization and authentication must be enabled, even during times where emergency access to ePHI is needed.

AWS provides tools and resources that customers can use to build scalable backup and recovery solutions. To implement a data backup plan on AWS, Amazon Elastic Block Store (EBS) offers persistent storage for Amazon EC2 virtual server instances. These volumes can be exposed as standard block devices and offer off-instance storage that persists independently from the life of an instance. [7] To align with HIPAA guidelines, customers can create point-in-time snapshots of Amazon EBS volumes that are automatically stored in Amazon S3 and are replicated across multiple Availability Zones (distinct locations engineered to be isolated from failures in other Availability Zones). These snapshots can be accessed easily and can protect data for long-term durability. [8]

Amazon S3 also provides a highly available solution for data storage and automated backups. By simply loading a file or image into Amazon S3, multiple redundant copies are automatically created and stored in separate data centers. These files can be accessed easily (based on permissions), can be versioned, and are stored until deleted. Deloitte's framework empowers covered entities to develop a resilient AWS environment capable of responding to incidents by consistently backing up critical data.

Notes
[4] HIPAA Security Risk Assessment Tool, August 2019. Available at: d-hipaa/security-risk-assessment-tool
[7] Using Amazon Web Services for Disaster Recovery, October 2014. Available at recovery.pdf
[8] Cyber Resilience – Building the "always-on" enterprise, 2017. Available at lience-deloitte-aws.pdf
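The IAM section above describes setting an account password policy with complexity requirements, mandatory rotation and re-use prevention. The following is an added example, not code from the Deloitte/AWS paper, that evaluates such a policy against a baseline; the field names are those IAM returns from GetAccountPasswordPolicy (boto3: iam.get_account_password_policy()["PasswordPolicy"]), the two policies are constructed samples, and the baseline numbers are an assumed organisational standard, since the HIPAA Security Rule prescribes no figures.

```python
"""Evaluate an IAM account password policy against an assumed baseline for the
complexity, rotation and re-use controls discussed above. Field names follow
IAM's GetAccountPasswordPolicy response; values and thresholds are assumptions."""

# Assumed baseline for accounts that handle ePHI (not taken from HIPAA itself).
BASELINE = {
    "MinimumPasswordLength": 14,
    "MaxPasswordAge": 90,           # days before a password must be rotated
    "PasswordReusePrevention": 24,  # previous passwords IAM remembers and rejects
}
REQUIRED_FLAGS = ("RequireUppercaseCharacters", "RequireLowercaseCharacters",
                  "RequireNumbers", "RequireSymbols")

# Constructed sample: a weak policy (short, partial complexity, no rotation, no re-use check).
WEAK_POLICY = {
    "MinimumPasswordLength": 8, "RequireSymbols": False, "RequireNumbers": True,
    "RequireUppercaseCharacters": False, "RequireLowercaseCharacters": True,
    "AllowUsersToChangePassword": True, "ExpirePasswords": False,
}

# Constructed sample: the corrected policy.
HARDENED_POLICY = {
    "MinimumPasswordLength": 14, "RequireSymbols": True, "RequireNumbers": True,
    "RequireUppercaseCharacters": True, "RequireLowercaseCharacters": True,
    "AllowUsersToChangePassword": True, "ExpirePasswords": True,
    "MaxPasswordAge": 90, "PasswordReusePrevention": 24, "HardExpiry": False,
}


def evaluate_password_policy(policy):
    """Return a list of findings; an empty list means the policy meets the baseline."""
    findings = []
    length = policy.get("MinimumPasswordLength", 0)
    if length < BASELINE["MinimumPasswordLength"]:
        findings.append(f"MinimumPasswordLength {length} is below "
                        f"{BASELINE['MinimumPasswordLength']}")
    for flag in REQUIRED_FLAGS:
        if not policy.get(flag, False):
            findings.append(f"{flag} is not enforced")
    # IAM omits MaxPasswordAge entirely when ExpirePasswords is false.
    if (not policy.get("ExpirePasswords")
            or policy.get("MaxPasswordAge", 0) > BASELINE["MaxPasswordAge"]):
        findings.append(f"passwords are not rotated within {BASELINE['MaxPasswordAge']} days")
    if policy.get("PasswordReusePrevention", 0) < BASELINE["PasswordReusePrevention"]:
        findings.append(f"re-use of the last {BASELINE['PasswordReusePrevention']} "
                        f"passwords is not prevented")
    return findings


def to_update_parameters(policy):
    """Map a policy dict onto the keyword arguments of iam.update_account_password_policy().
    ExpirePasswords is a read-only field derived from MaxPasswordAge, so it is dropped."""
    return {key: value for key, value in policy.items() if key != "ExpirePasswords"}


if __name__ == "__main__":
    for name, pol in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, evaluate_password_policy(pol) or "meets baseline")
    # In a real account:
    # boto3.client("iam").update_account_password_policy(**to_update_parameters(HARDENED_POLICY))
```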

Further, AWS has many options for databases. Customers can run their own database on Amazon EC2, use one of the managed service database options provided by the Amazon Relational Database Service (RDS), or leverage any of AWS's managed non-relational databases, such as DynamoDB, Elasticsearch, or Redis. Amazon RDS creates a storage volume snapshot of a customer's database instance, backing up the database instance, not just individual databases.

Leveraging AWS services, Deloitte can enable highly available and fault-tolerant architectures to meet HIPAA requirements. These can be harnessed through AWS service offerings that include decoupled architecture, high availability, redundancy, and security automation.

Being vigilant through auditing and monitoring

Auditing and monitoring controls are essential to meeting the requirements of the HIPAA Security Rule. Auditing controls are technical safeguards that should be addressed through technical controls by anyone who wishes to store, process, or transmit ePHI. Monitoring controls include procedures for monitoring log-ins and reporting discrepancies. A combination of services such as AWS Config, AWS CloudTrail, AWS Security Hub, Amazon GuardDuty, and Amazon CloudWatch creates a cost-effective solution for auditing and monitoring resources in the AWS environment. AWS Config provides an assessment and audit of the configurations of various AWS resources, while AWS CloudTrail captures API calls made to an account (either through the command line, a Software Development Kit (SDK), or through the console user interface). CloudTrail logs can also be delivered directly to an Amazon S3 bucket for further analysis by a third-party security information and event management (SIEM) solution.

Continuously monitor to avoid HIPAA data breaches

Deloitte has helped clients build vigilant AWS environments that not only extensively monitor resources, but also send alerts when there is unusual or suspicious activity. AWS customers can collect logs from various sources and centrally store them in an S3 bucket, allowing for easy ingestion of logs into SIEM tools. SIEM capabilities such as alerting, interpreting, and parsing data can be leveraged through an established third-party vendor, Splunk, or they can be leveraged across several AWS services. Amazon Athena, for example, allows for analytical queries that parse data, while Amazon CloudWatch Events provides alerts for certain actions within the AWS environment. Deloitte uses CloudWatch Events to monitor for system events in near real time and has created several auto-correction actions using AWS Lambda to enable compliance with baseline security configurations.

To increase the efficiency of alerts, the Deloitte approach leverages Amazon Macie. Macie uses machine learning to discover and classify unstructured, business-critical data, as well as to analyze access patterns and user behavior within S3 buckets. While a SIEM might alert customers about malicious activity anywhere in their accounts, Macie can understand and classify data at rest, so it can determine which data is business critical and focus its alerts on these areas.

Monitor identity log-in attempts

The HIPAA Security Rule requires covered entities to implement procedures to monitor log-in attempts and report discrepancies. Customers who have enabled CloudTrail can see log entries associated with sign-in events, including the internet protocol (IP) address of the entity signing in and whether MFA was enforced for that sign-in. In addition to logging these events, CloudTrail captures successful sign-ins by IAM users and by the root user.

Analyze risks by identifying and remediating vulnerabilities

Under HIPAA, covered entities are required to conduct assessments of potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by them and by their business associates. Amazon Inspector is a HIPAA-eligible automated security assessment service designed to help improve the security and compliance of applications deployed on Amazon EC2. Clients can use Amazon Inspector to automatically evaluate applications for vulnerabilities or deviations from leading practices. After performing an assessment, Amazon Inspector produces a detailed list of security findings prioritized by level of severity. These findings can be reviewed directly or as part of detailed assessment reports that are available via the Amazon Inspector console or API.
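The log-in monitoring control described above rests on CloudTrail's ConsoleLogin events, which record the source IP, the outcome and whether MFA was used. The following is an added example, not code from the Deloitte/AWS paper, that reviews a CloudTrail log file for sign-ins without MFA, root sign-ins and repeated failures per IP; the file is a constructed sample in the shape CloudTrail delivers to S3 (a top-level "Records" list), and the account id, user names and IPs are placeholders.

```python
"""Review CloudTrail ConsoleLogin records for the sign-in monitoring control
discussed above. CloudTrail delivers gzipped JSON files with a top-level
"Records" list; the sample below is constructed in that shape."""
import json
from collections import Counter


def _console_login(event_time, identity_type, user_name, source_ip, outcome, mfa_used):
    """Build one record in the shape CloudTrail uses for console sign-in events (constructed)."""
    identity = {"type": identity_type, "accountId": "111111111111"}  # placeholder account id
    if user_name:  # root sign-ins carry no userName, only type "Root"
        identity["userName"] = user_name
    record = {
        "eventTime": event_time, "eventSource": "signin.amazonaws.com",
        "eventName": "ConsoleLogin", "eventType": "AwsConsoleSignIn",
        "userIdentity": identity, "sourceIPAddress": source_ip,
        "responseElements": {"ConsoleLogin": outcome},
        "additionalEventData": {"MFAUsed": mfa_used, "MobileVersion": "No"},
    }
    if outcome == "Failure":
        record["errorMessage"] = "Failed authentication"
    return record


# Constructed sample log file: one MFA sign-in, one without MFA, a root sign-in
# without MFA, three failures from one IP, one stray failure, and a non-sign-in event.
SAMPLE_TRAIL_FILE = json.dumps({"Records": [
    _console_login("2019-05-01T12:00:00Z", "IAMUser", "alice", "203.0.113.10", "Success", "Yes"),
    _console_login("2019-05-01T12:05:00Z", "IAMUser", "bob", "198.51.100.7", "Success", "No"),
    _console_login("2019-05-01T12:06:00Z", "Root", None, "198.51.100.7", "Success", "No"),
    _console_login("2019-05-01T12:10:00Z", "IAMUser", "carol", "198.51.100.23", "Failure", "No"),
    _console_login("2019-05-01T12:11:00Z", "IAMUser", "carol", "198.51.100.23", "Failure", "No"),
    _console_login("2019-05-01T12:12:00Z", "IAMUser", "carol", "198.51.100.23", "Failure", "No"),
    _console_login("2019-05-01T12:20:00Z", "IAMUser", "dave", "203.0.113.44", "Failure", "No"),
    {"eventTime": "2019-05-01T12:21:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "sourceIPAddress": "203.0.113.10"},
]})


def analyze_sign_ins(trail_file_json, failure_threshold=3):
    """Summarise ConsoleLogin records: successes without MFA, root sign-ins, failures by IP."""
    records = json.loads(trail_file_json).get("Records", [])
    failures_by_ip = Counter()
    without_mfa, root_sign_ins = [], []
    for rec in records:
        if rec.get("eventName") != "ConsoleLogin":
            continue  # only sign-in events matter for this control
        ident = rec.get("userIdentity", {})
        user = ident.get("userName") or ident.get("type", "unknown")
        ip = rec.get("sourceIPAddress", "unknown")
        succeeded = rec.get("responseElements", {}).get("ConsoleLogin") == "Success"
        mfa = rec.get("additionalEventData", {}).get("MFAUsed") == "Yes"
        if not succeeded:
            failures_by_ip[ip] += 1
            continue
        entry = {"user": user, "ip": ip, "time": rec.get("eventTime"), "mfa": mfa}
        if ident.get("type") == "Root":
            root_sign_ins.append(entry)
        if not mfa:
            without_mfa.append(entry)
    return {
        "sign_ins_without_mfa": without_mfa,
        "root_sign_ins": root_sign_ins,
        "failed_attempts_by_ip": dict(failures_by_ip),
        "ips_over_failure_threshold": sorted(
            ip for ip, n in failures_by_ip.items() if n >= failure_threshold),
    }


if __name__ == "__main__":
    print(json.dumps(analyze_sign_ins(SAMPLE_TRAIL_FILE), indent=2))
```

The same function can be run over every file under the trail's S3 prefix, or the equivalent filter expressed as an Athena query against the CloudTrail table, to feed the discrepancy reports the Security Rule asks for.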

Collect evidence and be audit ready

In designing an information system that is consistent with HIPAA requirements, customers should include auditing capabilities so that security analysts can test detailed activity logs or reports to see who had access, from what IP address, what data was accessed, and so on. Using Amazon EC2, customers can run activity log files and audits down to the packet layer on their virtual servers, just as they do on traditional hardware. They can also track IP traffic that reaches their virtual server instance. Administrators can back up the log files into Amazon S3 for long-term, durable storage. AWS CloudTrail can be leveraged to monitor all API calls made, and this can prove to be a critical source for audits and forensic investigations. Deloitte's framework can enable customers to employ AWS services to track, log, and store data in a central location for extended periods of time, so it is available for use in case of an audit.

Get ahead of the curve

While moving to the cloud may provide information security benefits for customers, it does not discharge them from the duty under HIPAA to secure the data they possess. AWS provides myriad HIPAA-eligible services that can accelerate HIPAA compliance efforts. Deloitte's implementation experience in cloud compliance and documented accelerators can help companies meet HIPAA compliance within AWS. Our approach includes performing a current-state cloud risk assessment, developing a detailed cloud security risk management program, and documenting administrative standards supporting the secure use of the AWS cloud, as well as designing, architecting, building, and testing technical safeguards within AWS.

The strength of the Deloitte/AWS relationship

Our relationship brings together Deloitte's extensive industry experience in cyber and enterprise risk management with the security-enabled cloud infrastructure of AWS. In 2006, AWS began offering IT infrastructure services to businesses in the form of web services—now commonly known as cloud computing. Today AWS provides a highly reliable, secure, scalable, low-cost infrastructure that powers hundreds of thousands of businesses in 190 countries around the world, with over a million active customers spread across many industries and geographies.

[Partner designations shown on the page: Security Competency, Government Competency, Financial Services Competency, Public Sector Partner, MSP Partner, Life Sciences Competency]

Deloitte can help organizations adopt AWS securely and establish a security-first cloud strategy. Deloitte is a leading information technology and advisory company. Deloitte is an APN Premier Consulting Partner and an AWS Security Competency Partner (Launch Partner) and was one of the first eight organizations globally to achieve the Security Competency as a launch partner. Deloitte's vast experience in cyber risk, combined with its extensive experience with AWS and cloud technologies, enables us to provide end-to-end security solutions.

Authors

Aaron Brown, Partner, Cyber Risk Services, AWS Alliance Leader, Deloitte & Touche LLP, aaronbrown@deloitte.com
Ravi Dhaval, Senior Manager, Cyber Risk Services, Cloud & IoT Security Architect, Deloitte & Touche LLP, rdhaval@deloitte.com
Devendra Awasthi, Senior Manager, Cyber Risk Services, Technology Assurance, Deloitte & Touche LLP, dawasthi@deloitte.com
Justin Rowe, Senior Manager, Cyber Risk Services, Deloitte & Touche LLP, jurowe@deloitte.com
Piyum Zonooz, Global Partner Solution Architect, Amazon Web Services, pzonooz@amazon.com

Contributors

Steve Ma, Senior Consultant, Cyber Risk Services, Deloitte & Touche LLP, xiaotma@deloitte.com

This publication contains general information only and Deloitte is not, by means of this publication, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This publication is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor. Deloitte shall not be responsible for any loss sustained by any person who relies on this publication.

As used in this document, "Deloitte" means Deloitte & Touche LLP, a subsidiary of Deloitte LLP. Please see www.deloitte.com/us/about for a detailed description of our legal structure. Certain services may not be available to attest clients under the rules and regulations of public accounting.

Copyright 2019 Deloitte Development LLC. All rights reserved.

