2024 Guide to HIPAA Compliant Architecture on AWS

The Health Insurance Portability and Accountability Act (HIPAA) requires that you follow best practices for security and access controls. Amazon Web Services (AWS) is the most popular cloud computing service provider, so it is important to understand how to use AWS services in order to setup a proper HIPAA architecture. HIPAA compliance is never something to take lightly, so it’s always best to be a way of best practices when it comes to securing protected health information (PHI). Below we will go through the different areas of your architecture that you will want to take into consideration for HIPAA, along with some HIPAA-enabled AWS services that you can use to meet their needs.

SSL & TSL Certificates

Using SSL certificates is a no-brainer for any website these days, never mind a healthcare website that deals with PHI. To manage SSL certificates within AWS, you can use AWS Certificate Manager. You always want to process, store, and transmit data in encrypted formats. Having valid SSL certificates is HIPAA security and compliance 101; your cloud services should always have them.

Server Management

Everyone knows that Amazon EC2 is the de facto way to create and manage servers on AWS. However, in today’s DevOps world, you might also be interested in a number of other AWS services for managing your servers, including:

1. AWS Fargate: Fargate attempts to take some of the infrastructure and server management out of AWS, so you can focus on the development of your application. We see this as a win for AWS.
2. Amazon EKS: A managed Kubernetes service on AWS.
3. Amazon ECS: Amazon Elastic Container Service is a fast way to manage services in a cluster.

There are a number of different ways to manage servers through AWS these days. If you are not sure which path to go down, we recommend trying Amazon Fargate. Fargate works with both EKS and ECS. At the end of the day, these are all ways to manage Amazon Ec2 instances, but AWS Fargate takes the most off of your shoulders.

Database Management

For database management on AWS, we commend Amazon Relational Database Service. Keep in mind that, as with most applications, you will want to enable:

1. Database backups. If data is ever lost, you want to be able to restore from an automated database backup.
2. Read-only follower databases. Most people in your organization should not have access to a production database with write enabled, since your production database is likely to have protected health information (PHI) in it.

Cloud Storage

Most applications require some form of cloud storage these days. On AWS, you can use Amazon S3 and Amazon S3 Glacier for storing and archiving assets from your application. We recommend restricting Amazon S3 bucket access to your application and only exposing expiring URLs to users or colleagues so that the locations of assets within your Amazon S3 folder are not exposed.

For a complete overview of Amazon S3 HIPAA Compliance.

Network Configuration

Within your cloud infrastructure, there’s a good chance that you want virtual private clouds configured with subnets within them. To isolate environments from each other, you might even want separate VPCs for each environment you run. To configure VPCs, you can use Amazon VPC. Within your Amazon VPC you can configure subnets for your environments. Some additional network security services you may want to include:

1. AWS Transit Gateway, which allows your VPCs to connect to each other.
2. AWS Site-to-Site VPN, which will allow you to connect to your VPCs from your remote network.

Access Control and Permissions

When it comes to HIPAA compliance, access controls are important. Your HIPAA-compliant applications should only give the necessary levels of access to your employees and business associates. That is true for all of your HIPAA-compliant AWS infrastructures, along with any services that contain sensitive data (especially PHI). AWS Identity and Access Management can help you create policies to control access for the different people who might manage PHI.

Infrastructure and Application Monitoring

To visualize your architecture and application, setup Amazon CloudWatch. You can use it to monitor application performance, perform root analysis, to optimize cloud resources, and for some logging.

You should setup your AWS account to send you notifications of any alerts you receive. Use Amazon Simple Notification Service (SNS) to send yourself an email or an SMS message whenever an alert is received.

Infrastructure Logs, Application Logs, and Audit Logs

Detecting unauthorized access and having access and infrastructure logs are important for HIPAA-compliant applications. AWS CloudTrail can help you put these items in place. CloudTrail is almost designed for things like HIPAA compliance. Auditing and security incident identifications are two of the main purposes of AWS CloudTrail.

Continuous Integration and Continuous Deployment

We highly recommend not using manual deploys for HIPAA applications. Manual deploys open the gate for human error. To configure CI/CD on AWS, you can use AWS CodePipeline. Depending on your configuration, you may also have to get your hands dirty with AWS CodeCommit (Guide) and AWS CodeDeploy.

Get Help Setting up HIPAA on AWS

A lot goes into setting up AWS to be HIPAA compliant. The information above is pertinent to covered entities, business associates, and business associate subcontractors. If you need help getting a HIPAA-compliant architecture setup, Flatirons can help. We are a HIPAA-compliant software vendor that can sign a Business Associate Agreement with your organization. We have experience setting up HIPAA-compliant infrastructure on a number of clouds computing services.