AWS Secrets to HIPAA-Compliant Health Applications

The digitalization of healthcare has made our lives easier, allowing us to manage our health and our loved ones' well-being better. However, as healthcare becomes more interconnected, it is crucial to approach this digital transformation with care, as it involves handling some of our most sensitive and private data.

The Health Insurance Portability and Accountability Act (HIPAA) sets important guidelines for protecting this information. In this article, we explore the challenges of maintaining HIPAA compliance and offer clear, practical solutions for effectively safeguarding patient data using AWS Cloud solutions.

Why It Matters, Especially in Health Applications

The number of data breaches is not only increasing, but the breaches themselves are becoming more severe. In 2021, 45.9 million records were compromised. Unfortunately, 2022 was even worse, with 51.9 million records breached. However, 2023 shattered all previous records, with an astonishing 133 million records exposed, stolen, or otherwise improperly disclosed. This staggering total includes 26 breaches involving more than 1 million records each, and four breaches involving over 8 million records (source: HIPAA Journal).

In her book Privacy is Power, Carissa Véliz addresses many aspects of data protection, including the protection of patients' medical data:

“You could also be the victim of a data breach. In 2015, over 112 million health records were breached in the United States alone.”‍

Source: Carissa Véliz, Privacy is Power

Source of statistics: Forbes

It's not just breaches that threaten our data. Another serious problem is the number of companies that fail to protect user data and sell it to data brokers without anonymization or even the patient’s consent.

“Privacy also gets a hard time in medical contexts. Physicians and tech companies hungry for personal data argue that privacy is a barrier to the advancement of personalized medicine and big data analytics.”‍

Source: Carissa Véliz, Privacy is Power

Data breaches' increasing frequency and severity highlight the critical importance of protecting patient data. In 2023 alone, 133 million healthcare records were compromised, surpassing previous years. This alarming trend underscores the need for robust data protection measures, especially as some companies fail to safeguard user data, selling it to brokers without proper anonymization or consent. Ensuring privacy is essential not only for compliance but also for maintaining trust in healthcare systems.

‍

‍

Understanding HIPAA and Its Requirements

The HIPAA document is complex and lengthy, but understanding it is crucial. HIPAA compliance involves a detailed set of rules designed to ensure the privacy and security of both Protected Health Information (PHI) and Electronic Protected Health Information (ePHI).

At a high level, these rules include Technical Safeguards, Physical Safeguards, and Administrative Safeguards, each with specific requirements. For organizations new to these regulations, understanding and implementing them correctly can be daunting.

• Technical Safeguards: These include actions such as proper access management, audits, encryption of data, ePHI detection, and integrity.
• Physical Safeguards: These involve protecting physical PHI from unauthorized access and destruction. It also includes securing physical access to your infrastructure, which is why outsourcing this to a HIPAA-compliant vendor like AWS can reduce costs and time spent on this.
• Administrative Safeguards: These are the most extensive in terms of preparation. They encompass employee training, awareness, and a serious approach to data security. This also includes proper agreements, secrets management, data breach response, and a recovery plan.

Start with comprehensive training for your team. It’s crucial that everyone, from IT staff to executives, understands HIPAA’s requirements and the importance of compliance. Additionally, consider partnering with a compliance expert who can guide you through the complexities of HIPAA. Regularly update your training and procedures to stay compliant with any changes in the regulations.

Choosing Your Partners Right for the HIPAA Compliance

One of HIPAA's key requirements is establishing a Chain of Trust. This means that to protect ePHI (electronic Protected Health Information) or PHI (Protected Health Information), every link in the chain must be reliable to ensure true security. These links include Covered Entities, as well as all business associates and vendors. To comply, you must sign a Business Associate Agreement (BAA) with all associates, vendors, and companies with whom you exchange any sensitive data. This agreement outlines the rules for data exchange and affirms that both parties are HIPAA-compliant.

It is crucial to thoroughly vet your partners, as a data breach may occur on their side without your direct involvement, yet it can still damage your credibility and erode user trust. Importantly, all BAA agreements must be signed before you begin collecting data under HIPAA compliance, as HIPAA regulations apply to your partners the moment the BAA is signed.

As a cloud provider, AWS is committed to signing a BAA with its clients, which can be facilitated through the AWS Artifact service. AWS offers a BAA that you can sign to ensure that the services used to process PHI comply with HIPAA. It’s important to review this agreement carefully and understand which AWS services are covered. Not all AWS services are HIPAA-eligible, so you need to select the right ones for your use case.

Once the BAA is in place, ensure that all relevant employees are aware of the terms and conditions. Regularly audit your use of AWS services to confirm that you comply with the agreement. Communication between you and your associates should also be HIPAA-compliant, as it might contain sensitive information. This is a complex subject, as not every email/chat provider ensures HIPAA compliance out of the box, and some solutions might be costly. To ensure a HIPAA-compliant solution, we use Mattermost for secure communication.

Securing ePHI on AWS

HIPAA requires that ePHI be securely stored, accessed, and transmitted. With AWS, while the infrastructure is secure, the responsibility of configuring it to meet HIPAA requirements falls on your organization. Misconfigurations, such as insufficient access controls or improper encryption, can lead to data breaches.

AWS provides several tools and services to help secure PHI:

• Data Encryption: Use AWS Key Management Service (KMS) to encrypt data at rest and AWS Certificate Manager to provide TLS for data in transit. This ensures that ePHI is protected both while it’s stored and as it moves between systems. Many AWS services like AWS RDS, S3, or DynamoDB provide out-of-the-box encryption.
• Access Control: Implement strict Identity and Access Management (IAM) policies to ensure that only authorized personnel can access PHI. Use Multi-Factor Authentication (MFA) to add an additional layer of security. We strongly recommend using Yubikeys as a hardware key to provide the strongest 2FA for your IAM users and introduce robust password policies. If your organization needs to be split into more departments, you can use AWS Organizations to centralize all your AWS accounts and manage them. Your organization might also establish Site-to-Site VPN connections to access private resources on your VPC without exposing them to the public internet.
• Monitoring and Auditing: Enable AWS CloudTrail and AWS Config to monitor and log all activities in your AWS environment. These tools help you detect unauthorized access or changes to your environment, which is crucial for maintaining compliance.
• Threat Detection: Use AWS Inspector and AWS GuardDuty to provide continuous auditing and scanning of your activity and resources to detect suspicious activity and vulnerabilities. AWS Trusted Advisor offers automated guidance for improving security configurations.

Here you can find a comprehensive description of all services that might be used on an organization's HIPAA compliance journey. By leveraging these AWS services, you can create a secure environment that meets HIPAA’s standards.

Responding to Data Breaches

Despite your best efforts, data breaches can happen. HIPAA requires that you have a plan in place to respond quickly to such incidents, including notifying affected individuals and regulatory authorities.

Develop a robust incident response plan that includes:

• Detection: Use AWS CloudWatch and CloudTrail to monitor your systems for signs of a breach. Set up alarms that notify your security team immediately when suspicious activity is detected. Properly configured CloudTrail is crucial for detecting the root cause of what happened on your AWS account. Additionally, we strongly recommend using Auditd with robustly configured rules for auditing your servers. As your infrastructure grows, it becomes more important to provide automated and strong solutions for detecting and preventing data breaches.
• Response: Define clear procedures for investigating and containing the breach. This should include steps to protect any remaining PHI and to prevent further unauthorized access. HIPAA obligates you to assign roles and prepare a plan for recovery from incidents, aiming for the lowest possible time and data loss.
• Notification: Be prepared to notify affected individuals and the Department of Health and Human Services (HHS) within the timeframes required by HIPAA. It is good practice to prepare templates for your customers that hopefully will never need to be used. However, a lack of communication with your customers in the event of a data leak might be even more damaging to your business. Such a message might be an email or text message, which can be sent in bulk via AWS SNS or AWS SES services.

Regularly testing and updating your incident response plan is crucial to ensure it remains effective, adapting to changes in technology, regulations, and your organization’s operations. This involves not only internal and external security tests, such as penetration testing and vulnerability assessments but also regular auditing to confirm compliance with HIPAA requirements and the proper functioning of security measures. Implementing strict access controls, where employees have access only to the data necessary for their roles, further reduces the risk of unauthorized access. Additionally, enforcing internal policies and ensuring that employees consistently follow security protocols through regular training and compliance reviews is vital. Together, these measures significantly decrease the likelihood of a data breach, helping to maintain the integrity of sensitive information and uphold trust.

Maintaining HIPAA Compliance with AWS

Achieving and maintaining HIPAA compliance on AWS requires a proactive approach. By understanding HIPAA’s requirements, securing your data, managing third-party agreements, and preparing for potential breaches, you can leverage the power of AWS while keeping patient information safe and compliant.

AWS provides the tools and services necessary to meet HIPAA standards, but it’s up to your organization to implement and manage these tools correctly. Regular training, auditing, and updates to your processes will help ensure ongoing compliance in an ever-evolving digital landscape.

AWS—Your Ally in the HIPAA-Compliant Health Application

Healthcare organizations must treat HIPAA compliance as a continuous process rather than a one-time task. By following best practices and staying informed about changes in regulations and technology, you can protect your patients’ data and your organization’s reputation. AWS can be a powerful ally in this effort, provided you use its tools and services with compliance in mind.