Achieving Compliance with Healthcare Regulations Using safeINIT’s HIPAA-Compliant Environment
By Cosmin Drîmbă, CEO and Co-Founder – safeINIT
By Ovidiu Chelăruș, Sales and Marketing Director – safeINIT
By Radu Dobrinescu, Partner Solutions Architect, CEE – AWS EMEA
Healthcare organizations must take strict measures to protect patient data, including using secure infrastructure to host applications.
From protecting sensitive personal health information (PHI) from unauthorized access or disclosure, to regular monitoring and auditing of IT systems and processes, or ensuring that third-party vendors comply with HIPAA regulations, the tasks can be daunting.
It’s important to remember that compliance is not just about avoiding penalties—it’s about keeping patients’ personal health information safe. That’s why a new infrastructure-as-code (IaC) HIPAA-compliant environment from safeINIT is designed specifically to protect sensitive data for healthcare applications on Amazon Web Services (AWS).
The offering allows organizations to easily deploy, manage, and scale infrastructure, while maintaining compliance with HIPAA regulations and customizing the solution to cater to their specific needs.
In this post, you’ll learn how organizations can overcome common challenges and achieve compliance with healthcare regulations while building a secure and resilient environment to store ePHI.
safeINIT is an AWS Advanced Tier Services Partner and AWS Marketplace Seller that is a member of the AWS Well-Architected Partner Program. safeINIT has invested hundreds of hours in combining the necessary tools, methods, and certifications to provide a suitable environment for hosting HIPAA applications.
Some of the biggest challenges customers face while maintaining HIPAA compliance usually fall into these categories:
- Auditing and compliance
- Data security
- Limited resources or limited time to stay up to date
- Risk management
- Cost management
Keeping expenses associated with compliance in check while ensuring the organization is meeting all requirements is a difficult balance. It can be achieved by deploying the right cloud solutions and following best practices, such as conducting a thorough risk analysis, implementing access controls, or encrypting data in transit and at rest.
Regardless of how an organization chooses to configure their HIPAA-compliant environment, they need to keep some things in mind:
- Employees must be trained to recognize and report potential violations of HIPAA regulations, as they have to be aware of the importance of protecting PHI.
- Third-party vendors, contractors, and business associates who may have access to PHI also need to comply with HIPAA regulations and maintain the same level of security as the healthcare organization.
safeINIT’s HIPAA-compliant environment is designed specifically to host healthcare applications on AWS, providing organizations with a faster and more secure way to deploy and manage their infrastructure.
How it Works
The solution starts with a provisioning phase in which an initial AWS CloudFormation template is deployed, which automates the creation of the accounts. The template creates an AWS Organization, along with child AWS accounts, following AWS best practices and security reference architectures.
This includes a payer (or management) account, audit account, log-archive account, shared services account, and at least one workload account, where the application will be hosted. Additional workload accounts can be created for development, staging, or quality assurance purposes.
Regarding the CI/CD setup, the provisioning template facilitates the establishment of key components for seamless integration and deployment. These components include the creation of an AWS CodeCommit repository, configuration of an Amazon EventBridge rule, setup of an AWS Lambda function, and establishment of an AWS CodePipeline and AWS CodeBuild project.
As part of the setup, the customer’s CodeCommit repository is automatically populated with the latest code from the central safeINIT repository. An EventBridge rule is implemented to detect code pushes to the customer’s repository, triggering a Lambda function that incorporates the necessary logic to efficiently plan and apply the Terraform code within the designated workspace. This process ensures a smooth and accurate deployment experience.
Figure 1 – Infrastructure deployment flow.
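The push-to-deploy trigger described above, written out as Terraform. This is an added illustration, not safeINIT's own code; it assumes the repository and the plan/apply Lambda are defined elsewhere as `aws_codecommit_repository.customer` and `aws_lambda_function.terraform_runner`.

```hcl
# Assumed to exist elsewhere: aws_codecommit_repository.customer and
# aws_lambda_function.terraform_runner (the Lambda that runs plan/apply).
resource "aws_cloudwatch_event_rule" "on_push" {
  name        = "codecommit-push-to-main"
  description = "Fire when a commit lands on the deployment branch"

  event_pattern = jsonencode({
    source        = ["aws.codecommit"]
    "detail-type" = ["CodeCommit Repository State Change"]
    resources     = [aws_codecommit_repository.customer.arn]
    detail = {
      event         = ["referenceCreated", "referenceUpdated"]
      referenceType = ["branch"]
      referenceName = ["main"] # branch the environment is deployed from
    }
  })
}

resource "aws_cloudwatch_event_target" "run_terraform" {
  rule = aws_cloudwatch_event_rule.on_push.name
  arn  = aws_lambda_function.terraform_runner.arn
}

# Without this resource-based permission EventBridge cannot invoke the
# function; scoping it to the rule ARN keeps other principals from doing so.
resource "aws_lambda_permission" "allow_eventbridge" {
  statement_id  = "AllowEventBridgeInvoke"
  action        = "lambda:InvokeFunction"
  function_name = aws_lambda_function.terraform_runner.function_name
  principal     = "events.amazonaws.com"
  source_arn    = aws_cloudwatch_event_rule.on_push.arn
}
```

Restricting the pattern to one branch means feature-branch pushes land in the repository without touching the workspace; only merges to the deployment branch reach the Lambda.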
Workload accounts are split into multiple layers, with each representing a specific purpose. This structured approach helps streamline resource management and maintain consistency across environments. By organizing workspaces in this manner, safeINIT can efficiently manage and deploy resources while maintaining a clear separation of concerns across different environments and purposes.
The shared layer contains common resources used by the other layers, such as networking resources, security groups, and Amazon Route 53 hosted zones.
The application layer contains application-specific resources, such as Elastic Load Balancers, Amazon Elastic Compute Cloud (Amazon EC2) instances, Amazon Elastic Container Service (Amazon ECS) clusters, and microservices definitions.
The Terraform code is customized to meet the customer’s needs before the initial push, such as changing settings for backup retention periods, Amazon Simple Storage Service (Amazon S3) lifecycle options, and Amazon Route 53 hosted zone names.
The workspaces are then manually applied in sequence from the AWS CodePipeline interface, starting with the shared layer, then the stateful layer, and finally the application layer. This ensures all dependencies between resources are satisfied.
Once the infrastructure is deployed by safeINIT, AWS Config and AWS Organizations are used to continuously monitor the environment’s compliance with HIPAA regulations, including security group rules, encryption at rest, multi-factor authentication (MFA), and network segmentation.
Dive Deep on Security
Security is of the utmost importance when it comes to hosting healthcare-compliant applications, which is why safeINIT’s HIPAA-compliant environment implements several security measures and AWS products to support the protection of sensitive patient data:
Encryption in Transit
To ensure all traffic received on Amazon CloudFront and Application Load Balancer is encrypted, the safeINIT HIPAA-compliant environment uses AWS Certificate Manager. Additionally, redirect rules are configured to redirect HTTP traffic to HTTPS, which provides a secure connection between a user’s web browser and the website they are visiting.
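The listener pair that implements the HTTP-to-HTTPS redirect on an Application Load Balancer, as an added Terraform example (not code from safeINIT). It assumes `aws_lb.app`, `aws_lb_target_group.app` and a DNS-validated certificate `aws_acm_certificate_validation.app` are defined elsewhere.

```hcl
# Port 80 never serves content: every request is answered with a permanent
# redirect to the same host and path over HTTPS.
resource "aws_lb_listener" "http_redirect" {
  load_balancer_arn = aws_lb.app.arn # assumed ALB
  port              = 80
  protocol          = "HTTP"

  default_action {
    type = "redirect"
    redirect {
      port        = "443"
      protocol    = "HTTPS"
      status_code = "HTTP_301"
    }
  }
}

# Port 443 terminates TLS with the ACM certificate. Referencing the
# validation resource (assumed, DNS-validated) rather than the certificate
# itself makes Terraform wait until the certificate is actually issued.
resource "aws_lb_listener" "https" {
  load_balancer_arn = aws_lb.app.arn
  port              = 443
  protocol          = "HTTPS"
  ssl_policy        = "ELBSecurityPolicy-TLS13-1-2-2021-06" # TLS 1.2+ only
  certificate_arn   = aws_acm_certificate_validation.app.certificate_arn

  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.app.arn # assumed target group
  }
}
```

A quick check after apply: `curl -sI http://<alb-dns-name>/` should return `301` with a `Location: https://...` header and no body.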
Encryption at Rest
AWS resources that support encryption, such as Amazon S3, Amazon Elastic Block Store (Amazon EBS), or Amazon RDS, are configured to use an AWS Key Management Service (AWS KMS) key for data encryption at rest.
Access to the AWS KMS key is strictly controlled, and only the necessary resources and services are given access.
Force EBS Encryption
safeINIT has implemented a policy requiring all EBS volumes to use AWS KMS encryption; this way, any unencrypted volumes cannot be created.
Strict Security Group Rules
To limit the attack surface, safeINIT has configured strict security group rules so AWS resources only interact with the necessary services and only on the needed ports.
Block Amazon S3 Public Access
To help protect stored files from unauthorized access, safeINIT has implemented a policy that forces all Amazon S3 buckets to block public access.
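The two account-level settings behind the "Force EBS Encryption" and "Block Amazon S3 Public Access" items above, as an added Terraform example (not safeINIT's code). Both EBS settings are per region, so the block is assumed to be applied in every region a workload account uses.

```hcl
# Account-wide S3 guard: overrides any bucket ACL or bucket policy that
# would grant public access, regardless of who creates the bucket later.
resource "aws_s3_account_public_access_block" "all_buckets" {
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# Customer-managed key for EBS so key usage can be scoped and audited.
resource "aws_kms_key" "ebs" {
  description             = "CMK for EBS volumes in this account"
  enable_key_rotation     = true
  deletion_window_in_days = 30
}

# Turn on encryption by default (per region): new volumes and snapshots are
# encrypted even when the caller does not ask for it.
resource "aws_ebs_encryption_by_default" "on" {
  enabled = true
}

# Make the CMK above the default key instead of the AWS-managed aws/ebs key.
resource "aws_ebs_default_kms_key" "ebs" {
  key_arn = aws_kms_key.ebs.arn
}
```

Enabling encryption by default does not touch volumes that already exist; those need to be snapshotted and recreated as encrypted volumes.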
Access to Amazon EC2 Instances
Apply Specific Service Control Policies
Service Control Policies (SCPs) enforce boundaries across the AWS Organization. These policies include denying the creation of AWS Identity and Access Management (IAM) users, denying S3 buckets without encryption, and denying the deletion of AWS KMS keys.
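The three denials listed above, expressed as one SCP attached to a workloads OU. This is an added Terraform example, not safeINIT's actual policy; the OU id is assumed to arrive in `var.workloads_ou_id`, and the S3 statement is written as a deny on object uploads that do not request SSE-KMS, which is one common way to realise the "no unencrypted S3" guardrail.

```hcl
resource "aws_organizations_policy" "hipaa_guardrails" {
  name        = "hipaa-guardrails"
  description = "Deny IAM users, S3 uploads without KMS, and KMS key deletion"
  type        = "SERVICE_CONTROL_POLICY"

  content = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        # No long-lived human credentials in member accounts; access comes
        # through roles (e.g. IAM Identity Center) instead.
        Sid      = "DenyIamUserCreation"
        Effect   = "Deny"
        Action   = ["iam:CreateUser", "iam:CreateAccessKey", "iam:CreateLoginProfile"]
        Resource = "*"
      },
      {
        # Every PutObject must ask for SSE-KMS. A negated operator also
        # matches when the header is absent, so plain uploads are denied too.
        # Services writing to S3 on your behalf must be configured to set it.
        Sid      = "DenyS3UploadsWithoutKms"
        Effect   = "Deny"
        Action   = "s3:PutObject"
        Resource = "*"
        Condition = {
          StringNotEquals = { "s3:x-amz-server-side-encryption" = "aws:kms" }
        }
      },
      {
        # Losing a key means losing every object and volume encrypted with it.
        Sid      = "DenyKmsKeyDeletion"
        Effect   = "Deny"
        Action   = ["kms:ScheduleKeyDeletion", "kms:DeleteImportedKeyMaterial"]
        Resource = "*"
      }
    ]
  })
}

# SCPs never restrict the management account, so they are attached to the
# OU that holds the workload accounts.
resource "aws_organizations_policy_attachment" "workloads" {
  policy_id = aws_organizations_policy.hipaa_guardrails.id
  target_id = var.workloads_ou_id # assumed input: id of the workloads OU
}
```

Because an SCP is a ceiling on permissions rather than a grant, an action denied here is refused even for an account administrator, which is what makes it a guardrail rather than a default.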
AWS Secrets Manager
To protect sensitive information, such as database passwords and tokens, safeINIT has implemented AWS Secrets Manager. This service can securely store and manage sensitive data, and it’s set by default to rotate the data every 30 days.
To detect any unusual behavior, AWS CloudTrail is enabled on all accounts and the logging is configured for each component used by the application. This allows safeINIT to monitor for potential security threats and quickly respond to any incidents.
By implementing these security measures, safeINIT can support a more secure and compliant infrastructure for hosting HIPAA-compliant applications and help keep patient data protected.
The safeINIT solution offers customers the necessary security controls, such as encryption and access controls, and pre-configured, compliance-specific services, such as AWS Config and AWS Systems Manager.
The environment also includes automated deployment of network, compute, and storage resources, reducing the risk of errors and improving efficiency.
Other benefits include:
- Master management of security controls: The safeINIT offering provides a variety of security controls, such as IAM and AWS KMS, which can be used to protect PHI and limit access to authorized users.
- Safe encryption: Using AWS KMS, Amazon EBS, and AWS Certificate Manager, PHI can be encrypted at rest and in transit, making it more difficult for unauthorized users to access the data in the event of a breach.
- Monitoring and auditing support: Services such as Amazon CloudWatch and AWS CloudTrail make it simple to monitor and audit access to PHI, providing visibility into any potential breaches and allowing organizations to respond quickly to security incidents.
- Compliance and governance: AWS has achieved compliance with HIPAA and HITECH regulations and has a Business Associate Agreement (BAA) available for customers to sign, which is a requirement for using AWS services to store, process, or transmit PHI. This allows healthcare organizations and other businesses in the healthcare industry to take advantage of the scalability, reliability, and cost-effectiveness of AWS cloud computing services while meeting regulatory requirements and protecting sensitive patient data.
- Fast incident response: safeINIT’s solution provides an incident response service that helps customers respond to security breaches and restore normal operations as quickly as possible. The system is based on services such as Amazon GuardDuty, AWS Config, and AWS Security Hub.
- Reliable backups: With services such as Amazon S3 and AWS Backup creating and managing stable backups of PHI, organizations can quickly restore data in case of availability issues.
i2iConnect is a practice management and teletherapy platform, building relationship-centered technology to improve outcomes and revolutionize the delivery of behavioral healthcare. It had to comply with the strict regulations of HIPAA and address high-availability, security, and operational needs.
Implementing the safeINIT solution gave the customer’s business associates a confidence boost in terms of overall system security. Together with i2iConnect’s CISO, safeINIT filled out the HIPAA compliance report and checked all of the missing boxes.
Specifically, this resulted in:
- Improving the application’s reliability and cost-effectiveness.
- Reducing the time to scale by over 75%.
- Decreasing database and compute costs by 50%.
- Streamlining the application development process.
Read the full safeINIT-i2iConnect case study to learn more.
In another example, the rXperius consulting business provides strategic drug development guidance to small and emerging pharma companies looking to engage the U.S. Food and Drug Administration (FDA) to advance drug development programs.
The company needed a modernized infrastructure with improved utilization and scalability in a secure, HIPAA-compliant environment. With the new architecture in place, it achieved:
- More flexible deployment.
- Faster delivery of new features.
- Reliability on best practices.
- Improved scalability to handle changes.
Check out the full safeINIT-rXperius case study to learn more.
In this post, you learned why maintaining HIPAA compliance is a complex and ongoing challenge for healthcare organizations.
safeINIT understands this and offers a comprehensive package to help healthcare organizations incorporate compliance regulations into their key infrastructure and to support improved security and privacy for PHI. You can learn more about safeINIT’s HIPAA-compliant environment in AWS Marketplace.
Contact safeINIT to help you stay compliant and protect against data breaches, so you can focus on providing quality healthcare services.
safeINIT – AWS Partner Spotlight
safeINIT is an AWS Partner that has invested hundreds of hours in combining the necessary tools, methods, and certifications to provide a suitable environment for hosting HIPAA applications.