Streamline Your HIPAA Security Program on AWS with Dash ComplyOps
By Cheryl Cage, Sr. Security Partner Strategist – AWS
By Jacob Nemetz, CTO – Dash
Healthcare organizations and software providers that build and manage healthcare workloads must formulate the appropriate strategies to establish an effective security and compliance program.
The HIPAA Security Rule requires covered entities (individuals and organizations) and their business associates (vendors, contractors, and subcontractors) who access or handle protected health information (PHI) to follow appropriate technical, physical, and administrative safeguards to keep healthcare data confidential and secure.
It’s imperative to take these safeguards into consideration when designing and building your application. HIPAA’s Privacy Rule lists 18 identifiers (names, email addresses, medical record numbers, and so on); health information that carries any of them is individually identifiable and therefore PHI, and the same list defines what must be removed for “safe harbor” de-identification. Security Rule requirements are deliberately technology-neutral and broad in places so they can be applied to every type of covered entity or business associate that handles PHI, which also means they rarely tell you exactly which control to deploy.
With some guidance and the proper tools, meeting HIPAA requirements is less intimidating.
In this post, we will walk through best practices for Amazon Web Services (AWS) customers to build, monitor, and maintain a robust HIPAA security program across their AWS cloud environments. You’ll learn how to automate compliance efforts by leveraging AWS-native services alongside Dash ComplyOps, which is available in AWS Marketplace.
Dash is an AWS Partner with the AWS Healthcare Competency and a member of the Global Security & Compliance Acceleration (GSCA, formerly known as ATO on AWS) program. Dash provides an automated solution for managing administrative security policies, setting technical controls, and maintaining security programs through continuous compliance monitoring.
Building the Solution
The AWS Shared Responsibility Model matters a great deal under HIPAA because it determines who implements each technical, physical, and administrative safeguard: AWS is responsible for security of the cloud (facilities, hardware, and the underlying services), while you remain responsible for security in the cloud. You still need to ensure you adhere to the applicable regulations by implementing security controls, configuring services correctly, and conducting regular risk assessments.
To help navigate shared responsibility, AWS has released the Customer Compliance Guides (CCGs) on AWS Artifact. Customer Compliance Guides are derived from AWS Service User Guides and include security best practice guidance for over 100 AWS services and features mapped to compliance frameworks, including HIPAA, NIST, CMMC, PCI-DSS, SOC 2, CIS Critical Controls, NERC-CIP, and ISO-27001.
Let’s look at best practices that allow organizations to demonstrate HIPAA compliance on AWS.
Sign a Business Associate Agreement with AWS
Before storing or managing any PHI on AWS, you must sign and execute a Business Associate Agreement (BAA) with AWS. This legal agreement establishes each party’s responsibilities for safeguarding PHI. Customers can review, accept, and check the status of their AWS BAA through a self-service portal available in AWS Artifact.
Identify Scope of Your HIPAA Compliance Requirements
Any AWS service can be used as part of a healthcare application, but only services covered by the AWS BAA and listed on the HIPAA Eligible Services Reference page may be used to process, store, or transmit PHI. Services that are not HIPAA eligible can still run in the same account, provided no PHI flows through them; drawing and documenting that boundary is the scoping exercise.
Implement Appropriate Security Controls
Utilizing HIPAA-eligible services does not instantly make your organization or your application HIPAA compliant. Customers are responsible for configuring and implementing appropriate technical controls and safeguards to protect PHI. Misconfigurations of AWS services can lead to security breaches and potential HIPAA violations, so it’s important to configure these services according to AWS guidance to ensure they meet HIPAA compliance requirements.
Always Encrypt Both In-Transit and At-Rest
The HIPAA Security Rule includes addressable implementation specifications for encrypting PHI at rest (45 CFR 164.312(a)(2)(iv)) and in transit (164.312(e)(2)(ii)). “Addressable” does not mean optional: you must either implement the specification or document why it is not reasonable and appropriate for your environment and what equivalent measure you use instead. AWS offers a wide set of features and services that make encryption of PHI manageable and easier to audit, including AWS Key Management Service (AWS KMS), whose key policies and CloudTrail-logged key usage give you a record of who could and did decrypt data.
Customers can also take advantage of features native to HIPAA-eligible services such as Amazon Simple Storage Service (Amazon S3): set a default encryption configuration on every bucket that holds PHI (SSE-KMS with a customer managed key if you want per-key audit and access control), and enforce encryption in transit with a bucket policy that denies any request where aws:SecureTransport is false. For your own TLS endpoints on Elastic Load Balancing or Amazon CloudFront, AWS Certificate Manager handles certificate issuance and renewal.
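The two S3 controls described above can be verified from the bucket’s policy and encryption configuration. The following is an added example, not code from Dash or AWS: it evaluates a bucket policy for a TLS-enforcing Deny statement and checks whether default encryption uses SSE-KMS with a customer managed key, running a weak configuration beside the corrected one. The inputs are constructed here but match the shape of `aws s3api get-bucket-policy` (the Policy field is a JSON string) and `aws s3api get-bucket-encryption` output; the bucket name, account ID and key ARN are placeholders.

```python
"""Check an S3 bucket for TLS enforced in transit (a Deny on
aws:SecureTransport=false) and SSE-KMS with a customer managed key at rest.

Added example, not code from Dash or AWS. Inputs are constructed placeholders
shaped like `aws s3api get-bucket-policy` / `get-bucket-encryption` output.
"""
import json


def _as_list(value):
    """IAM policy fields may be a single value or a list; normalise."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def enforces_tls(policy_json, bucket):
    """True if a Deny statement covers every principal, every S3 action, and
    both the bucket and its objects when aws:SecureTransport is false."""
    if not policy_json:                      # no bucket policy at all
        return False
    bucket_arn = f"arn:aws:s3:::{bucket}"
    required = {bucket_arn, bucket_arn + "/*"}
    for stmt in _as_list(json.loads(policy_json).get("Statement")):
        if stmt.get("Effect") != "Deny":
            continue
        if stmt.get("Principal") not in ("*", {"AWS": "*"}):
            continue
        if not any(a in ("*", "s3:*") for a in _as_list(stmt.get("Action"))):
            continue
        flag = stmt.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport")
        if str(flag).lower() != "false":
            continue
        resources = set(_as_list(stmt.get("Resource")))
        if "*" in resources or required <= resources:
            return True
    return False


def uses_customer_managed_kms(encryption):
    """True if default encryption is SSE-KMS with a key other than the AWS
    managed alias/aws/s3 key. A bare key ARN cannot be classified offline;
    resolve it with `aws kms describe-key` and check KeyManager == CUSTOMER."""
    rules = encryption.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    for rule in rules:
        default = rule.get("ApplyServerSideEncryptionByDefault", {})
        if default.get("SSEAlgorithm") not in ("aws:kms", "aws:kms:dsse"):
            continue
        key_id = default.get("KMSMasterKeyID", "")
        if key_id and not key_id.endswith("alias/aws/s3"):
            return True
    return False


def assess(bucket, policy_json, encryption):
    """Findings for the bucket, each mapped to its HIPAA Security Rule citation."""
    findings = []
    if not enforces_tls(policy_json, bucket):
        findings.append(("45 CFR 164.312(e)(1) transmission security",
                         "bucket policy does not deny non-TLS requests"))
    if not uses_customer_managed_kms(encryption):
        findings.append(("45 CFR 164.312(a)(2)(iv) encryption and decryption",
                         "default encryption is not SSE-KMS with a customer managed key"))
    return findings


# Constructed sample input: the same bucket with a weak and a corrected setup.
BUCKET = "example-phi-bucket"
APP_READ = {"Sid": "AppRead", "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111122223333:role/app-role"},
            "Action": "s3:GetObject", "Resource": f"arn:aws:s3:::{BUCKET}/*"}
DENY_PLAINTEXT = {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
                  "Action": "s3:*",
                  "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
                  "Condition": {"Bool": {"aws:SecureTransport": "false"}}}
WEAK_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [APP_READ]})
TLS_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [APP_READ, DENY_PLAINTEXT]})

SSE_S3_DEFAULT = {"ServerSideEncryptionConfiguration": {"Rules": [
    {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}}
SSE_KMS_CMK = {"ServerSideEncryptionConfiguration": {"Rules": [
    {"ApplyServerSideEncryptionByDefault": {
        "SSEAlgorithm": "aws:kms",
        "KMSMasterKeyID": "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"},
     "BucketKeyEnabled": True}]}}

if __name__ == "__main__":
    for label, policy, enc in (("weak", WEAK_POLICY, SSE_S3_DEFAULT),
                               ("corrected", TLS_POLICY, SSE_KMS_CMK)):
        print(label, assess(BUCKET, policy, enc) or "no findings")
```

The Deny statement must name both the bucket ARN and the `/*` object ARN: a policy that only covers objects still allows plaintext `ListBucket` calls, which is why `enforces_tls` requires both resources rather than either one.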
Implement Auditing and Monitoring Controls
Audit controls are a technical safeguard (45 CFR 164.312(b)) that must be addressed when architecting for HIPAA compliance on AWS. API activity, configuration changes, and access to resources that hold PHI should be logged to a central, write-protected location (for example, an organization-wide CloudTrail trail delivered to a dedicated log-archive account with log file validation enabled) so that a complete audit trail exists to reconstruct events after data loss or a security breach.
Using a combination of services such as AWS Config, AWS CloudTrail, AWS Security Hub, Amazon GuardDuty, and Amazon CloudWatch is an effective approach. Additionally, the Operational Best Practices for HIPAA Security AWS Config conformance pack can help you manage configuration compliance of your AWS resources.
Have Disaster Recovery Mechanisms in Place
Every organization that falls under HIPAA must have a contingency plan (45 CFR 164.308(a)(7)), which includes a data backup plan, a disaster recovery plan, and an emergency mode operation plan. The goal is the availability and integrity of PHI: the data must survive an outage, an accidental deletion, or a ransomware event and be restorable within the time your plan commits to. Configure backup and recovery deliberately (AWS Backup with cross-Region or cross-account copies, versioning and replication for Amazon S3, encrypted snapshots for Amazon EBS and Amazon RDS), keep backups under the same encryption and access controls as the source data, and test restores on a schedule, since an untested backup does not satisfy the plan.
Assess and Update the Security of Your AWS Environment
As organizations scale applications, add staff, and create new AWS resources, they must keep their security standards in line with their security policies. One of the major risks for evolving organizations is configuration and operational “drift”: either current business practices are no longer reflected in policy, or AWS configurations no longer comply with current policy. Security teams must continually verify that security settings for AWS services have not been misconfigured, which makes this a job for automated, continuous checks rather than a point-in-time review.
Dash ComplyOps: HIPAA Security Program Automation
To meet the administrative safeguards required by HIPAA, organizations must develop a set of administrative policies and procedures. These should set realistic standards, be written in a simple and understandable format, and be designed around the organization’s IT infrastructure and cloud services.
Dash ComplyOps helps security teams to automatically generate a set of custom HIPAA administrative policies simply by answering guiding questions about their organization’s technologies and overall operations.
Step 1: Get Started in the Policy Center
After signing up for Dash ComplyOps, AWS customers can start building HIPAA administrative policies and procedures by taking the following steps:
- Navigate to the Policy Center in Dash ComplyOps.
- Answer all questions in the Initial Policy Questionnaire to the best of your ability. Your answers determine which additional policies and inputs are recommended next.
- Click Save after answering these questions.
Step 2: Answer Questions About Your Organization and Adopt Policies
After completing the Initial Policy Questionnaire, you’ll be taken to the full list of recommended policies and procedures based on the compliance needs of your organization.
- To create a new policy document, navigate to the Policy Center and click the Start Policy button next to the policy you would like to create.
Figure 1 – Administrative policies provided by Dash ComplyOps.
- You will be presented with questions related to this policy. Provide the most appropriate answers about your organization, tools and technology, and preferred security practices.
Figure 2 – Create policies and administrative controls.
- Once you have answered the questions, click Adopt Policy and Dash will generate a new policy document. Policy answers are automatically saved as you make changes, and your team can answer these questions and make changes to your answers at any time.
Step 3: Customize Procedures to Meet Your Needs
Administrative policies are easy to download and edit to better meet the organization’s technologies and security needs.
- Policies created by Dash can be downloaded as a PDF or an annotated .docx file by clicking the Download PDF button or the Download Doc button.
- After downloading the file, you can open the policy to view and edit.
Figure 3 – Example policy created with Dash ComplyOps.
- Additional modifications to the policy can be made in-line.
- Modified policy documents or existing organizational policies can be uploaded via the Upload Policy Manually button.
Dash administrative policies are purpose-built and mapped to compliance standards, including HIPAA, SOC 2, GDPR, and cloud security best practices.
Teams that build and adopt administrative policies using Dash ComplyOps can quickly address HIPAA administrative safeguard requirements and are better prepared to deal with upcoming security audits and security questionnaires.
Enable Continuous Compliance Monitoring
To meet technical safeguards required by HIPAA, organizations must implement security standards including the following:
- Access control
- Audit logging
- Backup and disaster recovery
- Vulnerability scanning
While AWS provides many services and security settings to implement these controls, your team is responsible for maintaining them across all of your AWS resources. With Dash ComplyOps, you can define a security baseline and enforce compliance standards across your AWS infrastructure.
Available Scanning and Monitoring
Dash Continuous Compliance Monitoring automatically gathers security and compliance issues from connected AWS accounts and provides findings such as:
- Access control issues: For example, a security group that allows SSH (TCP port 22) from 0.0.0.0/0.
- Encryption issues: Such as Amazon Elastic Block Store (Amazon EBS) volumes that are unencrypted.
- Availability/backup issues: Including Amazon S3 buckets without replication.
Compliance issues can be filtered by severity, cloud service, and/or account with each issue mapped to individual HIPAA Security Rule requirements. This makes it easy for DevOps and SecOps teams to quickly identify and resolve HIPAA compliance issues across their infrastructure.
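To show what such a scan does under the hood, here is an added example of a small configuration scanner; it is not Dash’s code. It walks constructed inventory data shaped like `aws ec2 describe-security-groups`, `aws ec2 describe-volumes` and `aws s3api get-bucket-replication` output, emits one finding per failing resource with a severity, the service, and the HIPAA Security Rule citation the control maps to, and lets you filter the list by severity or service as described above. All resource IDs and bucket names are placeholders.

```python
"""Configuration scanner over constructed AWS inventory data. Added example,
not Dash's scanner; resource IDs and bucket names are placeholders.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    severity: str       # "high", "medium" or "low"
    service: str
    resource: str
    hipaa: str          # 45 CFR citation the control maps to
    issue: str
    recommendation: str


def _open_to_world(rule):
    """Any IPv4 or IPv6 range that covers the whole Internet."""
    return (any(r.get("CidrIp") == "0.0.0.0/0" for r in rule.get("IpRanges", []))
            or any(r.get("CidrIpv6") == "::/0" for r in rule.get("Ipv6Ranges", [])))


def _covers_tcp_port(rule, port):
    """IpProtocol "-1" means all traffic and carries no port fields."""
    proto = rule.get("IpProtocol")
    if proto == "-1":
        return True
    if proto not in ("tcp", "6"):
        return False
    return rule.get("FromPort", -1) <= port <= rule.get("ToPort", -1)


def scan_security_groups(groups):
    for group in groups:
        if any(_covers_tcp_port(r, 22) and _open_to_world(r)
               for r in group.get("IpPermissions", [])):
            yield Finding("high", "ec2", group["GroupId"], "164.312(a)(1)",
                          "security group allows SSH (TCP 22) from any address",
                          "restrict port 22 to known CIDRs or use Session Manager")


def scan_volumes(volumes):
    for vol in volumes:
        if not vol.get("Encrypted"):
            yield Finding("high", "ebs", vol["VolumeId"], "164.312(a)(2)(iv)",
                          "EBS volume is not encrypted",
                          "snapshot, copy with a KMS key and replace the volume; "
                          "turn on EBS encryption by default in the Region")


def scan_bucket_replication(replication_by_bucket):
    """Value is the get-bucket-replication response, or None when the call
    raised ReplicationConfigurationNotFoundError."""
    for bucket, cfg in replication_by_bucket.items():
        rules = (cfg or {}).get("ReplicationConfiguration", {}).get("Rules", [])
        if not any(r.get("Status") == "Enabled" for r in rules):
            yield Finding("medium", "s3", bucket, "164.308(a)(7)(ii)(A)",
                          "bucket has no enabled replication rule",
                          "enable versioning and replicate to another account/Region")


def scan_all(inventory):
    return (list(scan_security_groups(inventory.get("security_groups", [])))
            + list(scan_volumes(inventory.get("volumes", [])))
            + list(scan_bucket_replication(inventory.get("bucket_replication", {}))))


def filter_findings(findings, severity=None, service=None):
    return [f for f in findings
            if (severity is None or f.severity == severity)
            and (service is None or f.service == service)]


# Constructed inventory: one compliant and one non-compliant resource per check.
SAMPLE_INVENTORY = {
    "security_groups": [
        {"GroupId": "sg-0a1b2c3d4e5f67890", "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
        {"GroupId": "sg-0fedcba9876543210", "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]},
    ],
    "volumes": [
        {"VolumeId": "vol-0123456789abcdef0", "Encrypted": False},
        {"VolumeId": "vol-0fedcba9876543210", "Encrypted": True},
    ],
    "bucket_replication": {
        "phi-archive": {"ReplicationConfiguration": {"Rules": [{"Status": "Enabled"}]}},
        "phi-staging": None,
    },
}

if __name__ == "__main__":
    for f in scan_all(SAMPLE_INVENTORY):
        print(f"[{f.severity}] {f.service} {f.resource} ({f.hipaa}): {f.issue}")
```

The port check handles the two shapes a permissive rule can take: an explicit TCP range that includes 22, and the `IpProtocol: "-1"` “all traffic” rule, which has no `FromPort`/`ToPort` at all and is easy to miss if you only compare port numbers. HTTPS open to the world (the second security group) is intentionally not flagged; which ports are acceptable is a policy decision, not something the scanner should guess.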
Teams should take the following steps to implement compliance monitoring.
Step 1: Connect Dash Scanning IAM Role
Dash ComplyOps lets you adopt a HIPAA security baseline and enforce security controls across your AWS environments. To connect an account:
- In the left sidebar, navigate to Settings > Monitoring Settings.
- Enter a name for your AWS account and input your AWS account ID.
Figure 4 – Connecting an AWS environment with AWS CloudFormation.
- You will be directed to log in to AWS and deploy an AWS CloudFormation template containing a read-only AWS Identity and Access Management (IAM) role that Dash assumes to scan your account. Before deploying, review the template as you would any cross-account access: confirm that the role’s permissions are read-only, that its trust policy names only Dash’s account, and that it requires an external ID so no other tenant of the service can assume it.
Figure 5 – Dash monitoring role deployed via AWS CloudFormation.
- Deploy the CloudFormation template and confirm it successfully deploys and shows CREATE COMPLETE.
- Navigate back to the Dash ComplyOps application and click the Connect Account button.
Dash will now start to scan your AWS account(s) for security configuration issues and conflicts with HIPAA requirements and Dash administrative policies.
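Reviewing a vendor’s cross-account role before deploying it is a routine check, so here is an added example of that review in code. It is not Dash’s CloudFormation template (read that yourself); the partner account ID 999999999999, the external ID and the policy documents below are constructed placeholders. It checks the three properties a read-only monitoring role should have: the trust policy names one external account, it requires an sts:ExternalId (so another customer of the same vendor cannot assume your role, the confused-deputy case), and the permissions grant neither write actions nor data-plane reads that would let the scanner read PHI rather than configuration.

```python
"""Review a third-party scanner's IAM role: trust policy and permissions.
Added example, not Dash's template; account ID, external ID and policy
documents are constructed placeholders.
"""

READ_VERB_PREFIXES = ("Get", "List", "Describe", "Lookup", "Search", "View", "Check")

# Reads that return data rather than configuration. The AWS managed
# SecurityAudit policy deliberately omits these; ReadOnlyAccess does not.
DATA_PLANE_READS = {
    "s3:GetObject", "s3:GetObjectVersion", "dynamodb:GetItem", "dynamodb:BatchGetItem",
    "dynamodb:Scan", "dynamodb:Query", "secretsmanager:GetSecretValue",
    "ssm:GetParameter", "ssm:GetParameters", "ssm:GetParametersByPath", "kms:Decrypt",
}


def _as_list(value):
    """IAM policy fields may be a single value or a list; normalise."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def trust_policy_findings(trust, expected_account):
    """Problems with who may assume the role and under what condition."""
    findings = []
    for stmt in _as_list(trust.get("Statement")):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        principal = stmt.get("Principal", {})
        principals = _as_list(principal.get("AWS")) if isinstance(principal, dict) else [principal]
        for p in principals:
            if p == "*" or expected_account not in str(p):
                findings.append(f"trust allows principal {p!r}, expected only account {expected_account}")
        # Only StringEquals on sts:ExternalId pins the caller; StringLike with a wildcard would not.
        external_id = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if not external_id:
            findings.append("no sts:ExternalId condition on sts:AssumeRole (confused-deputy risk)")
    return findings


def permission_findings(policy):
    """Allowed actions that are wildcards, writes, or data-plane reads."""
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action")):
            service, _, verb = action.partition(":")
            if action == "*" or verb == "*":
                findings.append(f"wildcard action {action}")
            elif action in DATA_PLANE_READS:
                findings.append(f"data-plane read {action} can return PHI, not just configuration")
            elif not verb.startswith(READ_VERB_PREFIXES):
                findings.append(f"non-read action {action}")
    return findings


def review_role(trust, policies, expected_account):
    """All findings for a role: trust policy plus every attached or inline policy."""
    findings = trust_policy_findings(trust, expected_account)
    for doc in policies:
        findings.extend(permission_findings(doc))
    return findings


# Constructed placeholders: a weak trust policy beside the corrected one.
PARTNER_ACCOUNT = "999999999999"
WEAK_TRUST = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"}]}
GOOD_TRUST = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow",
     "Principal": {"AWS": f"arn:aws:iam::{PARTNER_ACCOUNT}:root"},
     "Action": "sts:AssumeRole",
     "Condition": {"StringEquals": {"sts:ExternalId": "a1b2c3d4-example-external-id"}}}]}
SCANNER_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["ec2:Describe*", "s3:GetBucketPolicy", "s3:GetEncryptionConfiguration",
                "s3:GetObject", "iam:PutRolePolicy"]}]}

if __name__ == "__main__":
    for label, trust in (("weak", WEAK_TRUST), ("corrected", GOOD_TRUST)):
        print(label, review_role(trust, [SCANNER_POLICY], PARTNER_ACCOUNT) or "no findings")
```

The verb-prefix heuristic is deliberately conservative: `ec2:Describe*` passes, but anything it cannot classify as a read is reported for a human to look at. The data-plane list is the part worth keeping: a role that is “read-only” in the IAM sense but holds `s3:GetObject` on PHI buckets is a BAA-relevant data flow to the vendor, not merely a configuration scan.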
Step 2: Resolve Compliance Issues Across Your AWS Environment
Once you have connected your AWS account(s), Dash ComplyOps will start to provide continuous compliance monitoring results over the next day.
Your team can view and resolve security and compliance issues by following these steps:
- In the left sidebar, navigate to Compliance Center > Compliance Issues.
Figure 6 – Security findings in the ComplyOps Compliance Center.
- You’ll see a list of all compliance issues detected across your AWS environments. You can adjust filters for status, priority, and service on the right side of the page.
- Click on an issue in the list to view the individual issue and its affected objects.
Figure 7 – ComplyOps security and compliance finding.
In the Compliance Center Issue view, you can find the following information:
- Compliance standards: How this issue relates to different compliance frameworks, including HIPAA, SOC 2, GDPR, and the applicable regulatory safeguards.
- Related policies: Dash administrative policies the issue conflicts with.
- Issue: The description of what has been detected during the scan, and context needed to help you to pinpoint the issue.
- Recommendation: A recommendation on what should be done to bring this issue into compliance.
- Assignments: You can assign an issue to a specific team member or to yourself for future completion.
- Affected objects: A list of AWS resources that have been flagged for this issue.
After taking action to fix a compliance issue, you can mark an issue or object as resolved by:
- Clicking the Resolve Issue button for the issue.
- Or clicking Resolve Issue Item for the affected object.
- On the next Dash ComplyOps scan, the application will confirm these issues are properly resolved, or the issue will be reopened as an active issue.
Step 3: Reporting on HIPAA Security Controls
Users can navigate to Dash ComplyOps Report Center and select the HIPAA Framework report to view HIPAA safeguards and all current controls in-place across your organization.
Figure 8 – ComplyOps reporting of compliance controls and artifacts.
A proper security architecture is just one step to building and managing a HIPAA security program. Organizations must build administrative policies around security processes, technical safeguards, and standard operating procedures.
Organizations should also build policies including procedures for defining roles, conducting risk analysis, managing disaster recovery procedures, intrusion detection, and employee training.
With Dash ComplyOps, you can quickly build administrative policies and procedures, connect these policies to continuous compliance monitoring, and validate security efforts for auditors, partners, and clients.
Dash ComplyOps provides AWS customers with a platform to streamline cloud security programs and maintain security and regulatory standards. Run a free Dash Compliance Scan across your AWS environment to identify and resolve compliance issues for security standards. Check out Dash’s latest case study for accelerating HIPAA compliance.
You can also learn more about Dash ComplyOps in AWS Marketplace.
Dash – AWS Partner Spotlight
Dash is an AWS Partner that provides an automated solution for managing administrative security policies, setting technical controls, and maintaining security programs through continuous compliance monitoring.