AWS Security Blog

How to Automate HIPAA Compliance (Part 1): Use the Cloud to Protect the Cloud


The United States healthcare ecosystem is highly complex. It is composed of review boards, regulating bodies, government agencies, pharmaceutical companies, insurance payers, and a mix of public and private provider entities, all of which intersect and overlap. Underlying this system lies highly sensitive patient data, which is governed by the U.S. Health Insurance Portability and Accountability Act (HIPAA). This law and its implementing regulations, much like the system they protect, can be complex. Automating and improving a typical HIPAA compliance process can improve the security, speed, and reliability of an entity’s application of the healthcare rules.

Where, though, should you start with such process improvements? As AWS Principal Security Consultant Hart Rossman said at AWS re:Invent 2015 during the breakout session, Architecting for End-to-End Security in the Enterprise: “You’ve got to use the cloud to protect the cloud. Our most successful customers who are security conscious are leveraging all of the features and functions that are available to them through AWS and our partner ecosystem.” The model of security diligence that Rossman and his colleague Bill Shinn detail in their session is one that is modeled after DevOps, a methodology created by the software development community as a way to speed the deployment of mission-critical code. The goal of Bill and Hart’s session is to evangelize the need to make security an essential part of the DevOps process—this combination of development, operations, and security is known as DevSecOps.

In a series of blog posts on the AWS Security Blog this month, I will provide prescriptive advice and code samples to developers, system administrators, and security specialists who wish to improve their healthcare IT by applying the DevSecOps methods that the cloud enables. I will also demonstrate AWS services that can help customers meet their AWS Business Associate Agreement obligations in an automated fashion. Consider this series a getting started guide for DevSecOps strategies you can implement as you migrate your own compliance frameworks and controls to the cloud.

In upcoming posts, I will show how to use the cloud to protect the cloud in the following areas:

Although the examples in these posts will focus on how you can meet your AWS Business Associate Agreement obligations, the examples will be applicable to many compliance programs because they provide avenues for helping to ensure the security of your programs.

– Christopher