Creating HIPAA-Compliant Medical Data Applications with Amazon Web Services April 2009Creating HIPAA-compliant Medical Data Applications with AWS - 2 - April 2009 Executive Summary In the U.S., certain organizations that transmit an individual’s protected health information (PHI) across Internet applications or electronic systems are required to meet Health Insurance Portability and Accountability Act of 1996 (HIPAA) requirements. HIPAA is a set of established federal standards, implemented through a combination of administrative, physical and technical safeguards, intended to ensure the security and privacy of PHI. These standards affect the use and disclosure of PHI by certain covered entities (such as healthcare providers engaged in electronic transactions, health plans and healthcare clearinghouses) and their business associates. Healthcare businesses subject to HIPAA can utilize the secure, scalable, low-cost, IT infrastructure provided by Amazon Web Services (AWS) as part of building HIPAA-compliant applications. Amazon Elastic Compute Cloud (Amazon EC2) provides resizable compute capacity in the cloud, and Amazon Simple Storage Service (Amazon S3) provides a virtually unlimited cloud-based data object store. With no minimum fees, no term-based contracts, and pay-as-you-use pricing, AWS is a reliable and effective solution for growing healthcare industry applications. This paper briefly outlines how companies can use Amazon Web Services to power HIPAA-compliant information processing systems. We will focus on the HIPAA sections The Privacy Rule and The Security Rule, and how to encrypt and protect your data in the AWS cloud. For additional information on HIPAA, visit http://www.hhs.gov/ocr/hipaa. What is HIPAA and Why is it Important? HIPAA provides national minimum standards to protect an individual’s health information. HIPAA was originally created to streamline healthcare processes and reduce costs, while ensuring individual consumer privacy. The U.S. Department of Health and Human Services (HHS) manages and enforces these standards.Creating HIPAA-compliant Medical Data Applications with AWS - 3 - April 2009 HIPAA covers protected health information (PHI) which is any information regarding an individual’s physical or mental health, the provision of healthcare to them, or payment of related services. PHI also includes any personally identifiable information, including for example Employer Identification Number, social security number, name, address, phone number, medical condition when linked to a patient, and some types of billing information. In order to be compliant, organizations must design their systems and applications to meet HIPAA’s privacy and security standards and related administrative, technical, and physical safeguards. Privacy & Security Rules HIPAA’s Privacy Rule requires that individuals’ health information is properly protected by covered entities. Among other requirements, the privacy rule prohibits entities from transmitting PHI over open networks or downloading it to public or remote computers without encryption. The Security Rule requires covered entities to put in place detailed administrative, physical and technical safeguards to protect electronic PHI. To do this, covered entities are required to implement access controls, encrypt data, and set up back-up and audit controls for electronic PHI in a manner commensurate with the associated risk. Privacy Controls: Encrypting Data in the Cloud HIPAA’s Privacy Rule regulations include standards regarding the encryption of all PHI in transmission (“in-flight”) and in storage (“at-rest”). The same data encryption mechanisms used in a traditional computing environment, such as a local server or a managed hosting server, can also be used in a virtual computing environment, such as Amazon EC2 and Amazon S3. Amazon EC2 provides the customer with full root access and administrative control over virtual servers. To ensure data security during electronic transmission, files containing PHICreating HIPAA-compliant Medical Data Applications with AWS - 4 - April 2009 should be encrypted using technologies such as 256 bit AES algorithms. Furthermore, to reduce the risk of exposing PHI and to reduce bandwidth usage, any data not required by applications running in the cloud, including PHI, should be removed prior to transmission. Using AWS, customer’s system administrators can utilize token or key-based authentication to access their virtual servers. Amazon EC2 creates a 2048 bit RSA key pair, with private and public keys and a unique identifier for each key pair to help facilitate secure access. Administrators can also utilize a command-line shell interface, Secure Shell (SSH) keys, or sudo to enable additional security and privilege escalation. A complete firewall solution can be created in the cloud by utilizing Amazon EC2’s default deny-all mode which automatically denies all inbound traffic unless the customer explicitly opens an EC2 port. Administrators can create multiple security groups in order to enforce different ingress policies as needed. They can control each security group with a PEM-encoded X.509 certificate and restrict traffic to each EC2 instance by protocol, service port, or source IP address. For more information on encryption and firewalls, see the AWS Security Whitepaper. Similar to Amazon EC2, when sending data to Amazon S3 for either short term or long term storage, we highly recommend encrypting data before transmission. We also recommend against putting any PHI or other sensitive data, including keys, in Amazon S3 metadata. Amazon S3 can be accessed via Secure Socket Layer (SSL)-encrypted endpoints over the Internet and from within Amazon EC2. Following these practices ensures that PHI and other sensitive data remain highly secure. Security Controls: High-Level Data Protection While data flowing to and from the AWS cloud should be safeguarded with encryption, data that comes in contact with administrators or third-party partners may
View Full Document
Unlocking...