Are you a developer working on a HIPAA compliant web application that you want to deploy on AWS? For starters, the AWS cloud platform offers a number of services that enable processing, maintaining, and storing protected health information (PHI) according to HIPAA compliance requirements. Through this guide, we will help you understand the proper way to build a HIPAA compliant web application on AWS.
What Is HIPAA?
HIPAA is the acronym for the Health Insurance Portability and Accountability Act, enacted by the U.S. Congress in 1996. HIPAA sets out general guidelines intended to ensure the privacy of a patient’s data.
As per the HHS.gov website: The HIPAA Privacy Rule establishes national standards to protect individuals’ medical records and other protected health information (PHI) and applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically. The Rule requires appropriate safeguards to protect the privacy of any personal health information and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization. The Rule also gives patients rights over their health information, including rights to examine and obtain a copy of their health records and to request corrections.
However, “appropriate safeguards to protect the privacy of protected health information” are not spelled out in terms of the actual technical security measures that must be implemented. Much of HIPAA implementation is about administrative safeguards. These administrative safeguards must be implemented by the management of the entity which handles any form of PHI (Protected Health Information). From a developer’s perspective, the technical safeguards are more important.
This article aims to detail most of the technical safeguards one needs to implement to ensure the safety of the PHI.
However, depending on your particular situation these might not be sufficient. One should always have a comprehensive security audit done periodically to ensure the safety of the PHI.
From a technical perspective, the core of HIPAA comes down to protecting a patient’s health information and limiting access to PHI to the small number of individuals who actually need it. One of the main methods that help you protect PHI is end-to-end encryption. You must ensure that:
- Data is encrypted at Rest.
- Data is encrypted in Flight.
Let’s First Consider What Kind of Data We Handle in a Web Application
- Application Datastore
This is relational or non-relational data that powers your web application. For example, MySQL, PostgreSQL, DynamoDB, etc.
- File Datastore
This is typically used to store files that your application generates. These might be various test results that are uploaded and stored as images or PDF files. These can also be recordings of the telemedicine calls that happen on your platform. In an AWS application, typically one or more S3 buckets are used to store this kind of data.
As per HIPAA, if you are storing PHI on third-party infrastructure, you need a BAA (Business Associate Agreement) with the third party providing the infrastructure. AWS has a procedure to enter into such a BAA with its clients. This process can move a little faster if you purchase at least the basic level of support from AWS.
Not all services that AWS offers are HIPAA compliant. AWS performs a special audit of its services to declare them fit for HIPAA usage. They have published a white paper (which is updated from time to time) to maintain the list of services which are eligible for HIPAA usage.
As of now, almost all of the main services which a web developer cares about are eligible for HIPAA usage. The main ones are:
- Amazon EC2
- Elastic Load Balancers
- Amazon RDS (MySQL, PostgreSQL, Oracle, SQL Server and Aurora)
- Amazon S3
However, while using these services, it’s the responsibility of the customer to configure them correctly as per the security guidelines. Let’s consider these services in light of the two encryption requirements mentioned above.
Encryption at Rest
To ensure that the data is encrypted at rest, the EBS volumes that are attached to the EC2 instances must be encrypted. You can use Key Management Service (KMS) to achieve this.
For RDS, when you spin up a new instance, you are given an option to encrypt the storage disk. If you are using S3 to store files and/or backups, you can encrypt the storage using S3 server-side encryption with KMS.
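Encryption at rest is something you can verify rather than assume. The following is an added example (not code from the article or from AWS) of a small audit that reads the three settings just described: the EBS `Encrypted` flag, the RDS `StorageEncrypted` flag, and the S3 bucket default encryption rule. The input dictionaries mirror the shape of the boto3 `describe_volumes()`, `describe_db_instances()` and `get_bucket_encryption()` responses, so in practice you would feed real responses in; the sample data, resource IDs and key aliases below are constructed.

```python
"""Audit encryption-at-rest settings from EC2, RDS and S3 API responses.

Added example, not from the article. The input dicts mirror the shape of
boto3's describe_volumes(), describe_db_instances() and
get_bucket_encryption() responses; all sample data below is constructed.
"""


def unencrypted_volumes(describe_volumes_response):
    """Return IDs of EBS volumes whose 'Encrypted' flag is false."""
    return [
        v["VolumeId"]
        for v in describe_volumes_response.get("Volumes", [])
        if not v.get("Encrypted", False)
    ]


def unencrypted_db_instances(describe_db_instances_response):
    """Return identifiers of RDS instances created without storage encryption."""
    return [
        db["DBInstanceIdentifier"]
        for db in describe_db_instances_response.get("DBInstances", [])
        if not db.get("StorageEncrypted", False)
    ]


def bucket_uses_kms(bucket_encryption_response):
    """True when the bucket's default server-side encryption is SSE-KMS."""
    rules = (bucket_encryption_response
             .get("ServerSideEncryptionConfiguration", {})
             .get("Rules", []))
    for rule in rules:
        default = rule.get("ApplyServerSideEncryptionByDefault", {})
        if default.get("SSEAlgorithm") == "aws:kms":
            return True
    return False


def audit_at_rest(volumes, dbs, buckets):
    """Collect findings across the three datastores.

    `buckets` maps bucket name -> get_bucket_encryption() response, or {}
    when the bucket has no default encryption configured at all.
    """
    findings = []
    for vol in unencrypted_volumes(volumes):
        findings.append(f"EBS volume {vol} is not encrypted")
    for db in unencrypted_db_instances(dbs):
        findings.append(f"RDS instance {db} has StorageEncrypted=false")
    for name, enc in buckets.items():
        if not bucket_uses_kms(enc):
            findings.append(f"S3 bucket {name} does not default to SSE-KMS")
    return findings


# Constructed sample responses (hypothetical resource IDs and key aliases).
SAMPLE_VOLUMES = {"Volumes": [
    {"VolumeId": "vol-0aaa", "Encrypted": True, "KmsKeyId": "alias/example-phi-key"},
    {"VolumeId": "vol-0bbb", "Encrypted": False},
]}
SAMPLE_DBS = {"DBInstances": [
    {"DBInstanceIdentifier": "phi-postgres", "StorageEncrypted": True},
    {"DBInstanceIdentifier": "legacy-mysql", "StorageEncrypted": False},
]}
SAMPLE_BUCKETS = {
    "phi-uploads": {"ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {
            "SSEAlgorithm": "aws:kms", "KMSMasterKeyID": "alias/example-phi-key"}}]}},
    "phi-backups": {"ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}},
    "scratch": {},
}

if __name__ == "__main__":
    for line in audit_at_rest(SAMPLE_VOLUMES, SAMPLE_DBS, SAMPLE_BUCKETS):
        print(line)
```

Two practical notes: with real boto3 calls, `get_bucket_encryption()` raises an error rather than returning an empty dict when a bucket has no default encryption, so the caller should catch that and pass `{}`; and the audit deliberately flags SSE-S3 (`AES256`) as well as unencrypted buckets, because the article's recommendation is SSE with KMS, which gives you key-usage logging and key policy control.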
Encryption in Flight
To ensure that data is encrypted in flight, you can use the HTTPS protocol. In typical deployments, SSL is terminated at the load balancer and traffic from that point onwards uses plain HTTP. However, this should not be done for HIPAA workloads. The connection from the load balancer to your app server and from your app server to your DB server should also be encrypted.
While configuring the SSL certificates, make sure that you have disabled the SSL/TLS protocol versions and ciphers which have known vulnerabilities. You can use this online tool to test your SSL configuration.
Amazon RDS allows you to connect to your DB using SSL.
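The app-server-to-database hop is the one most often left unencrypted. As an added example (not code from the article or from AWS), the following builds a client-side TLS context for that hop that refuses TLS versions below 1.2, requires a verified server certificate, and restricts the cipher list to forward-secret AEAD suites, together with a check function that reports any weak cipher still enabled. The `ca_bundle_path` parameter is an assumption: for RDS you would point it at the RDS CA bundle downloaded from AWS so the database server's certificate chains to it; when it is omitted the system trust store is used.

```python
"""Hardened TLS client context for the app-server -> database connection.

Added example, not from the article. `ca_bundle_path` is a placeholder for
the CA bundle your database server's certificate chains to (for RDS, the
RDS CA bundle); with None the OS trust store is loaded instead.
"""
import ssl

# Substrings that mark a cipher suite as one we never want enabled.
WEAK_MARKERS = ("RC4", "DES", "MD5", "NULL", "EXP")


def hardened_client_context(ca_bundle_path=None):
    """Client context: TLS >= 1.2, verified server cert, hostname check,
    and only ECDHE key exchange with AES-GCM or ChaCha20-Poly1305."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    # Forward-secret AEAD suites only; !PSK/!aNULL guard against surprises.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!PSK:!aNULL")
    if ca_bundle_path:
        ctx.load_verify_locations(cafile=ca_bundle_path)
    else:
        ctx.load_default_certs()
    return ctx


def weak_ciphers_enabled(ctx):
    """Names of enabled cipher suites that carry a known-weak primitive."""
    names = [c["name"] for c in ctx.get_ciphers()]
    return [n for n in names if any(m in n for m in WEAK_MARKERS)]


def allows_legacy_tls(ctx):
    """True if the context would still negotiate TLS 1.0 or 1.1."""
    return ctx.minimum_version < ssl.TLSVersion.TLSv1_2


if __name__ == "__main__":
    context = hardened_client_context()
    print("legacy TLS allowed:", allows_legacy_tls(context))
    print("weak ciphers enabled:", weak_ciphers_enabled(context))
    print("enabled suites:", [c["name"] for c in context.get_ciphers()])
```

The resulting context is what you hand to your database driver's TLS option (for example the `ssl_context` keyword of the MySQL and PostgreSQL drivers that accept one) so that the driver, not the default OpenSSL settings, decides what the connection may negotiate. The same `weak_ciphers_enabled` check is a cheap unit test to keep in your build so a future change cannot quietly re-enable a weak suite.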
Firewall and VPC Configuration
AWS has a built-in feature termed Security Groups, which allows you to block unwanted traffic to your instances. AWS also provides a feature called VPC (Virtual Private Cloud), which helps you isolate your infrastructure from the rest of the network. Typically, for a HIPAA workload you should create at least 2 subnets: one public subnet, which has a NAT gateway to allow access from the Internet, and another private subnet which can’t be accessed from the Internet.
All your servers should be in the private subnet. Only your load balancer should be in the public subnet. Also, you can create a bastion host to access your servers securely.
Typically, only port 443 should be accessible from the Internet. The rest of the traffic should be locked down to your offices’ known static IP addresses.
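The rule just stated (443 open to the world on the load balancer only, everything else restricted to the office address range or to another security group) is easy to encode as a check. The following added example (not code from the article or from AWS) walks security-group rules in the shape returned by boto3's `describe_security_groups()` and reports every rule that violates it. The office CIDR is a placeholder drawn from a documentation-only address range, and the group IDs and rules are constructed.

```python
"""Flag security-group rules that expose more than port 443 to the Internet.

Added example, not from the article. Rule dicts mirror the shape of
boto3's describe_security_groups() output; the office CIDR is a
placeholder (TEST-NET-3) and the sample groups are constructed.
"""
import ipaddress

OFFICE_CIDR = "203.0.113.0/24"          # placeholder: your office's static range
INTERNET = ("0.0.0.0/0", "::/0")


def exposed_ports(rule):
    """Human-readable port range covered by one IpPermissions entry."""
    if rule.get("IpProtocol") == "-1":
        return "all ports"
    return f"{rule.get('FromPort')}-{rule.get('ToPort')}"


def is_world_open(rule):
    """True if any IPv4 or IPv6 range on the rule is the whole Internet."""
    cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
    return any(c in INTERNET for c in cidrs)


def outside_office(rule):
    """CIDR sources on the rule that are not contained in OFFICE_CIDR.

    Security-group-to-security-group references (UserIdGroupPairs) are not
    CIDRs and are intentionally not reported: that is how the load balancer
    reaches the app tier inside the VPC.
    """
    office = ipaddress.ip_network(OFFICE_CIDR)
    bad = []
    for r in rule.get("IpRanges", []):
        net = ipaddress.ip_network(r["CidrIp"])
        if net.version != office.version or not net.subnet_of(office):
            bad.append(r["CidrIp"])
    # The office range here is IPv4, so any IPv6 source is outside it.
    bad += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
    return bad


def audit_security_groups(groups, public_group_ids):
    """Groups in `public_group_ids` (the load balancer) may open only tcp/443
    to the world; every other group may admit CIDR traffic only from
    OFFICE_CIDR. Returns one finding string per offending rule."""
    findings = []
    for sg in groups.get("SecurityGroups", []):
        for rule in sg.get("IpPermissions", []):
            only_443 = (rule.get("IpProtocol") == "tcp"
                        and rule.get("FromPort") == 443
                        and rule.get("ToPort") == 443)
            if sg["GroupId"] in public_group_ids:
                if is_world_open(rule) and not only_443:
                    findings.append(
                        f"{sg['GroupId']}: {exposed_ports(rule)} open to the Internet")
            else:
                for cidr in outside_office(rule):
                    findings.append(
                        f"{sg['GroupId']}: {exposed_ports(rule)} reachable from {cidr}")
    return findings


# Constructed sample: a load balancer group, a bastion group, an app group.
SAMPLE_GROUPS = {"SecurityGroups": [
    {"GroupId": "sg-lb", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ]},
    {"GroupId": "sg-bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []},
    ]},
    {"GroupId": "sg-app", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 8443, "ToPort": 8443,
         "IpRanges": [], "Ipv6Ranges": [], "UserIdGroupPairs": [{"GroupId": "sg-lb"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ]},
]}

if __name__ == "__main__":
    for finding in audit_security_groups(SAMPLE_GROUPS, {"sg-lb"}):
        print(finding)
```

On the sample data the audit reports the plain-HTTP listener on the load balancer and the SSH rule on the app group that is open to the whole Internet; the bastion's SSH rule from the office range and the app group's port 8443 rule that references the load balancer's security group pass. Note that the check only covers what security groups can express; route tables and the placement of instances in the private subnet still have to be reviewed separately.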
AWS allows you to enable CloudTrail for your deployment. CloudTrail logs all the changes to your infrastructure. This helps the auditors to track any changes to the deployment in case of a breach. You should store CloudTrail logs in an S3 bucket which has server-side encryption enabled.
Your deployment will have 3 types of logs:
- Server Logs
These are logs from various programs running on your server. For example, SSH logins and web app server access logs. These should be aggregated to a centralized logging server. This way your admin team can monitor any unauthorized access to the servers or the application.
- Application Logging in HIPAA Compatible Application
Logs from your web application should also be aggregated to a centralized logging server for easier debugging and centralized tracking. Since logs are stored in plain text, you must ensure that your application is not logging any PHI.
- Application Level Access Logs
It’s also a very good idea to maintain an application-level access log any time a user (typically a doctor or a nurse) accesses a patient’s data. You should generally store this in a database. This way you can provide an interface in your admin panel where the hospital administration can quickly determine who accessed which patient’s information at what time. This helps the hospital with the administrative safeguards they are required to maintain as per HIPAA.
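The two application-side points above (keep PHI out of plain-text logs, and keep a database-backed record of who accessed which patient) are shown together in the following added example, which is not code from the article. It uses only the standard library: a small `log_event` helper that strips fields a hypothetical application has declared as PHI before the line is emitted, noting only that something was redacted, and an in-memory SQLite access log with the "who accessed this patient, and when" query an admin panel would run. The field names, user and patient identifiers, and timestamps are all constructed.

```python
"""PHI-safe application logging plus a database-backed patient access log.

Added example, not from the article. Standard library only (logging and
an in-memory sqlite3 database); PHI_FIELDS, identifiers and timestamps
are constructed for this illustration.
"""
import logging
import sqlite3
from datetime import datetime, timezone

# Keys this hypothetical application treats as PHI. They are removed from
# log lines; opaque identifiers such as user_id / patient_id are kept.
PHI_FIELDS = {"patient_name", "dob", "ssn", "diagnosis", "notes"}


def safe_fields(fields):
    """Drop PHI-bearing keys, keep everything else."""
    return {k: v for k, v in fields.items() if k not in PHI_FIELDS}


def log_event(event, logger=None, **fields):
    """Emit one key=value log line with PHI fields removed.

    Returns the line so callers (and tests) can see exactly what was logged.
    """
    logger = logger or logging.getLogger("hipaa_app")
    kept = safe_fields(fields)
    dropped = sorted(set(fields) - set(kept))
    parts = [f"{k}={v}" for k, v in sorted(kept.items())]
    if dropped:
        parts.append("redacted=" + ",".join(dropped))
    line = event + (" " + " ".join(parts) if parts else "")
    logger.info(line)
    return line


ACCESS_SCHEMA = """
CREATE TABLE IF NOT EXISTS phi_access_log (
    id          INTEGER PRIMARY KEY AUTOINCREMENT,
    accessed_at TEXT NOT NULL,
    user_id     TEXT NOT NULL,
    user_role   TEXT NOT NULL,
    patient_id  TEXT NOT NULL,
    action      TEXT NOT NULL,
    source_ip   TEXT
)"""


def open_access_log(path=":memory:"):
    """Open (or create) the access-log database."""
    conn = sqlite3.connect(path)
    conn.execute(ACCESS_SCHEMA)
    return conn


def record_access(conn, user_id, user_role, patient_id, action,
                  source_ip=None, at=None):
    """Record that `user_id` performed `action` on `patient_id`'s record.

    Only identifiers are stored: no clinical content goes into this table.
    """
    at = at or datetime.now(timezone.utc).isoformat()
    conn.execute(
        "INSERT INTO phi_access_log "
        "(accessed_at, user_id, user_role, patient_id, action, source_ip) "
        "VALUES (?, ?, ?, ?, ?, ?)",
        (at, user_id, user_role, patient_id, action, source_ip))
    conn.commit()


def accesses_for_patient(conn, patient_id):
    """The admin-panel query: who looked at this patient, and when."""
    return conn.execute(
        "SELECT accessed_at, user_id, user_role, action FROM phi_access_log "
        "WHERE patient_id = ? ORDER BY accessed_at",
        (patient_id,)).fetchall()


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO, format="%(asctime)s %(message)s")
    db = open_access_log()
    record_access(db, "u-17", "nurse", "p-1001", "view_chart", "10.0.2.15")
    log_event("chart_viewed", user_id="u-17", patient_id="p-1001",
              patient_name="Jane Doe")      # name is redacted from the line
    for row in accesses_for_patient(db, "p-1001"):
        print(row)
```

The design choice worth copying is that the access log table and the text logs carry only opaque identifiers: an auditor can still reconstruct who touched a record and when, but a leaked log file or an over-broad log search reveals no clinical content. In a real deployment the access-log table lives in the encrypted RDS instance from the earlier section rather than in memory.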
Antivirus and Malware Protection
Your servers should have antivirus and malware protection software installed. This should be updated periodically to protect from new threats. All the computers and laptops which are used to access PHI should also have antivirus and malware protection software installed.
All the servers, as well as computers and laptops which are used to access PHI, should be updated with the latest OS patches at least once a month to ensure that they are free from any known vulnerabilities.
Creating a HIPAA compliant web application on AWS can be a complicated topic. This article covers the bare minimum deployment setup that you should have on AWS to ensure the safety of a patient’s health information. We at Mobisoft have developed and deployed many HIPAA compliant healthcare applications for our clients leveraging the AWS cloud platform.
If you need our expert help in developing a HIPAA compliant healthcare application, please feel free to reach out to us.
Pritam Barhate, with an experience of 11+ years in technology, heads Technology Innovation at Mobisoft Infotech. He has a rich experience in design and has been a consultant for a variety of industries and startups. At Mobisoft Infotech, he primarily focuses on technology resources and develops the most advanced solutions. Follow him @pritambarhate