Security & Privacy: Using AWS to Meet Requirements for HIPAA, CJIS, and FERPA

AWS Government, Education, and Nonprofit Symposium
Washington, DC I June 25-26, 2015
Security & Privacy:
Using AWS to Meet Requirements
for HIPAA, CJIS, and FERPA
©2015, Amazon Web Services, Inc. or its affiliates. All rights reserved.

Our Speakers
• Justin Lundy, CTO, CIO, and Co-Founder of Evident.IO
• Chris Gile, AWS Senior Manager, Security Assurance
• Elizabeth Boudreau, Senior Manager of Information
Technology, Claritas Genomics/Boston Children’s Hospital

HIPAA Compliance on AWS
Justin Lundy, Founder & CTO, Evident.io
https://evident.io/
jbl@evident.io
twitter.com/justinlundy_

HIPAA Overview
• Addresses the security and privacy of health data. The standards are
meant to improve the efficiency and effectiveness of the nation's
health care system by encouraging the widespread use of electronic
data interchange in the U.S. health care system.

HIPAA Compliance on AWS
• Customer may use all services within a “HIPAA Account” BUT
• Customers may only process, store, or transmit ePHI using only
eligible services:
– Amazon Elastic Compute Cloud (Amazon EC2)
– Amazon Elastic Block Store (Amazon EBS)
– Elastic Load Balancing (ELB)
– Amazon Simple Storage Service (Amazon S3)
– Amazon Glacier
– Amazon Redshift

AWS HIPAA Configuration Requirements
• Must encrypt ePHI in transit and at rest
• Must use Amazon EC2 dedicated instances for processing, storing or
transmitting ePHI
• Must record and retain activity related to use of and access to ePHI
• Unique user identification required
• Strong authentication required

HIPAA Compliance Case Study: Emdeon
• Emdeon is a leading provider of revenue and payment cycle
management and clinical information exchange solutions,
connecting payers, providers and patients in the U.S. healthcare
system.
• “The combination of Emdeon’s leading intelligent financial,
administrative, and clinical health information network, with AWS’s
capabilities allows us to more quickly and more cost-effectively
transform healthcare data into actionable insights that improve
patient care, administrative processes, and payments.” - Emdeon
President and CEO

HIPAA Access, Audit, and Integrity Controls
HIPAA Access controls (164.312(a)(1))
• Template everything – AWS CloudFormation/Chef/Puppet
• CI/CD and automated testing
• AssumeRole, no insecure keys on disk
• No human interaction with ePHI
• Separate Dev/Stage/Prod Environments
HIPAA Audit controls (164.312(b))
• AWS CloudTrail
• High degree of transparency
• Change Control Monitoring
• Modern Patching (Launch new stack, terminate old)
HIPAA Integrity Controls (164.312(c))
• Limited production access Debugging w/o PHI
• All transactions persisted in Amazon S3
• Backup Policy - Encrypted Amazon S3 to Encrypted Amazon Glacier
• Run out of multiple AZs using ELB in TCP Proxy Mode

HIPAA on AWS Summary
• AWS provides everything required to create secure and HIPAA-
compliant systems
• AWS enables customers own their security via predictable
deployments for HIPAA compliant apps
• Evident.io can partner as a Business Associate under a BAA
• Evident.io is an experienced partner that helps organizations build
and maintain standards compliant infrastructures securely in AWS.

HIPAA on AWS Web Tier Ref Architecture

Using AWS to meet CJIS and
FERPA compliance
Chris Gile
AWS Senior Manager
Security Assurance

Using AWS to meet CJIS
• What is CJIS?
• How can AWS customers meet
CJIS requirements?

What is CJIS?
• Criminal Justice Information Services
Workloads
• CJIS Security Policy
– Establish set of minimum security
requirements for CJA and NCJA
– CJIS-provided FedRAMP control mapping

AWS CJIS Workbook provides
• AWS Shared Responsibility Model
• AWS alignment to AWS-applicable
CJIS requirements
• Security plan template aligned to
CJIS policy areas/requirements
• Systematic approach of
implementing security
requirements

Enabling customers for CJIS-compliant
workloads
• AWS CJIS Security Policy Workbook available
• AWS will sign CJIS Security Addendum
• AWS third-party audits provided through our
FedRAMP program
• Utilizing AWS services/features to address
requirements:
– AWS CloudHSM/AWS KMS for key management
• Encryption for data in transit/at rest required
– AWS CloudTrail/VPC Flow Logging for auditing

FERPA on AWS
• What is FERPA?
• Why is it important?
• How customers use AWS to meet FERPA

What is FERPA?
• The Family Educational Rights & Privacy
Act of 1974
• Support and promote protection of privacy
and reasonable governance of student
education records

Why is FERPA important?
• Provides students the right to inspect and
review, governance over disclosure, and a
mechanism to amend [their] incorrect
educational records

Using AWS to meet FERPA
• Built-in firewalls – Configure built in firewall rules to control
access to your Amazon EC2 virtual instances.
• Authentication and authorization – Consider IAM and
AWS customer-controlled credentials in AWS environment.
• Guest operating system – AWS customers control virtual
instances in Amazon EC2 and Amazon VPC.
• Storage – AWS storage options like Amazon EBS,
Amazon S3, and Amazon RDS allow you to make data
easily accessible to your applications or for backup.

Continued..
• Private subnets – Amazon VPC allows customers to add
another layer of network security to their instances.
• Encrypted data storage – The data and objects stored in
Amazon EBS, Amazon S3, Amazon Glacier, Amazon Redshift
can be optionally encrypted with AES 256.
• Dedicated connection option – Customers can establish a
dedicated network connection from your premises to AWS.
• Perfect forward secrecy
• Security logs – AWS CloudTrail provides logs of user activity
within your AWS account.

Continued..
• Asset identification and configuration – Customers use AWS
Config to discover and view the configuration of their AWS
resources.
• Centralized key management – AWS Key Management Service
(KMS) and AWS CloudHSM to manage and administer your keys.
• AWS Trusted Advisor – Customers use AWS Trusted Advisor to
monitor their resources, creating security and access policy alerts.

Building HIPAA-Level Security
Solutions:
Partnering with AWS
Elizabeth Boudreau
Senior Manager of IT
Claritas Genomics/ Boston Children’s Hospital

Data-Sharing Between Partner Institutions
Creates HIPAA-Compliance Challenges

Shared Responsibility Model
• Layers of Security
• Proper Architecture
• Keeping Up with New Services
– BAA Updates
– Integration Into Infrastructure

AWS Benefits
• HIPAA Secured Data Processing
• Institutional Data Sharing
• New Data Source Integration
• Security Assistance
• Administrative Oversight
• Available Uptime

The Claritas Experience
• Partnered with AWS Professional Services
• Calculated Growth
• Created Policies
• Implemented Direct Connect
• Reacted To Heartbleed Vulnerability
• Withstood DDOS Attack
– No Breach!!

Making It Work
• Start with small projects
• Account Management
– R&D
– Production Versus Development
• Train Your Employees and Partners
• Create a Culture of Audits
– Be a trustworthy source
– Document now to save time later

Thank You.
This presentation will be loaded to SlideShare the week following the Symposium.
http://www.slideshare.net/AmazonWebServices

Security & Privacy: Using AWS to Meet Requirements for HIPAA, CJIS, and FERPA

Recomendados

Recomendados

Más contenido relacionado

La actualidad más candente

La actualidad más candente (20)

Destacado

Destacado (20)

Similar a Security & Privacy: Using AWS to Meet Requirements for HIPAA, CJIS, and FERPA

Similar a Security & Privacy: Using AWS to Meet Requirements for HIPAA, CJIS, and FERPA (20)

Más de Amazon Web Services

Más de Amazon Web Services (20)

Último

Último (20)

Security & Privacy: Using AWS to Meet Requirements for HIPAA, CJIS, and FERPA