AWS Government, Education, and Nonprofit Symposium
Washington, DC | June 25-26, 2015
Our Speakers
• Justin Lundy, CTO, CIO, and Co-Founder of Evident.IO
• Chris Gile, AWS Senior Manager, Security Assurance
• Elizabeth Boudreau, Senior Manager of Information Technology, Claritas Genomics/Boston Children’s Hospital
HIPAA Compliance on AWS
Justin Lundy, Founder & CTO, Evident.io
https://evident.io/
jbl@evident.io
twitter.com/justinlundy_
HIPAA Overview
• Addresses the security and privacy of health data. The standards are
meant to improve the efficiency and effectiveness of the nation's
health care system by encouraging the widespread use of electronic
data interchange in the U.S. health care system.
HIPAA Compliance on AWS
• Customers may use any AWS service within a “HIPAA Account”, BUT
• Customers may process, store, or transmit ePHI only with the HIPAA-eligible
services covered by the AWS Business Associate Agreement (BAA). The list below
is as of June 2015; check AWS’s current eligible-services list before designing:
– Amazon Elastic Compute Cloud (Amazon EC2)
– Amazon Elastic Block Store (Amazon EBS)
– Elastic Load Balancing (ELB)
– Amazon Simple Storage Service (Amazon S3)
– Amazon Glacier
– Amazon Redshift
AWS HIPAA Configuration Requirements
• Must encrypt ePHI in transit (TLS) and at rest
• Must use Amazon EC2 Dedicated Instances for processing, storing or
transmitting ePHI
• Must record and retain activity related to use of and access to ePHI
(AWS CloudTrail for API activity, plus OS and application logs)
• Unique user identification required (no shared accounts or credentials)
• Strong authentication required (e.g. MFA)
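The requirements above can be checked mechanically from API output. The script below is an added example written for this page, not code from the slides, Evident.io or AWS. It covers the three requirements that are visible in plain inventory data (encrypted EBS, dedicated tenancy, MFA and no long-lived keys); encryption in transit and log retention are not checked. The inventory is constructed to match the shape of boto3’s `ec2.describe_instances()`, `ec2.describe_volumes()` and a subset of the IAM credential report columns; the account ID, instance and volume IDs and user names are made up.

```python
"""Check an account inventory against the AWS HIPAA configuration rules above.

Added example; not from the slides, Evident.io or AWS. Rules checked:
  - ePHI at rest encrypted        -> every attached EBS volume has Encrypted == True
  - Dedicated Instances for ePHI  -> Placement.Tenancy == "dedicated"
  - unique users, strong auth     -> no console user without MFA, and no
                                     long-lived access keys (use AssumeRole)
The inventory is CONSTRUCTED in the shape of boto3's ec2.describe_instances(),
ec2.describe_volumes() and a subset of the IAM credential report columns.
"""
import csv
import io

# Constructed sample inventory: i-0aaa is compliant, i-0bbb is not.
INSTANCES = {"Reservations": [{"Instances": [
    {"InstanceId": "i-0aaa", "Placement": {"Tenancy": "dedicated"},
     "BlockDeviceMappings": [{"Ebs": {"VolumeId": "vol-0aaa"}}]},
    {"InstanceId": "i-0bbb", "Placement": {"Tenancy": "default"},
     "BlockDeviceMappings": [{"Ebs": {"VolumeId": "vol-0bbb"}},
                             {"Ebs": {"VolumeId": "vol-0ccc"}}]},
]}]}
VOLUMES = {"Volumes": [
    {"VolumeId": "vol-0aaa", "Encrypted": True},
    {"VolumeId": "vol-0bbb", "Encrypted": True},
    {"VolumeId": "vol-0ccc", "Encrypted": False},
]}
# Constructed credential report (subset of the real columns, same names).
CREDENTIAL_REPORT = """\
user,arn,password_enabled,mfa_active,access_key_1_active
<root_account>,arn:aws:iam::111122223333:root,not_supported,true,false
alice,arn:aws:iam::111122223333:user/alice,true,true,false
bob,arn:aws:iam::111122223333:user/bob,true,false,false
deploy-bot,arn:aws:iam::111122223333:user/deploy-bot,false,false,true
"""


def check_instances(instances, volumes):
    """Return (instance_id, problem) for non-dedicated tenancy and unencrypted EBS."""
    encrypted = {v["VolumeId"]: v["Encrypted"] for v in volumes["Volumes"]}
    findings = []
    for reservation in instances["Reservations"]:
        for inst in reservation["Instances"]:
            iid = inst["InstanceId"]
            if inst.get("Placement", {}).get("Tenancy") != "dedicated":
                findings.append((iid, "tenancy is not dedicated"))
            for mapping in inst.get("BlockDeviceMappings", []):
                vid = mapping.get("Ebs", {}).get("VolumeId")
                # A volume missing from the volume list counts as unencrypted: fail closed.
                if vid and not encrypted.get(vid, False):
                    findings.append((iid, f"volume {vid} is not encrypted"))
    return findings


def check_users(report_csv):
    """Return (user, problem) for console users without MFA and users with access keys."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        # The report says "not_supported" for root, but root always has a password.
        has_password = row["password_enabled"] == "true" or user == "<root_account>"
        if has_password and row["mfa_active"] != "true":
            findings.append((user, "console password without MFA"))
        if row["access_key_1_active"] == "true":
            findings.append((user, "long-lived access key active; use AssumeRole"))
    return findings


if __name__ == "__main__":
    for finding in check_instances(INSTANCES, VOLUMES) + check_users(CREDENTIAL_REPORT):
        print("FAIL %s: %s" % finding)
```

Both checks fail closed: a volume that is attached but absent from the volume listing is reported as unencrypted, and the root account is treated as password-enabled regardless of what the report says in that column.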
HIPAA Compliance Case Study: Emdeon
• Emdeon is a leading provider of revenue and payment cycle
management and clinical information exchange solutions,
connecting payers, providers and patients in the U.S. healthcare
system.
• “The combination of Emdeon’s leading intelligent financial,
administrative, and clinical health information network, with AWS’s
capabilities allows us to more quickly and more cost-effectively
transform healthcare data into actionable insights that improve
patient care, administrative processes, and payments.” - Emdeon
President and CEO
HIPAA Access, Audit, and Integrity Controls
HIPAA Access controls (45 CFR 164.312(a)(1))
• Template everything – AWS CloudFormation/Chef/Puppet
• CI/CD and automated testing
• AssumeRole for temporary credentials; no long-lived access keys on disk
• No human interaction with ePHI
• Separate Dev/Stage/Prod environments
HIPAA Audit controls (45 CFR 164.312(b))
• AWS CloudTrail
• High degree of transparency
• Change control monitoring
• Modern patching (launch a new stack from a patched image, then terminate the old one)
HIPAA Integrity controls (45 CFR 164.312(c))
• Limited production access
• Debugging without PHI
• All transactions persisted in Amazon S3
• Backup policy – encrypted Amazon S3 to encrypted Amazon Glacier
• Run out of multiple AZs using ELB in TCP mode with Proxy Protocol, so TLS
terminates on the instances (end-to-end encryption in transit) and the
client IP is preserved for audit logs
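The access and audit controls above become concrete once CloudTrail records are run through rules. The script below is an added example for this page, not code from the slides or Evident.io. The records are constructed in the CloudTrail record layout (`userIdentity`, `eventName`, `eventSource`, `additionalEventData`, `requestParameters`); the ePHI bucket name, the set of service roles allowed to touch it, the account ID, user names and access key ID are all assumptions.

```python
"""Flag CloudTrail events that violate the access and audit controls above.

Added example; not from the slides or Evident.io. Rules:
  1. ConsoleLogin without MFA                         (strong authentication)
  2. IAM user calling an API with a long-lived key    (AssumeRole, no keys on disk)
  3. any principal other than an application service role reading or
     writing the ePHI bucket                          (no human interaction with ePHI)
Records are CONSTRUCTED in the CloudTrail record layout.
"""
import json

EPHI_BUCKET = "example-ephi-transactions"   # assumption: bucket holding ePHI
SERVICE_ROLES = {"app-ingest", "app-web"}   # assumption: only roles that may touch ePHI

# Constructed records: one hit per rule, one MFA login and one legitimate service write.
RECORDS = json.loads("""{"Records": [
 {"eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
  "userIdentity": {"type": "IAMUser", "userName": "bob"},
  "additionalEventData": {"MFAUsed": "No"}},
 {"eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
  "userIdentity": {"type": "IAMUser", "userName": "alice"},
  "additionalEventData": {"MFAUsed": "Yes"}},
 {"eventName": "DescribeInstances", "eventSource": "ec2.amazonaws.com",
  "userIdentity": {"type": "IAMUser", "userName": "alice",
                   "accessKeyId": "AKIAIOSFODNN7EXAMPLE"}},
 {"eventName": "GetObject", "eventSource": "s3.amazonaws.com",
  "userIdentity": {"type": "AssumedRole",
                   "arn": "arn:aws:sts::111122223333:assumed-role/admin/carol"},
  "requestParameters": {"bucketName": "example-ephi-transactions", "key": "txn/0001.json"}},
 {"eventName": "PutObject", "eventSource": "s3.amazonaws.com",
  "userIdentity": {"type": "AssumedRole",
                   "arn": "arn:aws:sts::111122223333:assumed-role/app-ingest/i-0aaa"},
  "requestParameters": {"bucketName": "example-ephi-transactions", "key": "txn/0002.json"}}
]}""")


def principal(identity):
    """Readable principal: user name, or role/session for assumed roles."""
    if identity.get("type") == "AssumedRole":
        return identity["arn"].split(":assumed-role/", 1)[1]
    return identity.get("userName", identity.get("type", "unknown"))


def role_name(identity):
    """Role name of an assumed-role principal, or None for anything else."""
    if identity.get("type") != "AssumedRole":
        return None
    return identity["arn"].split(":assumed-role/", 1)[1].split("/", 1)[0]


def audit(records):
    """Return (principal, event, problem) for every rule violation, in record order."""
    findings = []
    for rec in records["Records"]:
        ident = rec.get("userIdentity", {})
        name, event = principal(ident), rec["eventName"]
        if event == "ConsoleLogin":
            if rec.get("additionalEventData", {}).get("MFAUsed") != "Yes":
                findings.append((name, event, "console login without MFA"))
        elif ident.get("type") == "IAMUser" and ident.get("accessKeyId"):
            findings.append((name, event, "API call with long-lived user key; use AssumeRole"))
        bucket = rec.get("requestParameters", {}).get("bucketName")
        if bucket == EPHI_BUCKET and role_name(ident) not in SERVICE_ROLES:
            findings.append((name, event, "non-service principal touched ePHI bucket"))
    return findings


if __name__ == "__main__":
    for f in audit(RECORDS):
        print("ALERT %s %s: %s" % f)
```

Rule 3 relies on object-level S3 events (GetObject/PutObject). CloudTrail records those only when S3 data-event logging is enabled on the trail, a later addition to the service; a default trail shows only bucket-level calls, so the rule would then fire only on operations such as bucket policy or ACL changes.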
HIPAA on AWS Summary
• AWS provides everything required to create secure and HIPAA-compliant systems
• AWS enables customers to own their security via predictable deployments for
HIPAA-compliant apps
• Evident.io can partner as a Business Associate under a BAA
• Evident.io is an experienced partner that helps organizations build and
maintain standards-compliant infrastructures securely in AWS.
HIPAA on AWS Web Tier Reference Architecture (architecture diagram; not reproduced in this transcript)
Using AWS to meet CJIS and FERPA compliance
Chris Gile, AWS Senior Manager, Security Assurance
Using AWS to meet CJIS
• What is CJIS?
• How can AWS customers meet CJIS requirements?
What is CJIS?
• Criminal Justice Information Services (the FBI division that owns the
policy); CJIS workloads are systems that handle criminal justice information (CJI)
• CJIS Security Policy
– Establishes the set of minimum security requirements for criminal justice
agencies (CJAs) and noncriminal justice agencies (NCJAs) that access CJI
– CJIS provides a mapping of its requirements to FedRAMP controls
AWS CJIS Workbook provides
• AWS Shared Responsibility Model
• AWS alignment to AWS-applicable CJIS requirements
• Security plan template aligned to CJIS policy areas/requirements
• Systematic approach to implementing security requirements
Enabling customers for CJIS-compliant workloads
• AWS CJIS Security Policy Workbook available
• AWS will sign the CJIS Security Addendum
• AWS third-party audits provided through our FedRAMP program
• Utilizing AWS services/features to address requirements:
– AWS CloudHSM/AWS KMS for key management
• Encryption of data in transit and at rest is required
– AWS CloudTrail/VPC Flow Logs for auditing
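VPC Flow Logs give an audit trail of which connections were accepted or rejected at each network interface, which is enough to spot traffic that cannot be carrying encrypted CJI. The script below is an added example for this page, not code from the slides or AWS. The records are constructed in the default flow log format (`version account-id interface-id srcaddr dstaddr srcport dstport protocol packets bytes start end action log-status`); the account ID, interface IDs, addresses, and the assumptions about which ENIs hold CJI and which ports carry TLS are all made up.

```python
"""Audit VPC Flow Logs for accepted unencrypted traffic to CJI-handling instances.

Added example; not from the slides or AWS. CJIS requires CJI to be encrypted in
transit, so any ACCEPTed TCP flow to a CJI instance on a port that is not a
TLS port is a finding. Records are CONSTRUCTED in the default flow log format.
"""
CJI_INTERFACES = {"eni-0aaa"}   # assumption: ENIs of instances that process CJI
TLS_PORTS = {443}               # assumption: the only destination ports expected to carry CJI
TCP = "6"

# Constructed records: TLS, plaintext HTTP, rejected SSH, telnet from inside the
# VPC, HTTP to a non-CJI interface, and a NODATA record that must be skipped.
FLOW_LOGS = """\
2 111122223333 eni-0aaa 203.0.113.5 10.0.1.10 51234 443 6 20 4000 1435000000 1435000060 ACCEPT OK
2 111122223333 eni-0aaa 203.0.113.7 10.0.1.10 51235 80 6 5 600 1435000000 1435000060 ACCEPT OK
2 111122223333 eni-0aaa 198.51.100.9 10.0.1.10 4444 22 6 3 200 1435000000 1435000060 REJECT OK
2 111122223333 eni-0aaa 10.0.2.20 10.0.1.10 40000 23 6 8 900 1435000000 1435000060 ACCEPT OK
2 111122223333 eni-0bbb 203.0.113.5 10.0.3.30 51236 80 6 10 1000 1435000000 1435000060 ACCEPT OK
2 111122223333 eni-0aaa - - - - - - - 1435000000 1435000060 - NODATA
"""

FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()


def parse_flow_logs(text):
    """Yield one dict per usable record; skip NODATA/SKIPDATA and malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] == "OK":
            yield rec


def unencrypted_cji_flows(text):
    """Return (interface, srcaddr, dstport, bytes) for accepted TCP flows into a
    CJI interface whose destination port is not a TLS port."""
    findings = []
    for rec in parse_flow_logs(text):
        if rec["interface_id"] not in CJI_INTERFACES or rec["action"] != "ACCEPT":
            continue
        if rec["protocol"] == TCP and int(rec["dstport"]) not in TLS_PORTS:
            findings.append((rec["interface_id"], rec["srcaddr"],
                             int(rec["dstport"]), int(rec["bytes"])))
    return findings


if __name__ == "__main__":
    for f in unencrypted_cji_flows(FLOW_LOGS):
        print("FINDING eni=%s src=%s dstport=%d bytes=%d" % f)
```

Flow logs see ports and byte counts, not payloads, so a flow on 443 is only presumed to be TLS; pairing this check with the CloudTrail audit and the TLS configuration of the listeners themselves is what closes the loop. REJECTed flows are deliberately left out of the finding list here, though they are worth counting separately as a scanning indicator.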
FERPA on AWS
• What is FERPA?
• Why is it important?
• How customers use AWS to meet FERPA
What is FERPA?
• The Family Educational Rights & Privacy Act of 1974
• Supports and promotes protection of privacy and reasonable governance of
student education records
Why is FERPA important?
• Provides students the right to inspect and review, governance over
disclosure, and a mechanism to amend [their] incorrect educational records
Using AWS to meet FERPA
• Built-in firewalls – Configure security groups (and network ACLs) to
control access to your Amazon EC2 instances.
• Authentication and authorization – Use IAM for customer-controlled
identities, credentials and permissions in the AWS environment.
• Guest operating system – Customers control the virtual instances in
Amazon EC2 and Amazon VPC, including hardening and patching the guest OS.
• Storage – AWS storage options like Amazon EBS, Amazon S3, and Amazon RDS
make data easily accessible to your applications or for backup.
Using AWS to meet FERPA (continued)
• Private subnets – Amazon VPC allows customers to add another layer of
network security to their instances.
• Encrypted data storage – Data and objects stored in Amazon EBS, Amazon S3,
Amazon Glacier, and Amazon Redshift can optionally be encrypted with AES-256.
• Dedicated connection option – Customers can establish a dedicated network
connection from their premises to AWS (AWS Direct Connect).
• Perfect forward secrecy – ECDHE cipher suites on AWS TLS endpoints such as
ELB and CloudFront.
• Security logs – AWS CloudTrail provides logs of user (API) activity within
your AWS account.
Using AWS to meet FERPA (continued)
• Asset identification and configuration – Customers use AWS Config to
discover and view the configuration of their AWS resources.
• Centralized key management – AWS Key Management Service (KMS) and AWS
CloudHSM to manage and administer your keys.
• AWS Trusted Advisor – Customers use AWS Trusted Advisor to monitor their
resources, creating security and access policy alerts.
Building HIPAA-Level Security Solutions: Partnering with AWS
Elizabeth Boudreau
Senior Manager of IT
Claritas Genomics/ Boston Children’s Hospital
Data-Sharing Between Partner Institutions Creates HIPAA-Compliance Challenges
Shared Responsibility Model
• Layers of Security
• Proper Architecture
• Keeping Up with New Services
– BAA Updates
– Integration Into Infrastructure
AWS Benefits
• HIPAA Secured Data Processing
• Institutional Data Sharing
• New Data Source Integration
• Security Assistance
• Administrative Oversight
• Available Uptime
The Claritas Experience
• Partnered with AWS Professional Services
• Calculated Growth
• Created Policies
• Implemented Direct Connect
• Reacted to the Heartbleed vulnerability
• Withstood a DDoS attack
– No Breach!!
Making It Work
• Start with small projects
• Account Management
– R&D
– Production Versus Development
• Train Your Employees and Partners
• Create a Culture of Audits
– Be a trustworthy source
– Document now to save time later
Thank You.
This presentation will be loaded to SlideShare the week following the Symposium.
http://www.slideshare.net/AmazonWebServices