aptible, aws, and telepharm: architecting hipaa compliance for the cloud

Posted on 19-Aug-2015


TRANSCRIPT

Aptible + Telepharm: HIPAA for Startups

Presenters: Scott Ward (AWS), Frank Macreery (Aptible), Caleb Boyd (Telepharm), Kent Safranski (Telepharm)

June 23rd, 2015

AWS Compliance

AWS maintains a formal control environment

SOC 1 Type II report published every six months

SOC 2 Security and Availability report every six months

ISO 27001 Certification

ISO 9001 Certification

+ Many more

Certified PCI DSS 3.0 Level 1 Service Provider

FedRAMP Certification

HIPAA BAAs

DoD CSM Levels 1-2, 3-5

GxP, ISO 13485, AS9100, ISO/TS 16949

HIPAA Compliance

HIPAA is there to protect the security and privacy of Protected Health Information (PHI).

PHI covers a wide set of personally identifiable health and health related data.

HIPAA on AWS means protecting all of the PHI you handle, and processing, storing, or transmitting that PHI only with AWS services that are covered by your Business Associate Agreement (BAA).

AWS looks after the security of the platform

Customers are responsible for their security configuration IN the Cloud

Security is shared between AWS and customers

Shared responsibility model (diagram):

AWS is responsible for security OF the cloud:
• AWS Foundation Services: compute, storage, database, networking
• AWS Global Infrastructure: regions, Availability Zones, edge locations

Customers are responsible for security IN the cloud:
• Customer content
• Platform, applications, identity & access management
• Operating system, network & firewall configuration
• Client- and server-side encryption, encryption key management, network traffic protection

AWS HIPAA Eligible Services

Customers may use all AWS services within a “HIPAA Account”, but may process, store, or transmit ePHI using only the Eligible Services. At the time of this talk (June 2015) those were:

• Amazon EC2
• Elastic Load Balancing (TCP mode only)
• Amazon S3
• Amazon EBS
• Amazon Glacier
• Amazon Redshift

AWS HIPAA configuration requirements

Customers must encrypt ePHI in transit and at rest

Customers must use EC2 Dedicated Instances for instances processing, storing, or transmitting ePHI (a condition of the AWS BAA at the time of this talk)

Customers must record and retain activity (audit logs) related to use of and access to ePHI

Data Encryption at Rest

Amazon Simple Storage Service (S3)

• Access controls at bucket and object level: restrict access and rights
• Versioning
• S3 cryptographic features: HTTPS for data in transit, S3 server-side encryption, S3 client-side encryption, MD5 checksums to verify file integrity (note that an MD5 checksum catches accidental corruption in transfer; it is not an integrity control against a deliberate attacker)

Amazon Elastic Block Store (EBS)

• Implement AWS-managed encryption (encrypted EBS volumes)
• Implement your own encryption (for example at the block-device or filesystem layer inside the instance)
• AWS Partner solutions to help with encryption management and implementation
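The "encrypt ePHI at rest and in transit" requirement is easiest to enforce on S3 with a bucket policy that denies unencrypted uploads and denies any request not made over TLS. The block below is an added example, not code from the presenters or from Aptible: it builds such a policy for a hypothetical bucket and includes a deliberately simplified evaluator (only explicit Deny statements, only the Null and Bool condition operators) so you can see which requests each statement catches. Bucket name, object key and the sample request contexts are constructed for the example.

```python
import json

PHI_BUCKET = "example-phi-bucket"  # hypothetical bucket name for this example

# Bucket policy with two explicit Deny statements. In IAM evaluation an
# explicit Deny overrides any Allow, so these hold even if a user policy
# grants s3:* on the bucket.
PHI_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            # Reject PutObject requests that carry no
            # x-amz-server-side-encryption header (SSE-S3 and SSE-KMS both set it).
            "Sid": "DenyUnencryptedObjectUploads",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{PHI_BUCKET}/*",
            "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}},
        },
        {
            # Reject every request that did not arrive over TLS.
            "Sid": "DenyNonTLSAccess",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [
                f"arn:aws:s3:::{PHI_BUCKET}",
                f"arn:aws:s3:::{PHI_BUCKET}/*",
            ],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
    ],
}


def policy_json() -> str:
    """Serialized policy, ready for `aws s3api put-bucket-policy --policy file://...`."""
    return json.dumps(PHI_BUCKET_POLICY, indent=2)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _glob_match(pattern: str, value: str) -> bool:
    """Match a policy Action/Resource pattern; only a trailing '*' is modelled here."""
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    return pattern == value


def _condition_holds(condition: dict, context: dict) -> bool:
    """Evaluate the two condition operators this policy uses.

    `context` maps condition keys to the string values present on the request;
    a key the request did not carry is simply absent from the dict."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if operator == "Null":
                # "Null": {key: "true"} is satisfied when the key is absent.
                if (actual is None) != (expected == "true"):
                    return False
            elif operator == "Bool":
                if actual is None or actual.lower() != expected.lower():
                    return False
            else:
                raise ValueError(f"operator {operator} not modelled in this example")
    return True


def explicit_deny(policy: dict, action: str, resource: str, context: dict):
    """Return the Sid of the first Deny statement matching the request, or None.

    Simplified evaluator for illustration only: it checks explicit Deny
    statements, treats Principal as '*', and knows just Null and Bool."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if not any(_glob_match(a, action) for a in _as_list(stmt["Action"])):
            continue
        if not any(_glob_match(r, resource) for r in _as_list(stmt["Resource"])):
            continue
        if _condition_holds(stmt.get("Condition", {}), context):
            return stmt["Sid"]
    return None


# Constructed object key for the sample requests below.
OBJECT_ARN = f"arn:aws:s3:::{PHI_BUCKET}/patients/12345/rx.pdf"

if __name__ == "__main__":
    # Condition keys are what S3 would derive from each request's headers.
    print(explicit_deny(PHI_BUCKET_POLICY, "s3:PutObject", OBJECT_ARN,
                        {"aws:SecureTransport": "true"}))
    print(explicit_deny(PHI_BUCKET_POLICY, "s3:PutObject", OBJECT_ARN,
                        {"aws:SecureTransport": "true",
                         "s3:x-amz-server-side-encryption": "AES256"}))
    print(explicit_deny(PHI_BUCKET_POLICY, "s3:GetObject", OBJECT_ARN,
                        {"aws:SecureTransport": "false"}))
```

The Null-condition pattern is the reason to prefer it over StringNotEquals alone: a missing header makes StringNotEquals evaluate as true in IAM, so a policy built only on that operator would not reject the unencrypted upload you care about.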

Data Encryption in Transit

AWS service endpoints support HTTPS.

Customers implement their own HTTPS or TLS encryption of data in transit within their applications.

Controlling your EC2 instances

Launch instance: you choose and control your image (AWS catalog, your own AMI, Marketplace, Community)

Network placement: you determine the VPC, subnet, security groups, and whether the instance gets a public IP address

Configure instance: harden the operating system, run a host-based firewall, control admin/user access, enable logging

Dedicated EC2 Instances (diagram)

Shared tenancy: a physical host may run instances belonging to several customers side by side (customer #1, customer #2, customer #3, customer #4).

Dedicated tenancy: the physical host runs only instances belonging to customer #1.

Audit Controls - AWS CloudTrail

You are making API calls on a growing set of services around the world. AWS CloudTrail is continuously recording those API calls and delivering log files to you. (The slide shows Redshift, AWS CloudFormation and AWS Elastic Beanstalk among the recorded services.)

Implementing Security: delegate, automate, standardize

What Does HIPAA Require?

Physical Safeguards
• Facility management
• Physical contingency plans

General Technical Safeguards
• Encryption
• Data backups
• Instance access (SSH) controls

Specific Technical Safeguards
• Authentication
• PHI record access controls (authorization)

Administrative Safeguards
• Policies & procedures
• Risk assessments
• Workforce training

Delegation

Aptible delegates physical safeguards to AWS.

Customers delegate administrative and (many) technical safeguards to Aptible.

How does Aptible implement technical safeguards?

Tooling shown on the slide: OpsWorks, Chef, CloudTrail and CloudFormation (CFN), applied to both the general and the specific technical safeguards.

Unique SSH User Identification: OpsWorks + IAM

A covered entity must… assign a unique name and/or number for identifying and tracking user identity.

§164.312(a)(2)(i) (Required)

Options considered:

• EC2 SSH key pair? No: a key pair shared by everyone who operates the instance does not identify the individual user.
• Manual authorized_keys management? No: hand-edited per-host files give no central view of who has access, make revocation slow, and leave no audit trail.
• OpsWorks + IAM: the approach taken.

IAM (Identity and Access Management): service for programmatically managing user identities

OpsWorks: Chef-based deployment platform

OpsWorks + IAM:
• Gives visibility into current SSH permissions across all EC2 instances
• Makes it easy to rotate keys or revoke access
• Creates an audit log of all SSH permission changes, through CloudTrail
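The CloudTrail slide above says API calls are recorded and delivered as log files, and this slide says that OpsWorks + IAM turns SSH permission changes into CloudTrail events. Here is an added example of what a reviewer does with those files: it is not the presenters' or Aptible's code. It parses a constructed CloudTrail delivery (the record layout follows the CloudTrail format; the OpsWorks requestParameters for SetPermission and UpdateUserProfile are an approximation, assumed for the example), extracts every SSH permission change with the IAM identity that made it, keeps failed attempts (CloudTrail records those too, with an errorCode), and flags callers who granted SSH or sudo to their own identity.

```python
import json
from datetime import datetime

# Constructed CloudTrail delivery: four records, three of which touch SSH access.
# Account id, ARNs, stack id and IP address are fictitious.
SAMPLE_TRAIL = json.dumps({"Records": [
    {
        "eventTime": "2015-06-23T14:02:11Z",
        "eventSource": "opsworks.amazonaws.com",
        "eventName": "SetPermission",
        "userIdentity": {"type": "IAMUser", "userName": "frank",
                         "arn": "arn:aws:iam::123456789012:user/frank"},
        "sourceIPAddress": "203.0.113.10",
        "requestParameters": {"stackId": "stack-phi",
                              "iamUserArn": "arn:aws:iam::123456789012:user/caleb",
                              "allowSsh": True, "allowSudo": False},
    },
    {
        "eventTime": "2015-06-23T14:05:40Z",
        "eventSource": "opsworks.amazonaws.com",
        "eventName": "UpdateUserProfile",
        "userIdentity": {"type": "IAMUser", "userName": "caleb",
                         "arn": "arn:aws:iam::123456789012:user/caleb"},
        "sourceIPAddress": "203.0.113.11",
        "requestParameters": {"iamUserArn": "arn:aws:iam::123456789012:user/caleb",
                              "sshPublicKey": "ssh-rsa AAAAB3...example"},
    },
    {
        "eventTime": "2015-06-23T15:10:02Z",
        "eventSource": "ec2.amazonaws.com",
        "eventName": "DescribeInstances",
        "userIdentity": {"type": "IAMUser", "userName": "frank",
                         "arn": "arn:aws:iam::123456789012:user/frank"},
        "sourceIPAddress": "203.0.113.10",
        "requestParameters": {},
    },
    {
        # A denied call still appears in CloudTrail, with errorCode set.
        "eventTime": "2015-06-24T09:00:00Z",
        "eventSource": "opsworks.amazonaws.com",
        "eventName": "SetPermission",
        "userIdentity": {"type": "IAMUser", "userName": "intern",
                         "arn": "arn:aws:iam::123456789012:user/intern"},
        "sourceIPAddress": "198.51.100.7",
        "requestParameters": {"stackId": "stack-phi",
                              "iamUserArn": "arn:aws:iam::123456789012:user/intern",
                              "allowSsh": True, "allowSudo": True},
        "errorCode": "AccessDenied",
        "errorMessage": "User is not authorized to perform: opsworks:SetPermission",
    },
]})

# OpsWorks API calls that change who can SSH in, or with which key.
SSH_EVENTS = {"SetPermission", "UpdateUserProfile", "DeleteUserProfile"}


def ssh_permission_changes(trail_json: str) -> list:
    """Extract SSH-related OpsWorks calls as audit entries, oldest first."""
    changes = []
    for rec in json.loads(trail_json)["Records"]:
        if rec.get("eventSource") != "opsworks.amazonaws.com":
            continue
        if rec.get("eventName") not in SSH_EVENTS:
            continue
        params = rec.get("requestParameters") or {}
        changes.append({
            "time": datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ"),
            "actor": rec["userIdentity"].get("arn"),        # who made the call
            "source_ip": rec.get("sourceIPAddress"),
            "event": rec["eventName"],
            "target_user": params.get("iamUserArn"),          # whose access changed
            "stack": params.get("stackId"),
            "allow_ssh": params.get("allowSsh"),
            "allow_sudo": params.get("allowSudo"),
            "key_changed": "sshPublicKey" in params,
            "succeeded": "errorCode" not in rec,
            "error": rec.get("errorCode"),
        })
    return sorted(changes, key=lambda c: c["time"])


def self_granted_ssh(changes: list) -> list:
    """Calls (successful or not) where the actor granted SSH/sudo to themselves."""
    return [c for c in changes
            if c["event"] == "SetPermission"
            and c["actor"] == c["target_user"]
            and (c["allow_ssh"] or c["allow_sudo"])]


def format_audit_line(c: dict) -> str:
    status = "OK" if c["succeeded"] else f"FAILED({c['error']})"
    return (f"{c['time']:%Y-%m-%d %H:%M:%S} {status} {c['event']} by {c['actor']} "
            f"from {c['source_ip']} -> {c['target_user']} "
            f"ssh={c['allow_ssh']} sudo={c['allow_sudo']} key_changed={c['key_changed']}")


if __name__ == "__main__":
    for change in ssh_permission_changes(SAMPLE_TRAIL):
        print(format_audit_line(change))
```

Real CloudTrail deliveries are gzip-compressed JSON objects in S3 with the same top-level "Records" array; read them the same way after decompressing.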

End-to-end Encryption: ELB, NGiNX, applications

A covered entity must… implement a mechanism to encrypt electronic protected health information whenever deemed appropriate.

§164.312(e)(2)(ii) (Addressable). This is the encryption implementation specification under the Transmission Security standard; the slide cites §164.312(a)(2)(i), which is the Unique User Identification specification quoted above.

AWS "Approved" (HIPAA-eligible) Services: EC2, ELB, EBS, S3, Glacier, Redshift

• EC2: must use dedicated instances for PHI
• EBS: all PHI volumes must be encrypted
• ELB: end-to-end encryption in transit

Traffic path (diagram): the ELB listener is TCP or HTTPS on both sides (in TCP mode it passes the TLS stream through without terminating it); NGiNX and the applications behind it speak HTTPS, so every hop is encrypted.

https://github.com/aptible/docker-nginx

https://quay.io/repository/aptible/nginx

Standardized SSL termination container: deployed everywhere we require encryption in transit

Configurable via ENV: $UPSTREAM_SERVERS, $FORCE_SSL, $HSTS_MAX_AGE (…)

Configurable via ENV makes testing easier:

    @test "It should send a Strict-Transport-Security header with FORCE_SSL" {
      FORCE_SSL=true wait_for_nginx
      run curl -Ik https://localhost 2>/dev/null
      [[ "$output" =~ "Strict-Transport-Security: max-age=31536000" ]]
    }

Configurable via ENV abstracts implementation details: could be NGiNX, HAProxy, …

ENV configuration simplifies configuration management: the central store doesn’t need to know parameters in advance
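To make the ENV-driven pattern concrete, here is an added example of a renderer that turns the three variables named above into an NGiNX server configuration. It is illustrative code written for this page, not the template the docker-nginx image actually uses: the accepted separators in $UPSTREAM_SERVERS, the certificate paths, and the plain-HTTP hop to the application are assumptions of the example. It fails closed on a missing upstream and emits the Strict-Transport-Security header only when $FORCE_SSL is set, with the same one-year default the bats test above expects.

```python
import os

DEFAULT_HSTS_MAX_AGE = 31536000  # one year; matches the value the bats test checks


def parse_upstreams(value: str) -> list:
    """Split UPSTREAM_SERVERS into host:port entries.

    Assumption of this example: commas or whitespace separate entries."""
    servers = [s for s in value.replace(",", " ").split() if s]
    for s in servers:
        host, sep, port = s.rpartition(":")
        if not sep or not host or not port.isdigit():
            raise ValueError(f"bad upstream entry {s!r}; expected host:port")
    return servers


def truthy(value) -> bool:
    return str(value or "").strip().lower() in {"1", "true", "yes", "on"}


def hsts_header(env: dict):
    """The Strict-Transport-Security header line to send, or None without FORCE_SSL."""
    if not truthy(env.get("FORCE_SSL")):
        return None
    max_age = int(env.get("HSTS_MAX_AGE", DEFAULT_HSTS_MAX_AGE))
    if max_age < 0:
        raise ValueError("HSTS_MAX_AGE must be a non-negative integer")
    return f"Strict-Transport-Security: max-age={max_age}"


def render_nginx_conf(env: dict) -> str:
    """Render an nginx config from the container's environment variables."""
    upstreams = parse_upstreams(env.get("UPSTREAM_SERVERS", ""))
    if not upstreams:
        # Fail closed: a proxy with no backend must not start quietly.
        raise ValueError("UPSTREAM_SERVERS must name at least one host:port")

    lines = ["upstream app {"] + [f"    server {s};" for s in upstreams] + ["}", ""]

    if truthy(env.get("FORCE_SSL")):
        # Plain HTTP only ever redirects; nothing is served in the clear.
        lines += ["server {", "    listen 80;",
                  "    return 301 https://$host$request_uri;", "}", ""]
    else:
        lines += ["server {", "    listen 80;",
                  "    location / { proxy_pass http://app; }", "}", ""]

    lines += ["server {", "    listen 443 ssl;",
              "    ssl_certificate /etc/nginx/ssl/server.crt;",      # assumed path
              "    ssl_certificate_key /etc/nginx/ssl/server.key;"]  # assumed path
    header = hsts_header(env)
    if header:
        name, _, value = header.partition(": ")
        # 'always' makes nginx add the header on error responses too.
        lines.append(f'    add_header {name} "{value}" always;')
    lines += ["    location / {",
              "        proxy_set_header Host $host;",
              "        proxy_set_header X-Forwarded-Proto https;",
              "        proxy_pass http://app;",  # assumption: app hop is plain HTTP
              "    }", "}"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # The container entrypoint would write this to /etc/nginx/nginx.conf.
    print(render_nginx_conf(dict(os.environ)))
```

Because the renderer takes a plain dict, the same function is unit-testable without starting NGiNX, which is the "makes testing easier" point of the slide; the bats test then covers the running container.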

Implementing Security
• Delegate low-level or general security details to providers like AWS and Aptible
• Automate management of technical safeguards (e.g., through OpsWorks + IAM for SSH access)
• Standardize implementation and deployment of key security infrastructure

What is TelePharm?

• Photo documentation
• Remote approval
• Hardware agnostic
• Minimize pharmacist time
• Multi-site workflow management

Why Aptible

• Market options (VPS vs. PaaS)
• Cost (initial and ongoing)
• Resource requirements
• Uptime and stability

Requirements and Challenges

• Minimize resource investment
• Scaling
• *Access control
• *Auditing
• *Data storage
• *Real-time data processing
• *Requires HIPAA compliance

(Items marked * are covered on the following slides.)

Access Control

• Scoped by tenant/organization
• Role based
• Limited session length
• Blacklist
• Detailed access logs

Auditing

• Log usage of DALs (data access layers) with the current principal
• Log usage of endpoints and services
• Store actions taken on ePHI
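The Access Control and Auditing slides describe one mechanism from two sides: every data-access call is checked against the caller's tenant, role and session state, and every attempt is logged with the current principal. The block below is an added example that implements both together; it is not TelePharm's code. Role names, the 15-minute session limit, the record shape and the sample principals are constructed for the example, and the slide's "Blacklist" is read here as a list of revoked session ids (an assumption).

```python
import time
from dataclasses import dataclass

# Role to permitted actions. Constructed for this example, not TelePharm's roles.
ROLE_PERMISSIONS = {
    "pharmacist": {"read_rx", "approve_rx"},
    "technician": {"read_rx", "upload_photo"},
}
SESSION_MAX_AGE = 15 * 60  # seconds; "limited session length" (assumed value)


@dataclass(frozen=True)
class Session:
    session_id: str
    principal: str   # unique user identifier, the "current principal" in the log
    tenant: str      # organization this session is scoped to
    role: str
    issued_at: float


@dataclass(frozen=True)
class PhiRecord:
    record_id: str   # identifier only; the ePHI itself never enters the audit log
    tenant: str


class AccessDenied(Exception):
    pass


class AuthorizingDAL:
    """Data access layer wrapper: every call is authorized and audited."""

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable so expiry can be tested
        self._blacklist = set()      # revoked session ids
        self.audit_log = []          # one entry per attempt, allowed or denied

    def revoke(self, session_id: str) -> None:
        self._blacklist.add(session_id)

    def _deny_reason(self, session: Session, action: str, record: PhiRecord):
        if session.session_id in self._blacklist:
            return "session revoked"
        if self._clock() - session.issued_at > SESSION_MAX_AGE:
            return "session expired"
        # Tenant scoping is checked before role: a pharmacist in org A has no
        # rights at all over org B's records, whatever their role says.
        if record.tenant != session.tenant:
            return "cross-tenant access"
        if action not in ROLE_PERMISSIONS.get(session.role, set()):
            return f"role {session.role} lacks {action}"
        return None

    def access(self, session: Session, action: str, record: PhiRecord) -> bool:
        reason = self._deny_reason(session, action, record)
        self.audit_log.append({
            "ts": self._clock(),
            "principal": session.principal,
            "tenant": session.tenant,
            "action": action,
            "record": record.record_id,
            "outcome": "allow" if reason is None else f"deny: {reason}",
        })
        if reason is not None:
            raise AccessDenied(reason)
        return True  # the real DAL would perform the read or write here


if __name__ == "__main__":
    dal = AuthorizingDAL()
    now = time.time()
    caleb = Session("sess-1", "user-caleb", "org-a", "pharmacist", now)
    dal.access(caleb, "approve_rx", PhiRecord("rx-42", "org-a"))
    try:
        dal.access(caleb, "approve_rx", PhiRecord("rx-99", "org-b"))
    except AccessDenied as err:
        print("denied:", err)
    for entry in dal.audit_log:
        print(entry)
```

Denied attempts are logged as deliberately as allowed ones: a run of cross-tenant denials for one principal is exactly the signal an auditor or an on-call engineer wants to see.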

Data storage and processing

• Managed encryption on document storage
• Managed encryption on blob storage
• Managed encryption on (maybe) persistent cache storage

• All solved with platform and infrastructure provided by AWS and Aptible.

Thank you
