Aptible, AWS, and TelePharm: Architecting HIPAA Compliance for the Cloud
Posted on 19-Aug-2015
Aptible + Telepharm: HIPAA for Startups
Presenters: Scott Ward (AWS), Frank Macreery (Aptible), Caleb Boyd (Telepharm), Kent Safranski (Telepharm)
June 23rd, 2015
AWS Compliance
AWS maintains a formal control environment
SOC 1 Type II report published every six months
SOC 2 Security and Availability report every six months
ISO 27001 Certification
ISO 9001 Certification
+ Many more
Certified PCI DSS 3.0 Level 1 Service Provider
FedRAMP Certification
HIPAA BAAs
DoD CSM Levels 1-2, 3-5
GxP, ISO 13485, AS9100, ISO/TS 16949
HIPAA Compliance
HIPAA exists to protect the security and privacy of Protected Health Information (PHI).
PHI covers a wide set of personally identifiable health and health-related data.
HIPAA on AWS means protecting all PHI and processing, storing or transmitting it only with the AWS services that are covered by the Business Associate Agreement (BAA).
AWS looks after the security of the platform
Customers are responsible for their security configuration IN the Cloud
Security is shared between AWS and customers
Shared responsibility model
AWS (security of the cloud): Foundation Services (Compute, Storage, Database, Networking); Global Infrastructure (Regions, Availability Zones, Edge Locations)
Customers (security in the cloud): Customer content; Platform, Applications, Identity & Access Management; Operating System, Network & Firewall Configuration; Client and Server Encryption; Encryption Key Management; Network Traffic Protection
AWS HIPAA Eligible Services
Customers may use all services within a “HIPAA Account”
Customers may process, store, or transmit ePHI using only Eligible Services
Eligible Services (at the time of the talk): Amazon EC2, Elastic Load Balancing (TCP mode only), Amazon S3, Amazon EBS, Amazon Glacier, Amazon Redshift
AWS HIPAA configuration requirements
Customers must encrypt ePHI in transit and at rest
Customers must use EC2 Dedicated Instances for instances processing, storing, or transmitting ePHI
Customers must record and retain activity related to use of and access to ePHI
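The three configuration requirements above are the kind of thing worth checking mechanically rather than by hand. The following is an added example, not AWS or Aptible code: it evaluates the shape of data that boto3's describe_instances, describe_volumes and describe_trails return, but the responses here are constructed so the check runs offline. The "phi" tag used to mark resources that handle ePHI is an assumed convention, not an AWS one.

```python
"""Check EC2 tenancy, EBS encryption and CloudTrail coverage for PHI resources.

Added example (not AWS/Aptible code). Input dicts mimic boto3 responses:
  describe_instances -> {"Reservations": [...]}
  describe_volumes   -> {"Volumes": [...]}
  describe_trails    -> {"trailList": [...]}
All sample data below is constructed for the example.
"""

# Constructed sample data. Instances tagged phi=true are in scope (assumed convention).
SAMPLE_RESERVATIONS = [{"Instances": [
    {"InstanceId": "i-phi-ok", "Placement": {"Tenancy": "dedicated"},
     "Tags": [{"Key": "phi", "Value": "true"}],
     "BlockDeviceMappings": [{"Ebs": {"VolumeId": "vol-enc"}}]},
    {"InstanceId": "i-phi-shared", "Placement": {"Tenancy": "default"},
     "Tags": [{"Key": "phi", "Value": "true"}],
     "BlockDeviceMappings": [{"Ebs": {"VolumeId": "vol-plain"}}]},
    {"InstanceId": "i-web", "Placement": {"Tenancy": "default"},
     "Tags": [{"Key": "phi", "Value": "false"}],
     "BlockDeviceMappings": [{"Ebs": {"VolumeId": "vol-web"}}]},
]}]
SAMPLE_VOLUMES = [
    {"VolumeId": "vol-enc", "Encrypted": True},
    {"VolumeId": "vol-plain", "Encrypted": False},
    {"VolumeId": "vol-web", "Encrypted": False},
]
SAMPLE_TRAILS = [{"Name": "main", "IsMultiRegionTrail": False,
                  "LogFileValidationEnabled": True, "S3BucketName": "audit-logs"}]


def tag_value(tags, key):
    for t in tags or []:
        if t.get("Key") == key:
            return t.get("Value")
    return None


def phi_instances(reservations):
    return [i for r in reservations for i in r.get("Instances", [])
            if tag_value(i.get("Tags"), "phi") == "true"]


def check_tenancy(reservations):
    """PHI instances must not share physical hardware with other customers.
    'dedicated' (Dedicated Instance) and 'host' (Dedicated Host) are both single-tenant."""
    findings = []
    for inst in phi_instances(reservations):
        tenancy = inst.get("Placement", {}).get("Tenancy", "default")
        if tenancy not in ("dedicated", "host"):
            findings.append((inst["InstanceId"],
                             f"PHI instance has tenancy {tenancy!r}; requires dedicated tenancy"))
    return findings


def check_volume_encryption(reservations, volumes):
    """Every EBS volume attached to a PHI instance must be encrypted at rest."""
    encrypted = {v["VolumeId"]: bool(v.get("Encrypted")) for v in volumes}
    findings = []
    for inst in phi_instances(reservations):
        for bdm in inst.get("BlockDeviceMappings", []):
            vid = bdm.get("Ebs", {}).get("VolumeId")
            if vid and not encrypted.get(vid, False):
                findings.append((vid, f"unencrypted EBS volume attached to PHI instance {inst['InstanceId']}"))
    return findings


def check_cloudtrail(trails):
    """API activity must be recorded and retained: a multi-region trail with
    log file validation so the delivered logs can be shown to be untampered."""
    if not trails:
        return [("cloudtrail", "no trail configured")]
    findings = []
    if not any(t.get("IsMultiRegionTrail") for t in trails):
        findings.append(("cloudtrail", "no multi-region trail; activity in other regions is not recorded"))
    for t in trails:
        if not t.get("LogFileValidationEnabled"):
            findings.append((t["Name"], "log file validation disabled"))
    return findings


def run_checks(reservations, volumes, trails):
    return (check_tenancy(reservations)
            + check_volume_encryption(reservations, volumes)
            + check_cloudtrail(trails))


if __name__ == "__main__":
    for resource, problem in run_checks(SAMPLE_RESERVATIONS, SAMPLE_VOLUMES, SAMPLE_TRAILS):
        print(f"{resource}: {problem}")
```

Against real accounts the same functions can be fed the output of the corresponding boto3 calls; the point of keying on a tag is that the scope of "PHI resources" is declared explicitly rather than guessed from names.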
Data Encryption at Rest
Amazon Simple Storage Service (S3)
Access controls at bucket and object level: restrict access and rights
Versioning
S3 cryptographic features: HTTPS for data in transit; S3 server-side encryption; S3 client-side encryption; MD5 checksums to verify file integrity (these detect corruption in transfer, not deliberate tampering)
Amazon Elastic Block Store (EBS)
Implement AWS managed encryption
Implement your own encryption
AWS Partner solutions to help with encryption management and implementation
Data Encryption in Transit
AWS service endpoints support HTTPS
Customers implement their own HTTPS/TLS encryption of data in transit for their applications
Controlling your EC2 instances
Launch instance: you choose and control your image (AWS catalog, your own, Marketplace, Community)
Running instance: you determine network placement (VPC, subnet, security groups, public IP address)
Your instance: you configure the instance (harden the operating system, host-based firewall, control admin/user access, logging)
Dedicated EC2 Instances
Shared tenancy: one physical host runs instances belonging to several customers (customer #1, #2, #3, #4 side by side)
Dedicated tenancy: the physical host runs instances belonging to a single customer only (customer #1 on every slot)
Audit Controls - AWS CloudTrail
You are making API calls on a growing set of services around the world (for example Redshift, AWS CloudFormation, AWS Elastic Beanstalk); AWS CloudTrail is continuously recording those API calls and delivering log files to you.
Implementing Security: delegate, automate, standardize
What Does HIPAA Require?
Physical Safeguards: facility management; physical contingency plans
General Technical Safeguards: encryption; data backups; instance access (SSH) controls
Specific Technical Safeguards: authentication; PHI record access controls (authorization)
Administrative Safeguards: policies & procedures; risk assessments; workforce training
Layered view, bottom to top: Physical, General Technical, Specific Technical
Delegation
Aptible delegates physical safeguards to AWS
Customers delegate administrative and (many) technical safeguards to Aptible
How does Aptible implement technical safeguards?
General Technical Safeguards: OpsWorks, Chef, CloudTrail, CFN (CloudFormation)
Specific Technical Safeguards: OpsWorks, Chef, CFN
Unique SSH User Identification: OpsWorks + IAM
A covered entity must… assign a unique name and/or number for identifying and tracking user identity. §164.312(a)(2)(i) (Required)
Alternatives considered and rejected: a shared EC2 SSH key pair; manual authorized_keys management
IAM (Identity and Access Management): service for programmatically managing user identities
OpsWorks: Chef-based deployment platform
OpsWorks + IAM gives visibility into current SSH permissions across all EC2 instances
OpsWorks + IAM makes it easy to rotate keys or revoke access
OpsWorks + IAM creates an audit log of all SSH permission changes, through CloudTrail
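The last point, an audit log of SSH permission changes, only helps if someone actually reads it. The following added example (not Aptible or AWS code) reconstructs who granted or revoked SSH and sudo for whom from CloudTrail records of OpsWorks SetPermission calls, replays them to get the current state, and flags sudo grants. The records are constructed: they use the standard CloudTrail envelope (eventTime, eventSource, eventName, userIdentity, requestParameters), and the requestParameters keys mirror the SetPermission API parameters (StackId, IamUserArn, AllowSsh, AllowSudo) in camelCase, which is an assumption about the exact field names in a real record.

```python
"""Audit OpsWorks SSH/sudo permission changes from CloudTrail records.

Added example, not Aptible/AWS code. SAMPLE_TRAIL is constructed; the
requestParameters layout is assumed to mirror the SetPermission API.
"""
import json
from datetime import datetime

ALICE = "arn:aws:iam::123456789012:user/alice"
BOB = "arn:aws:iam::123456789012:user/bob"


def _rec(time, target, ssh, sudo, actor="ops-admin", ip="203.0.113.10"):
    return {"eventTime": time, "eventSource": "opsworks.amazonaws.com",
            "eventName": "SetPermission", "sourceIPAddress": ip,
            "userIdentity": {"type": "IAMUser", "userName": actor},
            "requestParameters": {"stackId": "stack-1", "iamUserArn": target,
                                  "allowSsh": ssh, "allowSudo": sudo}}


# Constructed CloudTrail log file. Records are deliberately out of order and
# include one unrelated EC2 event, as a real trail would.
SAMPLE_TRAIL = json.dumps({"Records": [
    _rec("2015-06-01T10:00:00Z", ALICE, True, False),
    _rec("2015-06-03T08:15:00Z", BOB, True, False),
    _rec("2015-06-02T09:30:00Z", ALICE, True, True),
    _rec("2015-06-04T17:45:00Z", ALICE, False, False),   # revocation
    {"eventTime": "2015-06-04T18:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "ops-admin"},
     "requestParameters": {}},
]})


def _parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def ssh_permission_changes(trail_json):
    """Extract OpsWorks SetPermission events from a CloudTrail log file, oldest first."""
    changes = []
    for rec in json.loads(trail_json)["Records"]:
        if rec.get("eventSource") != "opsworks.amazonaws.com" or rec.get("eventName") != "SetPermission":
            continue
        p = rec.get("requestParameters") or {}
        changes.append({
            "time": _parse_time(rec["eventTime"]),
            "actor": rec.get("userIdentity", {}).get("userName", "<unknown>"),
            "source_ip": rec.get("sourceIPAddress"),
            "stack": p.get("stackId"),
            "target": p.get("iamUserArn"),
            "ssh": bool(p.get("allowSsh", False)),
            "sudo": bool(p.get("allowSudo", False)),
        })
    changes.sort(key=lambda c: c["time"])
    return changes


def current_ssh_access(changes):
    """Replay changes in time order; the latest SetPermission per (stack, user) wins."""
    state = {}
    for c in changes:
        state[(c["stack"], c["target"])] = {"ssh": c["ssh"], "sudo": c["sudo"]}
    return state


def sudo_grants(changes):
    """Grants of sudo deserve a second look: root on a PHI instance bypasses host controls."""
    return [c for c in changes if c["sudo"]]


def format_change(c):
    return (f"{c['time']:%Y-%m-%d %H:%M}Z {c['actor']}@{c['source_ip']} set {c['target']} "
            f"on {c['stack']}: ssh={'yes' if c['ssh'] else 'no'} sudo={'yes' if c['sudo'] else 'no'}")


if __name__ == "__main__":
    changes = ssh_permission_changes(SAMPLE_TRAIL)
    for c in changes:
        print(format_change(c))
    for (stack, user), perm in current_ssh_access(changes).items():
        print(f"current: {user} on {stack} -> {perm}")
```

Replaying the trail gives the same "who can SSH where right now" view that DescribePermissions would, but from the immutable log rather than from the live API, which is what an auditor wants to compare against.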
End-to-end Encryption: ELB -> NGiNX -> applications
A covered entity must… implement a mechanism to encrypt electronic protected health information whenever deemed appropriate.
§164.312(e)(2)(ii) (Addressable)
AWS "Approved" Services: EC2, ELB, EBS, S3, Glacier, Redshift
EC2: must use dedicated instances for PHI
EBS: all PHI volumes must be encrypted
ELB: end-to-end encryption in transit. The ELB listener runs in TCP or HTTPS mode; the hops from ELB to NGiNX and from NGiNX to the applications are HTTPS, so ePHI is encrypted on every hop.
https://github.com/aptible/docker-nginx
https://quay.io/repository/aptible/nginx
Standardized SSL termination container, deployed everywhere we require encryption in transit
Configurable via ENV: $UPSTREAM_SERVERS, $FORCE_SSL, $HSTS_MAX_AGE (…)
Configurable via ENV makes testing easier (bats test from the container's suite):

    @test "It should send a Strict-Transport-Security header with FORCE_SSL" {
      FORCE_SSL=true wait_for_nginx
      run curl -Ik https://localhost 2>/dev/null
      [[ "$output" =~ "Strict-Transport-Security: max-age=31536000" ]]
    }

Configurable via ENV abstracts implementation details: could be NGiNX, HAProxy, …
ENV configuration simplifies configuration management: the central store doesn’t need to know parameters in advance
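What the container does with those variables is a small template, and rendering it outside the container is the cheapest way to see why the ENV approach tests well. The following is an added example, not the docker-nginx image's own config or code: it renders an NGiNX server block from the three documented variables ($UPSTREAM_SERVERS, $FORCE_SSL, $HSTS_MAX_AGE) and returns the HSTS max-age the rendered config would send, which mirrors the bats assertion above. The certificate paths and the UPSTREAM_SCHEME variable (whether the hop to the application is plain HTTP or HTTPS) are assumptions for the example.

```python
"""Render an SSL-termination NGiNX config from environment variables.

Added example, not the aptible/docker-nginx config. UPSTREAM_SCHEME and the
certificate paths are assumptions; the other variable names come from the talk.
"""
import re

DEFAULT_HSTS_MAX_AGE = 31536000   # one year, matching the bats test on the page


def render_nginx_conf(env):
    upstreams = [u.strip() for u in env.get("UPSTREAM_SERVERS", "").split(",") if u.strip()]
    if not upstreams:
        raise ValueError("UPSTREAM_SERVERS must list at least one host:port")
    force_ssl = env.get("FORCE_SSL", "false").lower() == "true"
    hsts_max_age = int(env.get("HSTS_MAX_AGE", DEFAULT_HSTS_MAX_AGE))
    scheme = env.get("UPSTREAM_SCHEME", "http")   # assumed variable; "https" keeps the last hop encrypted

    lines = ["upstream app {"] + [f"  server {u};" for u in upstreams] + ["}", ""]

    # Port 80: with FORCE_SSL every plaintext request is redirected, never proxied.
    lines += ["server {", "  listen 80;"]
    if force_ssl:
        lines += ["  return 301 https://$host$request_uri;"]
    else:
        lines += [f"  location / {{ proxy_pass {scheme}://app; }}"]
    lines += ["}", ""]

    # Port 443: TLS termination; HSTS is only meaningful once HTTP is closed off.
    lines += ["server {", "  listen 443 ssl;",
              "  ssl_certificate /etc/nginx/ssl/server.crt;",       # assumed path
              "  ssl_certificate_key /etc/nginx/ssl/server.key;",   # assumed path
              "  ssl_protocols TLSv1.2 TLSv1.3;"]
    if force_ssl:
        lines += [f'  add_header Strict-Transport-Security "max-age={hsts_max_age}" always;']
    lines += ["  location / {",
              f"    proxy_pass {scheme}://app;",
              "    proxy_set_header Host $host;",
              "    proxy_set_header X-Forwarded-Proto https;",
              "  }", "}"]
    return "\n".join(lines) + "\n"


def hsts_max_age(conf):
    """Return the max-age the rendered config would send, or None if no HSTS header."""
    m = re.search(r'Strict-Transport-Security "max-age=(\d+)"', conf)
    return int(m.group(1)) if m else None


if __name__ == "__main__":
    print(render_nginx_conf({"UPSTREAM_SERVERS": "10.0.0.5:3000,10.0.0.6:3000", "FORCE_SSL": "true"}))
```

The same function can be pointed at a dict built from os.environ inside the container; keeping the rendering pure makes the "did FORCE_SSL add HSTS and close port 80" question answerable without starting NGiNX at all.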
Implementing Security: delegate low-level or general security details to providers like AWS and Aptible
Implementing Security: automate management of technical safeguards (e.g., through OpsWorks + IAM for SSH access)
Implementing Security: standardize implementation and deployment of key security infrastructure
What is TelePharm?
Remote Approval
Photo Documentation
Hardware Agnostic
Minimize Pharmacist Time
Multi-Site Workflow Management
Why Aptible
Market Options (VPS vs. PaaS)
Cost (Initial and Ongoing)
Resource Requirements
Uptime and Stability
Requirements and Challenges
Minimize resource investment
Scaling
*Access Control
*Auditing
*Data storage
*Real-time Data processing
*Requires HIPAA Compliance
Access Control
Scoped by Tenant/Organization
Role based
Limited session length
Blacklist
Detailed access logs
Auditing
Log usage of DALs (data access layers) with the current principal
Log usage of endpoints and services
Store actions taken on ePHI
Data storage and processing
Managed encryption on document storage
Managed encryption on blob storage
Managed encryption on (maybe) persistent cache storage
All solved with platform and infrastructure provided by AWS and Aptible.
Thank you