(SEC304) Architecting for HIPAA Compliance on AWS

© 2015, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Bill Shinn, AWS Principal Security Solutions Architect; Haddon Bennett, Emdeon Chief Information Security Officer. October 2015. SEC 304: Architecting for HIPAA Compliance on AWS.


TRANSCRIPT

Page 1: (SEC304) Architecting for HIPAA Compliance on AWS

© 2015, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

Bill Shinn, AWS Principal Security Solutions Architect

Haddon Bennett, Emdeon Chief Information Security Officer

October 2015

SEC 304: Architecting for HIPAA Compliance on AWS

Page 2: (SEC304) Architecting for HIPAA Compliance on AWS

What to expect from this session

• Review AWS Health Insurance Portability and Accountability Act (HIPAA) Program and Business Associate Agreement.

• Learn how Emdeon is architecting for HIPAA requirements on AWS.

• Learn how to architect for key HIPAA Security Rule “implementation specifications” when using AWS Eligible Services.

Page 3: (SEC304) Architecting for HIPAA Compliance on AWS

AWS HIPAA Program

• Strong presence in healthcare and life sciences from our roots

• Business Associates and the January 2013 Omnibus Final Rule

• Started signing Business Associate Agreements (BAA) in Q2 2013

• Program is based on Shared Security Responsibility Model

AWS HIPAA Program is aligned to NIST 800-53 and FedRAMP Authorizations

Page 4: (SEC304) Architecting for HIPAA Compliance on AWS

Alignment to HIPAA Security Rule

HIPAA Security Rule (45 CFR Part 160 and Subparts A and C of Part 164)

NIST 800-66: An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule

NIST 800-53 Moderate baseline + FedRAMP controls

Page 5: (SEC304) Architecting for HIPAA Compliance on AWS

AWS HIPAA Eligible Services – 2014

• Customers may use all services within a “HIPAA Account.”

• Customers may process, store, or transmit ePHI using only Eligible Services.

Eligible Services (2014): Amazon EC2; Elastic Load Balancing (TCP-mode only); Amazon S3; Amazon EBS; Amazon Glacier; Amazon Redshift

Page 6: (SEC304) Architecting for HIPAA Compliance on AWS

AWS HIPAA Eligible Services – 2015

• Customers may use all services within a “HIPAA Account.”

• Customers may process, store, or transmit ePHI using only Eligible Services.

Eligible Services (2015): EC2; Elastic Load Balancing (TCP mode only); S3; EBS; Amazon Glacier; Amazon Redshift; Amazon DynamoDB; Amazon RDS for MySQL; Amazon RDS for Oracle; Amazon EMR

Page 7: (SEC304) Architecting for HIPAA Compliance on AWS

AWS BAA configuration requirements

• Customers must encrypt ePHI in transit and at rest.

• Customers must use EC2 Dedicated Instances for instances processing, storing, or transmitting ePHI.

• Customers must record and retain activity related to use of and access to ePHI.
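The BAA requirements above, together with the “TCP mode only” condition on Elastic Load Balancing from the Eligible Services slides, can be checked mechanically against an account inventory. The following is an added example, not code from the deck or from AWS: it assumes a tagging convention (DataClassification=ePHI) that the slides do not mention, and it runs over constructed inventory data shaped like the EC2 DescribeInstances/DescribeVolumes and classic ELB DescribeLoadBalancers responses (tags merged in from DescribeTags), with placeholder IDs and names.

```python
"""Added example, not from the SEC304 deck: check a constructed inventory
against the BAA configuration requirements on the slides (ePHI only on EC2
Dedicated Instances, ePHI encrypted at rest, Elastic Load Balancing in TCP
mode only). The DataClassification=ePHI tag is an assumed convention."""

EPHI_TAG = ("DataClassification", "ePHI")   # assumed tagging convention

# Constructed sample; instance, volume and load balancer names are placeholders.
INSTANCES = [
    {"InstanceId": "i-0aaa111", "Placement": {"Tenancy": "dedicated"},
     "Tags": [{"Key": "DataClassification", "Value": "ePHI"}],
     "BlockDeviceMappings": [{"Ebs": {"VolumeId": "vol-0a1"}}]},
    {"InstanceId": "i-0bbb222", "Placement": {"Tenancy": "default"},   # shared tenancy
     "Tags": [{"Key": "DataClassification", "Value": "ePHI"}],
     "BlockDeviceMappings": [{"Ebs": {"VolumeId": "vol-0b1"}},
                             {"Ebs": {"VolumeId": "vol-0b2"}}]},
    {"InstanceId": "i-0ccc333", "Placement": {"Tenancy": "default"},   # no ePHI: out of scope
     "Tags": [{"Key": "DataClassification", "Value": "public"}],
     "BlockDeviceMappings": [{"Ebs": {"VolumeId": "vol-0c1"}}]},
]
VOLUMES = {"vol-0a1": {"Encrypted": True}, "vol-0b1": {"Encrypted": True},
           "vol-0b2": {"Encrypted": False}, "vol-0c1": {"Encrypted": False}}
LOAD_BALANCERS = [
    {"LoadBalancerName": "phi-web", "Tags": [{"Key": "DataClassification", "Value": "ePHI"}],
     "ListenerDescriptions": [{"Listener": {"Protocol": "TCP", "LoadBalancerPort": 443,
                                            "InstanceProtocol": "TCP", "InstancePort": 443}}]},
    {"LoadBalancerName": "phi-api", "Tags": [{"Key": "DataClassification", "Value": "ePHI"}],
     "ListenerDescriptions": [{"Listener": {"Protocol": "HTTPS", "LoadBalancerPort": 443,
                                            "InstanceProtocol": "HTTP", "InstancePort": 80}}]},
]


def handles_ephi(resource):
    """True when the resource carries the assumed ePHI classification tag."""
    return any((t["Key"], t["Value"]) == EPHI_TAG for t in resource.get("Tags", []))


def check_instance(instance, volumes):
    """Findings for one instance: tenancy, and at-rest encryption of each attached EBS volume."""
    if not handles_ephi(instance):
        return []
    iid, findings = instance["InstanceId"], []
    # The slide requires Dedicated Instances, i.e. tenancy "dedicated".
    if instance["Placement"]["Tenancy"] != "dedicated":
        findings.append((iid, "ePHI instance is not a Dedicated Instance"))
    for mapping in instance.get("BlockDeviceMappings", []):
        vol_id = mapping["Ebs"]["VolumeId"]
        if not volumes.get(vol_id, {}).get("Encrypted", False):
            findings.append((iid, f"attached volume {vol_id} is not encrypted at rest"))
    return findings


def check_load_balancer(elb):
    """Findings for one classic ELB: every listener must be TCP on both sides so the
    TLS session carrying ePHI is passed through and terminated on the instances."""
    if not handles_ephi(elb):
        return []
    name, findings = elb["LoadBalancerName"], []
    for desc in elb.get("ListenerDescriptions", []):
        lst = desc["Listener"]
        if lst["Protocol"] != "TCP" or lst["InstanceProtocol"] != "TCP":
            findings.append((name, f"listener on port {lst['LoadBalancerPort']} is "
                                   f"{lst['Protocol']}/{lst['InstanceProtocol']}, not TCP mode"))
    return findings


def audit(instances, volumes, load_balancers):
    """All findings, as (resource name, message) tuples, in inventory order."""
    findings = []
    for inst in instances:
        findings.extend(check_instance(inst, volumes))
    for elb in load_balancers:
        findings.extend(check_load_balancer(elb))
    return findings


if __name__ == "__main__":
    for resource, msg in audit(INSTANCES, VOLUMES, LOAD_BALANCERS):
        print(f"{resource}: {msg}")
```

The listener rule encodes the TCP-only condition as the 2014/2015 Eligible Services slides state it; the later slides on terminating TLS on ELB (April 2015+) describe a configuration where that rule would be relaxed for the ELB itself, so the check should follow whichever arrangement the BAA in force actually permits.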

Page 8: (SEC304) Architecting for HIPAA Compliance on AWS

Using Eligible Services for PHI

[Architecture diagram: a patient reaches a Web Tier Auto Scaling group (security group WebSG) and an App Tier Auto Scaling group, deployed across two Availability Zones and backed by RDS MySQL in each zone. The following slides are builds of this diagram.]

Page 9: (SEC304) Architecting for HIPAA Compliance on AWS

Using Eligible Services for PHI

[Same diagram; a PHI marker is added to show where PHI is held.]

Page 10: (SEC304) Architecting for HIPAA Compliance on AWS

Using Eligible Services for PHI

[Same diagram, unchanged build step.]

Page 11: (SEC304) Architecting for HIPAA Compliance on AWS

Using Eligible Services for PHI

[Same diagram; S3 is added as a PHI store.]

Page 12: (SEC304) Architecting for HIPAA Compliance on AWS

Using Eligible Services for PHI

[Same diagram; Amazon Glacier is added next to S3 as a PHI store.]

Page 13: (SEC304) Architecting for HIPAA Compliance on AWS

Using Eligible Services for PHI

[Same web and app tiers, with Amazon DynamoDB as the PHI store in place of RDS MySQL.]

Page 14: (SEC304) Architecting for HIPAA Compliance on AWS

Using Eligible Services for PHI with other services

[Same diagram with RDS MySQL; Amazon Route 53, AWS Config, AWS CloudTrail, AWS IAM and AWS CloudFormation are shown as supporting services that handle non-PHI.]

Page 15: (SEC304) Architecting for HIPAA Compliance on AWS

Using Eligible Services for PHI with other services

[Same diagram; Amazon Route 53 and CloudWatch are shown as supporting services that handle non-PHI.]

Page 16: (SEC304) Architecting for HIPAA Compliance on AWS

Using Eligible Services for PHI with other services

[Same diagram; Amazon Route 53 and AWS CodeDeploy are shown as supporting services that handle non-PHI.]

Page 17: (SEC304) Architecting for HIPAA Compliance on AWS

Terminating TLS on EC2 (May 2013 – April 2015+)

Managing PHI in load-balanced applications

[Architecture diagram, AZ A: an ELB forwards client sessions to HAProxy instances (HAProxy/Public SSL/TLS) in the VPC public subnet 10.40.1.0/24; the HAProxy tier forwards to web servers (Web Server/Private SSL/TLS) in the VPC private subnets 10.40.3.0/24 and 10.40.5.0/24. The following slides are builds of this diagram.]

Page 18: (SEC304) Architecting for HIPAA Compliance on AWS

Terminating TLS on EC2 (May 2013 – April 2015+)

Managing PHI in load-balanced applications

[Same diagram; the client connection is labeled “TLS w/ PHI” and the ELB-to-HAProxy hop “TCP-only Session”: the ELB passes the TLS session through without terminating it.]

Page 19: (SEC304) Architecting for HIPAA Compliance on AWS

Terminating TLS on EC2 (May 2013 – April 2015+)

Managing PHI in load-balanced applications

[Same diagram, unchanged build step.]

Page 20: (SEC304) Architecting for HIPAA Compliance on AWS

Terminating TLS on EC2 (May 2013 – April 2015+)

Managing PHI in load-balanced applications

[Same diagram; the HAProxy-to-web-server hop is labeled “New TLS Session”: HAProxy terminates the client’s TLS and opens a fresh TLS session to the private tier.]

Page 21: (SEC304) Architecting for HIPAA Compliance on AWS

Terminating TLS on EC2 (May 2013 – April 2015+)

Managing PHI in load-balanced applications

[Diagram as on the previous slide, with the labels “TCP-only Session”, “TLS w/ PHI” and “New TLS Session”.]

Terminating TLS on ELB (April 2015+)

[Second diagram, AZ A: the ELB in the VPC public subnet 10.40.1.0/24 terminates TLS itself and forwards to web servers (Web Server/Private TLS) in the VPC private subnet 10.40.3.0/24; the diagram shows no HAProxy tier.]

Page 22: (SEC304) Architecting for HIPAA Compliance on AWS

[Both diagrams, Terminating TLS on EC2 (May 2013 – April 2015+) and Terminating TLS on ELB (April 2015+), unchanged build step.]

Page 23: (SEC304) Architecting for HIPAA Compliance on AWS

[Both diagrams, Terminating TLS on EC2 (May 2013 – April 2015+) and Terminating TLS on ELB (April 2015+), unchanged build step.]

Page 24: (SEC304) Architecting for HIPAA Compliance on AWS

Emdeon

Page 25: (SEC304) Architecting for HIPAA Compliance on AWS

Emdeon Overview

People: 6,000+ team members

Our customers: Payers, Providers, Pharmacies, Laboratories, Physicians, Hospitals, Dentists

Assets: The single largest financial and administrative health information network in the nation (Emdeon Intelligent Healthcare Network™)

Page 26: (SEC304) Architecting for HIPAA Compliance on AWS

Emdeon Overview

AWS footprint: 17 months; 2,000+ instances; 10K application deployments

People: 6,000+ team members

Our customers: Payers, Providers, Pharmacies, Laboratories, Physicians, Hospitals, Dentists

Assets: The single largest financial and administrative health information network in the nation (Emdeon Intelligent Healthcare Network™)

Page 27: (SEC304) Architecting for HIPAA Compliance on AWS

Top compliance and security initiatives

Encryption; Patching; Build standard; Logging; Incident investigation; Disaster recovery; Asset management; Configuration management; Vulnerability scanning

Page 28: (SEC304) Architecting for HIPAA Compliance on AWS

Top reasons compliance and security initiatives fail

• Not enough memory/CPU/out-of-date hardware

• Unknown impact to performance

• Can’t incur downtime

• No test environment

• No legacy knowledge to properly test application

• No way to roll back change (with assurance)

• No deployment tools

• Length of time to patch

(Initiatives: Encryption; Patching; Build standard; Logging; Incident investigation; Disaster recovery; Asset management; Configuration management; Vulnerability scanning)

Page 29: (SEC304) Architecting for HIPAA Compliance on AWS

Logging

Traditional data center

• Manually touch 10K servers

• Server and network impact

• Misconfiguration due to manual efforts

• Result = Several months

AWS

• Modify build scripts

• Unnoticed due to auto-scaling

• Consistent and compliant config due to automation and testing

• Result = Several minutes

Technical safeguards 164.312(b). Standard: Audit controls. Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.

CloudTrail (API logs); CloudFormation (for hardened AMI system logs); S3

Page 30: (SEC304) Architecting for HIPAA Compliance on AWS

Incident investigation

Traditional data center

• Set up alert on root logon.

• Attempt to get logs from 3 different groups (network, systems, and database)…and wait.

• Perform live forensics and impact integrity, or take system down and incur revenue loss.

• Result: Time to mitigate, investigate, resolve, and downtime is significant.

AWS

• Automate a task to quarantine existing environment and bring up fresh noncompromised environment when you see a root logon in production.

• View all logs on quarantined system (create another snapshot first for forensic preservation).

• Result: Time to mitigate and investigate reduced dramatically with zero downtime.

Security Incident Procedures 164.308(a)(6)(ii) Identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity; and document security incidents and their outcomes.

ELB; security groups

Page 31: (SEC304) Architecting for HIPAA Compliance on AWS

Patching

Traditional data center

• Acquire/deploy expensive patching tool and push out.

• Patch 10K servers, schedule downtime, reboots; not sustainable.

• Patch damages server; attempts to roll back fail.

• No proper testing environment.

• Result = Instability, high effort; minimal compliance assurance.

AWS

• Follow standard release process.

• Patch base AMI and redeploy.

• Redeploy previous release.

• Redeploy production as a dev environment.

• Result = Stability, tested, and compliant.

Organizational requirements 164.314 (A) Implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic protected health information that it creates, receives, maintains, or transmits

Page 32: (SEC304) Architecting for HIPAA Compliance on AWS

HIPAA Security Rule – Fine print explained… or “How do I derive engineering from regulation?”

The Security Rule is located at 45 CFR Part 160 and Subparts A and C

of Part 164.

The Code of Federal Regulations

Page 33: (SEC304) Architecting for HIPAA Compliance on AWS

HIPAA Security Rule – Fine print explained… or “How do I derive engineering from regulation?”

The Security Rule is located at 45 CFR Part 160 and Subparts A and C

of Part 164.

The Code of Federal Regulations

Source: http://www.nasa.gov/centers/dryden/multimedia/imagegallery/Shuttle/EC94-42789-2.html

Page 34: (SEC304) Architecting for HIPAA Compliance on AWS

HIPAA Security Rule – Fine print explained… or “How do I derive engineering from regulation?”

The Security Rule is located at 45 CFR Part 160 and Subparts A and C

of Part 164.

The Code of Federal Regulations

Source: http://www.nasa.gov/centers/dryden/multimedia/imagegallery/Shuttle/EC94-42789-2.html

Source: http://www.seaway.dot.gov/sites/seaway.dot.gov/files/docs/SLSDC%20System%20Brochure%202014.pdf

Page 35: (SEC304) Architecting for HIPAA Compliance on AWS

HIPAA Security Rule – Fine print explained… or “How do I derive engineering from regulation?”

The Security Rule is located at 45 CFR Part 160 and Subparts A and C

of Part 164.

Title 45 of the Code of Federal Regulations – Public Welfare

Page 36: (SEC304) Architecting for HIPAA Compliance on AWS

HIPAA Security Rule – Fine print explained… or “How do I derive engineering from regulation?”

The Security Rule is located at 45 CFR Part 160 and Subparts A and C

of Part 164.

Title 45 of the Code of Federal Regulations – Public Welfare

Subtitle A - Health and Human Services

Page 37: (SEC304) Architecting for HIPAA Compliance on AWS

HIPAA Security Rule – Fine print explained… or “How do I derive engineering from regulation?”

The Security Rule is located at 45 CFR Part 160 and Subparts A and C

of Part 164.

Title 45 of the Code of Federal Regulations – Public Welfare

Subtitle A - Health and Human Services

Subchapter C - ADMINISTRATIVE DATA STANDARDS AND RELATED REQUIREMENTS

Page 38: (SEC304) Architecting for HIPAA Compliance on AWS

HIPAA Security Rule – Fine print explained… or “How do I derive engineering from regulation?”

The Security Rule is located at 45 CFR Part 160 and Subparts A and C

of Part 164.

Title 45 of the Code of Federal Regulations – Public Welfare

Subtitle A - Health and Human Services

Subchapter C - ADMINISTRATIVE DATA STANDARDS AND RELATED REQUIREMENTS

Part 160 - General Administrative Requirements

Page 39: (SEC304) Architecting for HIPAA Compliance on AWS

HIPAA Security Rule – Fine print explained… or “How do I derive engineering from regulation?”

The Security Rule is located at 45 CFR Part 160 and Subparts A and C

of Part 164.

Title 45 of the Code of Federal Regulations – Public Welfare

Subtitle A - Health and Human Services

Subchapter C - ADMINISTRATIVE DATA STANDARDS AND RELATED REQUIREMENTS

Part 160 - General Administrative Requirements

Part 164 - Security and Privacy

Page 40: (SEC304) Architecting for HIPAA Compliance on AWS

HIPAA Security Rule – Fine print explained… or “How do I derive engineering from regulation?”

The Security Rule is located at 45 CFR Part 160 and Subparts A and C

of Part 164.

Title 45 of the Code of Federal Regulations – Public Welfare

Subtitle A - Health and Human Services

Subchapter C - ADMINISTRATIVE DATA STANDARDS AND RELATED REQUIREMENTS

Part 160 - General Administrative Requirements

Part 164 - Security and Privacy

Subpart C - Security Standards for the Protection of Electronic Protected Health Information

Page 41: (SEC304) Architecting for HIPAA Compliance on AWS

HIPAA Security Rule – Fine print explained… or “How do I derive engineering from regulation?”

The Security Rule is located at 45 CFR Part 160 and Subparts A and C

of Part 164.

Title 45 of the Code of Federal Regulations – Public Welfare

Subtitle A - Health and Human Services

Subchapter C - ADMINISTRATIVE DATA STANDARDS AND RELATED REQUIREMENTS

Part 160 - General Administrative Requirements

Part 164 - Security and Privacy

Subpart C - Security Standards for the Protection of Electronic Protected Health Information

Section 164.308 - Administrative Safeguards

Section 164.310 - Physical Safeguards

Section 164.312 - Technical Safeguards

Section 164.314 - Organizational Safeguards

Page 42: (SEC304) Architecting for HIPAA Compliance on AWS

HIPAA Security Rule – Fine print explained… or “How do I derive engineering from regulation?”

The Security Rule is located at 45 CFR Part 160 and Subparts A and C

of Part 164.

Title 45 of the Code of Federal Regulations – Public Welfare

Subtitle A - Health and Human Services

Subchapter C - ADMINISTRATIVE DATA STANDARDS AND RELATED REQUIREMENTS

Part 160 - General Administrative Requirements

Part 164 - Security and Privacy

Subpart C - Security Standards for the Protection of Electronic Protected Health Information

Section 164.308 - Administrative Safeguards

Section 164.310 - Physical Safeguards

Section 164.312 - Technical Safeguards

164.312(b)(2) – Standard: Audit Controls

Section 164.314 - Organizational Safeguards

Page 43: (SEC304) Architecting for HIPAA Compliance on AWS

Audit Controls 164.312(b)(2) – Security Rule

164.312 (b)(2) Standard: Audit Controls

Implement hardware, software, and/or procedural mechanisms that *record and examine

activity* in information systems that contain or use electronic protected health

information.

Page 44: (SEC304) Architecting for HIPAA Compliance on AWS

Audit Controls 164.312(b)(2) – OCR Audit

Protocol

§164.312(b):

Key Activity

Determine the Activities that Will be Tracked or Audited

Audit Procedures

Inquire of management as to whether audit controls have been implemented over information systems that contain or use ePHI.

Obtain and review documentation relative to the specified criteria to determine whether audit controls have been implemented

over information systems that contain or use ePHI.

Key Activity

Select the Tools that Will be Deployed for Auditing and System Activity Reviews

Audit Procedures

Inquire of management as to whether systems and applications have been evaluated to determine whether upgrades are

necessary to implement audit capabilities. Obtain and review documentation of tools or applications that management has

identified to capture the appropriate audit information.

Page 45: (SEC304) Architecting for HIPAA Compliance on AWS

Audit Controls 164.308(b)(2) – OCR Audit

Protocol

§164.312(b):

Key Activity

Determine the Activities that Will be Tracked or Audited

Audit Procedures

Inquire of management as to whether audit controls have been implemented over information systems that contain or use ePHI.

Obtain and review documentation relative to the specified criteria to determine whether audit controls have been implemented

over information systems that contain or use ePHI.

Key Activity

Select the Tools that Will be Deployed for Auditing and System Activity Reviews

Audit Procedures

Inquire of management as to whether systems and applications have been evaluated to determine whether upgrades are

necessary to implement audit capabilities. Obtain and review documentation of tools or applications that management has

identified to capture the appropriate audit information.

Something you have to do.

Page 46: (SEC304) Architecting for HIPAA Compliance on AWS

Audit Controls 164.308(b)(2) – OCR Audit

Protocol

§164.312(b):

Key Activity

Determine the Activities that Will be Tracked or Audited

Audit Procedures

Inquire of management as to whether audit controls have been implemented over information systems that contain or use ePHI.

Obtain and review documentation relative to the specified criteria to determine whether audit controls have been implemented

over information systems that contain or use ePHI.

Key Activity

Select the Tools that Will be Deployed for Auditing and System Activity Reviews

Audit Procedures

Inquire of management as to whether systems and applications have been evaluated to determine whether upgrades are

necessary to implement audit capabilities. Obtain and review documentation of tools or applications that management has

identified to capture the appropriate audit information.

Something you have to do.

Something you have to do.

Page 47: (SEC304) Architecting for HIPAA Compliance on AWS

Audit Controls 164.308(b)(2) – OCR Audit

Protocol

§164.312(b):

Key Activity

Determine the Activities that Will be Tracked or Audited

Something you have to do.

Page 48: (SEC304) Architecting for HIPAA Compliance on AWS

Audit Controls 164.312(b)(2) – OCR Audit

Protocol – Determine the Activities

§164.312(b):

Key Activity

Determine the Activities that Will be Tracked or Audited

EC2 CloudTrail Events

AttachVolume

AuthorizeSecurityGroupIngress

CopySnapshot

CreateNetworkAclEntry

CreateSnapshot

DeleteSnapshot

DeleteTags

DeleteVolume

TerminateInstance

Page 49: (SEC304) Architecting for HIPAA Compliance on AWS

Audit Controls 164.312(b)(2) – OCR Audit

Protocol – Determine the Activities

§164.312(b):

Key Activity

Determine the Activities that Will be Tracked or Audited

EC2 CloudTrail Events

AttachVolume

AuthorizeSecurityGroupIngress

CopySnapshot

CreateNetworkAclEntry

CreateSnapshot

DeleteSnapshot

DeleteTags

DeleteVolume

TerminateInstance

RDS CloudTrail Events

AuthorizeDBSecurityGroupIngress

CopyDBSnapshot

CreateDBSnapshot

DeleteDBInstance

DeleteDBSnapshot

ModifyDBInstance

Page 50: (SEC304) Architecting for HIPAA Compliance on AWS

Audit Controls 164.312(b)(2) – OCR Audit

Protocol – Determine the Activities

§164.312(b):

Key Activity

Determine the Activities that Will be Tracked or Audited

EC2 CloudTrail Events

AttachVolume

AuthorizeSecurityGroupIngress

CopySnapshot

CreateNetworkAclEntry

CreateSnapshot

DeleteSnapshot

DeleteTags

DeleteVolume

TerminateInstance

RDS CloudTrail Events

AuthorizeDBSecurityGroupIngress

CopyDBSnapshot

CreateDBSnapshot

DeleteDBInstance

DeleteDBSnapshot

ModifyDBInstance

Amazon Glacier CloudTrail Events

DeleteArchive

DeleteVault

Page 51: (SEC304) Architecting for HIPAA Compliance on AWS

Audit Controls 164.312(b)(2) – OCR Audit

Protocol – Determine the Activities

§164.312(b):

Key Activity

Determine the Activities that Will be Tracked or Audited

EC2 CloudTrail Events

AttachVolume

AuthorizeSecurityGroupIngress

CopySnapshot

CreateNetworkAclEntry

CreateSnapshot

DeleteSnapshot

DeleteTags

DeleteVolume

TerminateInstance

RDS CloudTrail Events

AuthorizeDBSecurityGroupIngress

CopyDBSnapshot

CreateDBSnapshot

DeleteDBInstance

DeleteDBSnapshot

ModifyDBInstance

DynamoDB CloudTrail Events

DeleteTable

UpdateTable

Amazon Glacier CloudTrail Events

DeleteArchive

DeleteVault

Page 52: (SEC304) Architecting for HIPAA Compliance on AWS

Audit Controls 164.312(b)(2) – OCR Audit

Protocol – Determine the Activities

§164.312(b):

Key Activity

Determine the Activities that Will be Tracked or Audited

EC2 CloudTrail Events

AttachVolume

AuthorizeSecurityGroupIngress

CopySnapshot

CreateNetworkAclEntry

CreateSnapshot

DeleteSnapshot

DeleteTags

DeleteVolume

TerminateInstance

RDS CloudTrail Events

AuthorizeDBSecurityGroupIngress

CopyDBSnapshot

CreateDBSnapshot

DeleteDBInstance

DeleteDBSnapshot

ModifyDBInstance

DynamoDB CloudTrail Events

DeleteTable

UpdateTable

Amazon Redshift CloudTrail Events

AuthorizeClusterSecurityGroupIngress

CopyClusterSnapshot

CreateClusterSnapshot

DeleteCluster

DeleteClusterSnapshot

DisableLogging

Amazon Glacier CloudTrail Events

DeleteArchive

DeleteVault

Page 53: (SEC304) Architecting for HIPAA Compliance on AWS

Audit Controls 164.312(b)(2) – OCR Audit

Protocol – Determine the Activities

§164.312(b):

Key Activity

Determine the Activities that Will be Tracked or Audited

CloudTrail CloudTrail Events

CreateTrail

DeleteTrail

UpdateTrail

StopLogging

Page 54: (SEC304) Architecting for HIPAA Compliance on AWS

Audit Controls 164.312(b)(2) – OCR Audit

Protocol – Determine the Activities

§164.312(b):

Key Activity

Determine the Activities that Will be Tracked or Audited

CloudTrail CloudTrail Events

CreateTrail

DeleteTrail

UpdateTrail

StopLogging

S3 CloudTrail Events (New in Sept 2015)

Delete Bucket

Delete Bucket lifecycle

Delete Bucket tagging

Put Bucket acl

Put Bucket lifecycle

Put Bucket policy

Put Bucket replication
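The event lists on the preceding slides are the “activities that will be tracked” for the audit-controls standard, and the Emdeon incident-investigation slide earlier in the deck adds a root logon in production as the trigger for its automated response. The detector below is an added example, not code from the deck or from AWS: it reads CloudTrail records in the JSON file format CloudTrail writes, flags the slides’ event names by the eventSource that emits them, raises the severity when the event changes the audit trail itself, and recognises a root console logon. The records it scans are constructed, with a placeholder account ID; the eventSource and eventName strings are the ones CloudTrail actually emits (the EC2 call the slide abbreviates as TerminateInstance is recorded as TerminateInstances).

```python
"""Added example, not from the SEC304 deck: scan CloudTrail records for the
event names the slides list, for changes to the audit trail itself, and for a
root console logon. The records below are constructed (placeholder account ID)."""
import json

# Event names from the slides, keyed by the eventSource that emits them.
WATCHED_EVENTS = {
    "ec2.amazonaws.com": {"AttachVolume", "AuthorizeSecurityGroupIngress", "CopySnapshot",
                          "CreateNetworkAclEntry", "CreateSnapshot", "DeleteSnapshot",
                          "DeleteTags", "DeleteVolume", "TerminateInstances"},
    "rds.amazonaws.com": {"AuthorizeDBSecurityGroupIngress", "CopyDBSnapshot",
                          "CreateDBSnapshot", "DeleteDBInstance", "DeleteDBSnapshot",
                          "ModifyDBInstance"},
    "dynamodb.amazonaws.com": {"DeleteTable", "UpdateTable"},
    "redshift.amazonaws.com": {"AuthorizeClusterSecurityGroupIngress", "CopyClusterSnapshot",
                               "CreateClusterSnapshot", "DeleteCluster", "DeleteClusterSnapshot"},
    "glacier.amazonaws.com": {"DeleteArchive", "DeleteVault"},
    "cloudtrail.amazonaws.com": {"CreateTrail"},
    "s3.amazonaws.com": {"DeleteBucket", "DeleteBucketLifecycle", "DeleteBucketTagging",
                         "PutBucketAcl", "PutBucketLifecycle", "PutBucketPolicy",
                         "PutBucketReplication"},
}
# Events that weaken or stop audit logging get a higher severity than ordinary activity.
LOGGING_TAMPER = {
    "cloudtrail.amazonaws.com": {"DeleteTrail", "UpdateTrail", "StopLogging"},
    "redshift.amazonaws.com": {"DisableLogging"},
}

# Constructed CloudTrail log file: one benign read, one trail change, one root
# console logon, one watched RDS change.
SAMPLE_RECORDS = json.dumps({"Records": [
    {"eventTime": "2015-10-07T16:01:02Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances",
     "userIdentity": {"type": "IAMUser", "userName": "ops-reader"}},
    {"eventTime": "2015-10-07T16:02:15Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "requestParameters": {"name": "Default"},
     "userIdentity": {"type": "IAMUser", "userName": "deploy-bot"}},
    {"eventTime": "2015-10-07T16:03:40Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "responseElements": {"ConsoleLogin": "Success"},
     "userIdentity": {"type": "Root", "accountId": "111111111111"}},
    {"eventTime": "2015-10-07T16:05:00Z", "eventSource": "rds.amazonaws.com",
     "eventName": "ModifyDBInstance",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111111111111:assumed-role/dba/alice"}},
]})


def actor(identity):
    """Best available name for who made the call."""
    return identity.get("userName") or identity.get("arn") or identity.get("type", "unknown")


def classify(record):
    """Return (severity, reason) for a record worth reviewing, else None."""
    src, name = record.get("eventSource", ""), record.get("eventName", "")
    identity = record.get("userIdentity", {})
    if src == "signin.amazonaws.com" and name == "ConsoleLogin" and identity.get("type") == "Root":
        return "critical", "root console logon"
    if name in LOGGING_TAMPER.get(src, ()):
        return "critical", f"audit logging changed: {name}"
    if name in WATCHED_EVENTS.get(src, ()):
        return "review", f"watched {src.split('.')[0]} event: {name}"
    return None


def scan(records_json):
    """Parse a CloudTrail log file ({"Records": [...]}) into a list of alerts."""
    alerts = []
    for rec in json.loads(records_json)["Records"]:
        hit = classify(rec)
        if hit is None:
            continue
        severity, reason = hit
        alerts.append({"time": rec["eventTime"], "severity": severity,
                       "reason": reason, "actor": actor(rec.get("userIdentity", {}))})
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_RECORDS):
        print(f"{a['time']} [{a['severity']}] {a['reason']} by {a['actor']}")
```

A “critical” alert is the point at which the Emdeon slide’s automated response (quarantine the environment, snapshot it for forensic preservation, bring up a fresh one) would be triggered; the example stops at producing the alert.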

Page 55: (SEC304) Architecting for HIPAA Compliance on AWS

Audit Controls 164.312(b)(2) – OCR Audit

Protocol – Determine the Activities

§164.312(b):

Key Activity

Determine the Activities that Will be Tracked or Audited

EC2 Instance Events: /var/log/messages, /var/log/audit, /var/log/<whatever>, </your/application/logs>

RDS Instance Events: MySQL – DDL/DML (general_log = 1; log_output = TABLE | FILE)

DynamoDB Application-Level Events (SDK and/or DynamoDB Streams): BatchGetItem, BatchWriteItem, DeleteItem, GetItem, PutItem, Query, Scan, UpdateItem

Amazon Redshift Database Events: Connection Logging (STL_CONNECTION_LOG); Query Text Logging (STL_QUERY & STL_QUERYTEXT)

Page 56: (SEC304) Architecting for HIPAA Compliance on AWS

Audit Controls 164.312(b)(2) – OCR Audit

Protocol – Document Implementation

§164.312(b):

Audit Procedures

Inquire of management as to whether audit controls have been implemented over information systems that contain or use ePHI.

Obtain and review documentation relative to the specified criteria to determine whether audit controls have been implemented

over information systems that contain or use ePHI.

Something you have to do.

Page 57: (SEC304) Architecting for HIPAA Compliance on AWS

Audit Controls 164.312(b)(2) – OCR Audit

Protocol – Document Implementation

§164.312(b):

Key Activity

Determine the Activities that Will be Tracked or Audited

Capture CloudTrail Configuration (CLI Example)

$ aws cloudtrail describe-trails
{
    "trailList": [
        {
            "IncludeGlobalServiceEvents": true,
            "Name": "Default",
            "S3KeyPrefix": "CloudTrail",
            "S3BucketName": "us-east-1.logging",
            "CloudWatchLogsRoleArn": "arn:aws:iam::663354267581:role/CloudTrail_CloudWatchLogs_Role",
            "CloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-1:663354267581:log-group:CloudTrail/us-east-1-LogGroup:*"
        }
    ]
}

Page 58: (SEC304) Architecting for HIPAA Compliance on AWS

Audit Controls 164.312(b)(2) – OCR Audit

Protocol – Document Implementation

§164.312(b):

Key Activity

Determine the Activities that Will be Tracked or Audited

Capture CloudTrail Trusted Advisor Report

Page 59: (SEC304) Architecting for HIPAA Compliance on AWS

Audit Controls 164.312(b)(2) – OCR Audit

Protocol – Select the Tools

§164.312(b):

Key Activity

Select the Tools that Will be Deployed for Auditing and System Activity Reviews

Audit Procedures

Inquire of management as to whether systems and applications have been evaluated to determine whether upgrades are

necessary to implement audit capabilities. Obtain and review documentation of tools or applications that management has

identified to capture the appropriate audit information.

Something you have to do.

Page 60: (SEC304) Architecting for HIPAA Compliance on AWS

Audit Controls 164.312(b)(2) – OCR Audit

Protocol – Select the Tools

[Pipeline diagram: CloudTrail delivers to CloudWatch Logs; a CloudWatch Logs subscription feeds Amazon Kinesis; a KCL-based CloudWatch Logs subscription consumer loads the events into ELK. Amazon EC2 instances running the CloudWatch Logs agent deliver their logs into the same CloudWatch Logs path.]

Page 61: (SEC304) Architecting for HIPAA Compliance on AWS

Audit Controls 164.312(b)(2) – OCR Audit

Protocol – Select the Tools

[Same pipeline diagram from CloudWatch Logs through the subscription to Amazon Kinesis, listing the subscribed log groups: LogGroup-CloudTrail/Stream1, LogGroup-CWL-syslog/instance-1, LogGroup-CWL-syslog/instance-2, LogGroup-CWL-customApp/instance-3, […]]

Page 62: (SEC304) Architecting for HIPAA Compliance on AWS

Audit Controls 164.312(b)(2) – OCR Audit

Protocol – Document Implementation

§164.312(b):

Key Activity

Select the Tools that Will be Deployed for Auditing and System Activity Reviews

Audit Procedures

[…] Obtain and review documentation of tools or applications that management has identified to capture the appropriate audit

information.

$ aws logs describe-log-groups --log-group-name-prefix "CloudTrail"
{
    "logGroups": [
        {
            "arn": "arn:aws:logs:us-east-1:663354267581:log-group:CloudTrail/us-east-1-LogGroup:*",
            "creationTime": 1439155915783,
            "metricFilterCount": 0,
            "logGroupName": "CloudTrail/us-east-1-LogGroup",
            "storedBytes": 411573
        }
    ]
}

Page 63: (SEC304) Architecting for HIPAA Compliance on AWS

Audit Controls 164.312(b)(2) – OCR Audit

Protocol – Document Implementation

§164.312(b):

Audit Procedures

[…] Obtain and review documentation of tools or applications that management has identified to capture the appropriate audit

information.

$ aws logs describe-subscription-filters --log-group-name CloudTrail/us-east-1-LogGroup
{
    "subscriptionFilters": [
        {
            "filterPattern": "",
            "filterName": "cwl-cfn-es-CWL-Elasticsearch-KinesisSubscriptionStream-1KSJUFTUP6K5K",
            "roleArn": "arn:aws:iam::663354267581:role/CWL-Elasticsearch-CloudWatchLogsKinesisRole-4DVR5UWI4QBR",
            "creationTime": 1439157386140,
            "logGroupName": "CloudTrail/us-east-1-LogGroup",
            "destinationArn": "arn:aws:kinesis:us-east-1:663354267581:stream/CWL-Elasticsearch-KinesisSubscriptionStream-1KSJUFTUP6K5K"
        }
    ]
}
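The three CLI captures above are the documentation an auditor reviews under the “Document Implementation” procedure. Rather than reading them by eye, the same evidence can be evaluated programmatically. The following is an added example, not code from the deck or from AWS: it takes JSON shaped like the describe-trails and describe-subscription-filters output shown on the slides (the values here are constructed, with a placeholder account ID and stream names) and reports where the chain from trail to CloudWatch Logs to Kinesis is incomplete. It assumes, as the slides’ pipeline does, that the CloudWatch Logs subscription delivers to an Amazon Kinesis stream.

```python
"""Added example, not from the SEC304 deck: evaluate CloudTrail evidence shaped
like the describe-trails / describe-subscription-filters output on the slides.
All values are constructed; the account ID and names are placeholders."""
import json

DESCRIBE_TRAILS = json.dumps({"trailList": [{
    "IncludeGlobalServiceEvents": True,
    "Name": "Default",
    "S3KeyPrefix": "CloudTrail",
    "S3BucketName": "example-logging-bucket",
    "CloudWatchLogsRoleArn": "arn:aws:iam::111111111111:role/CloudTrail_CloudWatchLogs_Role",
    "CloudWatchLogsLogGroupArn":
        "arn:aws:logs:us-east-1:111111111111:log-group:CloudTrail/us-east-1-LogGroup:*",
}]})

# A trail that misses two checks: no global (IAM/STS) events, no CloudWatch Logs delivery.
TRAIL_WITHOUT_CWL = json.dumps({"trailList": [{
    "IncludeGlobalServiceEvents": False, "Name": "Default",
    "S3KeyPrefix": "CloudTrail", "S3BucketName": "example-logging-bucket",
}]})

# Output of `aws logs describe-subscription-filters --log-group-name <group>`, per group.
SUBSCRIPTION_FILTERS = {
    "CloudTrail/us-east-1-LogGroup": json.dumps({"subscriptionFilters": [{
        "filterPattern": "",
        "filterName": "cwl-to-kinesis",
        "roleArn": "arn:aws:iam::111111111111:role/CWL-KinesisRole",
        "logGroupName": "CloudTrail/us-east-1-LogGroup",
        "destinationArn": "arn:aws:kinesis:us-east-1:111111111111:stream/cwl-subscription-stream",
    }]}),
}


def log_group_from_arn(arn):
    """arn:aws:logs:REGION:ACCOUNT:log-group:NAME:* -> NAME (log group names contain no colons)."""
    parts = arn.split(":")
    if len(parts) < 7 or parts[5] != "log-group":
        return None
    return parts[6]


def evaluate(trails_json, filters_by_group):
    """Return a list of evidence gaps; an empty list means every check passed."""
    gaps = []
    trails = json.loads(trails_json)["trailList"]
    if not trails:
        return ["no CloudTrail trail configured"]
    for trail in trails:
        name = trail["Name"]
        # Global service events cover IAM and STS calls, which no regional trail sees otherwise.
        if not trail.get("IncludeGlobalServiceEvents"):
            gaps.append(f"{name}: global service events (IAM, STS) not captured")
        if not trail.get("S3BucketName"):
            gaps.append(f"{name}: no S3 bucket for long-term retention")
        group_arn = trail.get("CloudWatchLogsLogGroupArn")
        if not group_arn:
            gaps.append(f"{name}: not delivered to CloudWatch Logs")
            continue
        group = log_group_from_arn(group_arn)
        raw = filters_by_group.get(group, '{"subscriptionFilters": []}')
        filters = json.loads(raw)["subscriptionFilters"]
        if not any(f.get("destinationArn", "").startswith("arn:aws:kinesis:") for f in filters):
            gaps.append(f"{name}: log group {group} has no Kinesis subscription for activity review")
    return gaps


if __name__ == "__main__":
    print("trail with CloudWatch Logs and Kinesis:",
          evaluate(DESCRIBE_TRAILS, SUBSCRIPTION_FILTERS) or "OK")
    print("trail without CloudWatch Logs:", evaluate(TRAIL_WITHOUT_CWL, SUBSCRIPTION_FILTERS))
```

Feeding the real CLI output into evaluate() gives a repeatable record for the “obtain and review documentation” step; the gap messages are what would be written up as findings.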

Page 64: (SEC304) Architecting for HIPAA Compliance on AWS

Audit Controls 164.312(b)(2) – OCR Audit

Protocol – Activity Reviews

§164.312(b):

Key Activity

Select the Tools that Will be Deployed for Auditing and System Activity Reviews

Audit Procedures

Inquire of management as to whether systems and applications have been evaluated to determine whether upgrades are

necessary to implement audit capabilities. Obtain and review documentation of tools or applications that management has

identified to capture the appropriate audit information.

Something you have to do.

Page 65: (SEC304) Architecting for HIPAA Compliance on AWS

Audit Controls 164.312(b)(2) – OCR Audit

Protocol – Activity Reviews

Page 66: (SEC304) Architecting for HIPAA Compliance on AWS

HIPAA Security Rule – Fine print explained… or “How do I derive engineering from regulation?”

The Security Rule is located at 45 CFR Part 160 and Subparts A and C

of Part 164.

Title 45 of the Code of Federal Regulations – Public Welfare

Subtitle A - Health and Human Services

Subchapter C - ADMINISTRATIVE DATA STANDARDS AND RELATED REQUIREMENTS

Part 160 - General Administrative Requirements

Part 164 - Security and Privacy

Subpart C - Security Standards for the Protection of Electronic Protected Health Information

Section 164.312 - Technical Safeguards

164.312(a)(1) – Standard: Access Control

164.312(a)(2) - Implementation Specification

164.312(e)(1) – Standard: Transmission Security

164.312(e)(2) – Implementation Specification

Page 67: (SEC304) Architecting for HIPAA Compliance on AWS

HIPAA Security Rule – Fine print explained… or “How do I derive engineering from regulation?”

The Security Rule is located at 45 CFR Part 160 and Subparts A and C of Part 164.

Title 45 of the Code of Federal Regulations – Public Welfare
  Subtitle A - Health and Human Services
    Subchapter C - ADMINISTRATIVE DATA STANDARDS AND RELATED REQUIREMENTS
      Part 160 - General Administrative Requirements
      Part 164 - Security and Privacy
        Subpart C - Security Standards for the Protection of Electronic Protected Health Information
          Section 164.312 - Technical Safeguards
            164.312(a)(1) – Standard: Access Control
            164.312(a)(2) - Implementation Specification
              (iv) Encryption and decryption (Addressable). Implement a mechanism to encrypt and decrypt electronic protected health information.
            164.312(e)(1) – Standard: Transmission Security
            164.312(e)(2) – Implementation Specification
              (ii) Encryption (Addressable). Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate.

Page 68: (SEC304) Architecting for HIPAA Compliance on AWS

Encryption Controls – 164.312(a)(2)(iv)

164.312 (a)(2)(iv) Standard: Access Control

Encryption and decryption (Addressable). Implement a mechanism to encrypt and decrypt electronic protected health information.

Guidance to Render Unsecured Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals

http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/brguidance.html



Page 73: (SEC304) Architecting for HIPAA Compliance on AWS

Encryption Controls – 164.312(a)(2)(iv)

Electronic PHI has been encrypted as specified in the HIPAA Security Rule by “the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key” (45 CFR 164.304 definition of encryption) and such confidential process or key that might enable decryption has not been breached. To avoid a breach of the confidential process or key, these decryption tools should be stored on a device or at a location separate from the data they are used to encrypt or decrypt.

“Il faut qu’il n’exige pas le secret, et qu’il puisse sans inconvénient tomber entre les mains de l’ennemi.” – Auguste Kerckhoffs, “La Cryptographie Militaire,” Journal des Sciences Militaires, January, 1883

The system must not require secrecy and can be stolen by the enemy without causing trouble.


Page 75: (SEC304) Architecting for HIPAA Compliance on AWS

Encryption Controls – 164.312(a)(2)(iv) – OCR Audit Protocol

§164.312(a)(2)(iv):

Key Activity: Encryption and Decryption

Audit Procedures: Inquire of management as to whether an encryption mechanism is in place to protect ePHI. Obtain and review formal or informal policies and procedures and evaluate the content relative to the specified criteria to determine that encryption standards exist to protect ePHI. Based on the complexity of the entity, elements to consider include but are not limited to:

- Type(s) of encryption used.
- How encryption keys are protected.
- Access to modify or create keys is restricted to appropriate personnel.
- How keys are managed.

Something you have to do.

Page 76: (SEC304) Architecting for HIPAA Compliance on AWS

Encryption Controls – 164.312(a)(2)(iv) – Using Amazon KMS

HIPAA Eligible Services integrations:

- Amazon Elastic Block Store
- Amazon Relational Database Service – MySQL
- Amazon Relational Database Service – Oracle
- Amazon Simple Storage Service (SSE-K)
- Amazon Redshift
- Amazon Elastic MapReduce (client-side EMRFS)


Page 81: (SEC304) Architecting for HIPAA Compliance on AWS

Encryption Controls – 164.312(a)(2)(iv) – Using Amazon KMS – EBS example

[Diagram: region 1 (us-west-2): EBS volume, EBS snapshot, volume encryption key, KMS customer master key; region 2 (us-east-1): EBS snapshot, volume encryption key, KMS customer master key. Each region has its own KMS customer master key and volume encryption key.]
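The OCR audit items above (types of encryption used, how keys are managed) become checkable against the EBS/KMS pattern on these slides once you compare what the API reports with a list of approved keys. The following is an added example, not code from the session or from AWS: it audits records shaped like ec2 describe-volumes / describe-snapshots output against one approved customer master key per region, flagging unencrypted resources and resources encrypted under a key that is not approved for their region. The account id, key ARNs and resource ids are constructed placeholders.

```python
# Audit EBS volumes/snapshots against approved KMS customer master keys.
# Added example, not from the session: records are constructed in the shape of
# ec2 describe-volumes / describe-snapshots output; ARNs and ids are placeholders.
from typing import Dict, Iterable, List, Set, Tuple

Finding = Tuple[str, str]  # (resource id, reason)

# Constructed: one approved CMK per region, mirroring the cross-region slide
# where us-west-2 and us-east-1 each keep their own customer master key.
APPROVED_CMKS: Dict[str, Set[str]] = {
    "us-west-2": {"arn:aws:kms:us-west-2:111122223333:key/aaaa-placeholder"},
    "us-east-1": {"arn:aws:kms:us-east-1:111122223333:key/bbbb-placeholder"},
}


def audit_resources(region: str, resources: Iterable[dict], id_field: str,
                    approved: Dict[str, Set[str]] = APPROVED_CMKS) -> List[Finding]:
    """Flag resources that are unencrypted, or encrypted under a key outside
    the approved set for their region (a missing KmsKeyId is also flagged)."""
    allowed = approved.get(region, set())
    findings: List[Finding] = []
    for r in resources:
        rid = r[id_field]
        if not r.get("Encrypted", False):
            findings.append((rid, "not encrypted"))
        elif r.get("KmsKeyId") not in allowed:
            findings.append((rid, "key not approved for " + region))
    return findings


# Constructed sample API output (field names follow the EC2 API).
SAMPLE_VOLUMES = [
    {"VolumeId": "vol-0a1", "Encrypted": True,
     "KmsKeyId": "arn:aws:kms:us-west-2:111122223333:key/aaaa-placeholder"},
    {"VolumeId": "vol-0b2", "Encrypted": False},
    {"VolumeId": "vol-0c3", "Encrypted": True,
     "KmsKeyId": "arn:aws:kms:us-west-2:111122223333:key/zzzz-placeholder"},
]
SAMPLE_SNAPSHOTS = [
    {"SnapshotId": "snap-1", "Encrypted": True,
     "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/bbbb-placeholder"},
    {"SnapshotId": "snap-2", "Encrypted": True},  # no key recorded: flagged
]


def run_sample() -> Dict[str, List[Finding]]:
    """Audit the us-west-2 volumes and the us-east-1 snapshot copies."""
    return {"us-west-2": audit_resources("us-west-2", SAMPLE_VOLUMES, "VolumeId"),
            "us-east-1": audit_resources("us-east-1", SAMPLE_SNAPSHOTS, "SnapshotId")}
```

Calling run_sample() reports vol-0b2 (unencrypted) and vol-0c3 (unapproved key) in us-west-2 and snap-2 (no key recorded) in us-east-1; a region with no approved keys flags every encrypted resource, which is the safe default.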

Page 82: (SEC304) Architecting for HIPAA Compliance on AWS

Remember to complete your evaluations!

Page 83: (SEC304) Architecting for HIPAA Compliance on AWS

Thank you!