(SEC304) Architecting for HIPAA Compliance on AWS
TRANSCRIPT
© 2015, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Bill Shinn, AWS Principal Security Solutions Architect
Haddon Bennett, Emdeon Chief Information Security Officer
October 2015
SEC 304: Architecting for HIPAA Compliance on AWS
What to expect from this session
• Review the AWS Health Insurance Portability and Accountability Act (HIPAA) Program and Business Associate Agreement.
• Learn how Emdeon is architecting for HIPAA requirements on AWS.
• Learn how to architect for key HIPAA Security Rule “implementation specifications” when using AWS Eligible Services.
AWS HIPAA Program
• Strong presence in healthcare and life sciences from our roots
• Business Associates and the January 2013 Omnibus Final Rule
• Started signing Business Associate Agreements (BAA) in Q2 2013
• Program is based on the Shared Security Responsibility Model
The AWS HIPAA Program is aligned to NIST 800-53 and FedRAMP Authorizations.
Alignment to HIPAA Security Rule
• HIPAA Security Rule (45 CFR Part 160 and Subparts A and C of Part 164)
• NIST 800-66: An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule
• NIST 800-53 Moderate baseline + FedRAMP controls
AWS HIPAA Eligible Services – 2014
• Customers may use all services within a “HIPAA Account.”
• Customers may process, store, or transmit ePHI using only Eligible Services.
Eligible in 2014: Amazon EC2, Elastic Load Balancing (TCP-mode only), Amazon S3, Amazon EBS, Amazon Glacier, Amazon Redshift
AWS HIPAA Eligible Services – 2015
• Customers may use all services within a “HIPAA Account.”
• Customers may process, store, or transmit ePHI using only Eligible Services.
Eligible in 2015: Amazon EC2, Elastic Load Balancing (TCP mode only), Amazon S3, Amazon EBS, Amazon Glacier, Amazon Redshift, Amazon DynamoDB, Amazon RDS for MySQL, Amazon RDS for Oracle, Amazon EMR
AWS BAA configuration requirements
• Customers must encrypt ePHI in transit and at rest.
• Customers must use EC2 Dedicated Instances for instances processing, storing, or transmitting ePHI.
• Customers must record and retain activity related to use of and access to ePHI.
Using Eligible Services for PHI
[Diagram, built up over several slides: a Patient reaches a Web Tier auto scaling group (behind the WebSG security group) and an App Tier auto scaling group, each duplicated across two Availability Zones, with RDS MySQL as the data store. Successive builds mark where PHI lives: first RDS MySQL, then S3, then Amazon Glacier, and finally Amazon DynamoDB in place of RDS.]
Using Eligible Services for PHI with other services
[Diagram: the same two-AZ Web Tier ASG / App Tier ASG / RDS MySQL stack, with services that never touch PHI placed outside the PHI boundary and labelled Non-PHI: Amazon Route 53, AWS Config, AWS CloudTrail, AWS IAM and AWS CloudFormation on the first build, then CloudWatch, then AWS CodeDeploy.]
Terminating TLS on EC2 (May 2013 – April 2015+)
Managing PHI in load-balanced applications
[Diagram, built up over several slides: an ELB in VPC Public Subnet 10.40.1.0/24 (AZ A) passes a TCP-only session to a pair of HAProxy instances, which terminate the public SSL/TLS session carrying PHI and open a new TLS session to Web Servers (private SSL/TLS) in VPC Private Subnets 10.40.3.0/24 and 10.40.5.0/24. The ELB never sees plaintext PHI because it only forwards TCP.]
Terminating TLS on ELB (April 2015+)
[Diagram: the ELB in VPC Public Subnet 10.40.1.0/24 (AZ A) now terminates the TLS session carrying PHI itself and opens a new TLS session to the Web Servers (private TLS) in VPC Private Subnet 10.40.3.0/24; the HAProxy tier is no longer needed.]
Emdeon
Emdeon Overview
People: 6,000+ team members
Our customers: Payers, Providers, Pharmacies, Laboratories, Physicians, Hospitals, Dentists
Assets: The single largest financial and administrative health information network in the nation; Emdeon Intelligent Healthcare Network™
AWS footprint: 17 months, 2,000+ instances, 10K application deployments
Top compliance and security initiatives
Encryption, Patching, Build standard, Logging, Incident investigation, Disaster recovery, Asset management, Configuration management, Vulnerability scanning
Top reasons compliance and security initiatives fail
• Not enough memory/CPU/out-of-date hardware
• Unknown impact to performance
• Can’t incur downtime
• No test environment
• No legacy knowledge to properly test application
• No way to roll back change (with assurance)
• No deployment tools
• Length of time to patch
Logging
Traditional data center
• Manually touch 10K servers
• Server and network impact
• Misconfiguration due to manual efforts
• Result = Several months
AWS
• Modify build scripts
• Unnoticed due to auto-scaling
• Consistent and compliant config due to automation and testing
• Result = Several minutes
Technical safeguards 164.312(b). Standard: Audit controls. Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.
CloudTrail (API logs); CloudFormation (for hardened AMI system logs); S3
Incident investigation
Traditional data center
• Set up alert on root logon.
• Attempt to get logs from 3 different groups (network, systems, and database)…and wait.
• Perform live forensics and impact integrity, or take system down and incur revenue loss.
• Result: Time to mitigate, investigate, resolve, and downtime is significant.
AWS
• Automate a task to quarantine existing environment and bring up fresh noncompromised environment when you see a root logon in production.
• View all logs on quarantined system (create another snapshot first for forensic preservation).
• Result: Time to mitigate and investigate reduced dramatically with zero downtime.
Security Incident Procedures 164.308(a)(6)(ii). Identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity; and document security incidents and their outcomes.
ELB; security groups
Patching
Traditional data center
• Acquire/deploy expensive patching tool and push out.
• Patch 10K servers, schedule downtime, reboots; not sustainable.
• Patch damages server; attempts to roll back fail.
• No proper testing environment.
• Result = Instability, high effort; minimal compliance assurance.
AWS
• Follow standard release process.
• Patch base AMI and redeploy.
• Redeploy previous release.
• Redeploy production as a dev environment.
• Result = Stability, tested, and compliant.
Organizational requirements 164.314 (A). Implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic protected health information that it creates, receives, maintains, or transmits.
HIPAA Security Rule – Fine print explained… or “How do I derive engineering from regulation?”
The Security Rule is located at 45 CFR Part 160 and Subparts A and C of Part 164.
Title 45 of the Code of Federal Regulations – Public Welfare
  Subtitle A - Health and Human Services
    Subchapter C - ADMINISTRATIVE DATA STANDARDS AND RELATED REQUIREMENTS
      Part 160 - General Administrative Requirements
      Part 164 - Security and Privacy
        Subpart C - Security Standards for the Protection of Electronic Protected Health Information
          Section 164.308 - Administrative Safeguards
          Section 164.310 - Physical Safeguards
          Section 164.312 - Technical Safeguards
            164.312(b)(2) – Standard: Audit Controls
          Section 164.314 - Organizational Safeguards
Audit Controls 164.312(b)(2) – Security Rule
164.312(b)(2) Standard: Audit Controls
Implement hardware, software, and/or procedural mechanisms that *record and examine activity* in information systems that contain or use electronic protected health information.
Audit Controls 164.312(b)(2) – OCR Audit Protocol
§164.312(b):
Key Activity: Determine the Activities that Will be Tracked or Audited (Something you have to do.)
Audit Procedures: Inquire of management as to whether audit controls have been implemented over information systems that contain or use ePHI. Obtain and review documentation relative to the specified criteria to determine whether audit controls have been implemented over information systems that contain or use ePHI.
Key Activity: Select the Tools that Will be Deployed for Auditing and System Activity Reviews (Something you have to do.)
Audit Procedures: Inquire of management as to whether systems and applications have been evaluated to determine whether upgrades are necessary to implement audit capabilities. Obtain and review documentation of tools or applications that management has identified to capture the appropriate audit information.
Audit Controls 164.312(b)(2) – OCR Audit Protocol – Determine the Activities
§164.312(b):
Key Activity: Determine the Activities that Will be Tracked or Audited
EC2 CloudTrail Events: AttachVolume, AuthorizeSecurityGroupIngress, CopySnapshot, CreateNetworkAclEntry, CreateSnapshot, DeleteSnapshot, DeleteTags, DeleteVolume, TerminateInstance
RDS CloudTrail Events: AuthorizeDBSecurityGroupIngress, CopyDBSnapshot, CreateDBSnapshot, DeleteDBInstance, DeleteDBSnapshot, ModifyDBInstance
Amazon Glacier CloudTrail Events: DeleteArchive, DeleteVault
DynamoDB CloudTrail Events: DeleteTable, UpdateTable
Amazon Redshift CloudTrail Events: AuthorizeClusterSecurityGroupIngress, CopyClusterSnapshot, CreateClusterSnapshot, DeleteCluster, DeleteClusterSnapshot, DisableLogging
CloudTrail CloudTrail Events: CreateTrail, DeleteTrail, UpdateTrail, StopLogging
S3 CloudTrail Events (New in Sept 2015): Delete Bucket, Delete Bucket lifecycle, Delete Bucket tagging, Put Bucket acl, Put Bucket lifecycle, Put Bucket policy, Put Bucket replication
EC2 Instance Events: /var/log/messages, /var/log/audit, /var/log/<whatever>, </your/application/logs>
RDS Instance Events: MySQL DDL/DML via general_log = 1, log_output = TABLE | FILE
DynamoDB Application-Level Events (SDK and/or DynamoDB Streams): BatchGetItem, BatchWriteItem, DeleteItem, GetItem, PutItem, Query, Scan, UpdateItem
Amazon Redshift Database Events: Connection Logging (STL_CONNECTION_LOG), Query Text Logging (STL_QUERY & STL_QUERYTEXT)
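A triage routine for the activities listed above, added here as an example and not part of the session: it classifies constructed CloudTrail records (the account id is a placeholder) using these slides' event lists and Emdeon's root-logon quarantine trigger, ranking events that switch off the trail itself above the rest.

```python
# Triage CloudTrail records against the 164.312(b) activity list on the slides
# and the root-logon trigger from Emdeon's incident procedure.
import json

# eventSource -> eventNames, from the "Determine the Activities" slides.
# The slides write TerminateInstance; CloudTrail records the EC2 API name, TerminateInstances.
TRACKED_EVENTS = {
    "ec2.amazonaws.com": {
        "AttachVolume", "AuthorizeSecurityGroupIngress", "CopySnapshot",
        "CreateNetworkAclEntry", "CreateSnapshot", "DeleteSnapshot",
        "DeleteTags", "DeleteVolume", "TerminateInstances",
    },
    "rds.amazonaws.com": {
        "AuthorizeDBSecurityGroupIngress", "CopyDBSnapshot", "CreateDBSnapshot",
        "DeleteDBInstance", "DeleteDBSnapshot", "ModifyDBInstance",
    },
    "glacier.amazonaws.com": {"DeleteArchive", "DeleteVault"},
    "dynamodb.amazonaws.com": {"DeleteTable", "UpdateTable"},
    "redshift.amazonaws.com": {
        "AuthorizeClusterSecurityGroupIngress", "CopyClusterSnapshot",
        "CreateClusterSnapshot", "DeleteCluster", "DeleteClusterSnapshot",
        "DisableLogging",
    },
    "cloudtrail.amazonaws.com": {"CreateTrail", "DeleteTrail", "UpdateTrail", "StopLogging"},
    "s3.amazonaws.com": {
        "DeleteBucket", "DeleteBucketLifecycle", "DeleteBucketTagging",
        "PutBucketAcl", "PutBucketLifecycle", "PutBucketPolicy", "PutBucketReplication",
    },
}

# Events that switch off or alter the audit trail itself: 164.312(b) requires
# mechanisms that *record* activity, so losing the recorder is its own finding.
AUDIT_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail", "DisableLogging"}

SEVERITY_ORDER = {"quarantine": 0, "critical": 1, "review": 2}


def classify(record):
    """Return (severity, reason) for one CloudTrail record, or None if untracked."""
    source = record.get("eventSource", "")
    name = record.get("eventName", "")
    identity = record.get("userIdentity", {})
    # Root console logon: Emdeon's trigger to quarantine the production environment.
    if source == "signin.amazonaws.com" and name == "ConsoleLogin" and identity.get("type") == "Root":
        outcome = record.get("responseElements", {}).get("ConsoleLogin", "Unknown")
        return "quarantine", f"root console logon ({outcome})"
    if name in AUDIT_TAMPERING and name in TRACKED_EVENTS.get(source, ()):
        return "critical", f"audit trail changed: {source} {name}"
    if name in TRACKED_EVENTS.get(source, ()):
        return "review", f"tracked activity on an ePHI system: {source} {name}"
    return None


def triage(records):
    """Classify every record; return findings ordered by severity, then time."""
    findings = []
    for rec in records:
        hit = classify(rec)
        if hit is None:
            continue
        who = rec.get("userIdentity", {})
        findings.append({
            "time": rec.get("eventTime", ""),
            "actor": who.get("arn") or who.get("type", "unknown"),
            "event": rec.get("eventName"),
            "severity": hit[0],
            "reason": hit[1],
        })
    findings.sort(key=lambda f: (SEVERITY_ORDER[f["severity"]], f["time"]))
    return findings


# Constructed sample log in CloudTrail's delivery shape; account 111122223333 is a placeholder.
SAMPLE_LOG = """{"Records": [
 {"eventTime": "2015-10-08T14:02:11Z", "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/ops"}},
 {"eventTime": "2015-10-08T14:05:40Z", "eventSource": "rds.amazonaws.com", "eventName": "DeleteDBSnapshot",
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/dba"}},
 {"eventTime": "2015-10-08T14:06:02Z", "eventSource": "ec2.amazonaws.com", "eventName": "AuthorizeSecurityGroupIngress",
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/ops"}},
 {"eventTime": "2015-10-08T14:09:13Z", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
  "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
  "responseElements": {"ConsoleLogin": "Success"}},
 {"eventTime": "2015-10-08T14:09:58Z", "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
  "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"}},
 {"eventTime": "2015-10-08T14:11:27Z", "eventSource": "s3.amazonaws.com", "eventName": "PutBucketAcl",
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/ops"}}
]}"""


def sample_findings():
    """Triage the constructed log; DescribeInstances is read-only and is not tracked."""
    return triage(json.loads(SAMPLE_LOG)["Records"])


if __name__ == "__main__":
    for f in sample_findings():
        print(f"{f['severity']:<10} {f['time']}  {f['actor']}  {f['reason']}")
```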
Audit Controls 164.312(b)(2) – OCR Audit Protocol – Document Implementation
§164.312(b):
Audit Procedures: Inquire of management as to whether audit controls have been implemented over information systems that contain or use ePHI. Obtain and review documentation relative to the specified criteria to determine whether audit controls have been implemented over information systems that contain or use ePHI. (Something you have to do.)
Key Activity: Determine the Activities that Will be Tracked or Audited
Capture CloudTrail Configuration (CLI Example)
$ aws cloudtrail describe-trails
{
    "trailList": [
        {
            "IncludeGlobalServiceEvents": true,
            "Name": "Default",
            "S3KeyPrefix": "CloudTrail",
            "S3BucketName": "us-east-1.logging",
            "CloudWatchLogsRoleArn": "arn:aws:iam::663354267581:role/CloudTrail_CloudWatchLogs_Role",
            "CloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-1:663354267581:log-group:CloudTrail/us-east-1-LogGroup:*"
        }
    ]
}
Capture CloudTrail Trusted Advisor Report
Audit Controls 164.312(b)(2) – OCR Audit Protocol – Select the Tools
§164.312(b):
Key Activity: Select the Tools that Will be Deployed for Auditing and System Activity Reviews (Something you have to do.)
Audit Procedures: Inquire of management as to whether systems and applications have been evaluated to determine whether upgrades are necessary to implement audit capabilities. Obtain and review documentation of tools or applications that management has identified to capture the appropriate audit information.
[Diagram: CloudTrail and Amazon EC2 instances running the CloudWatch Logs agent both deliver into CloudWatch Logs; a CloudWatch Logs subscription feeds Amazon Kinesis; a KCL-based CloudWatch Logs subscription consumer reads the stream into ELK.]
[Diagram: the log groups flowing through the CloudWatch Logs subscription into Amazon Kinesis: LogGroup-CloudTrail/Stream1, LogGroup-CWL-syslog/instance-1, LogGroup-CWL-syslog/instance-2, LogGroup-CWL-customApp/instance-3, […]]
Audit Controls 164.312(b)(2) – OCR Audit Protocol – Document Implementation
§164.312(b):
Key Activity: Select the Tools that Will be Deployed for Auditing and System Activity Reviews
Audit Procedures: […] Obtain and review documentation of tools or applications that management has identified to capture the appropriate audit information.
$ aws logs describe-log-groups --log-group-name-prefix "CloudTrail"
{
    "logGroups": [
        {
            "arn": "arn:aws:logs:us-east-1:663354267581:log-group:CloudTrail/us-east-1-LogGroup:*",
            "creationTime": 1439155915783,
            "metricFilterCount": 0,
            "logGroupName": "CloudTrail/us-east-1-LogGroup",
            "storedBytes": 411573
        }
    ]
}
$ aws logs describe-subscription-filters --log-group-name CloudTrail/us-east-1-LogGroup
{
    "subscriptionFilters": [
        {
            "filterPattern": "",
            "filterName": "cwl-cfn-es-CWL-Elasticsearch-KinesisSubscriptionStream-1KSJUFTUP6K5K",
            "roleArn": "arn:aws:iam::663354267581:role/CWL-Elasticsearch-CloudWatchLogsKinesisRole-4DVR5UWI4QBR",
            "creationTime": 1439157386140,
            "logGroupName": "CloudTrail/us-east-1-LogGroup",
            "destinationArn": "arn:aws:kinesis:us-east-1:663354267581:stream/CWL-Elasticsearch-KinesisSubscriptionStream-1KSJUFTUP6K5K"
        }
    ]
}
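The three captures above can be checked mechanically. This added example, not from the session, retypes the session's own describe-trails, describe-log-groups and describe-subscription-filters output and verifies the chain trail → CloudWatch Logs group → Kinesis subscription, so the evidence an auditor asks for doubles as a control test.

```python
# Verify the audit-log pipeline from the CLI documents the session captures:
# trail -> CloudWatch Logs group -> Kinesis subscription filter.


def _norm_arn(arn):
    """describe-trails and describe-log-groups both print the group ARN with a ':*' suffix."""
    return (arn or "").rstrip("*").rstrip(":")


def check_audit_pipeline(trails_doc, groups_doc, filters_by_group):
    """Return (ok, findings). filters_by_group maps logGroupName -> the
    describe-subscription-filters document for that group. Findings are
    (level, message); a "fail" breaks the control, a "warn" is worth documenting."""
    findings = []
    trails = trails_doc.get("trailList", [])
    if not trails:
        return False, [("fail", "no CloudTrail trail configured: API activity is not being recorded")]
    groups = {_norm_arn(g.get("arn")): g for g in groups_doc.get("logGroups", [])}
    for t in trails:
        name = t.get("Name", "?")
        # Console sign-in, IAM and STS are global services; without this flag the
        # root-logon event Emdeon's incident procedure keys on never reaches the trail.
        if not t.get("IncludeGlobalServiceEvents"):
            findings.append(("fail", f"trail {name}: IncludeGlobalServiceEvents is false, "
                                     "so console sign-in, IAM and STS events are missed"))
        if not t.get("S3BucketName"):
            findings.append(("fail", f"trail {name}: no S3 bucket, so there is no durable copy of the API log"))
        group_arn = _norm_arn(t.get("CloudWatchLogsLogGroupArn"))
        if not group_arn or not t.get("CloudWatchLogsRoleArn"):
            findings.append(("fail", f"trail {name}: not delivering to CloudWatch Logs"))
            continue
        group = groups.get(group_arn)
        if group is None:
            findings.append(("fail", f"trail {name}: log group {group_arn} does not exist"))
            continue
        gname = group["logGroupName"]
        if group.get("metricFilterCount", 0) == 0:
            findings.append(("warn", f"log group {gname}: no metric filters, so any alarm "
                                     "(e.g. on root logon) must come from the downstream consumer"))
        subs = filters_by_group.get(gname, {}).get("subscriptionFilters", [])
        to_kinesis = [s for s in subs
                      if s.get("destinationArn", "").startswith("arn:aws:kinesis:") and s.get("roleArn")]
        if not to_kinesis:
            findings.append(("fail", f"log group {gname}: no Kinesis subscription filter, "
                                     "so nothing feeds the review tooling"))
        elif any(s.get("filterPattern") for s in to_kinesis):
            # An empty pattern forwards every event; a non-empty one forwards only matches.
            findings.append(("warn", f"log group {gname}: subscription filter pattern forwards only matching events"))
    return not any(level == "fail" for level, _ in findings), findings


# The session's own CLI output, retyped as Python (account 663354267581 is the one on the slides).
TRAILS = {"trailList": [{
    "IncludeGlobalServiceEvents": True, "Name": "Default", "S3KeyPrefix": "CloudTrail",
    "S3BucketName": "us-east-1.logging",
    "CloudWatchLogsRoleArn": "arn:aws:iam::663354267581:role/CloudTrail_CloudWatchLogs_Role",
    "CloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-1:663354267581:log-group:CloudTrail/us-east-1-LogGroup:*",
}]}
LOG_GROUPS = {"logGroups": [{
    "arn": "arn:aws:logs:us-east-1:663354267581:log-group:CloudTrail/us-east-1-LogGroup:*",
    "creationTime": 1439155915783, "metricFilterCount": 0,
    "logGroupName": "CloudTrail/us-east-1-LogGroup", "storedBytes": 411573,
}]}
SUBSCRIPTIONS = {"subscriptionFilters": [{
    "filterPattern": "",
    "filterName": "cwl-cfn-es-CWL-Elasticsearch-KinesisSubscriptionStream-1KSJUFTUP6K5K",
    "roleArn": "arn:aws:iam::663354267581:role/CWL-Elasticsearch-CloudWatchLogsKinesisRole-4DVR5UWI4QBR",
    "creationTime": 1439157386140, "logGroupName": "CloudTrail/us-east-1-LogGroup",
    "destinationArn": "arn:aws:kinesis:us-east-1:663354267581:stream/CWL-Elasticsearch-KinesisSubscriptionStream-1KSJUFTUP6K5K",
}]}


def check_session_example():
    """Evaluate the pipeline exactly as the session captured it."""
    return check_audit_pipeline(TRAILS, LOG_GROUPS, {"CloudTrail/us-east-1-LogGroup": SUBSCRIPTIONS})


def check_with_subscription_removed():
    """Same trail and group, but the subscription filter has been deleted."""
    return check_audit_pipeline(TRAILS, LOG_GROUPS, {})


if __name__ == "__main__":
    for ok, findings in (check_session_example(), check_with_subscription_removed()):
        print("PASS" if ok else "FAIL")
        for level, message in findings:
            print(f"  [{level}] {message}")
```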
Audit Controls 164.312(b)(2) – OCR Audit Protocol – Activity Reviews
§164.312(b):
Key Activity: Select the Tools that Will be Deployed for Auditing and System Activity Reviews (Something you have to do.)
HIPAA Security Rule – Fine print explained… or “How do I derive engineering from regulation?”
The Security Rule is located at 45 CFR Part 160 and Subparts A and C of Part 164.
Title 45 of the Code of Federal Regulations – Public Welfare
  Subtitle A - Health and Human Services
    Subchapter C - ADMINISTRATIVE DATA STANDARDS AND RELATED REQUIREMENTS
      Part 160 - General Administrative Requirements
      Part 164 - Security and Privacy
        Subpart C - Security Standards for the Protection of Electronic Protected Health Information
          Section 164.312 - Technical Safeguards
            164.312(a)(1) – Standard: Access Control
            164.312(a)(2) - Implementation Specification
              (iv) Encryption and decryption (Addressable). Implement a mechanism to encrypt and decrypt electronic protected health information.
            164.312(e)(1) – Standard: Transmission Security
            164.312(e)(2) – Implementation Specification
              (ii) Encryption (Addressable). Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate.
Encryption Controls – 164.312(a)(2)(iv)
164.312(a)(2)(iv) Standard: Access Control
Encryption and decryption (Addressable). Implement a mechanism to encrypt and decrypt electronic protected health information.
Guidance to Render Unsecured Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals
http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/brguidance.html
Electronic PHI has been encrypted as specified in the HIPAA Security Rule by “the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key” (45 CFR 164.304 definition of encryption) and such confidential process or key that might enable decryption has not been breached. To avoid a breach of the confidential process or key, these decryption tools should be stored on a device or at a location separate from the data they are used to encrypt or decrypt.
“Il faut qu’il n’exige pas le secret, et qu’il puisse sans inconvénient tomber entre les mains de l’ennemi.” – Auguste Kerckhoffs, “La Cryptographie Militaire,” Journal des Sciences Militaires, January, 1883
The system must not require secrecy and can be stolen by the enemy without causing trouble.
Encryption Controls – 164.312(a)(2)(iv) – OCR Audit Protocol
§164.312(a)(2)(iv):
Key Activity: Encryption and Decryption (Something you have to do.)
Audit Procedures: Inquire of management as to whether an encryption mechanism is in place to protect ePHI. Obtain and review formal or informal policies and procedures and evaluate the content relative to the specified criteria to determine that encryption standards exist to protect ePHI. Based on the complexity of the entity, elements to consider include but are not limited to:
- Type(s) of encryption used.
- How encryption keys are protected.
- Access to modify or create keys is restricted to appropriate personnel.
- How keys are managed.
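An added example, not from the session, for the element “Access to modify or create keys is restricted to appropriate personnel”: it audits a KMS key policy (constructed, with a placeholder account id and hypothetical role names) so that key-administration and key-use actions are granted only to named principals, and it separates the standard delegation-to-IAM statement, which needs an IAM review rather than a fail, from a policy that is open to everyone.

```python
# Audit a KMS key policy for the OCR elements above: who may modify or create
# keys (administration) and who may turn ciphertext back into ePHI (use).
from fnmatch import fnmatchcase

# Actions that change a key's policy, lifecycle, aliases or rotation (key administration).
ADMIN_ACTIONS = {
    "kms:PutKeyPolicy", "kms:ScheduleKeyDeletion", "kms:DisableKey", "kms:EnableKey",
    "kms:CreateAlias", "kms:DeleteAlias", "kms:UpdateAlias",
    "kms:EnableKeyRotation", "kms:DisableKeyRotation",
}
# Actions that decrypt ePHI or mint the data keys that protect it (key use).
USE_ACTIONS = {
    "kms:Decrypt", "kms:Encrypt", "kms:ReEncryptFrom", "kms:ReEncryptTo",
    "kms:GenerateDataKey", "kms:GenerateDataKeyWithoutPlaintext",
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principals(statement):
    """Normalise the Principal element to a list of AWS principal strings."""
    principal = statement.get("Principal", {})
    if principal == "*":
        return ["*"]
    return _as_list(principal.get("AWS", []))


def _granted(statement, wanted):
    """Which of `wanted` does this statement grant, honouring IAM action wildcards?"""
    patterns = _as_list(statement.get("Action", []))
    return sorted(a for a in wanted if any(fnmatchcase(a, p) for p in patterns))


def audit_key_policy(policy, account_id):
    """Return (passes, findings); findings are (level, sid, message) tuples."""
    findings = []
    account_root = f"arn:aws:iam::{account_id}:root"
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        sid = st.get("Sid", "<no Sid>")
        admin, use = _granted(st, ADMIN_ACTIONS), _granted(st, USE_ACTIONS)
        for who in _principals(st):
            if who == "*":
                if admin:
                    findings.append(("fail", sid, f"anyone may administer the key: {admin}"))
                if use:
                    findings.append(("fail", sid, f"anyone may use the key on ePHI: {use}"))
            elif who == account_root and admin:
                # KMS's default statement: legal, but IAM policies now decide who administers the key.
                findings.append(("warn", sid, "administration delegated to IAM via the account root; "
                                              "review the IAM policies that grant kms:* actions"))
            elif who.endswith(":root") and (admin or use):
                findings.append(("warn", sid, f"another account's root principal {who} has access; confirm it is intended"))
    return not any(level == "fail" for level, _, _ in findings), findings


ACCOUNT = "111122223333"  # constructed placeholder account id

# Constructed key policy in the shape KMS generates: IAM delegation, a named
# administrator role (hypothetical PhiKeyAdmins) and a named application role
# (hypothetical PhiAppRole) that may only use the key.
GOOD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
         "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:root"}, "Action": "kms:*", "Resource": "*"},
        {"Sid": "Allow administration of the key", "Effect": "Allow",
         "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:role/PhiKeyAdmins"},
         "Action": ["kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*", "kms:Put*",
                    "kms:Update*", "kms:Revoke*", "kms:Disable*", "kms:Get*", "kms:Delete*",
                    "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion"], "Resource": "*"},
        {"Sid": "Allow use of the key", "Effect": "Allow",
         "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:role/PhiAppRole"},
         "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*",
                    "kms:DescribeKey"], "Resource": "*"},
    ],
}

# Same policy, but the "use" statement has been opened to every principal.
BAD_POLICY = {"Version": "2012-10-17",
              "Statement": GOOD_POLICY["Statement"][:2] + [dict(GOOD_POLICY["Statement"][2], Principal="*")]}


if __name__ == "__main__":
    for label, policy in (("good", GOOD_POLICY), ("bad", BAD_POLICY)):
        passes, findings = audit_key_policy(policy, ACCOUNT)
        print(label, "PASS" if passes else "FAIL")
        for level, sid, message in findings:
            print(f"  [{level}] {sid}: {message}")
```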
Encryption Controls – 164.312(a)(2)(iv) – Using Amazon KMS
HIPAA Eligible Services integrations
Amazon Elastic Block Store
Amazon Relational Database Service – MySQL
Amazon Relational Database Service – Oracle
Amazon Simple Storage Service (SSE-K)
Amazon Redshift
Amazon Elastic MapReduce (client-side EMRFS)
Encryption Controls – 164.312(a)(2)(iv) – Using Amazon KMS – EBS example
[Diagram, built up over several slides: an EBS volume is encrypted with a volume encryption key; that key is protected by a KMS customer master key; an EBS snapshot of the volume carries the same protected key. Copying the snapshot from region 1 (us-west-2) to region 2 (us-east-1) produces a snapshot whose volume encryption key is protected by a KMS customer master key in region 2.]
Remember to complete your evaluations!
Thank you!