SECURING HEALTHCARE DATA ON AWS FOR HIPAA COMPLIANCE

Patient Data is More Portable than it has ever been

•  44% of healthcare orgs already host clinical apps in the cloud (HIMSS)

•  More than 50% of US doctors are receiving MU Incentives for EHR (HHS)

•  More than 40% of physicians use mobile devices to access PHI (Deloitte)

Impact: Protecting the confidentiality, integrity, and availability of this information (PHI) becomes crucial

The HIPAA Security Rule

•  Safeguard the confidentiality, integrity and availability of ePHI

•  Protect ePHI systems and data against reasonably anticipated threats

Stipulates processes for securing electronic protected health records

Technical Safeguards

Physical Safeguards

Administrative Safeguards

The HIPAA Security Rule

HIPAA Breach Notification rule

HIPAA Privacy rule

HIPAA Security rule

•  Safeguard the confidentiality, integrity and availability of ePHI data

•  Protect ePHI systems and data against reasonably anticipated threats

Administrative Safeguards
-  Security Management Process
-  Assigned Security Responsibility
-  Workforce Security
-  Information Access Management
-  Security Awareness and Training
-  Security Incident Procedures
-  Contingency Plan
-  Evaluation
-  Business Associate Contracts

Physical Safeguards
-  Facility Access Controls
-  Workstation Use
-  Workstation Security
-  Device and Media Controls

Technical Safeguards
-  Access Control
-  Audit Controls
-  Integrity
-  Person or Entity Authentication
-  Transmission Security


Administrative Safeguards

Key requirement:

•  Implement security measures for protecting ePHI

•  Manage the conduct of the workforce in relation to protecting ePHI

How to comply:

•  Vulnerability Assessment (Risk analysis)

•  Intrusion Detection (Risk management, protection from malicious software, incident response)

•  Web Application Firewall (Risk management, protection from malicious software, incident response)

•  Log management/SIEM (Tracking access authorization/modification, backup services)

•  Security monitoring (Application and data criticality analysis)

Addressing HIPAA Compliance Requirements


Physical Safeguards

Key requirement:

•  Physical measures to protect ePHI and related systems from unauthorized intrusion and natural hazards

How to comply:

•  Log management/SIEM (Tracking access control changes and data backups, enabling disaster recovery and integrity assurance of logs)

Addressing HIPAA Compliance Requirements


Technical Safeguards

Key requirement:

•  Technology that protects ePHI and controls access to it

How to comply:

•  Intrusion Detection (Automated security analysis with pre-built alerts and reports)

•  Log management/SIEM (Automates log collection, aggregation and normalization across sources; tracks changes in access control, cryptographic services and audit services)

Addressing HIPAA Compliance Requirements

Using DevOps to Assist with Compliance

• Deployment automation to automatically apply security agents and configuration.

• Leverage tools such as CloudFormation to deploy applications in a consistent and reviewable manner.

• Use CloudTrail to create an audit trail of infrastructure changes.

• Leverage IAM to restrict users to BAA-approved services and constraints.

• AWS Config Rules can help identify violations of volume encryption and dedicated tenancy.

How Cloud Defender Works in AWS

Diagram (labels recovered from the slide):

•  Inputs from AWS services and from instances and applications: AWS service log collection; web and network security events; application and server logs; continuous vulnerability scanning, configuration assessments and environment visibility

•  Analytics Platform: threat intel and context, expert analysis

•  Delivered to your team: threat detection with remediation tactics; vulnerability and configuration issues

Make HIPAA Easier with a Security Operations Center

• 24x7 monitoring by GIAC-certified security analysts
-  Proactive identification and response to suspicious activity
-  Incident response and escalation
-  Recommendations for resolution

• Ongoing tuning delivers protection and application availability
-  Tuning in response to changing attacks and customer application changes
-  All team members are responsible for identifying new patterns of attacks that feed into building of new security content

Summary: Alert Logic Provides Broad HIPAA Coverage

HIPAA Rule                                         Alert Logic

Physical Safeguards
  164.310 (a) Facility access controls             ✔
  164.310 (d) Device and media controls            ✔

Technical Safeguards
  164.312 (a) (1) Access control                   ✔
  164.312 (b) Audit controls                       ✔
  164.312 (c) Integrity                            ✔
  164.312 (e) Transmission security                ✔

Administrative Safeguards
  164.308 (a) (1) Security Management Process      ✔
  164.308 (a) (3) Workforce Security               ✔
  164.308 (a) (4) Information Access Management    ✔
  164.308 (a) (5) Security Awareness and Training  ✔
  164.308 (a) (6) Security Incident Procedures     ✔
  164.308 (a) (7) Contingency Plan                 ✔

Thank you.