Best Practices For Building a HIPAA-compliant AWS Infrastructure


The massive transition to digitizing personal information has increasingly pushed people to be aware of their rights and privacy. Healthcare organizations are legally obliged to ensure that while handling Protected Health Information (PHI), their systems and processes fully comply with HIPAA regulations. 

What does it mean to be HIPAA-compliant?

The Health Insurance Portability and Accountability Act (HIPAA) was passed in 1996 by the U.S. Congress and deals primarily with the handling of sensitive patient health information. HIPAA mandates regulations that bar the misuse of PHI, so that no information is shared without the concerned person’s knowledge and consent.

Most popular cloud service 

AWS offers a wide range of services certified as HIPAA compliant, making it a popular choice for healthcare organizations looking to establish secure and compliant infrastructures. A Business Associate Agreement (BAA) must be signed between a covered entity and AWS to use its services for storing, processing, and transmitting PHI.

Critical practices for building a HIPAA-compliant AWS infrastructure

  • Using Virtual Private Clouds (VPCs) 

VPCs are a key building block for a HIPAA-compliant infrastructure on AWS. A VPC is a logically isolated section of the AWS cloud in which resources are launched into a virtual network you define. Access to PHI can then be controlled with security groups and network ACLs that govern inbound and outbound traffic.
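As an added example (not code from the original article), the following Python script audits security group rules in the shape returned by EC2 DescribeSecurityGroups and flags ingress rules that are open to the whole internet on ports outside an assumed allow list. The sample groups, their placeholder ids and the allow list are constructed for this example.

```python
import ipaddress

# Constructed sample in the shape of EC2 DescribeSecurityGroups output; ids are placeholders.
SAMPLE_GROUPS = [
    {"GroupId": "sg-PLACEHOLDER-db", "GroupName": "phi-db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "10.0.1.0/24"}], "Ipv6Ranges": []},
    ]},
    {"GroupId": "sg-PLACEHOLDER-api", "GroupName": "phi-api", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ]},
]

# Ports a PHI workload may expose to the internet (assumption: only the TLS front end).
ALLOWED_PUBLIC_PORTS = {443}


def is_world_open(cidr):
    """True when the CIDR is the entire IPv4 or IPv6 address space."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def audit_security_groups(groups, allowed_public_ports=ALLOWED_PUBLIC_PORTS):
    """Flag ingress rules reachable from anywhere on ports outside the allow list."""
    findings = []
    for group in groups:
        for perm in group.get("IpPermissions", []):
            proto = perm.get("IpProtocol", "-1")
            lo, hi = perm.get("FromPort", -1), perm.get("ToPort", -1)
            all_ports = proto == "-1" or lo == -1        # "-1" means every protocol and port
            allowed = not all_ports and lo == hi and lo in allowed_public_ports
            sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in sources:
                if is_world_open(cidr) and not allowed:
                    findings.append({"group": group["GroupId"], "protocol": proto,
                                     "ports": "all" if all_ports else f"{lo}-{hi}",
                                     "source": cidr})
    return findings


if __name__ == "__main__":
    for f in audit_security_groups(SAMPLE_GROUPS):
        print(f"{f['group']}: {f['protocol']} {f['ports']} open to {f['source']}")
```

In a real account the same function can be fed the output of `describe_security_groups` from boto3; the logic does not change.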

  • Using Identity and Access Management (IAM)

IAM allows controlled access to PHI at the resource level. Creating IAM policies grants users and applications access to specific resources and actions. Additionally, IAM enables the use of ‘roles’ to give temporary access to resources, minimizing the number of long-term access keys in use.

  • Encrypting

Encryption secures PHI in transit and at rest. AWS Key Management Service (KMS) creates and manages encryption keys. Additionally, AWS offers multiple encryption options: hardware security modules (HSMs), server-side and client-side encryption, etc.

  • Using Multi-factor authentication (MFA)

MFA is a crucial security measure that helps protect PHI by adding a layer of protection to privileged access. AWS offers several MFA options, including hardware MFA devices and virtual MFA apps.
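To tie the IAM, encryption and MFA points together, here is an added example (not from the article or from AWS) that checks a policy document for three PHI controls: a Deny on non-TLS requests (aws:SecureTransport), a Deny on S3 uploads without SSE-KMS, and an MFA condition on every Allow statement. The policies and the bucket name are constructed for this example.

```python
# Constructed policies for this example (not AWS-provided): a bucket policy for a PHI
# bucket and two versions of an IAM policy for privileged access. Bucket name is a placeholder.
PHI_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
         "Resource": ["arn:aws:s3:::phi-bucket-placeholder", "arn:aws:s3:::phi-bucket-placeholder/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
        {"Sid": "DenyUnencryptedUploads", "Effect": "Deny", "Principal": "*", "Action": "s3:PutObject",
         "Resource": "arn:aws:s3:::phi-bucket-placeholder/*",
         "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}},
    ],
}
ADMIN_POLICY_NO_MFA = {"Version": "2012-10-17",
                       "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}
ADMIN_POLICY_MFA = {"Version": "2012-10-17",
                    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*",
                                   "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_equals(stmt, operator, key, expected):
    """True if the statement carries Condition[operator][key] == expected (case-insensitive)."""
    value = stmt.get("Condition", {}).get(operator, {}).get(key)
    return value is not None and str(value).lower() == expected


def check_phi_controls(policy):
    """Report which PHI-relevant controls a policy document enforces.

    tls_required: a Deny when aws:SecureTransport is false (encryption in transit)
    kms_required: a Deny on PutObject without SSE-KMS (encryption at rest)
    mfa_required: every Allow statement is gated on MFA (vacuously true with no Allow)
    """
    statements = _as_list(policy.get("Statement", []))
    result = {"tls_required": False, "kms_required": False,
              "mfa_required": all(_condition_equals(s, "Bool", "aws:MultiFactorAuthPresent", "true")
                                  for s in statements if s.get("Effect") == "Allow")}
    for s in statements:
        if s.get("Effect") != "Deny":
            continue
        actions = _as_list(s.get("Action", []))
        if _condition_equals(s, "Bool", "aws:SecureTransport", "false"):
            result["tls_required"] = True
        if any(a in ("s3:PutObject", "s3:*") for a in actions) and \
                _condition_equals(s, "StringNotEquals", "s3:x-amz-server-side-encryption", "aws:kms"):
            result["kms_required"] = True
    return result
```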

  • Data Backup

Regularly backing up data is vital to ensure that no crucial data is lost in a disaster. AWS provides several tools, such as Amazon S3, Amazon RDS, and AWS Storage Gateway, that can be used to back up data.

  • Monitoring, Reviewing, and Auditing

Regular review and monitoring are crucial to maintaining HIPAA compliance. AWS provides several tools, such as AWS CloudTrail, Amazon CloudWatch, AWS Config, and AWS Security Hub, that monitor the infrastructure and identify compliance gaps and security vulnerabilities.

  • Additional Security and Response Plan

For additional layers of security, AWS partners with third-party security providers such as Trend Micro, McAfee, and Symantec. A ready-to-execute response plan for a security breach is an absolute necessity. It should be capable of identifying and containing any threat and reporting it to the relevant authorities.

  • Appropriate Training for Development Team

Educate the project developers on the importance of protecting PHI and provide them with the knowledge and tools needed to do so. They need to be kept informed about the latest regulations and best practices. AWS provides several resources, such as the AWS Compliance website, that help teams stay current with the latest laws.

  • Hiring Additional Hands
    • It is vital to work with an experienced compliance consultant who can help the development team navigate the complexities of HIPAA compliance and ensure that the infrastructure is configured and maintained per the latest regulations.
    • Working with experienced security professionals and conducting regular risk assessments is essential to ensure the infrastructure is HIPAA compliant.

By following these best practices and working with experienced security professionals, healthcare organizations can build a secure and compliant infrastructure on AWS.

Now, let’s look at some diagrams.

Various resources to audit, backup, and monitor infrastructure to maintain HIPAA compliance (Source: AWS)

Basic Architectural Diagram (Source: AWS)

The above diagram shows the Quick Start architecture AWS provides for HIPAA compliance. Let’s discuss it in detail.

  • Availability Zone

The architecture spans two Availability Zones for high availability, so the infrastructure can withstand the failure of a single Availability Zone without losing access to resources.

  • Virtual Private Cloud (VPC)

Three VPCs, for management, production, and development, segment the infrastructure; each is configured with its own subnets to provide a virtual network within AWS. This allows one to control access to resources and better manage network traffic.

An AWS Transit Gateway is used for VPC-to-VPC communication and customer connectivity. This allows for connecting the VPCs and other resources in the infrastructure.

  • In the management VPC, a gateway serves as the central point for internet traffic. Public subnets host network address translation (NAT) gateways that allow resources in the private subnets to reach the internet while maintaining a high level of security. Additionally, private subnets are used to deploy security and infrastructure controls, and flow logs are used for auditing, which gives better visibility into network traffic.
  • In the production VPC, private subnets are used to deploy production workloads, and flow logs are used for auditing. This helps to ensure that production workloads are isolated from development and management resources and that all network traffic is logged for auditing purposes.
  • In the development VPC, private subnets are used to deploy development workloads, and flow logs are used for auditing. This helps to ensure that development resources are isolated from production and management resources and that all network traffic is logged for auditing purposes.
  • Logging and Audit Controls

Amazon CloudWatch is used to deliver flow logs to an S3 bucket. 
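The flow logs described above can be audited once they are delivered. The following added example (not from the article or the AWS Quick Start) parses records in the default version-2 flow log format, reports accepted connections from outside the VPC address ranges into internal addresses on unexpected ports, and counts rejects per source. The log lines, addresses, account id and ports are constructed.

```python
import ipaddress
from collections import Counter

# Constructed VPC flow log records in the default (version 2) format; not real traffic.
# 198.51.100.x and 203.0.113.x are documentation ranges standing in for internet sources.
SAMPLE_FLOW_LOG = """\
2 123456789012 eni-0abc 10.0.1.15 10.0.2.20 49152 5432 6 10 8400 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0abc 198.51.100.7 10.0.2.20 51234 5432 6 1 60 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0abc 198.51.100.7 10.0.2.20 51235 22 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0abc 198.51.100.7 10.0.2.20 51236 3389 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0abc 203.0.113.9 10.0.0.5 44000 443 6 20 16000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0abc - - - - - - - 1700000000 1700000060 - NODATA
"""

FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr", "srcport", "dstport",
          "protocol", "packets", "bytes", "start", "end", "action", "log_status")
# Address ranges that belong to the VPCs (assumption: RFC 1918 space) and the only port the
# internal tier is expected to accept from the internet-facing tier (assumption).
INTERNAL_NETS = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
EXPECTED_PORTS = {443}


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def parse_flow_log(text):
    """Parse default-format records; drop NODATA/SKIPDATA lines, which carry no addresses."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] == "OK":
            records.append(rec)
    return records


def find_external_accepts(records, expected_ports=EXPECTED_PORTS):
    """Accepted flows from outside the VPC ranges into internal addresses on unexpected ports."""
    return [(r["srcaddr"], r["dstaddr"], int(r["dstport"])) for r in records
            if r["action"] == "ACCEPT" and not is_internal(r["srcaddr"])
            and is_internal(r["dstaddr"]) and int(r["dstport"]) not in expected_ports]


def rejects_by_source(records):
    """Count rejected flows per source address; many rejects across ports suggest probing."""
    return Counter(r["srcaddr"] for r in records if r["action"] == "REJECT")
```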

  • Mapping HIPAA requirements

AWS Config is used to map HIPAA mandates to AWS resources.

  • Access Logging

AWS CloudTrail is used for access logging. This gives better visibility into what’s happening in the infrastructure and helps ensure that it complies with HIPAA regulations.

  • Customer Connectivity

Options such as AWS Direct Connect, AWS Site-to-Site VPN, and AWS Transit Gateway are available, allowing connections between resources in the infrastructure.

  • Access Control, Authorization, and Alerting

Amazon Simple Notification Service (Amazon SNS) sends alarm alerts by email. AWS Identity and Access Management (IAM) is used for access control and authorization. This helps control which ‘roles’ have access to the resources and ensures notification of any security incidents.
