Making a HIPAA-compliant architecture on AWS
Healthcare is one of the most important industries in the startup ecosystem worldwide. What makes healthcare startups so important? The potential to improve people's health, and obviously the size of the market. Healthcare startups that use technology to handle patient data have to comply with US healthcare law. One such law is HIPAA, which governs the privacy and security of patient data.
Does this mean that AWS is HIPAA certified?
No. There is no HIPAA certification for a cloud service provider (CSP) such as AWS. To meet the HIPAA requirements that apply to its operating model, AWS aligns its HIPAA risk management program with FedRAMP and NIST 800-53, broader and more prescriptive security frameworks whose controls map to the HIPAA Security Rule. NIST supports this alignment and has published SP 800-66, An Introductory Resource Guide for Implementing the HIPAA Security Rule, which documents how NIST 800-53 controls map to the Security Rule. Compliance is therefore shared: AWS is responsible for the security of the underlying infrastructure, and you remain responsible for how the services are configured and how PHI flows through them.
So how do we make a HIPAA compliant architecture on AWS?
The healthcare sector has very strict rules for keeping patient information safe. As they say, "data is the new oil", and with the security threats looming over the internet it has become essential to safeguard any critical information. It is also important that the users of your product feel their private information is safe with you.
Business Associate Agreement
Before moving Protected Health Information (PHI) to AWS or storing it there, you must have a Business Associate Agreement (BAA) in place with AWS; only then may you store, process, or transmit PHI on the platform. The BAA is accepted through AWS Artifact in the console, and PHI may only be placed in the services AWS designates as HIPAA Eligible. For more information on the BAA, see AWS's HIPAA compliance documentation.
Role-based Access Control
For any System Security Plan (SSP) it is important that role-based access control is documented, as it is one of the key controls in a HIPAA-eligible system. An authentication and authorization system prevents unauthorized access to data, which in practice means a patient's information is visible only to those it has been shared with. On AWS, IAM is that system: every person and workload gets its own identity, permissions are attached to roles rather than to shared credentials, and each role is granted only the actions and resources it needs.
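As an added example (not from the original post), the Terraform below defines a least-privilege IAM role for the application tier that talks to the PHI database. The role can be assumed only by ECS tasks, can read and write only its own prefix in one S3 bucket, can connect to the database only as one named database user via IAM authentication, and can use only the PHI KMS key for data-key operations. The bucket name, account ID, region, variable names and `app_user` are placeholders.

```hcl
# Added example: least-privilege role for the application tier.
# Bucket name, account ID, region, database user and variables are placeholders.

variable "phi_kms_key_arn" {
  description = "ARN of the customer-managed KMS key that protects PHI at rest"
  type        = string
}

variable "db_resource_id" {
  description = "DbiResourceId of the PHI RDS instance (looks like db-ABCDEFGHIJKLMNOPQRSTUVWXYZ)"
  type        = string
}

# Only ECS tasks may assume this role; no human user and no other service can.
data "aws_iam_policy_document" "app_assume" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["ecs-tasks.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "app" {
  name               = "phi-app-task-role"
  assume_role_policy = data.aws_iam_policy_document.app_assume.json
}

data "aws_iam_policy_document" "app" {
  # Object access is scoped to the application's own prefix, not the whole bucket
  # and not "s3:*".
  statement {
    sid       = "PhiObjects"
    actions   = ["s3:GetObject", "s3:PutObject"]
    resources = ["arn:aws:s3:::example-phi-bucket/app/*"]
  }

  # Database access: IAM authentication as one named database user. The token
  # is short-lived, so there is no long-lived password to leak.
  statement {
    sid       = "DbConnect"
    actions   = ["rds-db:connect"]
    resources = ["arn:aws:rds-db:us-east-1:123456789012:dbuser:${var.db_resource_id}/app_user"]
  }

  # Only the PHI key, and only the operations needed to encrypt and decrypt
  # data; no key administration (kms:ScheduleKeyDeletion, kms:PutKeyPolicy, ...).
  statement {
    sid       = "KmsDataKeys"
    actions   = ["kms:Decrypt", "kms:GenerateDataKey"]
    resources = [var.phi_kms_key_arn]
  }
}

resource "aws_iam_role_policy" "app" {
  name   = "phi-app-least-privilege"
  role   = aws_iam_role.app.id
  policy = data.aws_iam_policy_document.app.json
}
```

The point of the example is what is absent: no wildcard actions, no wildcard resources, and no `iam:` permissions, so a compromised application container cannot widen its own access. Operators get separate roles with their own, equally narrow, policies, and every role assumption is recorded in CloudTrail, which is what an auditor reading the SSP will look for.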
The easiest way to leak someone's data is through the database, especially when it is not encrypted. Amazon RDS makes encryption at rest straightforward, but the service alone is not the protection: access to the database should always go through the application, the instance should never be reachable from the public internet, and any sensitive PHI should be encrypted both at rest and in transit.
For additional discussion of Amazon RDS encryption mechanisms, refer to the whitepaper.
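The Terraform below is an added example (not from the original post or the whitepaper) of an RDS PostgreSQL instance configured the way the paragraph above describes: encrypted at rest with a customer-managed KMS key, reachable only from the application tier's security group inside private subnets, TLS forced on every connection, and IAM authentication enabled so the application role can connect without a shared password. The identifiers, subnet group and security group variables are placeholders.

```hcl
# Added example: a private, encrypted RDS PostgreSQL instance for PHI.
# Instance identifier, subnet group, security group and sizes are placeholders.

variable "vpc_id" { type = string }
variable "app_security_group_id" { type = string }  # the application tier's SG
variable "private_db_subnet_group" { type = string } # subnet group with no route to an IGW

# Customer-managed key, rotated yearly; RDS storage, automated backups and
# snapshots of this instance are all encrypted under it.
resource "aws_kms_key" "phi" {
  description         = "CMK for PHI at rest"
  enable_key_rotation = true
}

# Network access: PostgreSQL only from the application tier. No CIDR ranges,
# and certainly no 0.0.0.0/0.
resource "aws_security_group" "db" {
  name        = "phi-db-sg"
  description = "PostgreSQL from the application tier only"
  vpc_id      = var.vpc_id

  ingress {
    from_port       = 5432
    to_port         = 5432
    protocol        = "tcp"
    security_groups = [var.app_security_group_id]
  }
}

# Encryption in transit: reject any client that does not negotiate TLS.
resource "aws_db_parameter_group" "phi" {
  name   = "phi-postgres15"
  family = "postgres15"

  parameter {
    name  = "rds.force_ssl"
    value = "1"
  }
}

resource "aws_db_instance" "phi" {
  identifier        = "phi-postgres"
  engine            = "postgres"
  engine_version    = "15"
  instance_class    = "db.t3.medium"
  allocated_storage = 100

  # Encryption at rest with the PHI key. This can only be set at creation;
  # an unencrypted instance cannot be encrypted in place.
  storage_encrypted = true
  kms_key_id        = aws_kms_key.phi.arn

  # Private subnets, application SG only, no public endpoint.
  db_subnet_group_name   = var.private_db_subnet_group
  vpc_security_group_ids = [aws_security_group.db.id]
  publicly_accessible    = false
  parameter_group_name   = aws_db_parameter_group.phi.name

  # Master credential is generated and stored in Secrets Manager rather than
  # written into Terraform state; the application uses IAM auth instead.
  username                            = "phi_admin"
  manage_master_user_password         = true
  iam_database_authentication_enabled = true

  # Engine logs to CloudWatch Logs give the audit trail the Security Rule asks for.
  enabled_cloudwatch_logs_exports = ["postgresql"]

  # Guard against accidental or malicious deletion of the data store.
  deletion_protection       = true
  skip_final_snapshot       = false
  final_snapshot_identifier = "phi-postgres-final"

  tags = {
    DataClassification = "PHI"
  }
}
```

Two things the configuration does not do for you: column-level protection of the most sensitive fields (application-side encryption with a data key from the same KMS key, if your threat model includes a DBA or a leaked snapshot), and rotating the `phi_admin` credential, which Secrets Manager can schedule once `manage_master_user_password` is in use.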
Backup and Restore
So far you have seen how to keep your data secure, but you also have to keep it available. Amazon RDS provides a backup and restore mechanism: automated daily backups and point-in-time recovery capture the last stable state of the data, and manual snapshots can be taken before risky changes, so either can be restored after a mishap. Be vigilant about your patients' data; AWS provides these mechanisms out of the box, but you still have to enable them, set a retention period, and test that a restore actually works. You can also use Amazon S3 to store backup files, but make sure they are encrypted and not publicly accessible.
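As an added example (not from the original post), the Terraform below hardens an S3 bucket that holds database backup files along the lines of the paragraph above: every form of public access is blocked, objects are versioned and locked against deletion for a retention period, everything is encrypted by default with the PHI KMS key, and any request that is not over TLS is refused. The bucket name and the key ARN variable are placeholders; the RDS backup settings that pair with it are `backup_retention_period` (up to 35 days) and `copy_tags_to_snapshot` on the instance.

```hcl
# Added example: a locked-down S3 bucket for PHI backup files.
# Bucket name and KMS key ARN are placeholders.

variable "phi_kms_key_arn" {
  description = "ARN of the customer-managed KMS key used for PHI at rest"
  type        = string
}

resource "aws_s3_bucket" "backups" {
  bucket              = "example-phi-db-backups" # placeholder; names are global
  object_lock_enabled = true                     # can only be set at creation time
}

# Block every form of public access, regardless of what an ACL or bucket
# policy later tries to grant.
resource "aws_s3_bucket_public_access_block" "backups" {
  bucket                  = aws_s3_bucket.backups.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# Versioning keeps earlier copies if a backup is overwritten or deleted.
resource "aws_s3_bucket_versioning" "backups" {
  bucket = aws_s3_bucket.backups.id
  versioning_configuration {
    status = "Enabled"
  }
}

# Object Lock: a backup cannot be deleted or altered for 35 days, even by a
# principal holding s3:DeleteObject, which is what matters against ransomware
# or a compromised operator account. GOVERNANCE mode can still be bypassed by
# principals with s3:BypassGovernanceRetention; use COMPLIANCE when even the
# root user must not be able to shorten retention.
resource "aws_s3_bucket_object_lock_configuration" "backups" {
  bucket = aws_s3_bucket.backups.id
  rule {
    default_retention {
      mode = "GOVERNANCE"
      days = 35
    }
  }
  depends_on = [aws_s3_bucket_versioning.backups]
}

# Encrypt every object at rest with the PHI key, whether or not the uploader asks.
resource "aws_s3_bucket_server_side_encryption_configuration" "backups" {
  bucket = aws_s3_bucket.backups.id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm     = "aws:kms"
      kms_master_key_id = var.phi_kms_key_arn
    }
    bucket_key_enabled = true
  }
}

# Refuse any request that is not made over TLS, so backups never cross the
# network in plaintext.
data "aws_iam_policy_document" "backups" {
  statement {
    sid       = "DenyInsecureTransport"
    effect    = "Deny"
    actions   = ["s3:*"]
    resources = [aws_s3_bucket.backups.arn, "${aws_s3_bucket.backups.arn}/*"]
    principals {
      type        = "*"
      identifiers = ["*"]
    }
    condition {
      test     = "Bool"
      variable = "aws:SecureTransport"
      values   = ["false"]
    }
  }
}

resource "aws_s3_bucket_policy" "backups" {
  bucket = aws_s3_bucket.backups.id
  policy = data.aws_iam_policy_document.backups.json
}
```

Note what lives where: RDS automated backups and snapshots are kept in AWS-managed storage, not in a bucket you own. What goes in this bucket is what you put there, such as snapshot exports (`aws rds start-export-task`) or application-level dumps. Restoring from RDS is done by creating a new instance from a snapshot or point in time, not by overwriting the live one, so the restore drill should be scripted and run on a schedule, not discovered during an incident.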