Aptible + TelePharm: HIPAA for Startups

Aptible + Telepharm HIPAA for Startups Presenters: Scott Ward, AWS
Frank Macreery, Aptible Caleb Boyd, Telepharm Kent Safranski, Telepharm June 23rd, 2015

AWS Compliance AWS maintains a formal control environment SOC 1
Type II report published every six months SOC 2 Security and Availability report every six months ISO 27001 Certification ISO 9001 Certification + Many more Certified PCI DSS 3.0 Level 1 Service Provider FedRAMP Certification HIPAA BAAs DoD CSM Levels 1-2, 3-5 GxP ISO 13485 AS9100 ISO/TS 16949

HIPAA Compliance HIPAA is there to protect the security and
privacy of Protected Health Information (PHI). PHI covers a wide set of personally identifiable health and health related data. HIPAA on AWS means that you are protecting all the PHI data and that you are only using AWS services which are covered by the BAA allowing you to protect PHI information.

AWS looks after the security of the platform Customers are
responsible for their security configuration IN the Cloud Security is shared between AWS and customers AWS Foundation Services Compute Storage Database Networking AWS Global Infrastructure Regions Availability Zones Edge Locations Encryption Key Management Client and Server Encryption Network Traffic Protection Platform, Applications, Identity & Access Management Operating System, Network & Firewall Configuration Customer content Customers

AWS HIPAA Eligible Services Customer may use all services within
a “HIPAA Account” Customers may process, store, or transmit ePHI using only Eligible Services Amazon EC2 Elastic Load Balancing (TCP mode only) Amazon S3 Amazon EBS Amazon Glacier Amazon Redshift

AWS HIPAA configuration requirements Customers must encrypt ePHI in transit
and at rest Customers must use EC2 Dedicated Instances for instances processing, storing, or transmitting ePHI Customers must record and retain activity related to use of and access to ePHI

Data Encryption at Rest Amazon Simple Storage Service (S3) Access
controls at bucket and object level Restrict access and rights Versioning S3 Cryptographic Features HTTPS for in transit data S3 Server Side Encryption S3 Client Side Encryption MD5 Checksums to verify file integrity Amazon Elastic Block Store (EBS) Implement AWS managed encryption Implement your own encryption AWS Partner solutions to help with encryption management and implementation EBS

Data Encryption in Transit AWS Service endpoints support https Customers
implement their own https or TLS encryption of data in transit to support their applications

Controlling your EC2 instances Launch instance EC2 AMI catalogue Running
instance Your instance You choose and control your image AWS Catalog Your own Marketplace Community You determine network placement VPC Subnet Security Groups Public IP address You configure your instance Harden operating system Host based firewall Control admin/user access Logging Configure instance

Dedicated EC2 Instances Shared Tenancy Dedicated Tenancy EC2 instance customer
#1 EC2 instance customer #2 EC2 instance customer #3 EC2 instance customer #4 EC2 instance customer #1 EC2 instance customer #1 EC2 instance customer #1 EC2 instance customer #1

Audit Controls - AWS CLOUDTRAIL You are making API calls...
On a growing set of services around the world… AWS CloudTrail is continuously recording API calls… And delivering log files to you Redshift AWS CloudFormation AWS Elastic Beanstalk

Implementing Security Delegate, automate, standardize

What Does HIPAA Require?

Physical Safeguards

Physical Safeguards Facility Management

Physical Safeguards Physical Contingency Plans

Physical Safeguards

General Technical Safeguards

General Technical Safeguards Encryption

General Technical Safeguards Data Backups

General Technical Safeguards Instance Access (SSH) Controls

General Technical Safeguards

Specific Technical Safeguards

Specific Technical Safeguards Authentication

Specific Technical Safeguards PHI Record Access Controls (Authorization)

Specific Technical Safeguards

Administrative Safeguards

Administrative Safeguards Policies & Procedures

Administrative Safeguards Risk Assessments

Administrative Safeguards Workforce Training

Administrative Safeguards

Specific Technical General Technical Physical

Delegation

Delegation Aptible delegates physical safeguards to AWS

Delegation Customers delegate administrative and (many) technical safeguards to Aptible

How does Aptible implement technical safeguards?

OpsWorks Chef CloudTrail CFN

OpsWorks Chef CFN General Technical Safeguards Specific Technical Safeguards

Unique SSH User Identification OpsWorks + IAM

A covered entity must… assign a unique name and/or number
for identifying and tracking user identity. §164.312(a)(2)(i) (Required)

Unique SSH User Identification OpsWorks + IAM

Unique SSH User Identification EC2 SSH key pair?

Unique SSH User Identification EC2 SSH key pair

Unique SSH User Identification Manual authorized_keys management?

Unique SSH User Identification Manual authorized_keys management

OpsWorks + IAM

IAM Identity and Access Management: Service for programmatically managing user
identities

OpsWorks Chef-based deployment platform

OpsWorks + IAM Gives visibility into current SSH permissions across
all EC2 instances

OpsWorks + IAM Makes it easy to rotate keys or
revoke access

OpsWorks + IAM Creates an audit log of all SSH
permission changes, through CloudTrail

End-to-end Encryption ELB—NGiNX—applications

A covered entity must… implement a mechanism to encrypt electronic
protected health information whenever deemed appropriate. §164.312(a)(2)(i) (Addressable)

AWS "Approved" Services

AWS "Approved" Services EC2 ELB EBS S3 Glacier Redshift

EC2 Must use dedicated instances for PHI

EBS All PHI volumes must be encrypted

ELB End-to-end encryption in transit

TCP OR HTTPS TCP OR HTTPS HTTPS HTTPS

https://github.com/aptible/docker-nginx https://quay.io/repository/aptible/nginx

Standardized SSL Termination Container Deployed everywhere we require encryption in
transit

Configurable via ENV $UPSTREAM_SERVERS

Configurable via ENV $UPSTREAM_SERVERS $FORCE_SSL $HSTS_MAX_AGE (…)

Configurable via ENV Makes testing easier

@test "It should send a Strict-Transport-Security header with FORCE_SSL" {
FORCE_SSL=true wait_for_nginx run curl -Ik https://localhost 2>/dev/null [[ "$output" =~ "Strict-Transport-Security: max-age=31536000" ]] }

Configurable via ENV Abstracts implementation details: could be NGiNX, HAProxy,
…

ENV configuration Simplifies configuration management: central store doesn’t need to
know parameters in advance

Implementing Security Delegate low-level or general security details to providers
like AWS and Aptible

Implementing Security Automate management of technical safeguards (e.g., through OpsWorks
+ IAM for SSH access)

Implementing Security Standardize implementation and deployment of key security infrastructure

Photo Documentation What is TelePharm? Remote Approval Hardware Agnostic Minimize
Pharmacist Time Multi-Site Workflow Management

Why Aptible Market Options (VPS v. PaaS) Cost (Initial and
Ongoing) Resource Requirements Uptime and Stability

Requirements and Challenges Minimize resource investment Scaling *Access Control *Auditing
*Data storage *Real-time Data processing *Requires HIPAA Compliance

Access Control Scoped by Tenant/Organization Role based Limited session length
Blacklist Detailed access logs

Auditing Log usage of DALs with current Principal Log usage
of endpoints and services Store actions taken on ePHI

Data storage and processing Managed encryption on document storage Managed
encryption on blob storage Managed encryption on (maybe) persistent cache storage • All solved with platform and infrastructure provided by AWS and Aptible.

Thank you

Aptible + TelePharm: HIPAA for Startups

Aptible + TelePharm: HIPAA for Startups

More Decks by Frank Macreery

Other Decks in Technology

Featured

Transcript