
HIPAA Dev Ops: Architecting Layers of Responsibility

Originally presented at AWS re:Invent 2014, as part of a panel talk, "HLS401: Architecting for HIPAA Compliance on AWS"

Full panel slides here: http://www.slideshare.net/AmazonWebServices/hls401-architecting-for-hipaa-compliance-on-aws-aws-reinvent-2014

Video here: https://www.youtube.com/watch?v=c_06psX2obI

Frank Macreery

November 12, 2014

Transcript

  1. © 2014 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified, or distributed in whole or in part without the express consent of Amazon.com, Inc.
     November 12, 2014 | Las Vegas
     HIPAA Dev Ops: Architecting Layers of Responsibility
     Frank Macreery, Aptible
  2. Layers of Responsibility
     Physical Safeguards
     • Facility Management
     • Physical Contingency Plans
     General Technical Safeguards
     • Encryption
     • Backups
     • Instance Access (SSH)
     Application-Specific Technical Safeguards
     • Authentication
     • Access Controls
     • PHI Access Logs
  3. Division of Responsibility
     • CloudFormation template sets up the secure network layout
     • Chef (OpsWorks) recipes + custom tools manage general security functions like SSL termination, EBS volume encryption, and backups
     • Applications run within Docker containers and manage their own framework-specific security/logging
  4. General Safeguard: Unique SSH Identities
     • Regulatory Requirement (§ 164.312(a)(2)(i), Unique user identification): "Assign a unique name and/or number for identifying and tracking user identity."
     • Aptible implementation: IAM + OpsWorks
     • Other potential solutions: Custom Chef recipes + data bag for authorized keys
  5. OpsWorks Deny by Default
     • SSH access is granted:
       – Only to IAM users
       – Only on a temporary basis
     • Chef-configured cron task locks down instances hourly
       gem install opsworks-cli
       opsworks allow frank --stack my-stack
       opsworks lockdown --stack my-stack
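Added example, not Aptible's opsworks-cli or its Chef recipes: a Ruby sketch of the deny-by-default model from slides 4 and 5, written along the lines of the "custom Chef recipes + data bag for authorized keys" alternative named on slide 4. `USERS` stands in for a data bag of one public key per named person, `allow` and `lockdown` are hypothetical counterparts of `opsworks allow` and `opsworks lockdown`, and `authorized_keys` / `write_authorized_keys` render the file a recipe would install. All names and keys are constructed placeholders.

```ruby
require 'tmpdir'

# Constructed stand-in for a Chef data bag: one unique user name per person,
# each with their own public key (placeholder strings, not real keys).
USERS = {
  'frank' => 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFRANKPLACEHOLDERKEY00000000000000000000000',
  'alice' => 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIALICEPLACEHOLDERKEY00000000000000000000000',
}.freeze

# Options prepended to every key line: an instance-access grant is for an
# audited shell session, not for tunnelling through the instance.
KEY_OPTIONS = 'no-agent-forwarding,no-port-forwarding,no-X11-forwarding'.freeze

# grants: { user => Time the grant expires }. Nothing is granted by default.
# Hypothetical counterpart of `opsworks allow <user>`: grant for `ttl` seconds.
def allow(grants, user, now: Time.now, ttl: 3600)
  unless USERS.key?(user)
    raise ArgumentError, "unknown user #{user.inspect}; add them to the data bag first"
  end
  grants.merge(user => now + ttl)
end

# Hypothetical counterpart of `opsworks lockdown`: drop every expired grant.
# Run hourly from cron so a forgotten grant cannot outlive its TTL.
def lockdown(grants, now: Time.now)
  grants.select { |_user, expires_at| expires_at > now }
end

# Render authorized_keys from the active grants only. The trailing comment is
# the user's unique name, so "Accepted publickey for <user>" in sshd's log
# maps back to exactly one person. Returns "" when nobody has access.
def authorized_keys(grants, now: Time.now)
  lockdown(grants, now: now).keys.sort.map do |user|
    "#{KEY_OPTIONS} #{USERS.fetch(user)} #{user}\n"
  end.join
end

# Write the rendered file atomically with the mode sshd expects (0600).
# This is the step a Chef `file` resource would perform on each instance.
def write_authorized_keys(path, grants, now: Time.now)
  tmp = "#{path}.tmp"
  File.open(tmp, 'w', 0o600) { |f| f.write(authorized_keys(grants, now: now)) }
  File.rename(tmp, path)
end

if __FILE__ == $PROGRAM_NAME
  t0 = Time.utc(2014, 11, 12, 9, 0, 0)
  grants = allow({}, 'frank', now: t0)                  # frank may log in for one hour
  puts authorized_keys(grants, now: t0)                 # one key line
  p authorized_keys(grants, now: t0 + 7200)             # "" once lockdown has run
  Dir.mktmpdir { |d| write_authorized_keys(File.join(d, 'authorized_keys'), grants, now: t0) }
end
```

The point of rendering the whole file from the grant list, rather than appending and deleting individual lines, is that a lockdown run always converges to the same state: a key that was added by hand outside the tooling disappears on the next hourly pass.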
  6. General Safeguard: Auditing SSH Access
     • Regulatory Requirement (§ 164.312(b), Audit controls): "Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information"
     • Aptible implementation: OpsWorks + Deny by Default + CloudTrail
     • Other potential solutions: Authy, syslog + Logstash + Elasticsearch + Kibana
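Added example, not part of the talk or of Aptible's tooling: the syslog side of the "other potential solutions" on slide 6, in Ruby. It parses sshd authentication lines of the kind a syslog to Logstash pipeline would ship and examines them against the deny-by-default model of slide 5: an accepted login to a shared account (root, ec2-user) cannot be tied to a unique user identity, an accepted login for a user with no active grant means the lockdown did not hold, and repeated failures from one source are flagged. The log lines, hostnames, addresses and fingerprints are constructed; `SHARED_ACCOUNTS` and `FAILURE_THRESHOLD` are assumptions for the example.

```ruby
# Matches sshd's authentication result lines as written to syslog
# (auth.log / secure). The "ssh2: <keytype> <fingerprint>" suffix is optional
# because password logins lack it.
SSHD_AUTH = /\A(?<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?<host>\S+) sshd\[(?<pid>\d+)\]: (?<outcome>Accepted|Failed) (?<method>\w+) for (?:invalid user )?(?<user>\S+) from (?<ip>\S+) port (?<port>\d+) ssh2(?:: (?<keytype>\S+) (?<fingerprint>\S+))?/

# Accounts more than one person could use (assumed list): a login here is not
# attributable to one individual, so it cannot satisfy unique identification.
SHARED_ACCOUNTS = %w[root ubuntu ec2-user].freeze

# Failed attempts from one source for one account before we report it (assumed).
FAILURE_THRESHOLD = 3

# Constructed sample log; hostnames, addresses and fingerprints are made up.
SAMPLE_LOG = <<~LOG.lines.map(&:chomp)
  Nov 12 09:01:02 ip-10-0-1-23 sshd[2345]: Accepted publickey for frank from 10.0.0.5 port 51234 ssh2: ED25519 SHA256:frankfrankfrankfrankfrankfrankfrankfrankfra
  Nov 12 09:03:15 ip-10-0-1-23 sshd[2351]: Failed publickey for invalid user bob from 10.0.0.9 port 40010 ssh2: RSA SHA256:bobbobbobbobbobbobbobbobbobbobbobbobbobbobbo
  Nov 12 09:03:16 ip-10-0-1-23 sshd[2351]: Failed publickey for invalid user bob from 10.0.0.9 port 40010 ssh2: RSA SHA256:bobbobbobbobbobbobbobbobbobbobbobbobbobbobbo
  Nov 12 09:03:17 ip-10-0-1-23 sshd[2351]: Failed password for invalid user bob from 10.0.0.9 port 40010 ssh2
  Nov 12 09:05:10 ip-10-0-1-23 sshd[2360]: Accepted publickey for alice from 10.0.0.7 port 51300 ssh2: ED25519 SHA256:alicealicealicealicealicealicealicealicealic
  Nov 12 09:07:00 ip-10-0-1-23 sshd[2370]: Accepted publickey for root from 10.0.0.9 port 40022 ssh2: RSA SHA256:rootrootrootrootrootrootrootrootrootrootrootroo
  Nov 12 09:10:00 ip-10-0-1-23 sshd[2345]: Disconnected from user frank 10.0.0.5 port 51234
LOG

# One log line -> structured event, or nil for lines that are not auth results.
def parse_sshd_auth(line)
  m = SSHD_AUTH.match(line)
  return nil unless m
  { ts: m[:ts], host: m[:host], pid: m[:pid].to_i,
    outcome: m[:outcome].downcase.to_sym, method: m[:method],
    user: m[:user], ip: m[:ip], port: m[:port].to_i,
    fingerprint: m[:fingerprint] }   # nil for password logins
end

# Examine the events against the deny-by-default model. `active_grants` is the
# list of user names that currently hold a temporary grant (see slide 5).
# Returns [events, findings]; findings are human-readable strings.
def audit_ssh(lines, active_grants:)
  events = lines.map { |l| parse_sshd_auth(l) }.compact
  findings = []

  events.select { |e| e[:outcome] == :accepted }.each do |e|
    where = "#{e[:ts]} #{e[:host]}"
    if SHARED_ACCOUNTS.include?(e[:user])
      findings << "#{where}: shared account '#{e[:user]}' logged in from #{e[:ip]}; not attributable to one user"
    elsif !active_grants.include?(e[:user])
      findings << "#{where}: '#{e[:user]}' logged in from #{e[:ip]} with no active grant; lockdown did not hold"
    end
  end

  failed = events.select { |e| e[:outcome] == :failed }
  failed.group_by { |e| [e[:user], e[:ip]] }.each do |(user, ip), es|
    next if es.size < FAILURE_THRESHOLD
    findings << "#{es.last[:ts]} #{es.last[:host]}: #{es.size} failed logins for '#{user}' from #{ip}"
  end

  [events, findings]
end

if __FILE__ == $PROGRAM_NAME
  _events, findings = audit_ssh(SAMPLE_LOG, active_grants: %w[frank])
  puts findings   # three findings: alice without a grant, root, repeated failures for bob
end
```

The grant list is the piece CloudTrail supplies in the Aptible setup (who ran `allow`, and when); joining it with sshd's own log is what turns a list of logins into an audit that can say whether each one was authorised.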
  7. Addressing Application-Specific Safeguards
     • Challenge: Many frameworks, many libraries, many specific implementation decisions
     • Solution: One "compliance API" to manage audit artifacts and the mapping from artifact type to requirements, many clients
  8. Application-Specific Safeguard: Authentication
     Authentication Audit Log (satisfies requirements):
     § 164.312(a)(1): Access control
     § 164.312(a)(2)(i): Unique user identification
     § 164.312(d): Person or entity authentication
     (…)
  9. Please give us your feedback on this presentation
     Join the conversation on Twitter with #reinvent
     HLS401: Architecting for HIPAA Compliance on AWS