HIPAA Workloads on AWS - Pop-up Loft Tel Aviv

Uploaded by: amazon-web-services

Posted on 18-Jan-2017

Page 1: HIPAA Workloads on AWS - Pop-up Loft Tel Aviv

HIPAA Workloads on AWS

Page 2

CVS

• In 2009 fined $2.25 million

• Disposing of protected health information in public dumpsters

• OCR Findings:

• Did not have adequate policies and safeguards

Page 3

Alaska Department of Health and Human Services

• In 2012, fined $1.7 million

• Unencrypted USB drive stolen from an employee's car

• OCR Findings:

• Failed to complete risk analysis

• Failed to implement adequate security measures

• Neglected to have security training for its employees

Page 4

WellPoint

• In 2013, fined $1.7 million

• Protected Health Information (PHI) accessible over the internet for 5 months

• OCR Findings:

• Failed to perform an adequate technical evaluation in response to a software upgrade

• Neglected to implement user verification technology for the Web-based patient database

Page 5

By: Ran Rothschild

Page 6

Page 7

Most frequent violations

1. Impermissible uses and disclosures of protected health information

2. Lack of safeguards of protected health information

3. Lack of patient access to their protected health information

4. Lack of administrative safeguards of electronic protected health information

5. Use or disclosure of more than the minimum necessary protected health information

Page 8

Most common types of covered entities that have been required to take corrective action

1. Private Practices

2. General Hospitals

3. Outpatient Facilities

4. Pharmacies

5. Health Plans (group health plans and health insurance issuers)

Page 9

What is PHI?

HIPAA regulations list eighteen different personal identifiers which, when linked together, are classed as Protected Health Information.

Who has responsibility to protect PHI?

Covered Entities, Business Associates and subcontractors

Page 10

Achieving HIPAA Compliance on AWS

Page 11

The 3 Pillars of HIPAA

Page 12

Internal Procedures and Processes

Page 13

Internal Procedures and Processes

IT Environments

Page 14

Internal Procedures and Processes

IT Environments

Constantly up to date

Page 15

HIPAA Security Rule

1. Administrative Safeguards

2. Physical Safeguards

3. Technical Safeguards

4. Policies, Procedures and Documentation governance

Page 16

IT

• Size does matter

• Complexity, capability, cost, probability and criticality of potential risk

• ‘Reasonably anticipated threats’

• Required vs. Addressable

Page 17

Constantly up to date and training

• Risk analysis (part of administrative safeguards)

• HITECH

• US Department of Health and Human Services (HHS.gov)

• Office for Civil Rights (OCR)

Page 18

AWS & HIPAA

Q: Is AWS HIPAA compliant? A: There is no HIPAA certification for a cloud provider such as AWS

Q: Will AWS sign BAA? A: Yes…but…

Q: Are all AWS services HIPAA compliant? A: No…Yes…PHI can only be stored, processed and transmitted in: DynamoDB, EBS, EC2, EMR, ELB, Glacier, RDS (MySQL & Oracle), Redshift, S3

Q: Are you aware of the Shared Responsibility Model?

Page 19

Do you comply?

1. Administrative – to create policies and procedures designed to clearly show how the entity will comply with the act.

2. Physical – to control physical access to areas of data storage, to protect against inappropriate access.

3. Technical – to protect communications containing PHI when transmitted electronically over open networks.

* Minimum necessary information!!!
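As an added illustration of the technical safeguard in point 3 (this policy is not part of the slides and is not AWS-provided text; the bucket name placeholder-phi-bucket is a made-up placeholder, and the second statement, which insists on SSE-KMS at rest, is an added hardening step beyond what the slide states): an S3 bucket policy for one of the PHI-eligible services listed earlier that refuses any request not carried over TLS, and refuses uploads that do not ask for KMS encryption at rest.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyNonTLSAccessToPHI",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::placeholder-phi-bucket",
        "arn:aws:s3:::placeholder-phi-bucket/*"
      ],
      "Condition": {
        "Bool": { "aws:SecureTransport": "false" }
      }
    },
    {
      "Sid": "DenyUnencryptedUploadsOfPHI",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::placeholder-phi-bucket/*",
      "Condition": {
        "StringNotEquals": { "s3:x-amz-server-side-encryption": "aws:kms" }
      }
    }
  ]
}
```

Both resource ARNs are needed in the first statement: the bucket ARN covers bucket-level calls such as listing, the `/*` ARN covers object reads and writes, so a plain-HTTP request to either is denied regardless of what IAM would otherwise allow. The second statement deliberately rejects a PutObject that relies on the bucket's default encryption instead of naming `aws:kms` in the request, so clients must state their intent explicitly; pair it with a default-encryption setting and CloudTrail logging of the denied calls so that an integration that starts failing is noticed rather than silently worked around.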

Page 20

Page 21

Thank You