AWS Government, Education, and Nonprofit Symposium | Washington, DC | June 25-26, 2015

Security & Privacy: Using AWS to Meet Requirements for HIPAA, CJIS, and FERPA

©2015, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Our Speakers

• Justin Lundy, CTO, CIO, and Co-Founder of Evident.IO
• Chris Gile, AWS Senior Manager, Security Assurance
• Elizabeth Boudreau, Senior Manager of Information Technology, Claritas Genomics/Boston Children’s Hospital

HIPAA Compliance on AWS

• Justin Lundy, Founder & CTO, Evident.io
• https://evident.io/
• [email protected]
• twitter.com/justinlundy_

HIPAA Overview

• Addresses the security and privacy of health data. The standards are meant to improve the efficiency and effectiveness of the nation's health care system by encouraging the widespread use of electronic data interchange in the U.S. health care system.

HIPAA Compliance on AWS

• Customers may use all services within a “HIPAA Account”, BUT
• Customers may process, store, or transmit ePHI using only eligible services:
  – Amazon Elastic Compute Cloud (Amazon EC2)
  – Amazon Elastic Block Store (Amazon EBS)
  – Elastic Load Balancing (ELB)
  – Amazon Simple Storage Service (Amazon S3)
  – Amazon Glacier
  – Amazon Redshift

AWS HIPAA Configuration Requirements

• Must encrypt ePHI in transit and at rest
• Must use Amazon EC2 dedicated instances for processing, storing, or transmitting ePHI
• Must record and retain activity related to use of and access to ePHI
• Unique user identification required
• Strong authentication required

HIPAA Compliance Case Study: Emdeon

• Emdeon is a leading provider of revenue and payment cycle management and clinical information exchange solutions, connecting payers, providers and patients in the U.S. healthcare system.

• “The combination of Emdeon’s leading intelligent financial, administrative, and clinical health information network, with AWS’s capabilities allows us to more quickly and more cost-effectively transform healthcare data into actionable insights that improve patient care, administrative processes, and payments.” - Emdeon President and CEO

HIPAA Access, Audit, and Integrity Controls

HIPAA Access Controls (164.312(a)(1))
• Template everything – AWS CloudFormation/Chef/Puppet
• CI/CD and automated testing
• AssumeRole, no insecure keys on disk
• No human interaction with ePHI
• Separate Dev/Stage/Prod environments

HIPAA Audit Controls (164.312(b))
• AWS CloudTrail
• High degree of transparency
• Change control monitoring
• Modern patching (launch new stack, terminate old)

HIPAA Integrity Controls (164.312(c))
• Limited production access
• Debugging w/o PHI
• All transactions persisted in Amazon S3
• Backup policy – encrypted Amazon S3 to encrypted Amazon Glacier
• Run out of multiple AZs using ELB in TCP proxy mode
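As an added example (not code from the talk, from Evident.io, or from AWS), the checker below evaluates a constructed resource inventory against the configuration requirements and controls listed in the two HIPAA slides above: dedicated EC2 tenancy, encryption at rest, CloudTrail logging, and strong authentication. The inventory shape loosely mirrors boto3 describe_* responses; every identifier is invented, and MfaActive is a simplified flag standing in for the IAM credential report's mfa_active column.

```python
"""Evaluate a constructed AWS resource inventory against the HIPAA
configuration requirements from the slides: dedicated EC2 tenancy,
encryption at rest, recorded activity (CloudTrail), strong authentication."""

# Constructed sample inventory. Keys mirror the shape of boto3's
# describe_instances / describe_volumes / describe_trails responses, but
# every value is invented for this example, not taken from a real account.
SAMPLE_INVENTORY = {
    "instances": [
        {"InstanceId": "i-0aaa", "Placement": {"Tenancy": "dedicated"}},
        {"InstanceId": "i-0bbb", "Placement": {"Tenancy": "default"}},
    ],
    "volumes": [
        {"VolumeId": "vol-0111", "Encrypted": True},
        {"VolumeId": "vol-0222", "Encrypted": False},
    ],
    "trails": [{"Name": "ephi-audit", "IsLogging": True}],
    "users": [
        {"UserName": "alice", "MfaActive": True},
        {"UserName": "svc-shared", "MfaActive": False},
    ],
}


def check_hipaa_account(inv):
    """Return (requirement, resource, problem) tuples; an empty list means clean."""
    findings = []
    # ePHI may only be processed, stored or transmitted on dedicated instances.
    for inst in inv["instances"]:
        tenancy = inst.get("Placement", {}).get("Tenancy", "default")
        if tenancy != "dedicated":
            findings.append(("dedicated-instances", inst["InstanceId"], f"tenancy is {tenancy}"))
    # ePHI at rest must be encrypted; checked here for EBS volumes.
    for vol in inv["volumes"]:
        if not vol.get("Encrypted", False):
            findings.append(("encrypt-at-rest", vol["VolumeId"], "EBS volume not encrypted"))
    # Activity must be recorded: at least one CloudTrail trail has to be logging.
    if not any(t.get("IsLogging", False) for t in inv["trails"]):
        findings.append(("audit-logging", "account", "no CloudTrail trail is logging"))
    # Strong authentication: every IAM user must have MFA active (simplified flag).
    for user in inv["users"]:
        if not user.get("MfaActive", False):
            findings.append(("strong-authentication", user["UserName"], "MFA not active"))
    return findings


if __name__ == "__main__":
    for req, resource, why in check_hipaa_account(SAMPLE_INVENTORY):
        print(f"[{req}] {resource}: {why}")
```

Feeding it real describe_* output would additionally require the S3, Glacier and Redshift encryption checks the slides list, which this example leaves out.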

HIPAA on AWS Summary

• AWS provides everything required to create secure and HIPAA-compliant systems
• AWS enables customers to own their security via predictable deployments for HIPAA-compliant apps
• Evident.io can partner as a Business Associate under a BAA
• Evident.io is an experienced partner that helps organizations build and maintain standards-compliant infrastructures securely in AWS.

HIPAA on AWS Web Tier Ref Architecture

Using AWS to meet CJIS and FERPA compliance

Chris Gile

AWS Senior Manager

Security Assurance

Using AWS to meet CJIS

• What is CJIS?
• How can AWS customers meet CJIS requirements?

What is CJIS?

• Criminal Justice Information Services Workloads
• CJIS Security Policy
  – Establishes a set of minimum security requirements for CJA and NCJA
  – CJIS-provided FedRAMP control mapping

AWS CJIS Workbook provides:

• AWS Shared Responsibility Model
• AWS alignment to AWS-applicable CJIS requirements
• Security plan template aligned to CJIS policy areas/requirements
• Systematic approach to implementing security requirements

Enabling customers for CJIS-compliant workloads

• AWS CJIS Security Policy Workbook available
• AWS will sign the CJIS Security Addendum
• AWS third-party audits provided through our FedRAMP program
• Utilizing AWS services/features to address requirements:
  – AWS CloudHSM/AWS KMS for key management
    • Encryption for data in transit/at rest required
  – AWS CloudTrail/VPC Flow Logging for auditing

FERPA on AWS

• What is FERPA?
• Why is it important?
• How customers use AWS to meet FERPA

What is FERPA?

• The Family Educational Rights & Privacy Act of 1974
• Support and promote protection of privacy and reasonable governance of student education records

Why is FERPA important?

• Provides students the right to inspect and review, governance over disclosure, and a mechanism to amend [their] incorrect educational records

Using AWS to meet FERPA

• Built-in firewalls – Configure built-in firewall rules to control access to your Amazon EC2 virtual instances.
• Authentication and authorization – Consider IAM and AWS customer-controlled credentials in the AWS environment.
• Guest operating system – AWS customers control virtual instances in Amazon EC2 and Amazon VPC.
• Storage – AWS storage options like Amazon EBS, Amazon S3, and Amazon RDS allow you to make data easily accessible to your applications or for backup.

Continued...

• Private subnets – Amazon VPC allows customers to add another layer of network security to their instances.
• Encrypted data storage – The data and objects stored in Amazon EBS, Amazon S3, Amazon Glacier, and Amazon Redshift can be optionally encrypted with AES-256.
• Dedicated connection option – Customers can establish a dedicated network connection from their premises to AWS.
• Perfect forward secrecy
• Security logs – AWS CloudTrail provides logs of user activity within your AWS account.

Continued...

• Asset identification and configuration – Customers use AWS Config to discover and view the configuration of their AWS resources.
• Centralized key management – AWS Key Management Service (KMS) and AWS CloudHSM to manage and administer your keys.
• AWS Trusted Advisor – Customers use AWS Trusted Advisor to monitor their resources, creating security and access policy alerts.

Building HIPAA-Level Security Solutions: Partnering with AWS

Elizabeth Boudreau

Senior Manager of IT

Claritas Genomics/ Boston Children’s Hospital

Data-Sharing Between Partner Institutions Creates HIPAA-Compliance Challenges

Shared Responsibility Model

• Layers of Security
• Proper Architecture
• Keeping Up with New Services
  – BAA Updates
  – Integration Into Infrastructure

AWS Benefits

• HIPAA Secured Data Processing
• Institutional Data Sharing
• New Data Source Integration
• Security Assistance
• Administrative Oversight
• Available Uptime

The Claritas Experience

• Partnered with AWS Professional Services
• Calculated Growth
• Created Policies
• Implemented Direct Connect
• Reacted to Heartbleed Vulnerability
• Withstood DDoS Attack
  – No Breach!!

Making It Work

• Start with small projects
• Account Management
  – R&D
  – Production Versus Development
• Train Your Employees and Partners
• Create a Culture of Audits
  – Be a trustworthy source
  – Document now to save time later

Thank You.

This presentation will be loaded to SlideShare the week following the Symposium.

http://www.slideshare.net/AmazonWebServices
