Security & Privacy: Using AWS to Meet Requirements for HIPAA, CJIS, and FERPA
Transcript of Security & Privacy: Using AWS to Meet Requirements for HIPAA, CJIS, and FERPA
AWS Government, Education, and Nonprofit Symposium, Washington, DC | June 25-26, 2015
Security & Privacy: Using AWS to Meet Requirements for HIPAA, CJIS, and FERPA
©2015, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Our Speakers
• Justin Lundy, CTO, CIO, and Co-Founder of Evident.IO
• Chris Gile, AWS Senior Manager, Security Assurance
• Elizabeth Boudreau, Senior Manager of Information Technology, Claritas Genomics/Boston Children’s Hospital
HIPAA Compliance on AWS
• Justin Lundy, Founder & CTO, Evident.io
• https://evident.io/
• [email protected]
• twitter.com/justinlundy_
HIPAA Overview
• Addresses the security and privacy of health data. The standards are meant to improve the efficiency and effectiveness of the nation's health care system by encouraging the widespread use of electronic data interchange in the U.S. health care system.
HIPAA Compliance on AWS
• Customers may use all services within a “HIPAA Account”, BUT
• Customers may only process, store, or transmit ePHI using the eligible services:
– Amazon Elastic Compute Cloud (Amazon EC2)
– Amazon Elastic Block Store (Amazon EBS)
– Elastic Load Balancing (ELB)
– Amazon Simple Storage Service (Amazon S3)
– Amazon Glacier
– Amazon Redshift
AWS HIPAA Configuration Requirements
• Must encrypt ePHI in transit and at rest
• Must use Amazon EC2 dedicated instances for processing, storing or transmitting ePHI
• Must record and retain activity related to use of and access to ePHI
• Unique user identification required
• Strong authentication required
HIPAA Compliance Case Study: Emdeon
• Emdeon is a leading provider of revenue and payment cycle management and clinical information exchange solutions, connecting payers, providers and patients in the U.S. healthcare system.
• “The combination of Emdeon’s leading intelligent financial, administrative, and clinical health information network, with AWS’s capabilities allows us to more quickly and more cost-effectively transform healthcare data into actionable insights that improve patient care, administrative processes, and payments.” - Emdeon President and CEO
HIPAA Access, Audit, and Integrity Controls
HIPAA Access controls (164.312(a)(1))
• Template everything – AWS CloudFormation/Chef/Puppet
• CI/CD and automated testing
• AssumeRole, no insecure keys on disk
• No human interaction with ePHI
• Separate Dev/Stage/Prod Environments
HIPAA Audit controls (164.312(b))
• AWS CloudTrail
• High degree of transparency
• Change Control Monitoring
• Modern Patching (Launch new stack, terminate old)
HIPAA Integrity Controls (164.312(c))
• Limited production access
• Debugging w/o PHI
• All transactions persisted in Amazon S3
• Backup Policy - Encrypted Amazon S3 to Encrypted Amazon Glacier
• Run out of multiple AZs using ELB in TCP Proxy Mode
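As an added example, not code from the talk, from AWS or from Evident.io, the following Python audit checks a constructed inventory against the AWS HIPAA configuration requirements listed earlier (dedicated tenancy for ePHI instances, encryption at rest, CloudTrail logging, strong authentication) and the audit-control bullets above. The `DataClass=ePHI` tag used to scope the checks, the simplified bucket and user fields, and every id and name are assumptions for this example; the instance, volume and trail dicts follow boto3 describe_* response shapes but nothing here calls AWS.

```python
"""Audit a constructed AWS inventory against the HIPAA configuration requirements on the
slides: ePHI only on dedicated EC2 instances, EBS volumes and S3 buckets encrypted at rest,
CloudTrail recording activity, and MFA (strong authentication) on every IAM user."""

# Constructed sample inventory: ids, tags and names are made up for this example.
# Instance/volume/trail dicts mimic boto3 describe_* shapes; bucket/user entries are simplified.
INVENTORY = {
    "instances": [
        {"InstanceId": "i-0aaa", "Placement": {"Tenancy": "dedicated"},
         "Tags": [{"Key": "DataClass", "Value": "ePHI"}]},
        {"InstanceId": "i-0bbb", "Placement": {"Tenancy": "default"},
         "Tags": [{"Key": "DataClass", "Value": "ePHI"}]},
        {"InstanceId": "i-0ccc", "Placement": {"Tenancy": "default"},
         "Tags": [{"Key": "DataClass", "Value": "public"}]},
    ],
    "volumes": [
        {"VolumeId": "vol-1", "Encrypted": True, "Attachments": [{"InstanceId": "i-0aaa"}]},
        {"VolumeId": "vol-2", "Encrypted": False, "Attachments": [{"InstanceId": "i-0bbb"}]},
    ],
    "buckets": [{"Name": "ephi-archive", "Encrypted": True}, {"Name": "ephi-raw", "Encrypted": False}],
    "trails": [{"Name": "org-trail", "IsMultiRegionTrail": True, "IsLogging": True}],
    "users": [{"UserName": "alice", "MFADevices": 1}, {"UserName": "shared-ops", "MFADevices": 0}],
}

def tag_value(resource, key):
    """Return the value of tag `key` on an EC2 resource, or None if absent."""
    return {t["Key"]: t["Value"] for t in resource.get("Tags", [])}.get(key)

def audit(inv):
    """Return (control, resource) tuples for each requirement the inventory violates."""
    findings = []
    ephi_ids = set()
    for inst in inv["instances"]:
        if tag_value(inst, "DataClass") != "ePHI":
            continue  # scope: only instances that process, store or transmit ePHI (assumed tag)
        ephi_ids.add(inst["InstanceId"])
        if inst["Placement"]["Tenancy"] != "dedicated":
            findings.append(("DEDICATED_TENANCY", inst["InstanceId"]))
    for vol in inv["volumes"]:
        attached = {a["InstanceId"] for a in vol.get("Attachments", [])}
        if attached & ephi_ids and not vol["Encrypted"]:  # ePHI at rest must be encrypted
            findings.append(("EBS_ENCRYPTION", vol["VolumeId"]))
    for bucket in inv["buckets"]:
        if not bucket["Encrypted"]:
            findings.append(("S3_ENCRYPTION", bucket["Name"]))
    if not any(t["IsLogging"] and t["IsMultiRegionTrail"] for t in inv["trails"]):
        findings.append(("CLOUDTRAIL_LOGGING", "account"))  # record and retain ePHI access
    for user in inv["users"]:
        if user["MFADevices"] == 0:  # strong authentication for every unique user
            findings.append(("STRONG_AUTH_MFA", user["UserName"]))
    return findings
```

Running `audit(INVENTORY)` on the constructed inventory reports the default-tenancy ePHI instance, its unencrypted volume, the unencrypted bucket and the user without MFA, while the public instance and its volume are ignored.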
HIPAA on AWS Summary
• AWS provides everything required to create secure and HIPAA-compliant systems
• AWS enables customers to own their security via predictable deployments for HIPAA-compliant apps
• Evident.io can partner as a Business Associate under a BAA
• Evident.io is an experienced partner that helps organizations build and maintain standards-compliant infrastructures securely in AWS.
HIPAA on AWS Web Tier Ref Architecture
Using AWS to meet CJIS and FERPA compliance
Chris Gile
AWS Senior Manager
Security Assurance
Using AWS to meet CJIS
• What is CJIS?
• How can AWS customers meet CJIS requirements?
What is CJIS?
• Criminal Justice Information Services Workloads
• CJIS Security Policy
– Establish set of minimum security requirements for CJA and NCJA
– CJIS-provided FedRAMP control mapping
AWS CJIS Workbook provides
• AWS Shared Responsibility Model
• AWS alignment to AWS-applicable CJIS requirements
• Security plan template aligned to CJIS policy areas/requirements
• Systematic approach of implementing security requirements
Enabling customers for CJIS-compliant workloads
• AWS CJIS Security Policy Workbook available
• AWS will sign CJIS Security Addendum
• AWS third-party audits provided through our FedRAMP program
• Encryption for data in transit/at rest required
• Utilizing AWS services/features to address requirements:
– AWS CloudHSM/AWS KMS for key management
– AWS CloudTrail/VPC Flow Logging for auditing
FERPA on AWS
• What is FERPA?
• Why is it important?
• How customers use AWS to meet FERPA
What is FERPA?
• The Family Educational Rights & Privacy Act of 1974
• Support and promote protection of privacy and reasonable governance of student education records
Why is FERPA important?
• Provides students the right to inspect and review, governance over disclosure, and a mechanism to amend [their] incorrect educational records
Using AWS to meet FERPA
• Built-in firewalls – Configure built-in firewall rules to control access to your Amazon EC2 virtual instances.
• Authentication and authorization – Consider IAM and AWS customer-controlled credentials in AWS environment.
• Guest operating system – AWS customers control virtual instances in Amazon EC2 and Amazon VPC.
• Storage – AWS storage options like Amazon EBS, Amazon S3, and Amazon RDS allow you to make data easily accessible to your applications or for backup.
Continued..
• Private subnets – Amazon VPC allows customers to add another layer of network security to their instances.
• Encrypted data storage – The data and objects stored in Amazon EBS, Amazon S3, Amazon Glacier, Amazon Redshift can be optionally encrypted with AES 256.
• Dedicated connection option – Customers can establish a dedicated network connection from your premises to AWS.
• Perfect forward secrecy
• Security logs – AWS CloudTrail provides logs of user activity within your AWS account.
Continued..
• Asset identification and configuration – Customers use AWS Config to discover and view the configuration of their AWS resources.
• Centralized key management – AWS Key Management Service (KMS) and AWS CloudHSM to manage and administer your keys.
• AWS Trusted Advisor – Customers use AWS Trusted Advisor to monitor their resources, creating security and access policy alerts.
Building HIPAA-Level Security Solutions: Partnering with AWS
Elizabeth Boudreau
Senior Manager of IT
Claritas Genomics/ Boston Children’s Hospital
Data-Sharing Between Partner Institutions Creates HIPAA-Compliance Challenges
Shared Responsibility Model
• Layers of Security
• Proper Architecture
• Keeping Up with New Services
– BAA Updates
– Integration Into Infrastructure
AWS Benefits
• HIPAA Secured Data Processing
• Institutional Data Sharing
• New Data Source Integration
• Security Assistance
• Administrative Oversight
• Available Uptime
The Claritas Experience
• Partnered with AWS Professional Services
• Calculated Growth
• Created Policies
• Implemented Direct Connect
• Reacted To Heartbleed Vulnerability
• Withstood DDOS Attack
– No Breach!!
Making It Work
• Start with small projects
• Account Management
– R&D
– Production Versus Development
• Train Your Employees and Partners
• Create a Culture of Audits
– Be a trustworthy source
– Document now to save time later
Thank You.
This presentation will be loaded to SlideShare the week following the Symposium.
http://www.slideshare.net/AmazonWebServices