Architecting for HIPAA Security and Compliance on Amazon EKS

Publication date: March 27, 2022

Abstract

This whitepaper extends the technical and configuration-related information for Amazon EKS provided in the Architecting for HIPAA Security and Compliance on Amazon Web Services whitepaper, and outlines how customers may use AWS services to run regulated containerized workloads in accordance with their U.S. Health Insurance Portability and Accountability Act (HIPAA) requirements.

This whitepaper focuses on the considerations pertaining to the HIPAA Privacy and Security Rules for protecting Protected Health Information (PHI); technical and configuration information regarding encrypting data in transit and at rest; and how Amazon Elastic Kubernetes Service (Amazon EKS) features can be used to run Kubernetes applications containing PHI. AWS does not provide legal or compliance advice. We recommend that customers consult their legal counsel if they have legal questions regarding HIPAA compliance. Customers are responsible for making their own independent assessment of the information in this paper and any use of AWS products or services, including whether the information or the AWS services meet their regulatory, compliance, or operational requirements.

Introduction

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) applies to “Covered Entities” and “Business Associates.” HIPAA was expanded in 2009 by the Health Information Technology for Economic and Clinical Health (HITECH) Act.

HIPAA and HITECH establish a set of federal standards intended to protect the security and privacy of PHI. HIPAA and HITECH impose requirements related to the use and disclosure of protected health information (PHI), appropriate safeguards to protect PHI, individual rights, and administrative responsibilities. For more information on HIPAA and HITECH, see Health Information Privacy Home.

Covered Entities and their Business Associates can use the secure, scalable, low-cost IT components provided by Amazon Web Services (AWS) to architect applications in alignment with HIPAA and HITECH compliance requirements. AWS offers commercial-off-the-shelf infrastructures with industry-recognized certifications and audits such as ISO 27001, FedRAMP, and the Service Organization Control Reports (SOC1, SOC2, and SOC3). AWS services and data centers have multiple layers of operational and physical security to help ensure the integrity and safety of customer data. With no minimum fees, no term-based contracts required, and pay-as-you-use pricing, AWS is a reliable and effective solution for growing healthcare industry applications.

AWS enables covered entities and their business associates subject to HIPAA to securely process, store, and transmit PHI. Additionally, as of July 2013, AWS offers a standardized Business Associate Addendum (BAA) for such customers. Customers who execute an AWS BAA may use any AWS service in an account designated as a HIPAA Account, but they may only process, store and transmit PHI using the HIPAA-eligible services defined in the AWS BAA. For a complete list of these services, see the HIPAA Eligible Services Reference page.

AWS maintains a standards-based risk management program to ensure that the HIPAA-eligible services specifically support HIPAA administrative, technical, and physical safeguards. Using these services to store, process, and transmit PHI helps our customers and AWS to address the HIPAA requirements applicable to the AWS utility-based operating model.

At the time of publication, the AWS standard BAA requires customers to encrypt PHI stored in, or transmitted using, HIPAA-eligible services in accordance with guidance from the Secretary of Health and Human Services (HHS). Refer to the HHS guidance directly, as it could be updated or made available on a successor (or related) site designated by HHS.

Listing a service as HIPAA-eligible does not mean that a customer’s use of the service automatically ensures HIPAA-related safeguards are in place. More accurately, it indicates that the service can be configured to meet HIPAA-related safeguards. Where parameters are accessible and configurable by customers, it is the customer’s responsibility to ensure they are configured to meet compliance requirements.

AWS container solutions include managed services such as Amazon Elastic Container Service (Amazon ECS) and Amazon Elastic Kubernetes Service (Amazon EKS). Each service supports deployment on either AWS Fargate or Amazon Elastic Compute Cloud (Amazon EC2). AWS Fargate is a serverless compute engine that removes the need to provision and manage EC2 instances. For Amazon EC2 deployments, customers manage the underlying EC2 instances running the containers.

The benefits of transitioning workloads to container services include solution independence, deployment speed, and resource efficiency. As with any cloud workload, it is important to understand how to architect for security in containers. The transient and dynamic nature of container environments may make their security posture difficult to assess.

Attack vectors for containerized applications are similar to those faced by non-container-based application deployments, with the addition of the container management layer. As with other application deployments, we recommend that you continue to follow established best practices, including adherence to the Open Web Application Security Project (OWASP) recommendations.

Containers are typically architected to perform a single primary task, which in turn creates a distributed environment. The services implemented by containers become more network interdependent and necessitate scheduling, scaling, and resource management. Unlike virtual machines, containers share the host operating system’s kernel. This setup can provide a common point of attack that, if compromised, could be leveraged to access all containers on a given host. When running multiple containers on a single operating system, all of the containers may also share a common network interface. In this whitepaper, we discuss the various architectures that you can build around AWS services to mitigate this security risk.