Architecting for HIPAA Security and Compliance on Amazon EKS
Publication date: March 27, 2022 (Document history)
Abstract
This whitepaper extends the technical and configuration-related information for Amazon EKS provided in the Architecting for HIPAA Security and Compliance on Amazon Web Services whitepaper, and outlines how customers may use AWS services to run regulated containerized workloads in accordance with their U.S. Health Insurance Portability and Accountability Act (HIPAA) requirements.
This whitepaper focuses on the considerations pertaining to the HIPAA Privacy and Security Rules for protecting Protected Health Information (PHI); technical and configuration information regarding encrypting data in transit and at rest; and how Amazon Elastic Kubernetes Service (Amazon EKS) features can be used to run Kubernetes applications containing PHI. AWS does not provide legal or compliance advice. We recommend that customers consult their legal counsel if they have legal questions regarding HIPAA compliance. Customers are responsible for making their own independent assessment of the information in this paper and any use of AWS products or services, including whether the information or the AWS services meet their regulatory, compliance, or operational requirements.
Introduction
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) applies to “Covered Entities” and “Business Associates.” HIPAA was expanded in 2009 by the Health Information Technology for Economic and Clinical Health (HITECH) Act.
HIPAA and HITECH establish a set of federal standards intended to protect the security and privacy of PHI. HIPAA and HITECH impose requirements related to the use and disclosure of protected health information (PHI), appropriate safeguards to protect PHI, individual rights, and administrative responsibilities. For more information on HIPAA and HITECH, see Health Information Privacy Home.
Covered Entities and their Business Associates can use the secure, scalable, low-cost IT components provided by Amazon Web Services (AWS) to architect applications in alignment with HIPAA and HITECH compliance requirements. AWS offers commercial-off-the-shelf infrastructures with industry-recognized certifications and audits such as ISO 27001
AWS enables covered entities and their business associates subject to HIPAA to securely process, store, and transmit PHI. Additionally, as of July 2013, AWS offers a standardized Business Associate Addendum (BAA) for such customers. Customers who execute an AWS BAA may use any AWS service in an account designated as a HIPAA Account, but they may only process, store, and transmit PHI using the HIPAA-eligible services defined in the AWS BAA. For a complete list of these services, see the HIPAA Eligible Services Reference.
AWS maintains a standards-based risk management program to ensure that the HIPAA-eligible services specifically support HIPAA administrative, technical, and physical safeguards. Using these services to store, process, and transmit PHI helps our customers and AWS to address the HIPAA requirements applicable to the AWS utility-based operating model.
At the time of publication, the AWS standard BAA requires customers to encrypt PHI stored in, or transmitted using, HIPAA-eligible services in accordance with guidance from the Secretary of Health and Human Services (HHS). Refer to this site
A service listed as HIPAA-eligible does not mean the use of the service by our customers automatically confirms HIPAA-related safeguards are in place. It more appropriately indicates the service has the ability to be configured to meet HIPAA-related safeguards. Where parameters are accessible and configurable by customers, it is the customer’s responsibility to ensure they are configured to meet compliance requirements.
AWS container solutions include managed services such as Amazon Elastic Container Service
The benefits of transitioning workloads to container services include solutions independence, deployment speed, and resource efficiency. As with any cloud workload, it's important to understand how to architect for security in containers. The transient and dynamic nature of container environments may make security difficult to assess.
Attack vectors for containerized applications are similar to those faced by non-container-based application deployments with the addition of the container management layer. As with other application deployments, we recommend that you continue to operate within best practices, including adherence to Open Web Application Security Project’s
Container functions are typically architected to perform primary tasks, which in turn creates a distributed environment. The services implemented by containers become more network interdependent and necessitate scheduling, scaling, and resource management. Unlike virtual machines, containers share the operating system’s kernel. This setup can provide a common point of attack that can be leveraged to access all containers for a given host. When running multiple containers on a single operating system, all of the containers may share a common network interface. In this whitepaper, we will discuss the various architectures that you can build around AWS services to mitigate this security risk.