Case Study: Helping Swift Medical achieve HIPAA Compliance on AWS
Swift Medical is a leading provider of medical imaging applications for wound assessment. To give their AWS platform the highest level of security for customer protected health information (PHI), Swift Medical engaged Casey Labs to bring their AWS deployment into HIPAA compliance.
Working within Amazon’s Shared Responsibility Model, Casey Labs helped architect a secure deployment for Swift Medical.
The Health Insurance Portability and Accountability Act (HIPAA) is an American law that establishes privacy and security regulations for medical data. Under HIPAA, PHI must be encrypted while in transit between servers and while at rest in storage.
Customers wishing to achieve HIPAA compliance can sign a Business Associate Agreement (BAA) with AWS, under which Amazon commits that certain certified services on its side (e.g. EC2, RDS) will also be HIPAA compliant.
Restricted scope of HIPAA-Compliant AWS services
It should be noted, however, that not all Amazon services fall under a Business Associate Agreement. For example, at the time of Swift Medical’s deployment, ElastiCache was not covered by a BAA. As such, Casey Labs developed a highly-available and encrypted Redis solution as an alternative.
At the beginning of 2016, the following services were available for a BAA on AWS:
- Amazon DynamoDB
- Amazon EBS
- Amazon EC2
- Amazon Elastic MapReduce (EMR)
- Amazon Elastic Load Balancer (ELB)
- Amazon Glacier
- Amazon Relational Database Service (RDS) (MySQL and Oracle engines only)
- Amazon Redshift
- Amazon S3
Since not all services are covered by a BAA, custom solutions will need to be built for any service through which PHI passes (e.g. building your own Microsoft SQL Server deployment rather than using an uncovered managed engine).
Data transmitted within a VPC must also be encrypted
It’s not enough to encrypt external web traffic to a load balancer with HTTPS. All servers within your VPC that could transmit PHI must also encrypt their internal traffic, so the hop from the load balancer to the application tier, and from the application tier to caches and databases, is encrypted as well.
Data must be highly available
This means not only spreading your servers across a minimum of two Availability Zones, but also making the servers themselves highly available, with the option of backing up to, or failing over to, another AWS region.
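The three requirements above (PHI only on BAA-covered services, encryption inside the VPC and at rest, and multi-AZ deployment) lend themselves to a simple architecture inventory check. The following Python script is an added illustration, not Casey Labs’ or Swift Medical’s own tooling: the inventory format, component names and protocol labels are constructed, and the BAA-eligible service list is the early-2016 list quoted in this case study, so it is historical rather than current.

```python
"""Inventory audit for the HIPAA-on-AWS requirements described in the case
study: PHI only on BAA-eligible services, encryption in transit inside the
VPC as well as at the edge, encryption at rest, and multi-AZ deployment.

Added illustration; the inventory format and component names are
constructed and are not Casey Labs' or Swift Medical's own tooling."""
from dataclasses import dataclass, field
from typing import List

# Services eligible for a BAA at the beginning of 2016, as listed in the
# case study. Historical list; check AWS's current list before relying on it.
BAA_ELIGIBLE_2016 = {
    "DynamoDB", "EBS", "EC2", "EMR", "ELB", "Glacier", "RDS", "Redshift", "S3",
}
# RDS engines covered at that time (MySQL and Oracle only, per the case study).
BAA_RDS_ENGINES_2016 = {"mysql", "oracle"}

# Listener protocols treated as encrypted in transit (constructed labels).
ENCRYPTED_PROTOCOLS = {"https", "tls", "redis+tls", "mysql+tls", "postgres+tls"}


@dataclass
class Listener:
    port: int
    protocol: str   # e.g. "https", "http", "redis", "redis+tls"
    internal: bool  # True if reachable only from inside the VPC


@dataclass
class Component:
    name: str
    service: str                 # AWS service the component runs on
    handles_phi: bool
    availability_zones: List[str]
    listeners: List[Listener] = field(default_factory=list)
    engine: str = ""             # RDS engine, where applicable
    encrypted_at_rest: bool = False
    zonal: bool = True           # False for regional services such as S3


def audit(components: List[Component]) -> List[str]:
    """Return one finding per requirement that a PHI-handling component violates."""
    findings = []
    for c in components:
        if not c.handles_phi:
            continue  # components that never see PHI are out of scope here
        if c.service not in BAA_ELIGIBLE_2016:
            findings.append(f"{c.name}: {c.service} is not covered by the BAA; PHI must not pass through it")
        if c.service == "RDS" and c.engine.lower() not in BAA_RDS_ENGINES_2016:
            findings.append(f"{c.name}: RDS engine '{c.engine}' is not covered by the BAA")
        for lst in c.listeners:
            if lst.protocol.lower() not in ENCRYPTED_PROTOCOLS:
                scope = "internal (VPC)" if lst.internal else "external"
                findings.append(f"{c.name}: {scope} listener on port {lst.port} uses unencrypted {lst.protocol}")
        if c.zonal and len(set(c.availability_zones)) < 2:
            findings.append(f"{c.name}: deployed in fewer than two Availability Zones")
        if not c.encrypted_at_rest:
            findings.append(f"{c.name}: PHI storage is not encrypted at rest")
    return findings


def sample_inventory() -> List[Component]:
    """Constructed inventory mixing compliant and non-compliant components."""
    return [
        # Web tier: HTTPS at the edge but plain HTTP from the load balancer inward.
        Component("web-tier", "EC2", True, ["us-east-1a", "us-east-1b"],
                  [Listener(443, "https", False), Listener(8080, "http", True)],
                  encrypted_at_rest=True),
        # Managed cache: not BAA-eligible at the time, single AZ, unencrypted.
        Component("session-cache", "ElastiCache", True, ["us-east-1a"],
                  [Listener(6379, "redis", True)]),
        # Self-managed replacement cache on EC2: TLS, two AZs, encrypted volumes.
        Component("session-cache-custom", "EC2", True, ["us-east-1a", "us-east-1b"],
                  [Listener(6379, "redis+tls", True)], encrypted_at_rest=True),
        # Primary database on a covered engine, multi-AZ, TLS to clients.
        Component("phi-db", "RDS", True, ["us-east-1a", "us-east-1b"],
                  [Listener(3306, "mysql+tls", True)], engine="mysql",
                  encrypted_at_rest=True),
        # Database on an engine that the 2016 BAA did not cover.
        Component("phi-db-legacy", "RDS", True, ["us-east-1a", "us-east-1b"],
                  [Listener(5432, "postgres+tls", True)], engine="postgres",
                  encrypted_at_rest=True),
        # Public marketing site: no PHI, so exempt from these checks.
        Component("marketing-site", "EC2", False, ["us-east-1a"],
                  [Listener(80, "http", False)]),
    ]


if __name__ == "__main__":
    for finding in audit(sample_inventory()):
        print(finding)
```

Run against the constructed inventory, the audit reports six findings: the plain-HTTP hop behind the load balancer, four problems with the managed cache (uncovered service, unencrypted listener, single AZ, no encryption at rest), and the uncovered database engine. The self-managed TLS cache and the multi-AZ MySQL database pass, and the non-PHI marketing site is skipped. In a real environment the inventory would be generated from the account’s resource listings rather than typed in by hand.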
Working in conjunction with Casey Labs, Swift Medical was able to create a highly-available, redundant, encrypted, HIPAA-compliant architecture, providing the best in security and availability for their clients.