September 2015

Amazon EC2 : Enforcing HIPAA compliant hosting

HIPAA (Health Insurance Portability and Accountability Act) directs the U.S. Department of Health and Human Services (HHS) to establish national standards for processing electronic healthcare transactions. It also requires healthcare organizations to implement secure electronic access to health data and to remain in compliance with the privacy regulations set by HHS. So any data that carries medical information must meet the HIPAA rules: both the data shared over the web (data in transit) and the data stored on disk (data at rest) must be encrypted and secured.

These are the major aspects of HIPAA compliance that I cover here:

1. Security of data in transit
2. Encryption of data at rest
3. Backup data

My project runs on the Linux platform and has 3 web servers, a MySQL RDS instance and Amazon S3 storage. I've configured one of the web servers as an NFS file server that shares common files with the other web server nodes. (Note that NFS traffic is unencrypted by default; if PHI lives on that share, restrict the NFS ports to the web server security group at minimum.) The steps I took towards HIPAA compliance:

1. Migrate instances to dedicated instances

Most customers use On-Demand instances with default tenancy, which run on hardware shared with other AWS customers. At the time of writing, the AWS Business Associate Agreement (BAA) requires instances that process or store PHI to run with dedicated tenancy.

There is no option to switch a running default-tenancy instance to dedicated tenancy in place. Instead, create an EBS-backed AMI of the On-Demand instance, launch a replacement from that AMI, and choose "Dedicated tenancy (single tenant hardware)" in the launch wizard while configuring the replacement instance. Once the replacement is verified, move the Elastic IP or DNS record over and terminate the old instance.

That satisfies the dedicated-tenancy requirement. It does not make the instance HIPAA compliant on its own; the encryption and transport steps below are still needed. Note also that dedicated instances are billed at a higher rate than default tenancy.

2. Using encrypted EBS volumes (data at rest rule).
All customer and medical information must be stored on an encrypted disk, so that nobody can read the data if the storage is stolen or the underlying disk is reused. Windows 8 (BitLocker) and Linux (LUKS) can protect a drive with a password, and the password can be supplied when the disk is attached and mounted so the OS does not prompt for it. Back on Amazon EC2, the equivalent is EBS encryption, and the existing volume has to be migrated to an encrypted one: create a new volume and enable encryption while setting up the storage, using either the default EBS key or a KMS key you create yourself.


Or create a snapshot of the existing volume, copy the snapshot with encryption enabled, and create the new disk from the encrypted copy. Attach it, copy the data over, and update /etc/fstab so the encrypted volume is mounted at the old mount point.

Note : At the time of writing, the EBS boot (root) volume cannot be encrypted. So do not store any PHI (Protected Health Information) data on a non-encrypted EBS volume, the root volume included: keep database files, uploads and logs that may contain PHI on the encrypted data volume.

3. Backup EBS volumes must be encrypted.

Encrypt the volume where you keep the backups; snapshots taken from an encrypted EBS volume are encrypted automatically, while snapshots of an unencrypted volume are not. Ensure that only authorized people can access the backups, and that logins and access are audited (CloudTrail records the API side, such as who created, copied or shared a snapshot).
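To check that steps 1 to 3 actually hold across an account, here is an added audit script (my addition for this page, not part of the original post or of any AWS tool). It reads the JSON that `aws ec2 describe-instances`, `describe-volumes` and `describe-snapshots` print, flags instances that are not dedicated tenancy, unencrypted data volumes and unencrypted snapshots, and only warns about the unencrypted root volume, since that could not be encrypted at the time. The instance, volume and snapshot IDs embedded in it are constructed samples, not real resources.

```python
"""Added example (not from the post): audit an AWS account against steps 1-3
above.  Input is the JSON printed by `aws ec2 describe-instances`,
`describe-volumes` and `describe-snapshots`; the documents embedded below
are constructed samples with made-up IDs, not real resources."""
import json
import sys

SAMPLE_INSTANCES = json.loads("""{"Reservations": [{"Instances": [
  {"InstanceId": "i-0aaa", "Placement": {"Tenancy": "dedicated"},
   "RootDeviceName": "/dev/xvda",
   "BlockDeviceMappings": [
     {"DeviceName": "/dev/xvda", "Ebs": {"VolumeId": "vol-root1"}},
     {"DeviceName": "/dev/xvdf", "Ebs": {"VolumeId": "vol-data1"}}]},
  {"InstanceId": "i-0bbb", "Placement": {"Tenancy": "default"},
   "RootDeviceName": "/dev/xvda",
   "BlockDeviceMappings": [
     {"DeviceName": "/dev/xvda", "Ebs": {"VolumeId": "vol-root2"}},
     {"DeviceName": "/dev/xvdf", "Ebs": {"VolumeId": "vol-data2"}}]}
]}]}""")
SAMPLE_VOLUMES = json.loads("""{"Volumes": [
  {"VolumeId": "vol-root1", "Encrypted": false},
  {"VolumeId": "vol-data1", "Encrypted": true},
  {"VolumeId": "vol-root2", "Encrypted": false},
  {"VolumeId": "vol-data2", "Encrypted": false}]}""")
SAMPLE_SNAPSHOTS = json.loads("""{"Snapshots": [
  {"SnapshotId": "snap-1", "VolumeId": "vol-data1", "Encrypted": true},
  {"SnapshotId": "snap-2", "VolumeId": "vol-data2", "Encrypted": false}]}""")


def audit(instances, volumes, snapshots):
    """Return (severity, resource_id, message) tuples.  'fail' is a hard
    violation of the rules above; 'warn' is the unencrypted root volume,
    which could not be encrypted at the time, so PHI must stay off it."""
    encrypted = {v["VolumeId"]: v["Encrypted"] for v in volumes["Volumes"]}
    findings = []
    for reservation in instances["Reservations"]:
        for inst in reservation["Instances"]:
            iid = inst["InstanceId"]
            tenancy = inst["Placement"]["Tenancy"]
            if tenancy != "dedicated":
                findings.append(("fail", iid, "tenancy is '%s', BAA requires dedicated" % tenancy))
            for bdm in inst.get("BlockDeviceMappings", []):
                vid = bdm["Ebs"]["VolumeId"]
                if encrypted.get(vid, False):
                    continue
                if bdm["DeviceName"] == inst["RootDeviceName"]:
                    findings.append(("warn", iid, "root volume %s is unencrypted; keep PHI off it" % vid))
                else:
                    findings.append(("fail", iid, "data volume %s is unencrypted" % vid))
    for snap in snapshots["Snapshots"]:
        if not snap["Encrypted"]:
            findings.append(("fail", snap["SnapshotId"], "backup of %s is unencrypted" % snap["VolumeId"]))
    return findings


def main(argv):
    """With three file paths, audit saved CLI output; otherwise the sample."""
    if len(argv) == 4:
        docs = [json.load(open(p)) for p in argv[1:]]
    else:
        docs = [SAMPLE_INSTANCES, SAMPLE_VOLUMES, SAMPLE_SNAPSHOTS]
    findings = audit(*docs)
    for severity, rid, msg in findings:
        print("%-4s %-10s %s" % (severity.upper(), rid, msg))
    return 1 if any(f[0] == "fail" for f in findings) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Save the three CLI outputs to files and run `python audit.py instances.json volumes.json snapshots.json`; the exit code is non-zero whenever a hard violation is found, so it can gate a deployment. Without arguments it runs against the embedded sample, which deliberately contains a default-tenancy instance, an unencrypted data volume and an unencrypted snapshot.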

4. PHI data must be transmitted over SSL/TLS (https)
If you use web servers to serve medical data, install a certificate and make every page accessible only over https: configure the web server to redirect all plain-http requests to the https URL, so nothing containing PHI is ever served over port 80. If the servers sit behind an Elastic Load Balancer that terminates TLS, the redirect has to look at the X-Forwarded-Proto header, because the instance itself only sees plain http.
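The redirect-to-https rule can be enforced in the web server configuration or in the application itself; the following WSGI middleware is an added example (mine, not the post's code or any framework's) of the application-side version. It redirects plain-http requests to the https URL, adds a Strict-Transport-Security header to https responses, and has a switch for the case where an Elastic Load Balancer terminates TLS and passes the original scheme in X-Forwarded-Proto. The host name clinic.example and the phi_app stand-in are assumptions for the demonstration.

```python
"""Added example (not from the post): a WSGI middleware that refuses to serve
any page over plain http.  Requests arriving over http get a 301 to the
https URL; https responses get an HSTS header.  The clinic.example host and
the phi_app below are made up for the demonstration."""
from urllib.parse import quote


class ForceHTTPS:
    def __init__(self, app, trust_forwarded_proto=False, hsts_max_age=31536000):
        self.app = app
        # Behind an ELB that terminates TLS, the instance sees plain http and
        # the original scheme is in X-Forwarded-Proto.  Trust that header only
        # when the security group lets nothing but the ELB reach the instance;
        # otherwise any client could set it and skip the redirect.
        self.trust_forwarded_proto = trust_forwarded_proto
        self.hsts = "max-age=%d" % hsts_max_age

    def is_https(self, environ):
        if self.trust_forwarded_proto:
            proto = environ.get("HTTP_X_FORWARDED_PROTO", "")
            if proto:
                return proto.split(",")[0].strip().lower() == "https"
        return environ.get("wsgi.url_scheme", "http") == "https"

    def __call__(self, environ, start_response):
        if not self.is_https(environ):
            host = environ.get("HTTP_HOST") or environ["SERVER_NAME"]
            if host.endswith(":80"):   # default http port must not leak into the https URL
                host = host[:-3]
            path = quote(environ.get("SCRIPT_NAME", "") + environ.get("PATH_INFO", ""))
            query = environ.get("QUERY_STRING", "")
            location = "https://%s%s" % (host, path) + ("?" + query if query else "")
            # A 301 drops a POST body; that is intended: data sent over http
            # has already left the client in the clear and must not be accepted.
            start_response("301 Moved Permanently",
                           [("Location", location), ("Content-Length", "0")])
            return [b""]

        def start_with_hsts(status, headers, exc_info=None):
            headers = list(headers) + [("Strict-Transport-Security", self.hsts)]
            return start_response(status, headers, exc_info)

        return self.app(environ, start_with_hsts)


def phi_app(environ, start_response):
    """Stand-in for the real application serving patient pages."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"patient record"]


def make_environ(scheme, host, path, query="", forwarded_proto=None):
    """Minimal WSGI environ for a constructed request."""
    env = {"wsgi.url_scheme": scheme, "HTTP_HOST": host, "SERVER_NAME": host,
           "REQUEST_METHOD": "GET", "PATH_INFO": path, "QUERY_STRING": query}
    if forwarded_proto:
        env["HTTP_X_FORWARDED_PROTO"] = forwarded_proto
    return env


def call(app, environ):
    """Run one request through the app; return (status, headers dict, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, dict(headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    app = ForceHTTPS(phi_app)
    print(call(app, make_environ("http", "clinic.example", "/records", "id=7")))
    print(call(app, make_environ("https", "clinic.example", "/records")))
```

Wrap the application once (`application = ForceHTTPS(application, trust_forwarded_proto=True)` when an ELB terminates TLS) and no handler can serve a page over http by accident, whatever the web server's own configuration says.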

5. Securing Amazon S3 content
Amazon offers secure (https) access to the objects stored in S3. Make sure you serve the S3 files only over https, pre-signed URLs included, and that plain-http access to the bucket is denied rather than merely unused. If you need it, you can also encrypt and decrypt the files in your application before upload and after download, but that costs extra CPU cycles and adds latency for the end-to-end encryption and decryption; S3 server-side encryption covers the at-rest requirement with less effort.
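Serving S3 files only over https is easier to guarantee from the bucket side than from every client: a bucket policy can deny any request where aws:SecureTransport is false. The code below is an added example (not from the post) that builds such a policy, with a second statement refusing uploads that do not request server-side encryption, and a checker that can be pointed at the output of `aws s3api get-bucket-policy` to confirm an existing bucket enforces TLS. The bucket name clinic-phi is made up.

```python
"""Added example (not from the post): a bucket policy that makes S3 refuse
requests for PHI objects made without TLS, and refuse uploads that do not
ask for server-side encryption, plus a checker for existing policies.
The bucket name is made up."""
import json


def phi_bucket_policy(bucket):
    objects = "arn:aws:s3:::%s/*" % bucket
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # aws:SecureTransport is false for plain-http requests
                "Sid": "DenyPlainHTTP",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": ["arn:aws:s3:::%s" % bucket, objects],
                "Condition": {"Bool": {"aws:SecureTransport": "false"}},
            },
            {   # Null is true when the SSE header is absent from the PUT
                "Sid": "DenyUnencryptedPut",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": objects,
                "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}},
            },
        ],
    }


def _as_list(value):
    # IAM policy fields may be a single value or a list
    return value if isinstance(value, list) else [value]


def enforces_tls(policy, bucket):
    """True if some statement denies every non-TLS request to the bucket's objects."""
    objects = "arn:aws:s3:::%s/*" % bucket
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Deny":
            continue
        if stmt.get("Principal") not in ("*", {"AWS": "*"}):
            continue
        if not any(a in ("*", "s3:*") for a in _as_list(stmt.get("Action", []))):
            continue
        if not any(r in ("*", objects) for r in _as_list(stmt.get("Resource", []))):
            continue
        flag = _as_list(stmt.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport", []))
        if any(str(v).lower() == "false" for v in flag):
            return True
    return False


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:   # bucket name and a saved get-bucket-policy output
        doc = json.load(open(sys.argv[2]))
        # get-bucket-policy wraps the policy document in a JSON string
        policy = json.loads(doc["Policy"]) if "Policy" in doc else doc
        print("TLS enforced" if enforces_tls(policy, sys.argv[1]) else "TLS NOT enforced")
    else:
        print(json.dumps(phi_bucket_policy("clinic-phi"), indent=2))
```

Apply the generated document with `aws s3api put-bucket-policy --bucket clinic-phi --policy file://policy.json`; after that, a plain-http GET or a PUT without the x-amz-server-side-encryption header is rejected by S3 itself, independent of how any client is configured.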

Once you've done the above 5 steps, your platform should hopefully be HIPAA compliant and you can go ahead with signing the BAA.
