SECURING HEALTHCARE DATA ON AWS FOR HIPAA COMPLIANCE
Patient Data is More Portable than it has ever been
•  44% of healthcare orgs already host clinical apps in the cloud (HIMSS)
•  More than 50% of US doctors are receiving MU Incentives for EHR (HHS)
•  More than 40% of physicians use mobile devices to access PHI (Deloitte)
Impact: Protecting the confidentiality, integrity, and availability of this information (PHI) becomes crucial
The HIPAA Security Rule
•  Safeguard the confidentiality, integrity and availability of ePHI
•  Protect ePHI systems and data against reasonably anticipated threats
Stipulates processes for securing electronic protected health records
The HIPAA Security Rule
HIPAA rules: Breach Notification rule, Privacy rule, Security rule
HIPAA Security rule
•  Safeguard the confidentiality, integrity and availability of ePHI data
•  Protect ePHI systems and data against reasonably anticipated threats
Administrative Safeguards
- Security Management Process
- Assigned Security Responsibility
- Workforce Security
- Information Access Management
- Security Awareness and Training
- Security Incident Procedures
- Contingency Plan
- Evaluation
- Business Associate Contracts
Physical Safeguards
- Facility Access Controls
- Workstation Use
- Workstation Security
- Device and Media Controls
Technical Safeguards
- Access Control
- Audit Controls
- Integrity
- Person or Entity Authentication
- Transmission Security
Addressing HIPAA Compliance Requirements
Administrative Safeguards
Key requirement:
•  Implement security measures for protecting ePHI
•  Manage the conduct of the workforce in relation to protecting ePHI
How to comply:
•  Vulnerability Assessment (Risk analysis)
•  Intrusion Detection (Risk management, protection from malicious software, incident response)
•  Web Application Firewall (Risk management, protection from malicious software, incident response)
•  Log management/SIEM (Tracking access authorization/modification, backup services)
•  Security monitoring (Application and data criticality analysis)
Physical Safeguards
Key requirement:
•  Physical measures to protect ePHI and related systems from unauthorized intrusion and natural hazards.
How to comply:
•  Log management/SIEM (Tracking access control changes and data backups, enabling disaster recovery and integrity assurance of logs)
Technical Safeguards
Key requirement:
•  Technology that protects ePHI and controls access to it
How to comply:
•  Intrusion Detection (Automated security analysis with pre-built alerts and reports)
•  Log management/SIEM (Automates log collection, aggregation and normalization across sources; tracks changes in access control, cryptographic services and audit services)
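The technical-safeguard bullet above says a log management/SIEM layer should track changes in access control, cryptographic services and audit services. The following is an added example of what that tracking looks like over CloudTrail-style records; it is not Alert Logic's code and not an AWS rule. The records are constructed to mirror the CloudTrail record format (eventSource, eventName, userIdentity, requestParameters, responseElements), and the watch list, category names and the failed-login threshold are this example's own assumptions.

```python
"""Review CloudTrail-style events for the changes a HIPAA audit-control
process wants tracked: access-control changes, cryptographic-service
changes, audit-service changes and repeated failed console logins.

Added example; the watch list below is an assumption, not a complete
catalogue of sensitive API calls."""

import json
from typing import Dict, List

# (eventSource, eventName) -> safeguard category touched (constructed list).
WATCHED_EVENTS = {
    ("iam.amazonaws.com", "AttachUserPolicy"): "access-control",
    ("iam.amazonaws.com", "PutUserPolicy"): "access-control",
    ("iam.amazonaws.com", "CreateAccessKey"): "access-control",
    ("ec2.amazonaws.com", "AuthorizeSecurityGroupIngress"): "access-control",
    ("kms.amazonaws.com", "DisableKey"): "cryptographic-services",
    ("kms.amazonaws.com", "ScheduleKeyDeletion"): "cryptographic-services",
    ("cloudtrail.amazonaws.com", "StopLogging"): "audit-services",
    ("cloudtrail.amazonaws.com", "DeleteTrail"): "audit-services",
}

# Constructed sample records, shaped like entries in a CloudTrail log file.
SAMPLE_RECORDS = json.loads("""
{"Records": [
 {"eventTime": "2024-05-01T10:00:00Z", "eventSource": "iam.amazonaws.com",
  "eventName": "AttachUserPolicy",
  "userIdentity": {"type": "IAMUser", "userName": "alice"},
  "requestParameters": {"userName": "bob",
                        "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
 {"eventTime": "2024-05-01T10:05:00Z", "eventSource": "ec2.amazonaws.com",
  "eventName": "DescribeInstances",
  "userIdentity": {"type": "IAMUser", "userName": "alice"}},
 {"eventTime": "2024-05-01T10:07:00Z", "eventSource": "kms.amazonaws.com",
  "eventName": "DisableKey",
  "userIdentity": {"type": "AssumedRole",
                   "arn": "arn:aws:sts::111122223333:assumed-role/ops/carol"},
  "requestParameters": {"keyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"}},
 {"eventTime": "2024-05-01T10:09:00Z", "eventSource": "cloudtrail.amazonaws.com",
  "eventName": "StopLogging",
  "userIdentity": {"type": "IAMUser", "userName": "dave"},
  "requestParameters": {"name": "phi-audit-trail"}},
 {"eventTime": "2024-05-01T10:11:00Z", "eventSource": "signin.amazonaws.com",
  "eventName": "ConsoleLogin",
  "userIdentity": {"type": "IAMUser", "userName": "erin"},
  "responseElements": {"ConsoleLogin": "Failure"}, "errorMessage": "Failed authentication"},
 {"eventTime": "2024-05-01T10:12:00Z", "eventSource": "signin.amazonaws.com",
  "eventName": "ConsoleLogin",
  "userIdentity": {"type": "IAMUser", "userName": "erin"},
  "responseElements": {"ConsoleLogin": "Failure"}, "errorMessage": "Failed authentication"},
 {"eventTime": "2024-05-01T10:13:00Z", "eventSource": "signin.amazonaws.com",
  "eventName": "ConsoleLogin",
  "userIdentity": {"type": "IAMUser", "userName": "erin"},
  "responseElements": {"ConsoleLogin": "Failure"}, "errorMessage": "Failed authentication"}
]}
""")["Records"]


def actor(record: Dict) -> str:
    """Name the principal behind a record: IAM user name or assumed-role ARN."""
    ident = record.get("userIdentity", {})
    return ident.get("userName") or ident.get("arn") or "unknown"


def review_events(records: List[Dict], failed_login_threshold: int = 3) -> List[Dict]:
    """Return one finding per watched change, in log order, plus one per
    principal whose failed console logins reach the threshold."""
    findings: List[Dict] = []
    failed_logins: Dict[str, int] = {}
    for rec in records:
        key = (rec.get("eventSource"), rec.get("eventName"))
        if key in WATCHED_EVENTS:
            findings.append({"time": rec["eventTime"], "category": WATCHED_EVENTS[key],
                             "event": rec["eventName"], "actor": actor(rec),
                             "details": rec.get("requestParameters", {})})
        elif (key == ("signin.amazonaws.com", "ConsoleLogin")
              and rec.get("responseElements", {}).get("ConsoleLogin") == "Failure"):
            who = actor(rec)
            failed_logins[who] = failed_logins.get(who, 0) + 1
    for who, count in failed_logins.items():
        if count >= failed_login_threshold:
            findings.append({"time": None, "category": "authentication",
                             "event": "RepeatedConsoleLoginFailure", "actor": who,
                             "details": {"failures": count}})
    return findings


def findings_by_category(findings: List[Dict]) -> Dict[str, int]:
    """Count findings per safeguard category for a summary report."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f["category"]] = counts.get(f["category"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in review_events(SAMPLE_RECORDS):
        print(f"{f['category']:24} {f['event']:30} {f['actor']}")
```

Routine read-only calls such as DescribeInstances are deliberately left out of the findings; the categories map straight onto the three things the bullet asks a SIEM to track, so a report can be grouped by safeguard rather than by API name.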
Using DevOps to Assist with Compliance
•  Deployment automation to automatically apply security agents and configuration.
•  Leverage tools such as CloudFormation to deploy applications in a consistent and reviewable manner.
•  Use CloudTrail to create an audit trail of infrastructure changes.
•  Leverage IAM to restrict users to BAA-approved services and constraints.
•  AWS Config Rules can help identify violations of volume encryption and dedicated tenancy requirements.
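The last two bullets above (IAM restriction to approved services, and Config Rules for volume encryption and dedicated tenancy) are shown below as an added example; it is not Alert Logic's code and not an AWS Config managed rule. The inventory dicts are constructed to mirror the shape of EC2 describe_volumes and describe_instances responses, the evaluation records mirror the fields a custom Config rule reports (ComplianceResourceType, ComplianceResourceId, ComplianceType, Annotation), and the service list passed to the policy builder is an input, not a statement of which services are BAA-eligible. Nothing here calls AWS.

```python
"""Config-rule-style checks for EBS volume encryption and EC2 dedicated
tenancy, plus the IAM deny policy that confines principals to an approved
service list. Added example; all inventory data is constructed."""

import json
from typing import Dict, Iterable, List

# Constructed inventory, shaped like EC2 API responses.
SAMPLE_VOLUMES = {"Volumes": [
    {"VolumeId": "vol-0a1", "Encrypted": True,
     "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID",
     "Attachments": [{"InstanceId": "i-0aaa"}]},
    {"VolumeId": "vol-0b2", "Encrypted": False,
     "Attachments": [{"InstanceId": "i-0bbb"}]},
    # Unattached volume: it still holds data, so it stays in scope.
    {"VolumeId": "vol-0c3", "Encrypted": False, "Attachments": []},
]}
SAMPLE_INSTANCES = {"Reservations": [{"Instances": [
    {"InstanceId": "i-0aaa", "Placement": {"Tenancy": "dedicated"}},
    {"InstanceId": "i-0bbb", "Placement": {"Tenancy": "default"}},
    {"InstanceId": "i-0ccc", "Placement": {"Tenancy": "host"}},
]}]}


def _evaluation(resource_type: str, resource_id: str, compliant: bool, annotation: str) -> Dict:
    """One evaluation record in the shape a custom Config rule reports."""
    return {"ComplianceResourceType": resource_type,
            "ComplianceResourceId": resource_id,
            "ComplianceType": "COMPLIANT" if compliant else "NON_COMPLIANT",
            "Annotation": annotation}


def evaluate_volume_encryption(volumes: Dict) -> List[Dict]:
    """One evaluation per volume; any unencrypted volume is NON_COMPLIANT,
    attached or not."""
    out = []
    for v in volumes["Volumes"]:
        encrypted = bool(v.get("Encrypted"))
        if encrypted:
            note = "encrypted with " + v.get("KmsKeyId", "default key")
        else:
            note = "volume is not encrypted"
        out.append(_evaluation("AWS::EC2::Volume", v["VolumeId"], encrypted, note))
    return out


def evaluate_dedicated_tenancy(instances: Dict,
                               allowed: Iterable[str] = ("dedicated", "host")) -> List[Dict]:
    """Instances on shared ('default') tenancy are NON_COMPLIANT; 'dedicated'
    and 'host' both place the instance on single-tenant hardware."""
    allowed = set(allowed)
    out = []
    for reservation in instances["Reservations"]:
        for inst in reservation["Instances"]:
            tenancy = inst.get("Placement", {}).get("Tenancy", "default")
            out.append(_evaluation("AWS::EC2::Instance", inst["InstanceId"],
                                   tenancy in allowed, f"tenancy={tenancy}"))
    return out


def noncompliant_ids(evaluations: List[Dict]) -> List[str]:
    """Resource ids that need remediation, sorted for stable reporting."""
    return sorted(e["ComplianceResourceId"] for e in evaluations
                  if e["ComplianceType"] == "NON_COMPLIANT")


def baa_service_boundary(approved_services: Iterable[str]) -> Dict:
    """IAM policy denying every action outside the approved services.
    An explicit Deny with NotAction cannot be overridden by an Allow
    elsewhere, which is why this shape works as a boundary."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "DenyOutsideApprovedServices",
        "Effect": "Deny",
        "NotAction": [f"{svc}:*" for svc in sorted(set(approved_services))],
        "Resource": "*"}]}


if __name__ == "__main__":
    print("unencrypted volumes:", noncompliant_ids(evaluate_volume_encryption(SAMPLE_VOLUMES)))
    print("shared-tenancy instances:", noncompliant_ids(evaluate_dedicated_tenancy(SAMPLE_INSTANCES)))
    print(json.dumps(baa_service_boundary(["ec2", "s3", "kms", "cloudtrail"]), indent=2))
```

Feeding real inventory in place of the constructed dicts is the only change needed to run this against an account; the unattached-volume case is included because a check that only inspects attached volumes misses data-bearing volumes left behind after an instance is terminated.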
How Cloud Defender Works in AWS
[Architecture diagram] AWS services and instances & applications feed the analytics platform through AWS service log collection; web and network security events; application & server logs; continuous vulnerability scanning; and configuration assessments and environment visibility. The analytics platform combines threat intel & context with expert analysis, and delivers to your team threat detection with remediation tactics, plus vulnerability & configuration issues.
Make HIPAA Easier with a Security Operations Center
•  24x7 monitoring by GIAC-certified security analysts
   -  Proactive identification and response to suspicious activity
   -  Incident response and escalation
   -  Recommendations for resolution
•  Ongoing tuning delivers protection and application availability
   -  Tuning in response to changing attacks and customer application changes
   -  All team members are responsible for identifying new patterns of attacks that feed into the building of new security content
Summary: Alert Logic Provides Broad HIPAA Coverage
HIPAA Rule                                             Alert Logic
Physical Safeguards
  164.310 (a)     Facility access controls              ✔
  164.310 (d)     Device and media controls             ✔
Technical Safeguards
  164.312 (a)(1)  Access control                        ✔
  164.312 (b)     Audit controls                        ✔
  164.312 (c)     Integrity                             ✔
  164.312 (e)     Transmission security                 ✔
Administrative Safeguards
  164.308 (a)(1)  Security Management Process           ✔
  164.308 (a)(3)  Workforce Security                    ✔
  164.308 (a)(4)  Information Access Management         ✔
  164.308 (a)(5)  Security Awareness and Training       ✔
  164.308 (a)(6)  Security Incident Procedures          ✔
  164.308 (a)(7)  Contingency Plan                      ✔
Thank you.
