HIPAA Reference Architecture on the AWS Cloud

Quick Start Reference Deployment


June 2021
Tom Burge, Justin Stanley, Donny Wilson, Kevin Cox, Rich Nahra, Bakha Nurzhanov, and Vanessa Jacobs, AWS Healthcare team
Andrew Gargan, AWS Quick Start team

Visit our GitHub repository for source files and to post feedback, report bugs, or submit feature ideas for this Quick Start.

This Quick Start was created by Amazon Web Services (AWS). Quick Starts are automated reference deployments that use AWS CloudFormation templates to deploy key technologies on AWS, following AWS best practices.

Overview

This guide provides instructions for deploying the U.S. Health Insurance Portability and Accountability Act (HIPAA) Reference Architecture Quick Start on the AWS Cloud.

This Quick Start is for people in the healthcare industry who are looking for guidance on implementing HIPAA-ready environments in the AWS Cloud.

This Quick Start is part of a set of AWS compliance offerings, which provide security-focused architectures to help managed service providers, cloud-provisioning teams, developers, integrators, and information-security teams follow strict security, compliance, and risk-management controls. For other Quick Starts in this category, see the Quick Start catalog.

Deploying this Quick Start does not guarantee an organization’s compliance with any laws, certifications, policies, or other regulations.
IMPORTANT—PLEASE READ

You must have an AWS Business Associate Addendum (BAA) in place, and follow its configuration requirements, before running protected health information (PHI) workloads on AWS. You should not use your AWS account in connection with PHI until you have accepted the AWS BAA and configured your AWS account as required by the AWS BAA. Under HIPAA regulations, covered entities and business associates are responsible for putting in place a business associate agreement between themselves and each of their business associates. You are solely responsible for determining whether you and your organization need a business associate agreement with AWS. If you determine that you need a business associate agreement with AWS, you can accept the AWS BAA through a self-service portal in AWS Artifact. It is your responsibility to obtain a BAA from AWS. For more information about the AWS BAA, visit the AWS HIPAA Compliance webpage.

This Quick Start does not address state-specific laws that may apply to you. This Quick Start only addresses requirements set forth under HIPAA, a U.S. federal law. Many individual states have adopted rules that are different and in some cases, stricter than those that are federally mandated under HIPAA.

This Quick Start will not, by itself, make you HIPAA-compliant. The information contained in this Quick Start package is not exhaustive, and must be reviewed, evaluated, assessed, and approved by you in connection with your organization’s particular security features, tools, and configurations. Download the security controls matrix, a spreadsheet included with this Quick Start, for an explanation of how this Quick Start can be used to help support your compliance with certain requirements under the HIPAA Privacy and Security Rules. However, it is the sole responsibility of you and your organization to determine which HIPAA regulatory requirements are applicable to you, and to ensure that you comply with those applicable requirements. Importantly, most of the requirements under HIPAA are not technical but administrative (that is, people- and process-oriented). Although the security controls matrix that is included with this Quick Start lists and discusses both the technical and administrative requirements, this Quick Start cannot help you comply with the nontechnical HIPAA requirements.

Does HIPAA apply to your organization?

Customers are solely responsible for determining whether HIPAA applies to them, and if so, for complying with their obligations under HIPAA, the AWS BAA, and all other applicable laws, rules, and regulations. AWS does not provide legal or compliance advice. Customers should consult with qualified legal counsel or consultants, as needed, to ensure that their use of AWS complies with HIPAA, the terms of the AWS BAA, and other applicable laws, rules, and regulations.

HIPAA Reference Architecture on AWS

The HIPAA Reference Architecture Quick Start helps automate building a baseline architecture that fits within your organization’s larger HIPAA-compliance program. Like other AWS compliance architectures, it helps streamline, automate, and implement secure baselines in AWS—from initial design to operational security readiness. It incorporates the expertise of AWS solutions architects, security, and compliance personnel to help you build a secure and reliable architecture through automation.

This Quick Start includes AWS CloudFormation templates, which can be integrated with AWS Service Catalog, to automate building a baseline architecture that fits within your organization’s larger HIPAA-compliance program. It also includes a downloadable security controls matrix (Microsoft Excel spreadsheet), which maps HIPAA regulatory requirements to AWS Quick Start implementation. Figure 1 provides an excerpt of the information in that spreadsheet.

Figure 1. Security controls matrix (excerpt)

You must process, store, and transmit protected health information (PHI) using only HIPAA-eligible AWS services, as defined in the AWS BAA. You may use the full range of AWS services with non-PHI data, even in a HIPAA account under the AWS BAA. For the current list of HIPAA-eligible services, see HIPAA Eligible Services Reference.

AWS costs

You are responsible for the cost of the AWS services and any third-party licenses used while running this Quick Start. There is no additional cost for using the Quick Start.

The AWS CloudFormation templates for Quick Starts include configuration parameters that you can customize. Some of the settings, such as the instance type, affect the cost of deployment. For cost estimates, see the pricing pages for each AWS service you use. Prices are subject to change.

After you deploy the Quick Start, create AWS Cost and Usage Reports to deliver billing metrics to an Amazon Simple Storage Service (Amazon S3) bucket in your account. These reports provide cost estimates based on usage throughout each month and aggregate the data at the end of the month. For more information, see What are AWS Cost and Usage Reports?

Software licenses

This Quick Start does not require additional licenses for deployment.

Architecture

Deploying this Quick Start with default parameters builds the following HIPAA Reference Architecture environment in the AWS Cloud.

Figure 2. HIPAA Reference Architecture Quick Start on AWS

As shown in Figure 2, the Quick Start sets up the following:

  • A highly available architecture that spans two Availability Zones.

  • Three virtual private clouds (VPCs): management, production, and development. The VPCs are configured with subnets, according to AWS best practices, to provide you with your own virtual network on AWS.

  • In the management VPC:

    • An internet gateway, which serves as a highly available centralized point of egress for internet traffic.

    • Public subnets that include managed network address translation (NAT) gateways to allow outbound internet access for resources in the private subnets.

    • Private subnets for deploying your security and infrastructure controls.

    • Flow logs for auditing.

  • In the production VPC:

    • Private subnets for deploying your production workloads.

    • Flow logs for auditing.

  • In the development VPC:

    • Private subnets for deploying your development workloads.

    • Flow logs for auditing.

  • AWS Transit Gateway for VPC-to-VPC communication and customer connectivity.

  • For logging and audit controls:

    • Amazon CloudWatch for metric monitoring and threshold alarms. This service delivers flow logs to an S3 bucket.

    • AWS Config with the conformance pack for HIPAA, which maps HIPAA requirements to AWS configuration items. This service delivers flow logs to an S3 bucket.

    • AWS CloudTrail for AWS access logging. This service delivers flow logs to an S3 bucket.

  • For customer connectivity:

    • AWS Site-to-Site VPN or AWS Direct Connect to connect with AWS Transit Gateway.

  • For access control and alerting:

    • Amazon Simple Notification Service (Amazon SNS) for sending email alerts from alarms.

    • AWS Identity and Access Management (IAM) for access control and authorization.
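The flow logs listed above are only useful for auditing if someone reads them. The following Python script is an added example, not code from the Quick Start or its templates: it parses VPC Flow Log records in the default version 2 format and flags three things a reviewer of this three-VPC layout would want to see: rejected connections, flows between the production and development VPCs, and flows between a workload VPC and an address outside all three VPCs. The VPC ranges are the guide's default CIDR parameters (172.16.0.0/16, 172.17.0.0/16, 172.18.0.0/16); the log lines are constructed samples, and "production and development must not talk to each other" is an assumed policy, not a rule the guide states.

```python
"""Scan VPC Flow Log records (default format, version 2) for events worth
reviewing in the three-VPC layout this guide deploys.

Added example; not part of the Quick Start's templates. The CIDR ranges are
the guide's default parameter values; the log lines are constructed samples,
and the "prod and dev must not talk to each other" rule is an assumed policy.
"""
import ipaddress
from dataclasses import dataclass

VPCS = {
    "management": ipaddress.ip_network("172.16.0.0/16"),
    "production": ipaddress.ip_network("172.17.0.0/16"),
    "development": ipaddress.ip_network("172.18.0.0/16"),
}

# Default flow log format, version 2: 14 space-separated fields.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()


@dataclass
class Finding:
    kind: str
    interface_id: str
    src: str
    dst: str


def parse_record(line):
    """Split one flow log line into a dict keyed by the default field names."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    return dict(zip(FIELDS, parts))


def vpc_of(addr):
    """Name of the VPC an address belongs to, or None if it is outside all three."""
    ip = ipaddress.ip_address(addr)
    for name, net in VPCS.items():
        if ip in net:
            return name
    return None


def scan(lines):
    """Return Findings for rejected, prod/dev crosstalk and workload-to-external flows."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("version"):   # blank line or header row
            continue
        rec = parse_record(line)
        if rec["log_status"] != "OK":   # NODATA / SKIPDATA records carry '-' addresses
            continue
        src_vpc, dst_vpc = vpc_of(rec["srcaddr"]), vpc_of(rec["dstaddr"])
        workloads = ("production", "development")
        if rec["action"] == "REJECT":
            kind = "rejected"
        elif {src_vpc, dst_vpc} == set(workloads):
            kind = "prod-dev crosstalk"
        elif (src_vpc in workloads and dst_vpc is None) or \
             (dst_vpc in workloads and src_vpc is None):
            kind = "workload-to-external"
        else:
            continue
        findings.append(Finding(kind, rec["interface_id"], rec["srcaddr"], rec["dstaddr"]))
    return findings


# Constructed sample records; account id and interface ids are placeholders.
SAMPLE_LOG = """\
2 123456789012 eni-0aaa 172.17.11.25 172.16.11.8 49152 443 6 10 4000 1623456000 1623456060 ACCEPT OK
2 123456789012 eni-0bbb 172.17.11.25 172.18.11.9 49153 5432 6 3 180 1623456000 1623456060 ACCEPT OK
2 123456789012 eni-0ccc 198.51.100.7 172.18.12.40 40000 22 6 1 44 1623456000 1623456060 REJECT OK
2 123456789012 eni-0ddd 172.17.12.14 203.0.113.9 49154 443 6 20 9000 1623456000 1623456060 ACCEPT OK
2 123456789012 eni-0eee - - - - - - - 1623456000 1623456060 - NODATA
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG.splitlines()):
        print(f"{f.kind:22} {f.interface_id:10} {f.src} -> {f.dst}")
```

The first sample line (production to management) is intentionally not reported: traffic toward the security and infrastructure controls in the management VPC is expected. The same scan can be pointed at the flow log objects the Quick Start delivers to S3, or at a CloudWatch Logs export, once the records are read line by line.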

Planning the deployment

Specialized knowledge

This deployment requires a moderate level of familiarity with AWS services. If you’re new to AWS, see Getting Started Resource Center and AWS Training and Certification. These sites provide materials for learning how to design, deploy, and operate your infrastructure and applications on the AWS Cloud.

This Quick Start also assumes familiarity with basic concepts in the areas of networking, configuration management, and data encryption.

AWS account

If you don’t already have an AWS account, create one at https://aws.amazon.com by following the on-screen instructions. Part of the sign-up process involves receiving a phone call and entering a PIN using the phone keypad.

Your AWS account is automatically signed up for all AWS services. You are charged only for the services you use.

Technical requirements

Before you launch the Quick Start, review the following information and ensure that your account is properly configured. Otherwise, deployment might fail.

Resource quotas

If necessary, request service quota increases for the following resources. You might need to request increases if your existing deployment currently uses these resources and if this Quick Start deployment could result in exceeding the default quotas. The Service Quotas console displays your usage and quotas for some aspects of some services. For more information, see What is Service Quotas? and AWS service quotas.

Resource               This deployment uses
VPCs                   3
Elastic IP addresses   2
S3 buckets             3
IAM roles              3
IAM instance profile   1
SNS topic              1

Supported Regions

This Quick Start supports the following AWS Regions.

  • us-east-1, US East (N. Virginia)

  • us-east-2, US East (Ohio)

  • us-west-1, US West (N. California)

  • us-west-2, US West (Oregon)

  • ca-central-1, Canada (Central)

  • eu-central-1, Europe (Frankfurt)

  • eu-west-1, Europe (Ireland)

  • eu-west-2, Europe (London)

  • eu-west-3, Europe (Paris)

  • eu-north-1, Europe (Stockholm)

  • ap-south-1, Asia Pacific (Mumbai)

  • ap-northeast-1, Asia Pacific (Tokyo)

  • ap-northeast-2, Asia Pacific (Seoul)

  • ap-southeast-1, Asia Pacific (Singapore)

  • ap-southeast-2, Asia Pacific (Sydney)

  • sa-east-1, South America (São Paulo)

Certain Regions are available on an opt-in basis. For more information, see Managing AWS Regions.

IAM permissions

Before launching the Quick Start, you must sign in to the AWS Management Console with IAM permissions for the resources that the templates deploy. The AdministratorAccess managed policy within IAM provides sufficient permissions, although your organization may choose to use a custom policy with more restrictions. For more information, see AWS managed policies for job functions.

Prepare for the deployment

Ensure that at least one IAM service-linked role for AWS Config exists in the AWS account where you plan to deploy the Quick Start. Make note of its Amazon Resource Name (ARN). You need it during deployment.

For more information:

Deployment options

This Quick Start provides one deployment option:

  • Deploy HIPAA Reference Architecture. You build a new AWS environment consisting of a new VPC, subnets, NAT gateways, security groups, and other infrastructure components. You then deploy HIPAA Reference Architecture into this VPC. With this Quick Start’s template, you can configure Classless Inter-Domain Routing (CIDR) blocks, instance types, and HIPAA Reference Architecture settings, as discussed later in this guide.

Deployment steps

Sign in to your AWS account

  1. Sign in to your AWS account at https://aws.amazon.com with an IAM user role that has the necessary permissions. For details, see Planning the deployment earlier in this guide.

  2. Make sure that your AWS account is configured correctly, as discussed in the Technical requirements section.

Launch the Quick Start

Each deployment takes about 15 minutes to complete.

  1. Sign in to your AWS account, and launch the Quick Start. (View the template.)

  2. Check the AWS Region that’s displayed in the upper-right corner of the navigation bar, and change it if necessary. This Region is where you build the network infrastructure. The template launches in us-east-1 by default. See Supported Regions earlier in this guide.

  3. On the Create stack page, keep the default setting for the template URL, and then choose Next.

  4. On the Specify stack details page, change the stack name if needed. Review the parameters for the template. Provide values for the parameters that require input. For all other parameters, review the default settings and customize them as necessary. For details on each parameter, see the Parameter reference section of this guide. When you finish reviewing and customizing the parameters, choose Next.

  5. On the Configure stack options page, you can specify tags (key-value pairs) for resources in your stack and set advanced options. When you’re finished, choose Next.

  6. On the Review page, review and confirm the template settings. Under Capabilities, select the two check boxes to acknowledge that the template creates IAM resources and might require the ability to automatically expand macros.

  7. Choose Create stack to deploy the stack.

  8. Monitor the status of the stack. When the status is CREATE_COMPLETE, the HIPAA Reference Architecture deployment is ready.

  9. To view the created resources, see the values displayed in the Outputs tab for the stack.

Resources

FAQ

Q. I encountered a CREATE_FAILED error when I launched the Quick Start.

A. If AWS CloudFormation fails to create the stack, relaunch the template with Rollback on failure set to Disabled. This setting is under Advanced in the AWS CloudFormation console on the Configure stack options page. With this setting, the stack’s state is retained, and the instance keeps running so that you can troubleshoot the issue.

When you set Rollback on failure to Disabled, you continue to incur AWS charges for this stack. Delete the stack when you finish troubleshooting.

For more information, see Troubleshooting AWS CloudFormation.

Q. I encountered a size-limitation error when I deployed the AWS CloudFormation templates.

A. Launch the Quick Start templates from the links in this guide or from another S3 bucket. If you deploy the templates from a local copy on your computer or from a location other than an S3 bucket, you might encounter template-size limitations. For more information, see AWS CloudFormation quotas.

Parameter reference

Unless you are customizing the Quick Start templates for your own deployment projects, keep the default settings for the parameters labeled Quick Start S3 bucket name, Quick Start S3 bucket Region, and Quick Start S3 key prefix. Changing these parameter settings automatically updates code references to point to a new Quick Start location. For more information, see the AWS Quick Start Contributor’s Guide.

Parameters for deploying HIPAA Reference Architecture

Table 1. AWS Config configuration
Parameter label (name) | Default value | Description
AWS Config service-linked-role ARN (AWSConfigARN) | Blank string | Amazon Resource Name for the AWS Config service-linked role.
AWS Config recorder (CreateConfigRecorder) | Yes | Choose "No" if you’ve already used AWS Config in this Region.
AWS Config delivery channel (CreateConfigDeliveryChannel) | Yes | Choose "No" if you’ve already used AWS Config in this Region.

Table 2. AWS logging configuration
Parameter label (name) | Default value | Description
SNS alarm-notification email address (SNSAlarmEmail) | Blank string | Amazon SNS notification email address for CloudWatch alarms.
S3 Lifecycle expiration days (LifecycleExpirationDays) | 2555 | Number of days after objects are created that Amazon S3 automatically deletes them.
S3 Lifecycle transition-to-standard-IA days (LifecycleTransitionStandardIADays) | 90 | Number of days after objects are created that Amazon S3 automatically transitions them to the S3 Standard-IA storage class.
S3 Lifecycle transition-to-S3-Glacier days (LifecycleTransitionGlacierDays) | 180 | Number of days after objects are created that Amazon S3 automatically transitions them to the S3 Glacier storage class.
CloudTrail log-retention days (CloudTrailLogRetentionDays) | 90 | Number of days that CloudTrail logs are retained.

Table 3. Development VPC configuration
Parameter label (name) | Default value | Description
Development VPC CIDR block (DevVPCCIDRBlock) | 172.18.0.0/16 | CIDR block for the development VPC.
Development VPC subnet 1 CIDR block (DevVPCSubnet1) | 172.18.11.0/24 | CIDR block for subnet 1 in the development VPC.
Development VPC subnet 2 CIDR block (DevVPCSubnet2) | 172.18.12.0/24 | CIDR block for subnet 2 in the development VPC.
Development VPC flow-log log-group retention (DevVPCFlowLogLogGroupRetention) | 90 | Number of days that the flow-log log group is retained for the development VPC.

Table 4. Production VPC configuration
Parameter label (name) | Default value | Description
Production VPC CIDR block (ProdVPCCIDRBlock) | 172.17.0.0/16 | CIDR block for the production VPC.
Production subnet 1 CIDR block (ProdVPCSubnet1) | 172.17.11.0/24 | CIDR block for subnet 1 in the production VPC.
Production subnet 2 CIDR block (ProdVPCSubnet2) | 172.17.12.0/24 | CIDR block for subnet 2 in the production VPC.
Production VPC flow-log log-group retention (ProdVPCFlowLogLogGroupRetention) | 90 | Number of days that the flow-log log group is retained for the production VPC.

Table 5. Management VPC configuration
Parameter label (name) | Default value | Description
Management VPC CIDR block (MgmtVPCCIDRBlock) | 172.16.0.0/16 | CIDR block for the management VPC.
Management public subnet 1 CIDR block (MgmtVPCPublicSubnet1) | 172.16.1.0/24 | CIDR block for public subnet 1 in the management VPC.
Management public subnet 2 CIDR block (MgmtVPCPublicSubnet2) | 172.16.2.0/24 | CIDR block for public subnet 2 in the management VPC.
Management private subnet 1 CIDR block (MgmtVPCPrivateSubnet1) | 172.16.11.0/24 | CIDR block for private subnet 1 in the management VPC.
Management private subnet 2 CIDR block (MgmtVPCPrivateSubnet2) | 172.16.12.0/24 | CIDR block for private subnet 2 in the management VPC.
Management VPC flow-log log-group retention (MgmtVPCFlowLogLogGroupRetention) | 90 | Number of days that the flow-log log group is retained for the management VPC.

Table 6. AWS Quick Start configuration
Parameter label (name) | Default value | Description
Quick Start S3 bucket name (QSS3BucketName) | aws-quickstart | Name of the S3 bucket for your copy of the Quick Start assets. Keep the default name unless you are customizing the template. Changing the name updates code references to point to a new Quick Start location. This name can include numbers, lowercase letters, uppercase letters, and hyphens, but must not start or end with a hyphen (-). See https://aws-quickstart.github.io/option1.html.
Quick Start S3 bucket Region (QSS3BucketRegion) | us-east-1 | AWS Region where the Quick Start S3 bucket (QSS3BucketName) is hosted. Keep the default Region unless you are customizing the template. Changing this Region updates code references to point to a new Quick Start location. When using your own bucket, specify the Region. See https://aws-quickstart.github.io/option1.html.
Quick Start S3 key prefix (QSS3KeyPrefix) | quickstart-compliance-hipaa/ | S3 key prefix that is used to simulate a directory for your copy of the Quick Start assets. Keep the default prefix unless you are customizing the template. Changing this prefix updates code references to point to a new Quick Start location. This prefix can include numbers, lowercase letters, uppercase letters, hyphens (-), and forward slashes (/). End with a forward slash. See https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingMetadata.html and https://aws-quickstart.github.io/option1.html.
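A stack that fails on a bad parameter value costs a rollback cycle, so it is worth checking the values in Tables 1 through 6 locally before choosing Create stack. The Python script below is an added example and is not part of the Quick Start or its templates. It encodes the rules the guide states (a service-linked role ARN is required for AWS Config; the bucket name and key prefix character rules from Table 6) plus three assumptions of mine that are labelled in the code: the fixed path of an AWS Config service-linked role ARN, that the three lifecycle day counts must be ascending, and that the three VPC CIDR blocks must not overlap so that Transit Gateway routing stays unambiguous. The default values are the guide's own; the ARN and email in the usage section are constructed placeholders.

```python
"""Pre-flight validation of the parameter values for the HIPAA Reference
Architecture template, run locally before 'Create stack'.

Added example; not part of the Quick Start. DEFAULTS are the guide's Tables 1-6.
The ARN pattern, the ascending-lifecycle rule and the disjoint-VPC rule are
assumptions of this example, not rules quoted from the guide.
"""
import ipaddress
import re

DEFAULTS = {
    "AWSConfigARN": "", "CreateConfigRecorder": "Yes", "CreateConfigDeliveryChannel": "Yes",
    "SNSAlarmEmail": "", "LifecycleExpirationDays": 2555,
    "LifecycleTransitionStandardIADays": 90, "LifecycleTransitionGlacierDays": 180,
    "CloudTrailLogRetentionDays": 90,
    "DevVPCCIDRBlock": "172.18.0.0/16", "DevVPCSubnet1": "172.18.11.0/24",
    "DevVPCSubnet2": "172.18.12.0/24",
    "ProdVPCCIDRBlock": "172.17.0.0/16", "ProdVPCSubnet1": "172.17.11.0/24",
    "ProdVPCSubnet2": "172.17.12.0/24",
    "MgmtVPCCIDRBlock": "172.16.0.0/16", "MgmtVPCPublicSubnet1": "172.16.1.0/24",
    "MgmtVPCPublicSubnet2": "172.16.2.0/24", "MgmtVPCPrivateSubnet1": "172.16.11.0/24",
    "MgmtVPCPrivateSubnet2": "172.16.12.0/24",
    "QSS3BucketName": "aws-quickstart", "QSS3BucketRegion": "us-east-1",
    "QSS3KeyPrefix": "quickstart-compliance-hipaa/",
}

# Assumed shape of an AWS Config service-linked role ARN (IAM fixes the role path).
CONFIG_SLR_RE = re.compile(
    r"^arn:aws[a-z-]*:iam::\d{12}:role/aws-service-role/config\.amazonaws\.com/[\w+=,.@-]+$")
# Table 6 rules: letters, digits and hyphens, no leading or trailing hyphen.
BUCKET_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?$")
# Table 6 rules: letters, digits, hyphens and slashes, ending with a slash.
PREFIX_RE = re.compile(r"^[A-Za-z0-9/-]*/$")

VPC_SUBNETS = {
    "MgmtVPCCIDRBlock": ["MgmtVPCPublicSubnet1", "MgmtVPCPublicSubnet2",
                         "MgmtVPCPrivateSubnet1", "MgmtVPCPrivateSubnet2"],
    "ProdVPCCIDRBlock": ["ProdVPCSubnet1", "ProdVPCSubnet2"],
    "DevVPCCIDRBlock": ["DevVPCSubnet1", "DevVPCSubnet2"],
}


def validate(params):
    """Return a list of problems; an empty list means the values look consistent."""
    p = {**DEFAULTS, **params}
    problems = []

    # Table 1: the guide requires the AWS Config service-linked role ARN.
    if not CONFIG_SLR_RE.match(p["AWSConfigARN"]):
        problems.append("AWSConfigARN is blank or not an AWS Config service-linked role ARN")

    # Table 2: assumed rule that the lifecycle stages happen in ascending order.
    ia, gl, exp = (p["LifecycleTransitionStandardIADays"],
                   p["LifecycleTransitionGlacierDays"], p["LifecycleExpirationDays"])
    if not ia < gl < exp:
        problems.append(f"lifecycle days must be ascending: IA={ia} < Glacier={gl} < expire={exp}")
    if not p["SNSAlarmEmail"]:
        problems.append("SNSAlarmEmail is blank; alarm notifications would go nowhere")

    # Tables 3-5: every subnet inside its VPC, subnets disjoint, VPC ranges disjoint
    # (assumed rule: overlapping VPC CIDRs cannot be routed via Transit Gateway).
    vpcs = {}
    for vpc_key, subnet_keys in VPC_SUBNETS.items():
        try:
            vpc = ipaddress.ip_network(p[vpc_key])   # strict: host bits must be zero
        except ValueError:
            problems.append(f"{vpc_key}={p[vpc_key]!r} is not a valid CIDR")
            continue
        vpcs[vpc_key] = vpc
        subnets = []
        for key in subnet_keys:
            try:
                net = ipaddress.ip_network(p[key])
            except ValueError:
                problems.append(f"{key}={p[key]!r} is not a valid CIDR")
                continue
            if not net.subnet_of(vpc):
                problems.append(f"{key} {net} lies outside {vpc_key} {vpc}")
            subnets.append((key, net))
        for i, (k1, n1) in enumerate(subnets):
            for k2, n2 in subnets[i + 1:]:
                if n1.overlaps(n2):
                    problems.append(f"{k1} and {k2} overlap")
    names = list(vpcs)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if vpcs[a].overlaps(vpcs[b]):
                problems.append(f"{a} and {b} overlap; Transit Gateway routing would be ambiguous")

    # Table 6: bucket name and key prefix character rules.
    if not BUCKET_RE.match(p["QSS3BucketName"]):
        problems.append("QSS3BucketName violates the naming rule")
    if not PREFIX_RE.match(p["QSS3KeyPrefix"]):
        problems.append("QSS3KeyPrefix must use letters, digits, hyphens, slashes and end with '/'")
    return problems


if __name__ == "__main__":
    # Constructed placeholder values; replace with the ARN noted during preparation.
    my_params = {
        "AWSConfigARN": "arn:aws:iam::123456789012:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig",
        "SNSAlarmEmail": "secops@example.com",
    }
    for problem in validate(my_params) or ["parameters look consistent"]:
        print(problem)
```

Running it with the guide's defaults and nothing else reports exactly the two values the table leaves blank (the AWS Config ARN and the alarm email), which is the point: those are the two inputs the deployment cannot supply for you.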

Send us feedback

To post feedback, submit feature ideas, or report bugs, use the Issues section of the GitHub repository for this Quick Start. To submit code, see the Quick Start Contributor’s Guide.

GitHub repository

Visit our GitHub repository to download the templates and scripts for this Quick Start, to post your comments, and to share your customizations with others.


Notices

This document is provided for informational purposes only. It represents AWS’s current product offerings and practices as of the date of issue of this document, which are subject to change without notice. Customers are responsible for making their own independent assessment of the information in this document and any use of AWS’s products or services, each of which is provided “as is” without warranty of any kind, whether expressed or implied. This document does not create any warranties, representations, contractual commitments, conditions, or assurances from AWS, its affiliates, suppliers, or licensors. The responsibilities and liabilities of AWS to its customers are controlled by AWS agreements, and this document is not part of, nor does it modify, any agreement between AWS and its customers.

The software included with this paper is licensed under the Apache License, version 2.0 (the "License"). You may not use this file except in compliance with the License. A copy of the License is located at http://aws.amazon.com/apache2.0/ or in the accompanying "license" file. This code is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either expressed or implied. See the License for specific language governing permissions and limitations.