Setting up and Operating a HIPAA Cloud for a Precision Health Testing Platform

03/09/2020

In 1996, the U.S. Congress passed the Health Insurance Portability and Accountability Act (HIPAA). The act and the rules issued under it set detailed requirements for how Protected Health Information (PHI), including electronic PHI (ePHI), must be handled. At Ixlayer we run our platform on HIPAA-compliant infrastructure and follow the processes and procedures needed to keep the system secure, private, monitored and compliant.

Below is an overview of the steps taken by the Ixlayer cloud security team to ensure compliance with HIPAA.

  • Technical:
    • Source code is kept in private, access-controlled repositories and goes through code analysis, unit testing and security testing.
    • Server packages are kept up to date to close known vulnerabilities.
    • All communication is over HTTPS, using TLS 1.2 with AES-256 cipher suites and certificates signed with SHA-256.
    • All databases and file systems are encrypted at rest.
    • Instances are segregated between private and public subnets.
    • Security groups restrict access to the required services ONLY.
    • As an additional layer of network security, network access control list (ACL) rules filter traffic entering each subnet.
    • A hardened bastion host provides restricted login access for system administration tasks.
    • IAM policies attached to groups and roles, following the principle of least privilege.
    • Monitoring and logging, with alerts and notifications for critical events.
    • S3 buckets, with encryption and access controls enabled, for logs, archives and application data.
    • Load balancing with TLS certificate termination and certificate management at the load balancer.
    • HTTPS listeners on Elastic Load Balancing (ELB) with a hardened TLS security policy.
    • Amazon GuardDuty for threat detection and CloudTrail to log all API activity and changes in the environment.
    • All CloudWatch and other alarms are routed to PagerDuty to notify operations personnel of any issue.
    • Patching of system software and libraries is managed and tracked.
    • Access requests and changes are tracked through tickets and recorded in audit logs.
    • Quarterly penetration and intrusion testing by external vendors.
    • SSH access is limited to a specific host.
  • Physical:
    • We use strong passwords and two-factor authentication for IT and backend systems.
    • Workstations
      • We do not store sensitive data on workstations permanently.
      • We securely configure and manage workstations. 
      • We enable disk encryption on all workstations.
    • Mobile
      • Mobile devices are restricted from accessing sensitive data.
      • If a mobile device is misplaced or stolen, its data remains protected by device encryption and passwords, and the device can be remotely wiped.
  • Administrative:
    • We use HIPAA-eligible cloud services and have signed a Business Associate Addendum (BAA) with our cloud provider.
    • Human resources security:
      • Operations employees are background checked upon hiring.
      • HIPAA Training & Documentation for employees.
      • Basic security awareness training for employees.
      • Laptop and mobile device security training.
      • Phishing/Social Engineering training.
    • Operations security
      • Permission to access the production environment is granted ONLY by the operations team.
      • Access to the environments is through individual SSH keys, and access to the AWS account through individual IAM credentials; both are logged.
      • Access is limited to the minimum number of operations personnel, all of whom have HIPAA training.
      • Regular security testing and compliance reviews.
      • Annual security and penetration testing is performed by third-party companies.
      • We use automated configuration management and deployment systems for cloud instances.
      • 2FA is required to access deployment systems.
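The security-group, bastion and SSH items above describe a model that can be checked mechanically against a live account. As an added example (not Ixlayer's code), the script below audits the JSON that `aws ec2 describe-security-groups` returns and flags ingress that breaks that model: world-open ports anywhere except the internet-facing tier on 443, SSH to any non-bastion group from a source other than the bastion group, and all-traffic rules from CIDR ranges. The group IDs, CIDRs and tier roles are constructed for illustration.

```python
"""Audit security-group ingress against the tiering described above.

Added example, not Ixlayer's code. Input is the JSON shape returned by
`aws ec2 describe-security-groups`; the groups, IDs and CIDRs below are
constructed for illustration.
"""
import json
import sys

ANY_V4, ANY_V6 = "0.0.0.0/0", "::/0"

# Roles of the constructed groups (assumed; in practice taken from tags or IaC).
BASTION_SG = "sg-0b0b0b0b0b0b0b0b1"
ELB_SG = "sg-0e1b0e1b0e1b0e1b2"
APP_SG = "sg-0a990a990a990a993"
DB_SG = "sg-0d0d0d0d0d0d0d0d4"

SAMPLE_DESCRIBE_SGS = {"SecurityGroups": [
    {"GroupId": BASTION_SG, "GroupName": "bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "198.51.100.0/24"}]}]},                # admin office range
    {"GroupId": ELB_SG, "GroupName": "public-elb", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": ANY_V4}], "Ipv6Ranges": [{"CidrIpv6": ANY_V6}]}]},
    {"GroupId": APP_SG, "GroupName": "app-tier", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
         "UserIdGroupPairs": [{"GroupId": ELB_SG}]},                     # fine: only the ELB
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},                   # SSH bypassing the bastion
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]},  # all traffic from a /8
    {"GroupId": DB_SG, "GroupName": "db-tier", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": ANY_V4}]}]},                           # database open to the world
]}


def _ports(perm):
    """Port range a permission covers; protocol -1 means all ports of all protocols."""
    if perm.get("IpProtocol") == "-1":
        return 0, 65535
    return perm.get("FromPort", 0), perm.get("ToPort", 65535)


def _cidrs(perm):
    return ([r["CidrIp"] for r in perm.get("IpRanges", [])]
            + [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])])


def audit_security_groups(describe_output, bastion_sg, internet_facing_sgs, public_ports=(443,)):
    """Return (group_id, rule, detail) for every ingress rule that breaks the model:
    world-open only on the internet-facing tier and only on public_ports, SSH to
    non-bastion groups only from the bastion group, no all-traffic CIDR rules."""
    findings = []
    for sg in describe_output["SecurityGroups"]:
        gid = sg["GroupId"]
        for perm in sg.get("IpPermissions", []):
            lo, hi = _ports(perm)
            cidrs = _cidrs(perm)
            src_groups = [p["GroupId"] for p in perm.get("UserIdGroupPairs", [])]
            if perm.get("IpProtocol") == "-1" and cidrs:
                findings.append((gid, "all-traffic-from-cidr", ",".join(cidrs)))
                continue
            world = [c for c in cidrs if c in (ANY_V4, ANY_V6)]
            if world and not (gid in internet_facing_sgs and lo == hi and lo in public_ports):
                findings.append((gid, "world-open-ingress", f"{lo}-{hi} from {','.join(world)}"))
            if gid != bastion_sg and lo <= 22 <= hi:
                bad = cidrs + [g for g in src_groups if g != bastion_sg]
                if bad:
                    findings.append((gid, "ssh-not-via-bastion", ",".join(bad)))
    return findings


if __name__ == "__main__":
    # Usage: aws ec2 describe-security-groups > sgs.json && python sg_audit.py sgs.json
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_DESCRIBE_SGS
    for gid, rule, detail in audit_security_groups(data, BASTION_SG, {ELB_SG}):
        print(f"{gid}\t{rule}\t{detail}")
```

An empty result is the expected state for an account that follows the model; each finding names the group and the offending source so it can be fixed in the template that created it. The same check can be scheduled as a Lambda function or expressed as an AWS Config rule, both of which appear in the list of HIPAA-eligible services used below.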

Amazon Web Services – Our HIPAA compliant Cloud Provider

At Ixlayer, we carefully evaluated the major cloud providers and selected AWS. AWS offers a commercial off-the-shelf infrastructure platform with industry-recognized certifications and audits such as ISO 27001, FedRAMP and the Service Organization Control reports (SOC 1, SOC 2 and SOC 3). AWS services and data centers have multiple layers of operational and physical security to help ensure the integrity and safety of sensitive customer data.

AWS enables covered entities and their business associates subject to HIPAA to securely process, store and transmit PHI, and offers a standardized Business Associate Addendum (BAA) to companies such as Ixlayer. Ixlayer has executed the AWS BAA and uses a number of AWS services in accounts designated as HIPAA accounts. Ixlayer stores and transmits PHI using the HIPAA-eligible services defined in the AWS BAA.

The following HIPAA eligible services are used by Ixlayer:

  • AWS Batch
  • AWS Backup
  • AWS Certificate Manager
  • CloudFormation
  • CloudTrail
  • CloudWatch
  • CloudWatch Logs
  • AWS Config
  • Amazon ElastiCache (Redis)
  • Amazon Elastic Block Store (Amazon EBS)
  • Amazon Elastic Compute Cloud (Amazon EC2)
  • Amazon Elastic Container Registry (ECR)
  • Elastic Load Balancing
  • Amazon GuardDuty
  • AWS Key Management Service
  • AWS Lambda
  • AWS Organizations
  • Amazon QuickSight
  • Amazon Route 53
  • AWS Secrets Manager
  • AWS Security Hub
  • Amazon Simple Notification Service (SNS)
  • Amazon Simple Storage Service (Amazon S3)
  • AWS Web Application Firewall (WAF)

For the complete list of HIPAA-eligible services, see the AWS HIPAA Eligible Services Reference page.

For a full description of the HIPAA program offered by AWS, see the AWS HIPAA Compliance page.

Securing Data

By maintaining HIPAA compliance and following industry-standard security practices, Ixlayer secures both the PHI and the other sensitive data of all our clients. We keep track of where client data resides and prevent it from falling into the wrong hands.

HIPAA permits healthcare professionals and other users to access data from web browsers and mobile devices. However, each mobile device, computer and other endpoint must be protected by multiple layers of security. Those measures include:

  • Password complexity and history – All administrator and infrastructure passwords are machine-generated complex passwords with a short lifetime, and they are rotated regularly.
  • Network firewalls – We use network firewalls and security groups on AWS to control network access to backend systems, and AWS WAF to filter common web application attacks such as those in the OWASP Top 10.
  • Sessions that time out – All systems use short session durations, and sessions can be revoked pre-emptively.
  • Two-factor authentication – We use Multi-Factor Authentication (MFA) devices to control access to email, administrative and backend systems.
  • Data encryption that meets or exceeds industry standards – All HTTPS communication uses TLS 1.2 with AES-256 cipher suites and certificates signed with SHA-256. All storage on AWS, including EBS volumes and S3 buckets, is encrypted at rest with AES-256.
  • Intrusion detection programs – We run multiple intrusion detection systems on AWS to monitor the network, server access and configuration changes. Every access is logged, and notifications are sent immediately when irregular or unauthorized access is detected.
  • Least privilege – The Ixlayer security team follows the principle of least privilege (PoLP), so each user has access ONLY to the information necessary for his or her job.
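The monitoring items in the overview (CloudTrail, GuardDuty, CloudWatch alarms routed to PagerDuty) and the intrusion detection item above both come down to deciding which logged events count as "irregular or unauthorized". The added example below, which is not Ixlayer's detection code, shows that decision over a CloudTrail log file: it flags root account use, console logins without MFA, successful calls that disable logging or encryption keys, and bursts of access-denied errors from one principal and IP. The records, account ID, ARNs and event IDs are constructed.

```python
"""Triage CloudTrail records for the events that should page the on-call.

Added example, not Ixlayer's detection code. It reads the {"Records": [...]}
document CloudTrail delivers to S3; the records, account ID, ARNs and event
IDs below are constructed for illustration.
"""
import json
import sys
from collections import Counter

# Successful calls that weaken logging or encryption are always paged.
TAMPERING_EVENTS = {
    "StopLogging", "DeleteTrail", "UpdateTrail",          # CloudTrail
    "DisableKey", "ScheduleKeyDeletion",                  # KMS keys protecting data at rest
    "DeleteDetector", "StopConfigurationRecorder",        # GuardDuty, AWS Config
}
DENIED_CODES = {"AccessDenied", "UnauthorizedOperation", "Client.UnauthorizedOperation"}
ACCT = "123456789012"   # constructed account ID


def _rec(user_type, arn, name, source, ip, event_id, **extra):
    """Build a minimal CloudTrail record (constructed sample data)."""
    rec = {"eventVersion": "1.05", "eventTime": "2020-03-09T14:05:11Z",
           "userIdentity": {"type": user_type, "arn": arn, "accountId": ACCT},
           "eventSource": source, "eventName": name, "awsRegion": "us-east-1",
           "sourceIPAddress": ip, "eventID": event_id}
    rec.update(extra)
    return rec


SAMPLE = {"Records": [
    _rec("IAMUser", f"arn:aws:iam::{ACCT}:user/alice", "ConsoleLogin", "signin.amazonaws.com",
         "198.51.100.7", "evt-001", responseElements={"ConsoleLogin": "Success"},
         additionalEventData={"MFAUsed": "Yes"}),                              # normal login
    _rec("Root", f"arn:aws:iam::{ACCT}:root", "CreateAccessKey", "iam.amazonaws.com",
         "198.51.100.7", "evt-002"),                                           # root in use
    _rec("IAMUser", f"arn:aws:iam::{ACCT}:user/bob", "ConsoleLogin", "signin.amazonaws.com",
         "203.0.113.9", "evt-003", responseElements={"ConsoleLogin": "Success"},
         additionalEventData={"MFAUsed": "No"}),                               # login without MFA
    *[_rec("AssumedRole", f"arn:aws:sts::{ACCT}:assumed-role/app-task/i-0abc1234", "GetObject",
           "s3.amazonaws.com", "10.0.2.15", f"evt-00{i}", errorCode="AccessDenied")
      for i in (4, 5, 6)],                                                    # denied burst
    _rec("IAMUser", f"arn:aws:iam::{ACCT}:user/alice", "StopLogging", "cloudtrail.amazonaws.com",
         "198.51.100.7", "evt-007"),                                           # trail disabled
    _rec("IAMUser", f"arn:aws:iam::{ACCT}:user/carol", "DescribeInstances", "ec2.amazonaws.com",
         "198.51.100.7", "evt-008"),                                           # benign
]}


def triage(records, denied_threshold=3):
    """Return findings: one per matching record, plus one per (principal, IP)
    that collected denied_threshold or more AccessDenied-type errors."""
    findings, denied = [], Counter()
    for rec in records:
        name = rec.get("eventName")
        ident = rec.get("userIdentity") or {}
        base = {"eventID": rec.get("eventID"), "event": name,
                "principal": ident.get("arn") or ident.get("type", "unknown"),
                "source_ip": rec.get("sourceIPAddress")}
        if ident.get("type") == "Root":
            findings.append(dict(base, rule="root-account-used", severity="high"))
        if (name == "ConsoleLogin"
                and (rec.get("responseElements") or {}).get("ConsoleLogin") == "Success"
                and (rec.get("additionalEventData") or {}).get("MFAUsed") != "Yes"):
            findings.append(dict(base, rule="console-login-without-mfa", severity="high"))
        if name in TAMPERING_EVENTS and not rec.get("errorCode"):
            findings.append(dict(base, rule="logging-or-encryption-tampering", severity="critical"))
        if rec.get("errorCode") in DENIED_CODES:
            denied[(base["principal"], base["source_ip"])] += 1
    for (principal, ip), n in denied.items():
        if n >= denied_threshold:   # repeated denials: probing, or a credential used outside its job
            findings.append({"rule": "access-denied-burst", "severity": "medium", "eventID": None,
                             "event": None, "principal": principal, "source_ip": ip, "count": n})
    return findings


if __name__ == "__main__":
    # Usage: python cloudtrail_triage.py <cloudtrail-log.json>   (defaults to the sample)
    doc = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    for f in triage(doc["Records"]):
        where = f" (x{f['count']})" if "count" in f else f" event {f['eventID']}"
        print(f"[{f['severity']}] {f['rule']}: {f['principal']} from {f['source_ip']}{where}")
```

In production the same function runs in a Lambda triggered by the delivery of each CloudTrail file to S3, and its findings are published to an SNS topic, which is how they reach PagerDuty. The threshold of the denied-burst rule is the knob to tune against your own baseline; the other three rules should fire on every occurrence.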

In addition, Ixlayer provides regular training sessions so that employees follow best practices and can recognize the warning signs of intrusions and phishing. Everyone at Ixlayer, including those who handle user data directly, is trained in HIPAA, and information is shared on a need-to-know basis. A patient's ePHI is not disclosed to anyone outside the business unless HIPAA permits the disclosure or the requester presents a HIPAA release form bearing the patient's verified signature.

Incident Management

What happens when an unauthorized person gains access to someone's ePHI, whether through an employee error or through an attack? We follow the steps below whenever such an incident occurs:

  1. Upon detection of a security incident, a response team is formed to identify and record the details and severity of the incident.
  2. All relevant logs, database snapshots, security settings and account information are captured.
  3. Affected systems are quarantined and the associated accounts disabled; network security groups are changed to isolate the affected systems.
  4. Client representatives and security teams are notified of the incident by phone and email.
  5. The security team investigates the source, cause and timeline of the incident in order to prevent similar incidents in the future.
  6. Affected systems are erased once the investigation is complete.
  7. The team restores normal operation, replacing security keys and credentials in the process.
  8. A plan is drafted with the client to notify the affected user(s).
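Steps 2, 3 and 7 are the ones worth scripting, because their order matters: evidence is captured before the system is altered, the instance is isolated without being stopped, and credentials are revoked rather than deleted. The example below is an addition here, not Ixlayer's runbook. It builds that sequence as AWS CLI commands (all real subcommands) and executes them through a dry-run-by-default executor. It assumes a pre-created quarantine security group with no ingress or egress rules and that the exposed credentials belong to an IAM user; the instance, volume, group and key IDs are constructed placeholders.

```python
"""Containment plan for a compromised EC2 instance and the IAM user whose
credentials it exposed.

Added example, not Ixlayer's runbook. Turns steps 2, 3 and 7 of the incident
procedure into an ordered list of AWS CLI commands and runs them through one
executor that defaults to dry-run. Assumes a pre-created quarantine security
group with no rules; all IDs used below are constructed placeholders.
"""
import json
import shlex
import subprocess

# Explicit Deny on everything: IAM evaluates it on every call, so it also cuts off
# temporary credentials already obtained from the user's keys via GetSessionToken.
DENY_ALL = json.dumps({"Version": "2012-10-17",
                       "Statement": [{"Effect": "Deny", "Action": "*", "Resource": "*"}]})


def build_plan(instance_id, volume_ids, quarantine_sg, iam_user, access_key_ids, ticket):
    """Ordered commands: evidence first, then isolation, then credential revocation."""
    plan = []
    # Step 2: capture evidence before anything changes, one snapshot per attached volume.
    for vol in volume_ids:
        plan.append(["aws", "ec2", "create-snapshot", "--volume-id", vol,
                     "--description", f"{ticket} evidence from {instance_id}"])
    # Step 3: isolate by replacing every security group with the quarantine group.
    # The instance is neither stopped nor terminated, so memory and live
    # connections remain available to the investigation.
    plan.append(["aws", "ec2", "modify-instance-attribute", "--instance-id", instance_id,
                 "--groups", quarantine_sg])
    plan.append(["aws", "ec2", "create-tags", "--resources", instance_id,
                 "--tags", f"Key=Quarantine,Value={ticket}"])
    # Step 7 (start of): deactivate, do not delete, the keys so they stay inspectable,
    # then attach the Deny-all policy so any in-flight use of them stops.
    for key in access_key_ids:
        plan.append(["aws", "iam", "update-access-key", "--user-name", iam_user,
                     "--access-key-id", key, "--status", "Inactive"])
    plan.append(["aws", "iam", "put-user-policy", "--user-name", iam_user,
                 "--policy-name", f"{ticket}-deny-all", "--policy-document", DENY_ALL])
    return plan


def execute(plan, dry_run=True, runner=subprocess.run):
    """Run the plan in order, stopping at the first failure so a later step
    cannot hide it. Returns (command line, status) pairs."""
    results = []
    for cmd in plan:
        line = shlex.join(cmd)
        if dry_run:
            results.append((line, "DRY-RUN"))
            continue
        proc = runner(cmd, capture_output=True, text=True)
        status = "OK" if proc.returncode == 0 else f"FAILED: {proc.stderr.strip()}"
        results.append((line, status))
        if proc.returncode != 0:
            break
    return results


if __name__ == "__main__":
    plan = build_plan("i-0123456789abcdef0",
                      ["vol-0aaaaaaaaaaaaaaa1", "vol-0bbbbbbbbbbbbbbb2"],
                      "sg-0c0c0c0c0c0c0c0c9", "svc-deploy",
                      ["AKIAIOSFODNN7EXAMPLE"], "IR-2020-0309")
    for line, status in execute(plan, dry_run=True):   # pass dry_run=False to act
        print(status, line)
```

Review the dry-run output against the incident ticket, then rerun with `dry_run=False`. Deactivating the access keys blocks new calls made with them; the inline Deny-all is what additionally stops temporary credentials that were already derived from those keys, because IAM evaluates the user's policies on every request. Full credential rotation, the remainder of step 7, follows once the erased systems are rebuilt.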

Conclusion

The Ixlayer Precision Health Testing Platform addresses HIPAA through three sets of safeguards: technical, physical and administrative. Ixlayer is cloud-based precision care software designed for clients who need diagnostic health solutions; clients can safely store, analyze and gain insights from health data without having to manage the underlying infrastructure.

Ixlayer uses a number of HIPAA-eligible services, including AWS Batch, AWS Backup, AWS Certificate Manager, CloudFormation, CloudTrail and CloudWatch, and with them secures the PHI and other sensitive information of its clients. HIPAA permits healthcare providers to access data through mobile devices and web browsers, so many safeguards protect that data from unauthorized parties, among them session time-outs, network firewalls, strong passwords, two-factor authentication and intrusion detection.

Finally, incident management is crucial to data protection. If an intruder gains unauthorized access to sensitive data, predefined guidelines are followed both to halt the intrusion and to prevent future attacks.