Within the HIPAA Security Rule are Administrative, Physical, and Technical Safeguards. These safeguards are as important to understand as they are to implement, so let’s dive into one:
164.312(e)(1) - Transmission Security. Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.
Associated implementation specifications:
- 164.312(e)(2)(i) - Implement security measures to ensure that electronically transmitted electronic protected health information is not improperly modified without detection until disposed of.
- 164.312(e)(2)(ii) - Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate.
Explanation:
The spirit of this guideline is to protect data during transmission. To accomplish this, all data transmission points must be known and mechanisms must be used to provide encryption in transit and integrity verification.
How can a customer address this and how does Cloudticity help?
Important: All specifications must have associated company policies to explicitly indicate how each are addressed. If a requirement is not applicable, this should also be indicated in policies to address it explicitly.
- To meet transmission security guidelines:
- AWS provides services that allow for encryption and decryption using networking protocols. Services providing encryption include KMS, S3, RDS, EFS, and EMR. AWS recommends using Transport Layer Security (TLS) or IPsec. AWS labs also provides a TLS library, s2n, that allows developers to implement transport security.
- Cloudticity ensures that all necessary AWS services are configured correctly, including but not limited to the ones mentioned above. This does not include the s2n TLS library.
- Cloudticity verifies that access keys are rotated on a regular basis and provides professional services to help developers with encryption in transit upon request. For more information related to encryption, check out our access control blog post.
- Customer applications, for all cases where PHI is transmitted, must meet these transmission security guidelines. Some simple ways to verify that encryption is being used include verifying redirects from HTTP to HTTPS, verifying encryption between each resource, and doing a complete end-to-end walkthrough of data movement to verify that all locations processing or storing sensitive data are accounted for. Customer applications must rotate keys on a regular basis. Cloudticity recommends rotating keys every 90 days.