HITRUST on the AWS Cloud: Guide to Getting Started

Cloudticity, L.L.C.

Healthcare organizations are increasingly recognizing the important advantages that cloud services can deliver compared with on-premises environments. For example, organizations using cloud services such as AWS, Azure, or Google Cloud can avoid the costs of purchasing and maintaining physical infrastructure. They can also scale cloud-based resources quickly and easily. Moreover, they can tap into emerging technologies, such as AI and machine learning, which are available as services from cloud providers.

But as healthcare organizations contemplate a move to the cloud, many have concerns about regulatory compliance. How can an organization remain in full compliance with HIPAA (the Health Insurance Portability and Accountability Act of 1996) if all its protected health data is in the cloud?

The good news is that you can still ensure compliance with healthcare regulations while operating in the cloud. Adopting the HITRUST Common Security Framework (CSF) can help you put into place necessary controls and practices to protect sensitive data and comply with regulations. You could use the framework to conduct a self-directed readiness assessment and identify gaps with regulatory requirements. Or, by going through a rigorous assessment process, your organization could earn HITRUST certification—the gold standard for demonstrating compliance with government regulations in the healthcare industry.

Choosing AWS as your cloud provider can help streamline the HITRUST certification process. By selecting HITRUST-certified services on AWS and capitalizing on AWS resources that speed provisioning, you can take full advantage of cloud services while strengthening security and maintaining regulatory compliance.

What Is HITRUST?

There are multiple regulatory bodies that govern protected health information (PHI). HITRUST—a privately held company founded in 2007—set out to create a single set of guidelines to help organizations meet the stringent demands of HIPAA and other regulations. 

The HITRUST CSF brings together multiple regulations and standards into a single reference. In addition to HIPAA, it covers, for example:

  • Health Information Technology for Economic and Clinical Health (HITECH) Act rules
  • National Institute of Standards and Technology (NIST) standards 
  • International Organization for Standardization (ISO) standards
  • European Union’s General Data Protection Regulation (GDPR)
  • Payment Card Industry Data Security Standard (PCI DSS)

The framework spans a wide range of security areas, including risk management, access control, network security, and incident management. Implementing the privacy and security controls listed in the framework is a key part of achieving HITRUST certification. 

What Is HITRUST Certification? 

Beyond adopting the HITRUST framework, your organization might decide to validate your adherence to the guidelines by embarking on the HITRUST certification process. HITRUST certification clearly signals your compliance with key regulations, such as HIPAA and HITECH. In the past, organizations could not easily prove that they were adequately securing protected health information (PHI)—and partner businesses and patients did not realize that many organizations were not in fact complying with the HIPAA Security Rule.

Though complying with HIPAA is mandatory, HITRUST certification is voluntary. Still, a growing number of hospitals and other institutions require their vendors to be certified. Earning HITRUST certification will give you an additional means of competitive differentiation. Moreover, working toward HITRUST certification can help you create a more robust security program. Consequently, many organizations are integrating HITRUST certification into their ongoing compliance efforts.

You can choose from three levels of assessments and certifications offered by HITRUST:

  • HITRUST Essentials 1-year (e1) Assessment: An entry-level validated assessment and certification.

  • HITRUST Implemented 1-year (i1) Assessment: An assessment that provides a moderate level of assurance that organizations have adequately addressed cybersecurity threats.

  • HITRUST Risk-based 2-year (r2) Assessment: The most rigorous assessment, with the most comprehensive set of control requirements. An interim assessment must be conducted every other year.

The r2 assessment is the most time-consuming, resource-intensive process. But it also helps you to demonstrate the highest level of security and compliance. 

How Is HITRUST CSF Certification Earned?

There are several steps to the assessment and certification process. First, you need to select an external, third-party assessor firm. The assessor firm’s compliance professionals will work with your team to evaluate your security controls and risk management practices against the requirements of the HITRUST framework. 

The framework takes a risk-based approach to security. Using the framework, the assessor helps identify the risks to security, determine the likelihood of a breach, evaluate the potential impact of a breach, and identify additional safeguards that could mitigate that impact. The framework enables you to customize security control baselines according to your type of organization, regulatory requirements relevant to your organization, and other factors.

With help from the assessor, you conduct a readiness assessment and gap analysis, reviewing your organization’s security controls, policies, and procedures. You construct a gap remediation plan and then begin to fill the gaps, implementing whatever controls and practices are needed. 

Next, the assessor conducts the HITRUST validated assessment. This assessment examines several different areas, including but not limited to:

  • Network security: Evaluating security for WiFi connections, outbound internet access, and wireless devices, making sure traffic is encrypted.
  • Audit trail: Ensuring proper log configuration.
  • Physical security: Preventing access to servers and drives. Maintaining a chain of custody for removable devices such as laptops and flash drives.
  • Employee education: Verifying employees understand security practices and are carrying them out routinely.
  • Disaster management and recovery: Making sure there is a solid, tested plan in place to mitigate damage and ensure quick recovery from unexpected events.

If any issues are identified during the assessment, the assessor provides a report outlining the findings and recommendations for remediation. Your organization would need to address any findings and provide evidence of remediation to the assessor before the assessor submits your work to HITRUST for review. HITRUST can approve or deny certification depending on whether your organization has met the requirements of the HITRUST framework.

How Much Does HITRUST Certification Cost?

The cost of HITRUST certification can vary according to the assessment you choose and your organization’s risk profile. See how much HITRUST certification might cost for your organization: 

Try the free Cloudticity HITRUST Cost Calculator tool

What AWS Services Are HITRUST Certified?

More than 160 AWS services are HITRUST certified. Here are just a few examples:

  • Amazon API Gateway
  • Amazon CloudWatch
  • Amazon Cognito
  • Amazon ElastiCache
  • Amazon Location Service
  • Amazon Route 53
  • Amazon SimpleDB
  • Amazon Virtual Private Cloud (VPC)
  • AWS IoT Core, Device Management, and Events
  • AWS Outposts
  • Elastic Load Balancing

If your organization uses one of those services, you can inherit controls from AWS and apply them to your HITRUST assessment. Inheriting controls can significantly reduce the time and effort you need to invest in the certification process. 


The Shared Responsibility Model

Like other major cloud providers, AWS employs a shared responsibility model for security. There are two interrelated tiers of responsibility:

  • Security in the cloud
  • Security of the cloud

AWS is responsible for ensuring the security of the cloud. The company takes every measure to protect the actual infrastructure—hardware, software, networking, and facilities—from cyberattacks, physical attacks, and intrusions. 

Customers are responsible for security in the cloud. Customers select the AWS services they want to use and configure them as they wish. 

Simply using the AWS environment doesn’t guarantee your organization will be operating within the scope of HITRUST or HIPAA. You’ll need to double-check the configuration parameters that support the required security.

 

Benefits of Using AWS

AWS is considered the leading cloud service provider for several reasons.

Competitive Pricing

AWS costs less than competitors in many situations. Even when this isn’t the case, AWS pricing is always competitive and—more important—flexible. The pay-as-you-go pricing model enables organizations to avoid massive capital investments upfront. And because AWS resources can be scaled up or down easily, organizations can avoid overprovisioning (buying more than they need) and underprovisioning (which might cause them to run out of capacity when they need it).

AWS also offers volume-based discounts. This works especially well for larger companies with large amounts of records to archive, for example. They can take advantage of the lower, volume-priced Amazon Simple Storage Service (Amazon S3) storage tiers.

Resources

AWS offers a wealth of training and certification resources for developers. There are also hundreds of AWS training and certification programs available from third-party vendors, including both in-classroom and online options. Additional types of resources—such as podcasts, Twitch streaming, presentations, and tech talks—are available on the AWS website.

Security

AWS recognizes that its reputation is tied to its ability to safeguard apps and data. The AWS security team continuously monitors the dynamic threat matrix and makes modifications to the organization’s security posture. The team also updates its published best practices so customers can follow AWS recommendations to mitigate threats. 

Scalability

Many healthcare organizations move to the cloud for its scalability. Healthcare providers, for example, might need greater IT resources for their services during certain times of the year, such as in the winter months, when respiratory illnesses often peak.

Scaling with AWS is easy. Your organization can scale up—or down—as needed. You no longer have to purchase infrastructure for the busy times and then let that infrastructure sit idle for the rest of the year.

Massive Ecosystem

AWS offers more than 200 AWS services—and many of them are fully HITRUST certified. You can choose from databases, analytics capabilities, AI services, security tools, a virtual private cloud, and more. There are very few limits on what you can build or run on AWS.

Speeding Provisioning with the HITRUST on AWS Quick Start

AWS strives to simplify the provisioning and management of cloud environments on AWS. It offers CloudFormation capabilities, for example, that enable you to create templates for service or application architectures. CloudFormation then uses those templates for repeatable provisioning.

AWS also offers Quick Start reference implementations, which include CloudFormation templates and detailed deployment guides for popular IT workloads. The HITRUST on AWS Quick Start deploys a model environment on AWS that can help you align with the HITRUST CSF.

You can choose the HITRUST deployment configuration through the console. The Quick Start then deploys the following environment:

  • A highly available architecture that spans two availability zones.
  • A management VPC and production VPC configured with public and private subnets to provide you with your own virtual network on AWS. The management and production VPCs have VPC peering enabled.
  • Standard Amazon VPC security groups for EC2 instances and load balancers used in the sample application stack. The security groups limit access to only necessary services and disallow unencrypted traffic.
  • An Amazon S3 bucket for encrypted log content.
  • A Secure Sockets Layer (SSL) certificate managed by AWS Certificate Manager (ACM) on the load balancer to encrypt all traffic between the internet and the load balancer. Separate self-signed certificates are generated on the EC2 instances to encrypt traffic between the load balancer and the application instances.
  • AWS Config rules to monitor the deployment configuration. 
  • An Amazon Route 53 record set that maps the fully qualified domain name (FQDN) to the load balancer Domain Name System (DNS).
  • Logging, monitoring, and alerts using AWS CloudTrail, Amazon CloudWatch, and AWS Config rules.
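
One way to check the security-group behavior described above after deployment, as an added example that is not part of the Quick Start or the original article: the function takes the response of the EC2 DescribeSecurityGroups call and lists ingress rules that are open to the whole internet on anything other than HTTPS. The 443-only allowlist and the sample group IDs are assumptions.

```python
# Added example: flag security-group ingress rules that expose anything
# other than TLS to the internet. Input is the dict returned by the EC2
# describe_security_groups call (assumed to be fetched elsewhere).
ANYWHERE = {"0.0.0.0/0", "::/0"}
ALLOWED_PUBLIC_PORTS = {443}  # assumption: only HTTPS may face the internet


def open_ingress(response, allowed=ALLOWED_PUBLIC_PORTS):
    """Return (group_id, protocol, from_port, to_port) for each violation."""
    hits = []
    for sg in response.get("SecurityGroups", []):
        for perm in sg.get("IpPermissions", []):
            cidrs = {r["CidrIp"] for r in perm.get("IpRanges", [])}
            cidrs |= {r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])}
            if not cidrs & ANYWHERE:
                continue  # source is restricted, not world-open
            proto = perm.get("IpProtocol")
            if proto == "-1":  # "-1" means all protocols and all ports
                hits.append((sg["GroupId"], "all", 0, 65535))
                continue
            lo, hi = perm.get("FromPort"), perm.get("ToPort")
            # Non-TCP rules, or TCP ranges covering any non-allowed port.
            if proto != "tcp" or any(p not in allowed for p in range(lo, hi + 1)):
                hits.append((sg["GroupId"], proto, lo, hi))
    return hits


# Constructed sample response (group IDs are made up).
SAMPLE = {"SecurityGroups": [
    {"GroupId": "sg-alb-example", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-app-example", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},
        {"IpProtocol": "-1", "IpRanges": [],
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
]}

if __name__ == "__main__":
    for hit in open_ingress(SAMPLE):
        print("world-open ingress:", hit)
```

An empty result means no group accepts internet traffic outside the allowlist; widen the allowlist only for ports you can justify to your assessor.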

Resource Quotas

If you use the HITRUST Quick Start, you need to make sure you have adequate service quotas. Visit the Service Quotas console to view your current usage. Your quotas should meet or exceed the following:

  • VPCs - 2
  • Elastic IP addresses - 5
  • AWS Identity and Access Management (IAM) roles - 8
  • Security groups - 6
  • Auto Scaling groups - 2
  • Amazon Simple Storage Service (S3) buckets - 2
  • Application Load Balancers - 2
  • t3.small instances - 3 to 5
  • EC2 key pairs - 2

Other Settings

If you are trying to deploy this Quick Start anywhere other than the default region, you must make sure that any services you are using are supported within it. You’ll know it’s not supported if you receive an “unrecognized resource type” error.

Your IAM permissions need to be set correctly. The “AdministratorAccess” managed policy contains an adequate level of permissions. However, some organizations will want to customize this setting to be more restrictive.

For additional steps and configuration settings, take advantage of all the resources available to correctly deploy the HITRUST CloudFormation template on your VPC.

Testing the Deployment

It should take around 30 minutes for the deployment to complete. The first post-deployment step is to test it. Validate all services added and settings that are changed.

From the outputs tab on the sample application stack, click “LandingPageURL.” This is where you’ll be able to see if the deployment was successful. 

The page will include a sample WordPress application as a testbed and reference architecture. You’ll also see a diagram of the architecture. It should read that it is:

  • Secure
  • Elastic
  • Fault-tolerant

For added security, be sure to disable public read access for your S3 buckets so they aren’t visible to the public. Any logs placed in them should be encrypted. You’ll know the buckets are properly configured when you see the word “Compliant” under “Resource compliance status.”
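
A local cross-check of the two bucket conditions named above (no public read access, encrypted contents), as an added example that is not part of the Quick Start or the original article. It assumes the three input dicts were fetched with boto3's get_public_access_block, get_bucket_acl and get_bucket_encryption calls; the sample responses are constructed.

```python
# Added example: offline audit of one S3 bucket. Inputs are the dicts returned by
# boto3's get_public_access_block, get_bucket_acl and get_bucket_encryption calls.
ACS = "http://acs.amazonaws.com/groups/global/"
PUBLIC_GROUPS = {ACS + "AllUsers", ACS + "AuthenticatedUsers"}
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")


def audit_bucket(public_access_block, acl, encryption):
    """Return a list of findings; an empty list means the bucket passes."""
    findings = []
    # 1. All four Block Public Access flags should be on.
    pab = (public_access_block or {}).get("PublicAccessBlockConfiguration", {})
    off = [flag for flag in PAB_FLAGS if not pab.get(flag, False)]
    if off:
        findings.append("block-public-access disabled: " + ", ".join(off))
    # 2. No ACL grant to the global AllUsers / AuthenticatedUsers groups.
    for grant in (acl or {}).get("Grants", []):
        uri = grant.get("Grantee", {}).get("URI")
        if uri in PUBLIC_GROUPS:
            findings.append("public ACL grant: %s to %s"
                            % (grant.get("Permission"), uri.rsplit("/", 1)[-1]))
    # 3. A default server-side encryption rule must name an algorithm.
    sse = (encryption or {}).get("ServerSideEncryptionConfiguration", {})
    if not any(rule.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm")
               for rule in sse.get("Rules", [])):
        findings.append("no default server-side encryption")
    return findings


# Constructed sample responses (not taken from a real account).
GOOD = dict(
    public_access_block={
        "PublicAccessBlockConfiguration": dict.fromkeys(PAB_FLAGS, True)},
    acl={"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"},
                     "Permission": "FULL_CONTROL"}]},
    encryption={"ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]}},
)
BAD = dict(
    public_access_block=None,  # no Block Public Access configuration set
    acl={"Grants": [{"Grantee": {"Type": "Group", "URI": ACS + "AllUsers"},
                     "Permission": "READ"}]},
    encryption=None,           # no default encryption rule
)

if __name__ == "__main__":
    for name, cfg in (("good", GOOD), ("bad", BAD)):
        print(name, audit_bucket(**cfg) or "OK")
```

Findings from this check should agree with the AWS Config compliance status; a mismatch is worth investigating before you hand evidence to the assessor.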

HITRUST Acceleration

Using AWS can help you significantly reduce the work needed to achieve HITRUST certification. When you use HITRUST-certified services on AWS, you can inherit security controls. In addition, the AWS Quick Start for HITRUST can speed provisioning of an environment that aligns with the HITRUST framework. While many healthcare organizations are already considering a cloud migration, the ability to streamline HITRUST certification on the cloud should drive even more organizations to make the move.

Learn how Cloudticity can help further accelerate HITRUST certification on AWS. Read the white paper, Get HITRUST Certified Faster with AWS and Cloudticity. Or schedule a free consultation to learn how we can help today.
