HITRUST on the AWS Cloud: Guide to Getting Started

Author: Cloudticity, L.L.C. (tagged: HITRUST, AWS)

Cloud migration comes with some incredible advantages over on-premises data operations. The scaling in terms of storage and computing processes simply can’t be beat. The ability to eliminate the expense and hassle of maintaining physical servers can give any company a huge boost when it comes to efficiency and profitability.

In addition, there are the emerging technologies of machine learning and artificial intelligence that have been brought to the masses through cloud technology.

Once a company selects a cloud service provider like Amazon Web Services (AWS), Google Cloud Platform or Microsoft Azure, a new and uncertain reality sets in. How can a company remain in full compliance with the Health Insurance Portability and Accountability Act (HIPAA) if all of its protected health data is in the cloud?

The good news is that there are a variety of ways to ensure compliance. One of them is to adopt the Health Information Trust Alliance Common Security Framework, or HITRUST CSF. Once adopted, adherence to all of the best practices laid out within that framework can be verified by earning one of the HITRUST certifications, or at the very least, performing a self-assessment.

Let’s explore the ins and outs of getting started with the HITRUST Framework while using the Amazon Web Services (AWS) Cloud.

What is HITRUST?

There are dozens of different regulatory bodies that govern protected health information (PHI) both in the US and globally. It can be difficult for organizations even to know where to start to meet all of these requirements. 

The bottom line is that the requirements are there to protect data through security and compliance, especially when data is on a cloud platform like AWS. The Health Information Trust Alliance decided to create one set of guidelines to help companies and organizations meet the stringent demands of HIPAA and other regulations.

The guidelines are known as the Health Information Trust Alliance Common Security Framework, HITRUST CSF. It is tailored to meet the demands of several governmental and non-governmental agencies, including but not limited to:

  • Centers for Medicare and Medicaid Services (CMS)
  • Health Information Technology for Economic and Clinical Health Act (HITECH)
  • International Organization for Standardization (ISO)
  • General Data Protection Regulation (GDPR)
  • And more.

Health-specific IT professionals helped to develop this voluntary certification program. While it does incorporate HIPAA into its framework, it is of benefit to companies globally.

What is HITRUST Certification? 

Organizations that wish not only to adopt the HITRUST framework on AWS but also to validate their adherence to the guidelines can embark on a process of assessment. There are multiple levels of assessment based on the level of validation an organization desires.

On the low end, companies can opt for the basic self-assessment. It’s not a validation or certification per se, but it helps ensure an organization is on the right track for meeting its baseline security architecture while using AWS.

On the higher end are certifications that are good for one or two years and involve a lengthy and relatively expensive process of auditing and validation.

This gives third parties that an organization deals with assurance that the organization is meeting the highest level of security within the HITRUST environment.

How is HITRUST CSF Certification Earned?

Validated assessment is carried out by a completely independent HITRUST CSF assessor. The HITRUST CSF-validated assessment will look at several different areas, including but not limited to:

  • Network security: WiFi, outbound internet access, wireless devices, ensuring traffic is encrypted, and more.
  • Audit trail: ensuring proper log configuration.
  • Physical security: preventing access to servers and drives. Maintaining a chain of custody over removable devices like laptops, flash drives, etc.
  • Employee education: verifying the employees understand security practices and are carrying them out routinely.
  • Disaster management and recovery: things are certain to go wrong at some point. Making sure a solid, tested plan is in place to mitigate damage and ensure quick recovery.

The HITRUST validated assessment scores all of these and other parameters on a scale from “not in compliance” to “fully compliant.” Based on the findings of the assessment, certification is approved or denied according to whether the organization has met the HITRUST Framework.

Does AWS Meet the Demands of the HITRUST Framework?

The good news for companies that have selected AWS as their cloud platform is that it certainly does. AWS was assessed under the HITRUST program and found to meet all certification criteria.

It’s important to understand what this does and does not mean. AWS itself meets the demands of the HITRUST CSF assurance program. The service itself is capable of meeting all of the demands of the framework. Whether or not the consumer of the cloud platform services configures and uses them in such a way that is compliant is a different story. 

Let’s now examine how cloud users can make sure their Amazon Web Services cloud is set up in such a way that will meet the HITRUST requirements.

Achieving AWS HITRUST CSF with Quickstart:

Amazon Web Services, Inc., is known for the ease and configuration flexibility of the AWS Cloud. One of the resources it provides is an AWS CloudFormation template that allows quick and easy loading of HITRUST-friendly configurations.

Customers will want to choose the HITRUST deployment configuration through the console. The quick start will then deploy as follows:

  • The architecture will be highly available and span two Availability Zones.
  • A Management VPC and a Production VPC configured with public and private subnets, with VPC peering enabled between them.
  • In the public subnets: managed network address translation (NAT) gateways that allow outbound internet access for the private subnets.
  • Linux bastion hosts in an Auto Scaling group that allow inbound secure shell (SSH) access to the Amazon Elastic Compute Cloud (EC2) instances in the private subnets.
  • Security groups for the EC2 instances and load balancers. The security groups limit access to just what’s necessary and disallow unencrypted traffic.
  • An Amazon Simple Storage Service (S3) bucket for holding encrypted log content.
  • An encrypted Multi-AZ Amazon Relational Database Service (Amazon RDS) MySQL database, with a standby instance in a second private subnet.
  • An SSL/TLS certificate managed by AWS Certificate Manager on the load balancer. This encrypts all traffic between the internet, the load balancer and the application instances.
  • AWS Config rules that monitor the deployment configuration.
  • An Amazon Route 53 record that maps the fully qualified domain name (FQDN).
  • AWS CloudTrail and Amazon CloudWatch for logging and monitoring.

Deployment Planning

If all of this sounds confusing, you’re not alone. The good news is that AWS customers have dozens of various resources to learn about AWS. Making an investment in the training of your IT team is especially important when it comes to properly deploying HITRUST-compliant configurations in AWS services.

Taking advantage of AWS Training and certification programs is an essential first step. Companies that don’t have a large IT staff might consider contracting with third-party businesses to fast-track their deployment.

Resource Quotas:

One thing is for sure: businesses that wish to load the HITRUST Quick Start will need adequate service quotas. Visit the Service Quotas console to view your current usage. Your quotas should meet or exceed the following:

  • VPCs: 2
  • Elastic IP addresses: 5
  • AWS Identity and Access Management (IAM) roles: 8
  • Security groups: 6
  • Auto Scaling groups: 2
  • Amazon Simple Storage Service (S3) buckets: 2
  • Application Load Balancers: 2
  • t3.small instances: 3 to 5
  • EC2 key pairs: 2

Other Settings:

If you are trying to deploy this quick start anywhere other than the default region, you must make sure that any services you are using are supported within it. You’ll know it's not supported if you receive an “unrecognized resource type” error.

Your IAM permissions need to be set correctly. The “AdministratorAccess” managed policy contains an adequate level of permissions. However, some organizations will customize this setting to be more restrictive.

Obviously, this isn’t intended as a complete list of steps that need to be taken or configurations that need to be set. Make sure to take advantage of all the resources available to correctly deploy the HITRUST CloudFormation template on your VPC.

Testing the Deployment

It should take around 30 minutes for the deployment to complete. The first post-deployment step, of course, is to test it. This is just an initial test, and you’ll want to validate all services as they are added, and settings are changed.

From the outputs tab on the sample application stack, click “LandingPageURL.” This is where you’ll be able to see if the deployment was successful. 

The page will include a sample WordPress application as a testbed and reference architecture. You’ll also see a diagram of the architecture. It should read that it is:

  • Secure
  • Elastic
  • Fault-tolerant

It’s very important to disable public read access on your S3 buckets so that they aren’t visible to the public, and, for added security, any logs placed in them should be encrypted. You’ll know they are properly configured when you see the word “Compliant” under “Resource compliance status.”
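The Quick Start relies on AWS Config rules to report whether the security groups (which must disallow unencrypted traffic) and the S3 log buckets (which must block public access and hold encrypted content) are compliant. The following added example is not code from the Quick Start or from AWS; it models that kind of evaluation offline, over constructed resource descriptions, so the check a practitioner would expect to see behind the “Compliant” status is visible in code. The port list, the rule that SSH should not be open to the whole internet, and the sample resource names are assumptions made for the example.

```python
"""Minimal AWS Config-style compliance evaluation (added example, runs offline)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class IngressRule:
    protocol: str    # "tcp", "udp", or "-1" meaning all protocols
    from_port: int
    to_port: int
    cidr: str        # source CIDR block


@dataclass
class SecurityGroup:
    name: str
    ingress: List[IngressRule]


@dataclass
class S3Bucket:
    name: str
    block_public_acls: bool
    ignore_public_acls: bool
    block_public_policy: bool
    restrict_public_buckets: bool
    sse_algorithm: Optional[str]   # "AES256", "aws:kms", or None if no default encryption


# Ports whose protocols carry traffic in the clear (assumed list for this example).
CLEARTEXT_PORTS = {21: "FTP", 23: "Telnet", 80: "HTTP"}


def _covers(rule: IngressRule, port: int) -> bool:
    """True when a TCP rule's port range includes `port`."""
    return rule.protocol == "tcp" and rule.from_port <= port <= rule.to_port


def evaluate_security_group(sg: SecurityGroup) -> Tuple[str, List[str]]:
    """Flag rules that admit unencrypted protocols or expose SSH to the internet."""
    findings: List[str] = []
    for rule in sg.ingress:
        if rule.protocol == "-1":
            findings.append(f"{sg.name}: all protocols and ports open from {rule.cidr}")
            continue
        for port, proto in CLEARTEXT_PORTS.items():
            if _covers(rule, port):
                findings.append(f"{sg.name}: cleartext {proto} (tcp/{port}) open from {rule.cidr}")
        # Assumption: the bastion's SSH should come from a known admin range, not 0.0.0.0/0.
        if _covers(rule, 22) and rule.cidr == "0.0.0.0/0":
            findings.append(f"{sg.name}: SSH (tcp/22) open to the whole internet")
    return ("COMPLIANT" if not findings else "NON_COMPLIANT"), findings


def evaluate_s3_bucket(bucket: S3Bucket) -> Tuple[str, List[str]]:
    """Require the full public access block plus default server-side encryption."""
    findings: List[str] = []
    if not (bucket.block_public_acls and bucket.ignore_public_acls
            and bucket.block_public_policy and bucket.restrict_public_buckets):
        findings.append(f"{bucket.name}: public access block is not fully enabled")
    if bucket.sse_algorithm not in ("AES256", "aws:kms"):
        findings.append(f"{bucket.name}: no default server-side encryption configured")
    return ("COMPLIANT" if not findings else "NON_COMPLIANT"), findings


def evaluate_all(groups: List[SecurityGroup], buckets: List[S3Bucket]) -> Dict[str, str]:
    """Resource name -> compliance status, like the Config console's status column."""
    report: Dict[str, str] = {}
    for sg in groups:
        report[sg.name] = evaluate_security_group(sg)[0]
    for bucket in buckets:
        report[bucket.name] = evaluate_s3_bucket(bucket)[0]
    return report


# Constructed sample resources: two compliant groups, one legacy group on plain HTTP,
# one properly configured log bucket and one left open and unencrypted.
SAMPLE_GROUPS = [
    SecurityGroup("alb-sg", [IngressRule("tcp", 443, 443, "0.0.0.0/0")]),
    SecurityGroup("web-legacy-sg", [IngressRule("tcp", 80, 80, "0.0.0.0/0")]),
    SecurityGroup("bastion-sg", [IngressRule("tcp", 22, 22, "203.0.113.0/24")]),
]
SAMPLE_BUCKETS = [
    S3Bucket("hitrust-logs", True, True, True, True, "aws:kms"),
    S3Bucket("public-test-bucket", False, False, True, True, None),
]

if __name__ == "__main__":
    for name, status in evaluate_all(SAMPLE_GROUPS, SAMPLE_BUCKETS).items():
        print(f"{name:20s} {status}")
    for sg in SAMPLE_GROUPS:
        for finding in evaluate_security_group(sg)[1]:
            print("  -", finding)
    for bucket in SAMPLE_BUCKETS:
        for finding in evaluate_s3_bucket(bucket)[1]:
            print("  -", finding)
```

Feeding this the real `describe-security-groups` and `get-public-access-block` output would require the AWS API; the point of the example is the shape of the evaluation: each resource gets a status and a list of concrete findings, which is what an assessor will ask to see alongside the console's “Compliant” label.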

The Shared Responsibility Model

Amazon has adopted a model of two interrelated tiers of responsibility for information security. The two tiers are:

  • Security in the cloud
  • Security of the cloud

AWS is the responsible party for ensuring the security of the cloud. They take every measure to protect their actual infrastructure from cyber or physical attacks and intrusion. They take this responsibility very seriously as their entire business reputation rests upon success. 

Customers are responsible for security in the cloud. The customer selects the AWS services they use and configures them as they wish. Therefore, remember that following the AWS Config rules is the responsibility of the customer.

Simply using the AWS environment doesn’t guarantee you will be operating within the scope of HITRUST or HIPAA. You’ll need to double-check the configuration parameters that support the required security.

What AWS Services are in the Scope of HITRUST?

Amazon Web Services (AWS) encourages its customers to talk with their business representatives about the HITRUST workloads they seek to perform. This way, AWS can help ensure that any services used are compliant with HITRUST.

The good news is that many different AWS services are already compliant. We’ll list a few of the major ones here, but the list is quite long.

  • Amazon API Gateway
  • Amazon CloudWatch
  • Amazon Cognito
  • Amazon ElastiCache
  • Amazon Location Service
  • Amazon Route 53
  • Amazon SimpleDB
  • Amazon Virtual Private Cloud
  • Amazon IoT Core, Device Management, and Events
  • AWS Outposts
  • Elastic Load Balancing

How AWS Helps with HITRUST Certification

Typically, HITRUST certification is incredibly complex and difficult to achieve. Companies have to attest to hundreds of controls and have them validated by their external assessor – a process that takes several months or even years for most.

But if you use AWS you can accelerate the path to HITRUST by inheriting controls that your cloud service provider has already met via the Shared Responsibility Model. 

How AWS Accelerates HITRUST Certification - on-demand webcast
Reduce the Work Needed to Achieve HITRUST with AWS and Cloudticity – white paper

Benefits of Using the AWS Infrastructure

As of 2022, AWS is the leader in cloud platform market share. There are several reasons for this. Let’s take a look at some of the most important reasons why companies of all sizes are turning to the AWS Cloud.


AWS costs less than its competitors in many situations. While there may be some situations where this isn’t the case, AWS pricing is always competitive and, more importantly, flexible. The “pay as you go” model is popular with many companies that don’t want to make a massive capital investment upfront. It also allows businesses to avoid two pitfalls: overprovisioning and spending more than necessary on unused resources, or running out of capacity when they need it the most.

As usage increases, AWS offers volume-based discounts. This works especially well for larger companies with large amounts of records to archive, taking advantage of the lower, volume-priced S3 storage tiers.

Resources for AWS

As the earliest entrant into the cloud services market, there are probably more resources available for training and getting certified to become developers on AWS than for any other platform.

AWS has large amounts of resources and media available right on their website including:

  • Podcasts
  • Twitch streaming
  • Tech Talks

The “Let’s Build” series has several series of viewable presentations that discuss topics like:

  • Cloud Migration
  • Serverless architecture
  • Data protection
  • Building IoT apps

In addition, there are hundreds of AWS Training and certification programs available from third-party vendors, both in-classroom and online.


The fact that AWS enthusiastically volunteered to become HITRUST certified should tell you everything. Amazon’s entire reputation for cloud technology rests on customers feeling secure that their data will remain private while on Amazon servers and storage.

The Amazon security team is one of the best in the industry. They continually monitor the changing threat landscape and make adjustments as necessary. They also update the AWS best practices so that customers can follow AWS’s own procedures to mitigate threats.

Your Own Virtual Network

Every AWS account comes with Amazon Virtual Private Cloud (VPC). With this huge benefit, you can select an IP address range and create subnets. It also maps to HITRUST controls if you configure it properly.


One of the main reasons for moving to the cloud, especially for the healthcare industry is scaling. Healthcare providers know that certain times of the year require a much higher workload than others.

For instance, winter is a time when respiratory illnesses like colds and flu spike. While these diseases aren’t usually severe on their own, the extra patient load on top of regular operations can put a strain on resources.

Scaling with AWS is easy. Providers and other entities don’t need to purchase hardware and computing resources for the busiest times, only to have them sit unused the rest of the year.

Massive Ecosystem

With nearly 200 different services, many of them fully HITRUST certified, there is no limit to what infrastructure architects can build. These include databases, every application imaginable, security and encryption tools, and much more.

HITRUST Acceleration

When you use AWS you can reduce the work needed to achieve HITRUST certification, because AWS has already met many HITRUST benchmarks whose attestations you can inherit. This HITRUST acceleration is such a value add for healthcare companies that, in fact, many are migrating to AWS for the purpose of simplifying the HITRUST process.

Want to learn more about how you can accelerate HITRUST on AWS? Read the white paper, Reduce the Work Needed to Achieve HITRUST with AWS and Cloudticity. Or schedule a free consultation to learn how we can help today.

How Much Does HITRUST Certification Cost?

How much HITRUST costs will depend on your organization's risk profile. Want to find out how much HITRUST might cost for your organization? Try our free HITRUST Cost Calculator tool for a free estimate.
