At Perficient, our Data Solutions team has worked closely with our Healthcare division to implement Redshift for HIPAA and HITECH compliance. Snowflake offers healthcare organizations a secure data warehouse environment with many HIPAA compliance features. Perficient’s implementation team includes Snowflake and health industry subject matter experts. We’ll take a look at Snowflake’s benefits for healthcare providers looking to improve their HIPAA and HITECH compliance efforts and some specific strategies that you can use.
HIPAA and AWS
HIPAA is a law that applies to health care providers and to businesses that hold health care information. The HITECH Act strengthened HIPAA in 2009. Together, these laws set the rules for using and disclosing protected health information (PHI), and they also impose security requirements and grant rights to individuals.
Amazon Web Services (AWS) provides healthcare and insurance companies with the IT components they need to make their applications HIPAA and HITECH compliant. AWS has many security measures in place that help ensure customers’ data is safe. AWS provides a pre-built infrastructure platform with industry-recognized certifications and checks such as ISO 27001, FedRAMP, and the Service Organization Control Reports (SOC1, SOC2, and SOC3).
The AWS HIPAA Privacy Rule Compliance program is a standards-based risk management procedure intended to guarantee that the HIPAA-compliant services are suited to HIPAA's administrative, technical, and physical safeguards. Using these services to store, process, and transmit PHI helps both our clients and AWS meet the HIPAA requirements that apply to the utility-based operating model.
The HIPAA Security Rule requires covered entities to securely handle, store, and transmit protected health information. Since July 2013, AWS has offered a standardized Business Associate Addendum (BAA) to such customers. Customers who sign an AWS BAA may use any AWS service in a HIPAA Account; however, they may only process, store, and transmit health data with the HIPAA-eligible services listed in the AWS BAA. Customers operating under the AWS BAA are required to encrypt PHI stored in or transferred through HIPAA-eligible services, following the guidance issued by the Secretary of Health and Human Services (HHS).
AWS has enough services available for use by covered entities under its BAA to implement most use cases.
End-To-End Encryption
AWS is designed to minimize risk by providing services to encrypt data at rest and in motion. End-to-end encryption (E2EE) is a form of communication in which no one but the end users can read the data. The E2EE architecture minimizes attack surface exposure: even if a security breach affects the cloud platform's infrastructure, whether it is caused by an internal or an external attacker, the data remains protected because it is encrypted.
Encryption
Customers can encrypt data at rest and protect it with Redshift’s database encryption. Amazon Redshift encrypts all data, including backups, using hardware-accelerated Advanced Encryption Standard (AES)-256 symmetric keys when clients enable encryption for a cluster. Redshift’s encryption is protected by a four-tiered, key-based architecture. These keys include data encryption keys, a database key, a cluster key, and a master key.
Data encryption keys encrypt the data blocks in the cluster and are themselves encrypted with the cluster's database key. The database key is stored on disk in a separate network from the Redshift cluster and is passed to the cluster over a secure channel. The cluster key encrypts the database key for the Amazon Redshift cluster. Customers can manage the cluster key with either AWS KMS or AWS CloudHSM (a hardware security module).
For data in transit, Redshift supports SSL (Secure Sockets Layer) connections to encrypt data, and it presents server certificates so that clients can verify the identity of the server they connect to. This includes hardware-accelerated SSL for communication with Amazon S3 or Amazon DynamoDB during COPY, UNLOAD, backup, and restore operations. Additionally, you can connect to Redshift clusters through JDBC and ODBC connections using SQL client tools.
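Enabling SSL on the server side does not by itself prove that every client actually negotiated it. The following queries, added here as an example rather than taken from the original post, check what the cluster recorded for recent sessions. They read STL_CONNECTION_LOG, a Redshift system table whose columns (event, recordtime, username, remotehost, dbname, authmethod, sslversion, sslcipher) are the documented ones; the 7-day window is an assumption you can adjust, and the queries should be run as a superuser so that all users' sessions are visible.

```sql
-- Added example (not from the original post). Summarize how recent sessions
-- were established: TLS protocol version, cipher suite and authentication
-- method. Rows with an empty sslversion were plaintext connections.
SELECT sslversion,
       sslcipher,
       authmethod,
       COUNT(*) AS sessions
FROM   stl_connection_log
WHERE  event = 'initiating session'
  AND  recordtime > DATEADD(day, -7, GETDATE())
GROUP BY sslversion, sslcipher, authmethod
ORDER BY sessions DESC;

-- List every session that did not negotiate TLS. Each row is a finding:
-- the client driver should be reconfigured to require SSL, and the cluster
-- parameter group should enforce require_ssl = true so that plaintext
-- connections are refused rather than merely logged.
SELECT recordtime,
       username,
       remotehost,
       dbname,
       authmethod
FROM   stl_connection_log
WHERE  event = 'initiating session'
  AND  COALESCE(TRIM(sslversion), '') = ''
  AND  recordtime > DATEADD(day, -7, GETDATE())
ORDER BY recordtime DESC;
```

The first query is useful as a periodic report (weak protocol versions or ciphers stand out immediately); the second is the one to alert on, since a PHI workload under the AWS BAA should never show a plaintext session.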
Key Lifecycle
The National Institute of Standards and Technology (NIST) recommends limiting the lifetime of a key to enhance security. Snowflake's Encryption Key Rotation service rotates keys automatically on a regular schedule. When you enable automatic key rotation for a customer-managed key, AWS KMS generates new cryptographic material for the KMS key every year. AWS KMS retains all of the older cryptographic material indefinitely so that data encrypted under earlier versions of the key can still be decrypted; rotated key material is removed only when you delete the KMS key itself.
Amazon KMS presents a single point to manage your keys consistently across your entire AWS portfolio.
Governance
Data governance in healthcare is a way to prevent unauthorized access to patients' personal health information. Its objective is to define PHI clearly and to establish rules for protecting health data and privacy. Previously, this was handled with views, or with AWS Lake Formation on Amazon Redshift Spectrum. That approach adds overhead for creating and maintaining the views as well as for Amazon Redshift Spectrum itself; it is also hard to scale and can leave gaps in the security safeguards. Now, by allowing access controls to be configured on databases, tables, and views, and on specific columns within tables, Redshift provides precise control over who has access to what. This is the preferred method of managing access to PII/PHI and other sensitive data on Redshift.
Governance in Redshift is implemented using:
- column-level security
- row-level security
Column-level Security
Column-level security is implemented with GRANT and REVOKE statements for a user or group against tables or views. If a user or group lacks permission on a column referenced in a SELECT or UPDATE statement, a permission denied error is returned. There is no native option for masking or tokenization.
Row-level Security
Row-level access control is not natively supported in Redshift. It is possible to implement using a view-based approach, but this comes with administrative difficulties owing to the development, maintenance and security overhead that is baked into this type of solution.
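The two governance mechanisms described above, column-level grants and the view-based workaround for row-level access, fit together in one pattern. The script below is an added example, not code from the original post or from Perficient's implementation; the schema, table, column, group and user names are hypothetical, and the password is a placeholder. It grants an analyst group only the de-identified columns of an encounter table, then layers a view that filters rows by the facilities each database user is mapped to.

```sql
-- Added example (not from the original post); all object names are hypothetical.
CREATE SCHEMA clinical;

-- Base table mixing PHI identifiers with de-identified clinical fields.
CREATE TABLE clinical.patient_encounter (
    encounter_id   BIGINT,
    patient_ssn    VARCHAR(11),    -- PHI: never exposed to analysts
    patient_name   VARCHAR(200),   -- PHI: never exposed to analysts
    facility_id    INTEGER,
    diagnosis_code VARCHAR(10),
    encounter_date DATE
);

CREATE GROUP analysts;
-- Placeholder password: replace before use.
CREATE USER analyst_jane PASSWORD 'Placeholder-Pw-1' IN GROUP analysts;
GRANT USAGE ON SCHEMA clinical TO GROUP analysts;

-- 1. Column-level security. Because a column list is given, SELECT * and any
--    SELECT that touches patient_ssn or patient_name fails for the group
--    with a permission denied error; only the listed columns are readable.
GRANT SELECT (encounter_id, facility_id, diagnosis_code, encounter_date)
    ON TABLE clinical.patient_encounter TO GROUP analysts;

-- A single column can later be withdrawn without disturbing the others.
REVOKE SELECT (encounter_date)
    ON TABLE clinical.patient_encounter FROM GROUP analysts;

-- 2. View-based row-level filtering. Each database user is mapped to the
--    facilities they may see; the view joins on current_user so the filter
--    cannot be bypassed by the caller. The view runs with its owner's
--    privileges, so analysts need no direct privilege on the base table.
CREATE TABLE clinical.user_facility_map (
    db_user     VARCHAR(128),
    facility_id INTEGER
);
INSERT INTO clinical.user_facility_map VALUES ('analyst_jane', 17), ('analyst_jane', 42);

CREATE VIEW clinical.v_patient_encounter_scoped AS
SELECT e.encounter_id, e.facility_id, e.diagnosis_code, e.encounter_date
FROM   clinical.patient_encounter  e
JOIN   clinical.user_facility_map  m
       ON  m.facility_id = e.facility_id
       AND m.db_user     = current_user;

GRANT SELECT ON clinical.v_patient_encounter_scoped TO GROUP analysts;
```

The mapping table is the part that carries the administrative cost the text warns about: every onboarding, transfer or departure becomes a row change, and the view owner's privileges must be reviewed as carefully as any superuser's, because the view is the only thing standing between the analyst group and the full table.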
Your data may be HIPAA compliant; however, the way it is used without masking and tokenization may not be.
Conclusion
Amazon Web Services (AWS) provides healthcare and insurance companies with the IT components they need to make their applications HIPAA and HITECH compliant. AWS has many security measures in place that help ensure customers' data is safe. AWS provides a pre-built infrastructure platform with industry-recognized certifications and checks such as ISO 27001, FedRAMP, and the Service Organization Control Reports (SOC1, SOC2, and SOC3).
However, the lack of support for tokenization and data masking makes it difficult to serve many data science and business intelligence use cases. Because tokenization assigns a distinct value to each string of characters, records can be classified on that value without disclosing the sensitive information behind it.
AWS has a very compelling HIPAA-compliant offering. However, strongly consider a third-party option like Immuta before committing to Redshift.
If you’re ready to move to the next level of your data-driven enterprise journey in the heavily regulated healthcare space, contact Juliet.Silver@perficient.com with Healthcare or Bill.Busch@perficient.com with Data Solutions.