Is Amazon Redshift HIPAA Eligible?
This cloud service is HIPAA-eligible
Amazon Redshift is listed on the AWS HIPAA Eligible Services List. This means that organizations that sign Amazon’s Business Associate Agreement (BAA) and fulfill their side of the AWS shared responsibility model may use Redshift to store and transmit protected health information (PHI).
What is Amazon Redshift?
Amazon Redshift is Amazon’s managed cloud data warehouse offering. Redshift allows cloud users to manage data and scale concurrency on demand. Redshift can be used to manage and query very large datasets, up to exabyte-scale data lakes. Users can connect Redshift to S3 and S3 data lakes to build robust services and applications. Redshift can be used for Business Intelligence (BI), predictive analytics, and real-time applications. For raw file and data storage, AWS clients may consider Amazon S3 for HIPAA compliant cloud storage or Amazon RDS for a HIPAA compliant database.
Amazon Redshift Compliance Requirements
Amazon Redshift can be used to store production data and protected health information (PHI), but it must be configured to comply with HIPAA regulations and operated as a HIPAA compliant data store. Organizations must manage permissions and system access, encryption standards, audit logging, and overall service availability. These compliance controls should be built around the organization’s established System Access, Data Integrity, and Auditing policies.
While Redshift manages many operational concerns of data warehousing and offers many security configuration options, it is the cloud user’s responsibility to properly configure the HIPAA administrative and technical safeguards.
Encryption and Amazon Redshift
HIPAA requires that organizations implement encryption for PHI. AWS clients that use Redshift with PHI should ensure that Redshift data is encrypted at rest as well as in transit via SSL/TLS. Backups and log data should also be treated as PHI and encrypted as well. For Redshift, organizations should encrypt all clusters and require an SSL connection for all queries.
System Access and Amazon Redshift
HIPAA follows the principle of “Granting Least Privilege”, meaning that only staff members who need access to PHI should have it. Organizations should follow this principle when granting users access to Redshift: only the minimum necessary staff should have access to production Redshift services. Organizations should use separate development and production environments and avoid storing PHI inside development environments.
Availability and Amazon Redshift
HIPAA requires that organizations account for potential service outages and keep PHI available in case of emergency. This means that organizations should have a disaster recovery policy and a plan for incidents that leave Redshift unavailable. Organizations should create backups of Redshift/S3 data in case of data loss or error. Additionally, Redshift services should be configured for high availability across multiple availability zones (AZs) to minimize the impact of a service outage. Organizations may consider creating two or more identical Redshift clusters across multiple AWS availability zones.
Audit Logging and Amazon Redshift
HIPAA requires that organizations collect and analyze audit logs related to PHI access. For Redshift data warehouses containing PHI, organizations must collect access logs. Collecting these logs gives security teams the ability to detect suspicious activity and respond to potential security threats. Audit logging should be governed by an Audit Logging Policy, with logs reviewed periodically to identify compliance issues.
Potential Threats to Compliance
- Redshift cluster(s) open to the public could allow unauthorized users to access PHI
- Unencrypted Redshift cluster(s) can expose PHI to unauthorized users
- Redshift cluster(s) not using SSL/TLS can expose PHI in transit to unauthorized users
- Redshift cluster(s) without backup processes could lose PHI data
Security and HIPAA Compliance Controls
Dash Compliance Automation – Redshift Security Controls
HIPAA Safeguards
164.308(a)(1)(ii)(B) Risk Management
164.312(c)(1) Integrity
Dash Administrative Controls
System Access Policy
Configuration Management Policy
Dash Technical Controls
Redshift Security Group allows all
Redshift cluster database encryption disabled
Redshift cluster does not allow version upgrade
Redshift cluster is publicly accessible
Redshift cluster user activity logging disabled
Redshift parameter group does not require SSL
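The technical controls above, and the Potential Threats list before them, can be checked from the cluster's API-visible settings. The following is an added example, not Dash's or AWS's code: it evaluates constructed records shaped like the boto3 describe_clusters, describe_cluster_parameters and describe_security_groups responses (an assumption about field names) and returns the matching control names, so it runs offline without AWS credentials.

```python
# Added example (not Dash's or AWS's code): evaluates the Redshift misconfigurations listed
# above against constructed, API-shaped records. Assumed field names follow boto3's
# describe_clusters, describe_cluster_parameters and describe_security_groups responses.

def _param(parameters, name):
    """Lower-cased value of a named entry in a describe_cluster_parameters list."""
    for p in parameters:
        if p.get("ParameterName") == name:
            return str(p.get("ParameterValue", "")).lower()
    return ""

def _open_to_world(group):
    """True if any ingress rule of a security-group record admits all IPv4 or IPv6."""
    for perm in group.get("IpPermissions", []):
        cidrs = [r.get("CidrIp") for r in perm.get("IpRanges", [])]
        cidrs += [r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])]
        if any(c in ("0.0.0.0/0", "::/0") for c in cidrs):
            return True
    return False

def evaluate_cluster(cluster, parameters, security_groups):
    """Return the technical-control findings (names as in the list above) for one cluster."""
    findings = []
    if any(_open_to_world(g) for g in security_groups):
        findings.append("Redshift Security Group allows all")
    if not cluster.get("Encrypted", False):
        findings.append("Redshift cluster database encryption disabled")
    if not cluster.get("AllowVersionUpgrade", False):
        findings.append("Redshift cluster does not allow version upgrade")
    if cluster.get("PubliclyAccessible", False):
        findings.append("Redshift cluster is publicly accessible")
    if _param(parameters, "enable_user_activity_logging") != "true":
        findings.append("Redshift cluster user activity logging disabled")
    if _param(parameters, "require_ssl") != "true":
        findings.append("Redshift parameter group does not require SSL")
    return findings

# Constructed sample records: a cluster with the weak settings, then its hardened form.
WEAK = ({"ClusterIdentifier": "phi-warehouse", "Encrypted": False,
         "PubliclyAccessible": True, "AllowVersionUpgrade": False},
        [{"ParameterName": "require_ssl", "ParameterValue": "false"},
         {"ParameterName": "enable_user_activity_logging", "ParameterValue": "false"}],
        [{"IpPermissions": [{"FromPort": 5439, "ToPort": 5439,
                             "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}])
HARDENED = ({"ClusterIdentifier": "phi-warehouse", "Encrypted": True,
             "PubliclyAccessible": False, "AllowVersionUpgrade": True},
            [{"ParameterName": "require_ssl", "ParameterValue": "true"},
             {"ParameterName": "enable_user_activity_logging", "ParameterValue": "true"}],
            [{"IpPermissions": [{"FromPort": 5439, "ToPort": 5439,
                                 "IpRanges": [{"CidrIp": "10.0.0.0/16"}]}]}])
```

Calling evaluate_cluster(*WEAK) reports all six controls, while evaluate_cluster(*HARDENED) returns an empty list; in a real deployment the three records would come from the corresponding boto3 calls.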