Is AWS Lambda HIPAA Eligible?
This cloud service is HIPAA-eligible
AWS Lambda is listed on the AWS HIPAA Eligible Services List. This means that organizations that have signed the AWS Business Associate Addendum (BAA) and meet their side of the AWS shared responsibility model may use Lambda with protected health information (PHI). Eligibility alone does not make a workload compliant: the customer must still implement the administrative and technical safeguards that fall under its share of the responsibility.
What is AWS Lambda?
AWS Lambda is a serverless computing platform provided by Amazon Web Services. It is an event-driven compute service that runs code in response to events. As a serverless offering, Lambda requires no server provisioning or management and scales automatically. Lambda can be used for virtually any application or backend service with little administration. Customers pay only for the compute time consumed while a function runs. Functions can be triggered automatically by other AWS services or invoked directly from applications.
AWS Lambda Compliance Requirements
AWS Lambda can be used to build HIPAA compliant serverless applications. To use it in a compliant manner, organizations must account for the technical safeguards that apply to Lambda access, data storage, and data transmission. Lambda runs on a fleet of highly available Amazon EC2 instances that AWS operates, so AWS covers the physical and host-level protections; the customer remains responsible for how functions interact with other AWS services and with PHI. Administrative policies should define who may access Lambda functions and how function code and configuration are changed, and access to functions that process PHI should be limited to the users and roles that require it.
Encryption and AWS Lambda
HIPAA requires organizations to implement the security measures necessary to protect PHI at rest and in transit, and encryption is the expected control for both. To keep PHI encrypted while using AWS Lambda, every connection a function makes to an external resource should use an encrypted protocol such as HTTPS (TLS).
- Use TLS when connecting to other AWS services. For example, when a Lambda function accesses S3, address the bucket over HTTPS, e.g. https://bucket-name.s3.region.amazonaws.com. The AWS SDKs use HTTPS endpoints by default; the risk lies in hand-built HTTP clients and third-party endpoints.
- If PHI is stored at rest, or buffered by a running function (for example written to the function's /tmp storage), it should be encrypted client-side or server-side with keys managed in AWS KMS or AWS CloudHSM.
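The two requirements above can be enforced on the S3 side rather than trusting every caller. The following is an added example, not code from the Dash page or from AWS: it places the weak bucket policy (access granted, nothing said about transport or encryption) beside the hardened one (explicit denies on non-TLS requests and on PutObject without SSE-KMS), and gives two checks a reviewer can run: one over a policy document, one over the endpoint URL a function is configured with. The bucket name, account id, role and KMS key ARN are hypothetical placeholders.

```python
"""Added example (not from the Dash page): weak vs. hardened S3 bucket policy for a
PHI bucket, plus reviewer checks for the TLS and SSE-KMS requirements."""
import json
import re
from urllib.parse import urlparse

PHI_BUCKET = "example-phi-bucket"                                  # hypothetical
LAMBDA_ROLE = "arn:aws:iam::123456789012:role/phi-lambda-role"     # hypothetical
KMS_KEY_ARN = ("arn:aws:kms:us-east-1:123456789012:key/"
               "11111111-2222-3333-4444-555555555555")             # hypothetical

# Weak policy: grants the function's role access but is silent on transport and
# server-side encryption, so plain-HTTP reads and unencrypted writes are allowed.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowLambdaRole",
        "Effect": "Allow",
        "Principal": {"AWS": LAMBDA_ROLE},
        "Action": ["s3:GetObject", "s3:PutObject"],
        "Resource": f"arn:aws:s3:::{PHI_BUCKET}/*",
    }],
}

# Hardened policy: the same grant plus two explicit denies. aws:SecureTransport is
# false for any request that did not arrive over TLS; the second deny rejects
# PutObject calls whose request does not ask for SSE-KMS (clients must send the
# x-amz-server-side-encryption: aws:kms header).
HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": WEAK_POLICY["Statement"] + [
        {
            "Sid": "DenyNonTLS",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [f"arn:aws:s3:::{PHI_BUCKET}",
                         f"arn:aws:s3:::{PHI_BUCKET}/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
        {
            "Sid": "DenyPutWithoutKMS",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{PHI_BUCKET}/*",
            "Condition": {"StringNotEquals": {
                "s3:x-amz-server-side-encryption": "aws:kms"}},
        },
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _deny_statements(policy):
    return [s for s in _as_list(policy.get("Statement", []))
            if s.get("Effect") == "Deny"]


def denies_non_tls(policy):
    """True if a Deny statement covers all S3 actions when aws:SecureTransport is false."""
    for s in _deny_statements(policy):
        cond = s.get("Condition", {}).get("Bool", {})
        if str(cond.get("aws:SecureTransport", "")).lower() != "false":
            continue
        if any(a in ("s3:*", "*") for a in _as_list(s.get("Action", []))):
            return True
    return False


def denies_unencrypted_put(policy):
    """True if a Deny statement rejects PutObject that does not request SSE-KMS."""
    for s in _deny_statements(policy):
        cond = s.get("Condition", {}).get("StringNotEquals", {})
        if cond.get("s3:x-amz-server-side-encryption") != "aws:kms":
            continue
        if any(a in ("s3:PutObject", "s3:*", "*") for a in _as_list(s.get("Action", []))):
            return True
    return False


def bucket_policy_findings(policy):
    """Gaps in a bucket policy relative to the two encryption requirements; empty when both hold."""
    findings = []
    if not denies_non_tls(policy):
        findings.append("no Deny for aws:SecureTransport=false: PHI may be read over plain HTTP")
    if not denies_unencrypted_put(policy):
        findings.append("no Deny for PutObject without SSE-KMS: PHI may be stored unencrypted")
    return findings


# Virtual-hosted (bucket.s3.region / legacy bucket.s3-region) or path-style regional S3 host.
_S3_HOST = re.compile(r"^(?:[a-z0-9.-]+\.)?s3[.-][a-z0-9-]+\.amazonaws\.com$")


def s3_url_is_tls(url):
    """Accept only https URLs that point at an S3 regional endpoint on amazonaws.com."""
    p = urlparse(url)
    return p.scheme == "https" and bool(p.hostname) and bool(_S3_HOST.match(p.hostname))


if __name__ == "__main__":
    for name, pol in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, bucket_policy_findings(pol) or "OK")
    print(json.dumps(HARDENED_POLICY, indent=2))
```

The policy checks are deliberately structural (they look for the deny statements by effect, action and condition key), so they can be run over the output of `aws s3api get-bucket-policy` in a CI step without calling AWS at all.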
Audit Logging and AWS Lambda
HIPAA requires that organizations collect and review audit logs of PHI access. For Lambda functions, customers should generate logs that record access to PHI. Collecting these logs gives security teams the ability to detect suspicious activity and respond to potential security threats. Audit logging should be governed by an Audit Logging Policy, with logs reviewed periodically for compliance issues.
- Security teams should collect Lambda function logs (written to Amazon CloudWatch Logs) and the API activity recorded by AWS CloudTrail, or forward them to an appropriate third-party solution.
- Audit logs should be reviewed quarterly for suspicious activity.
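A periodic review is only useful if someone actually queries the logs for the cases that matter. The following is an added example, not from the Dash page or from AWS: it runs over a handful of constructed, simplified records in the shape of CloudTrail S3 data events and flags PHI-bucket access by a principal other than the function's execution role, requests with no TLS recorded, and TLS versions below a minimum. The bucket name, account id and role ARN are hypothetical, and the records contain only the fields the review reads.

```python
"""Added example (not from the Dash page): audit-log review over constructed
CloudTrail-style S3 data events for a PHI bucket."""
import json

PHI_BUCKET = "example-phi-bucket"  # hypothetical bucket holding PHI
# Only the Lambda execution role may touch PHI (hypothetical ARN prefix of its sessions).
ALLOWED_PRINCIPAL_PREFIXES = (
    "arn:aws:sts::123456789012:assumed-role/phi-lambda-role/",
)


def constructed_events():
    """Constructed, simplified records in the shape of CloudTrail S3 data events,
    one JSON document per line as a log collector would deliver them."""
    def ev(name, arn, bucket, key, tls):
        e = {
            "eventSource": "s3.amazonaws.com",
            "eventName": name,
            "userIdentity": {"arn": arn},
            "requestParameters": {"bucketName": bucket, "key": key},
        }
        if tls is not None:
            e["tlsDetails"] = {"tlsVersion": tls}
        return e

    role = "arn:aws:sts::123456789012:assumed-role/phi-lambda-role/phi-handler"
    user = "arn:aws:iam::123456789012:user/contractor"
    return [json.dumps(e) for e in [
        ev("GetObject", role, PHI_BUCKET, "patients/1001.json", "TLSv1.2"),      # expected access
        ev("GetObject", user, PHI_BUCKET, "patients/1001.json", "TLSv1.2"),      # wrong principal
        ev("PutObject", role, PHI_BUCKET, "patients/1002.json", None),           # no TLS recorded
        ev("GetObject", role, PHI_BUCKET, "patients/1003.json", "TLSv1.0"),      # weak TLS
        ev("GetObject", user, "example-public-assets", "logo.png", "TLSv1.2"),   # not PHI, ignored
    ]]


def tls_version(tls_details):
    """Map a CloudTrail tlsVersion string such as 'TLSv1.2' to (1, 2); None if absent."""
    v = (tls_details or {}).get("tlsVersion", "")
    if not v.startswith("TLSv"):
        return None
    major, _, minor = v[4:].partition(".")
    return int(major), int(minor or 0)


def review_phi_access(log_lines, phi_bucket=PHI_BUCKET,
                      allowed_prefixes=ALLOWED_PRINCIPAL_PREFIXES, min_tls=(1, 2)):
    """Return one finding per suspicious PHI access as
    (eventName, objectKey, principalArn, reason)."""
    findings = []
    for line in log_lines:
        e = json.loads(line)
        params = e.get("requestParameters") or {}
        if e.get("eventSource") != "s3.amazonaws.com" or params.get("bucketName") != phi_bucket:
            continue  # not an access to the PHI bucket
        principal = e.get("userIdentity", {}).get("arn", "")
        key = params.get("key", "")
        name = e.get("eventName", "")
        if not principal.startswith(allowed_prefixes):
            findings.append((name, key, principal, "principal not authorized for PHI"))
        tls = tls_version(e.get("tlsDetails"))
        if tls is None:
            findings.append((name, key, principal, "no TLS recorded for request"))
        elif tls < min_tls:
            findings.append((name, key, principal,
                             f"TLS version below minimum: TLSv{tls[0]}.{tls[1]}"))
    return findings


if __name__ == "__main__":
    for f in review_phi_access(constructed_events()):
        print(*f, sep=" | ")
```

The same function can be pointed at real CloudTrail output by replacing `constructed_events()` with the lines of a downloaded log file; the allow-list of principals is the piece that has to be maintained alongside the access policy.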
Potential Threats to Compliance
- Lambda connections to services that do not use TLS could leak PHI in transit.
- Event payloads passed to Lambda that contain PHI could be read by unauthorized users, for example if the handler writes the raw event to its logs.
- Security and compliance controls for the AWS services connected to Lambda (S3, RDS, etc.) must be implemented in order to build a HIPAA compliant solution. Technical safeguards such as encryption, audit logging, and backup and disaster recovery must be addressed for each of them.
Security and HIPAA Compliance Controls
Dash Compliance Automation – Lambda Security Controls
HIPAA Safeguards
- 164.308(a)(5)(ii)(B) – Protection from Malicious Software
- 164.312(a)(2)(iv) – Encryption and Decryption
- 164.312(b) – Audit Controls
- 164.312(c)(1) – Integrity
Dash Administrative Controls
- System Access Policy
- Configuration Management Policy
- Auditing Policy
Dash Technical Controls
- S3 Bucket: Access Logging Disabled
- S3 Bucket: Default Encryption Disabled
- Security Group: All ports open to all
- Security Group: Unrestricted network traffic within security group
- Security Group: DB ports open to all
- Security Group: Large port range(s) open to all
- EBS volume is unencrypted
- VPC Flow Logs are not enabled
- VPC Network ACLs allow all egress
- VPC Network ACLs allow all ingress