HIPAA Hardening & Methods

Under HIPAA, cloud service providers are classified as business associates and therefore do not require certification. To meet HIPAA requirements, Amazon Web Services (AWS) aligns its security controls with FedRAMP and NIST 800-53, stricter standards whose controls map to the HIPAA, HITECH, and HITRUST Security Rules.

In addition, AWS offers a Business Associate Addendum (BAA), a contract that commits AWS to appropriately safeguard protected health information (PHI). Entities that want to run PHI workloads on AWS must accept the AWS BAA through the self-service portal in AWS Artifact; the BAA must be in place before any PHI workload runs on AWS. Additional information on the BAA can be found here.

According to AWS:

Understanding how to build healthcare applications on AWS means understanding the shared responsibility model. In the AWS Cloud, security is shared between AWS and the customer, meaning that certain elements of security – such as physical security of the underlying infrastructure – are now the responsibility of AWS. Customers are still responsible for other aspects of security, such as the security measures used to protect your applications – which is no different than if your application were running in a traditional data center.

This AMI packages the additional configuration required so that CentOS instances launched in Amazon Elastic Compute Cloud (EC2) are compliant at the operating-system level from the moment they start.

The HIPAA Image starts as a base CentOS Image, maintained by Faro Source, that’s been configured to meet base AWS security rules and guidelines. The image is then hardened through Ansible, a configuration management tool that’s used to configure systems and orchestrate IT tasks.

The exact hardening steps come from OpenSCAP, a Red Hat product certified by the National Institute of Standards and Technology (NIST). OpenSCAP is an open-source tool that expresses security requirements in a format suitable for machine processing. It implements the Security Content Automation Protocol (SCAP), which bridges the gap between generalized policy requirements and the specific settings that implement them on particular computer environments and software products.

OpenSCAP also produces, on demand, reports that show the current state of a machine against various security guidelines and requirements. These reports are generated in the Extensible Configuration Checklist Description Format (XCCDF), a specification language for writing security checklists.
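To make the XCCDF report described above concrete, the following is an added Python example (not code from Faro Source, OpenSCAP, or this page) that parses the `<TestResult>` section of the results file that `oscap xccdf eval --results` writes and summarises rule outcomes by severity. The XML embedded in it is a constructed sample; its rule identifiers, profile name, and target hostname are illustrative and are not taken from the page.

```python
"""Summarise an OpenSCAP XCCDF 1.2 results file.

Added example, not Faro Source or OpenSCAP code. The sample document below is
constructed to mimic the <TestResult> block that `oscap xccdf eval --results`
writes; every identifier in it is illustrative.
"""
import xml.etree.ElementTree as ET
from collections import Counter

XCCDF_NS = {"xccdf": "http://checklists.nist.gov/xccdf/1.2"}
# Ordering used to rank XCCDF rule severities (XCCDF defines these five values).
SEVERITY_RANK = {"unknown": 0, "info": 1, "low": 2, "medium": 3, "high": 4}

# Constructed sample: a trimmed TestResult with four rule results.
SAMPLE_RESULTS = """<?xml version="1.0" encoding="UTF-8"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_benchmark_sample">
  <TestResult id="xccdf_example_testresult_sample"
              start-time="2024-01-01T00:00:00" end-time="2024-01-01T00:01:00">
    <profile idref="xccdf_example_profile_hipaa"/>
    <target>ip-10-0-0-10.example.internal</target>
    <rule-result idref="xccdf_example_rule_sshd_disable_root_login" severity="medium">
      <result>fail</result>
    </rule-result>
    <rule-result idref="xccdf_example_rule_audit_rules_enabled" severity="high">
      <result>pass</result>
    </rule-result>
    <rule-result idref="xccdf_example_rule_partition_for_var_log_audit" severity="low">
      <result>notapplicable</result>
    </rule-result>
    <rule-result idref="xccdf_example_rule_disk_encryption" severity="high">
      <result>notchecked</result>
    </rule-result>
  </TestResult>
</Benchmark>
"""


def parse_results(xml_text):
    """Return profile, target and per-rule outcomes from an XCCDF results document."""
    root = ET.fromstring(xml_text)
    # oscap may write a Benchmark wrapping the TestResult, or a bare TestResult.
    test_result = root if root.tag.endswith("}TestResult") else root.find(".//xccdf:TestResult", XCCDF_NS)
    if test_result is None:
        raise ValueError("no TestResult element found")
    profile = test_result.find("xccdf:profile", XCCDF_NS)
    target = test_result.find("xccdf:target", XCCDF_NS)
    rules = []
    for rr in test_result.findall("xccdf:rule-result", XCCDF_NS):
        result = rr.findtext("xccdf:result", default="unknown", namespaces=XCCDF_NS)
        rules.append({
            "id": rr.get("idref"),
            "severity": rr.get("severity", "unknown"),
            "result": result.strip(),
        })
    return {
        "profile": profile.get("idref") if profile is not None else None,
        "target": target.text.strip() if target is not None and target.text else None,
        "rules": rules,
    }


def summarize(rules):
    """Count rule outcomes (pass, fail, notapplicable, notchecked, ...)."""
    return Counter(r["result"] for r in rules)


def failing_rules(rules, min_severity="low"):
    """IDs of failed rules at or above min_severity, highest severity first."""
    threshold = SEVERITY_RANK.get(min_severity, 0)
    failed = [r for r in rules
              if r["result"] == "fail" and SEVERITY_RANK.get(r["severity"], 0) >= threshold]
    failed.sort(key=lambda r: -SEVERITY_RANK.get(r["severity"], 0))
    return [r["id"] for r in failed]


def pass_rate(rules):
    """Fraction of evaluated rules that passed; notapplicable/notchecked are excluded.

    This is a simple ratio, not the weighted score that oscap itself reports.
    """
    counted = [r for r in rules if r["result"] in ("pass", "fail")]
    if not counted:
        return None
    return sum(r["result"] == "pass" for r in counted) / len(counted)


if __name__ == "__main__":
    parsed = parse_results(SAMPLE_RESULTS)
    print("target :", parsed["target"])
    print("profile:", parsed["profile"])
    print("summary:", dict(summarize(parsed["rules"])))
    print("failing (medium+):", failing_rules(parsed["rules"], "medium"))
    print("pass rate:", pass_rate(parsed["rules"]))
```

Against a real instance, the input would be the file produced by `oscap xccdf eval --profile <profile-id> --results results.xml <datastream>`; feeding that file to `parse_results` turns the checklist into a list of failing rule IDs that a hardening playbook, such as the Ansible run described above, can be checked against. Note that `notchecked` and `notapplicable` outcomes are not counted as passes, since a rule that was never evaluated says nothing about the machine's state.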

Additional Resources

How to Use AWS Artifact to Accept an Agreement for Your Account

Accept a BAA with AWS for all accounts in your organization

AWS Services in Scope by Compliance

HIPAA Compliance Checklist

OpenSCAP Documentation
