Serverless used for HIPAA

aws
#1

Hello

Has anyone used Serverless to manage/create a HIPAA compliant application?

We already have the BAA, but the Amazon recommended architectures build a very large back end infrastructure, and we’re just in development currently.

I used the ‘search’ feature but the word HIPAA didn’t appear anywhere!

    == John ==
#2

From the Amazon whitepaper: https://d1.awsstatic.com/whitepapers/compliance/AWS_HIPAA_Compliance_Whitepaper.pdf

AWS Lambda lets customers run code without provisioning or managing servers on their own. AWS Lambda uses a compute fleet of Amazon Elastic Compute Cloud (Amazon EC2) instances across multiple Availability Zones in a region, which provides the high availability, security, performance, and scalability of the AWS infrastructure. To ensure that PHI remains encrypted while using AWS Lambda, connections to external resources should use an encrypted protocol such as HTTPS or SSL/TLS. For example, when S3 is accessed from a Lambda procedure, it should be addressed with https://bucket.s3-aws-region.amazonaws.com. If any PHI is placed at rest or idled within a running procedure, it should be encrypted client-side or server-side with keys obtained from AWS KMS or AWS CloudHSM. Follow the related guidance for AWS API Gateway when triggering AWS Lambda functions through the service. When using events from other AWS services to trigger AWS Lambda functions, the event data should not contain (in and of itself) PHI. For example, when a Lambda procedure is triggered from an S3 event, such as the arrival of an object on S3, the object name which is relayed to Lambda should not have any PHI, although the object itself can contain such data.
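
The three rules in the whitepaper excerpt above (no PHI in the event data such as the S3 object key, HTTPS-only access to S3, and KMS encryption of PHI at rest) as a Lambda handler. This is an added example, not code from the thread, the whitepaper, AWS or the Serverless Framework. The opaque `ingest/<32 hex digits>.json` key convention, the placeholder CMK ARN, the `FakeS3Client` stand-in for boto3 and the constructed S3 event are all assumptions made for the example; the boto3 calls (`get_object`, `put_object` with `ServerSideEncryption`/`SSEKMSKeyId`) are the real API.

```python
"""Lambda handler applying the whitepaper's three PHI controls: opaque S3 keys
(no PHI in event data), HTTPS-only access to S3, and SSE-KMS on every PHI
object read or written. Added example with a constructed fake S3 client so it
runs offline; not code from the thread, AWS or the Serverless Framework."""

import io
import json
import re

# Assumed naming convention: PHI objects live under an opaque 32-hex-digit ID,
# so a key can never carry a patient name, MRN or date of birth.
OPAQUE_KEY = re.compile(r"^ingest/([0-9a-f]{32})\.json$")

# Placeholder CMK ARN (assumption); in a real deployment this comes from config.
KMS_KEY_ARN = ("arn:aws:kms:us-east-1:123456789012:key/"
               "00000000-0000-0000-0000-000000000000")


def s3_https_endpoint(bucket, region):
    """Virtual-hosted-style HTTPS endpoint, as the whitepaper recommends."""
    return f"https://{bucket}.s3.{region}.amazonaws.com"


def validate_record(record):
    """Return (bucket, key, object_id) for one S3 event record.

    Rejects keys outside the opaque convention. The key is deliberately kept
    out of the error message: if it does contain PHI, logging it is the leak."""
    bucket = record["s3"]["bucket"]["name"]
    key = record["s3"]["object"]["key"]
    m = OPAQUE_KEY.match(key)
    if not m:
        raise ValueError("S3 key does not follow the opaque naming convention")
    return bucket, key, m.group(1)


def is_kms_encrypted(resp, kms_key_arn):
    """True only if S3 reports the object is SSE-KMS encrypted under our CMK."""
    return (resp.get("ServerSideEncryption") == "aws:kms"
            and resp.get("SSEKMSKeyId") == kms_key_arn)


def read_phi(client, bucket, key, kms_key_arn):
    """Read a PHI object and refuse it if S3 says it is not under our CMK."""
    resp = client.get_object(Bucket=bucket, Key=key)
    if not is_kms_encrypted(resp, kms_key_arn):
        raise RuntimeError("PHI object is not encrypted under the expected KMS key")
    return resp["Body"].read()


def write_phi(client, bucket, key, body, kms_key_arn):
    """Request SSE-KMS explicitly instead of relying on bucket default encryption."""
    resp = client.put_object(Bucket=bucket, Key=key, Body=body,
                             ServerSideEncryption="aws:kms", SSEKMSKeyId=kms_key_arn)
    if not is_kms_encrypted(resp, kms_key_arn):
        raise RuntimeError("S3 did not confirm SSE-KMS on write")


def handler(event, context=None, client=None, region="us-east-1",
            kms_key_arn=KMS_KEY_ARN):
    """Process each S3 ObjectCreated record; returns the opaque IDs handled (no PHI)."""
    if client is None:  # real deployment path; TLS is boto3's default (use_ssl=True)
        import boto3
        from botocore.config import Config
        client = boto3.client("s3", region_name=region, use_ssl=True,
                              config=Config(s3={"addressing_style": "virtual"}))
    handled = []
    for record in event.get("Records", []):
        bucket, key, object_id = validate_record(record)
        raw = read_phi(client, bucket, key, kms_key_arn)
        # Stand-in for real processing: emit only a field count, never the values.
        summary = json.dumps({"fields": len(json.loads(raw))}).encode()
        write_phi(client, bucket, f"processed/{object_id}.json", summary, kms_key_arn)
        handled.append(object_id)
    return handled


class FakeS3Client:
    """Constructed stand-in for boto3's S3 client; keeps objects in a dict."""

    def __init__(self, endpoint_url, objects):
        if not endpoint_url.startswith("https://"):
            raise ValueError("PHI must only travel over HTTPS")
        self.objects = dict(objects)  # (bucket, key) -> response dict, Body as bytes

    def get_object(self, Bucket, Key):
        resp = dict(self.objects[(Bucket, Key)])
        resp["Body"] = io.BytesIO(resp["Body"])  # boto3 returns a streaming body
        return resp

    def put_object(self, Bucket, Key, Body, ServerSideEncryption=None, SSEKMSKeyId=None):
        self.objects[(Bucket, Key)] = {"Body": Body, "ServerSideEncryption": ServerSideEncryption,
                                       "SSEKMSKeyId": SSEKMSKeyId}
        return {"ServerSideEncryption": ServerSideEncryption, "SSEKMSKeyId": SSEKMSKeyId}


def s3_event(bucket, key):
    """Minimal constructed S3 ObjectCreated event of the shape Lambda receives."""
    return {"Records": [{"eventName": "ObjectCreated:Put",
                         "s3": {"bucket": {"name": bucket}, "object": {"key": key}}}]}


if __name__ == "__main__":
    bucket = "example-phi-bucket"
    good_key = "ingest/0123456789abcdef0123456789abcdef.json"
    client = FakeS3Client(s3_https_endpoint(bucket, "us-east-1"), {
        (bucket, good_key): {"Body": b'{"mrn": "x", "dob": "y"}',
                             "ServerSideEncryption": "aws:kms", "SSEKMSKeyId": KMS_KEY_ARN}})
    print(handler(s3_event(bucket, good_key), client=client))
```

The checks in the handler detect misconfiguration; they do not replace the bucket-level controls. In a real deployment the bucket still needs default SSE-KMS encryption and a bucket policy that denies requests with `aws:SecureTransport` false, and the function's role needs `kms:Decrypt` and `kms:GenerateDataKey` on the CMK in addition to the S3 permissions.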

#3

Also from their reference

NOTE: If you are a Covered Entity or Business Associate as defined by the Health Insurance Portability and Accountability Act of 1996 (as amended, “HIPAA”), you agree not to use these HIPAA Eligible Services for any purpose or in any manner involving Protected Health Information (as defined by HIPAA) without first entering into an AWS business associate agreement.

#4

Yup, I saw that. I was hoping someone had the cloud code to create the structure, as they do for a regular server-based HIPAA example. Oddly, the Amazon Serverless pages even point to the server template as an example, which is clearly incorrect.

Thanks,

    == John ==