Open waltermvp opened 7 years ago
HIPAA compliance is provided by cloud providers. I know AWS does. The Serverless stack would not limit or add to that effect.
@rupakg Thank you for the response, I understand your point. Perhaps I'm asking the wrong question, but I would like to find examples that encrypt database information etc. when dealing with PHI. Some sort of vetted example that is designed with PHI in mind.
@waltermvp do SSM secrets fall under HIPAA? https://serverless.com/blog/serverless-v1.22.0/
AWS recently announced that Lambda is covered under the BAA. We are currently running HIPAA compliant microservices on AWS and have started to incorporate Lambda - right now we have about 25 functions and we are planning to add many more. Send me an email if you would like to chat more :)
@DavidWells I believe so.
@damianesteban thank you
@damianesteban So I know that data at rest needs to be encrypted and SSL should always be used for network calls. However, given I've never built one before, I'm not aware of what else may be required. With some sort of checklist I would be able to get an example going (if there is any interest here, as an example or independently as an open source project).
@waltermvp
There is quite a bit that needs to be in place. I suggest first looking over the AWS HIPAA Compliance Resources here:
https://aws.amazon.com/compliance/resources/
And the HIPAA-Compliant Refarch here:
https://aws.amazon.com/quickstart/architecture/accelerator-hipaa/
One of the most important rules you have to follow is to always encrypt data at rest. Setting up AWS Config and CloudTrail to help you monitor everything helps tremendously.
I would be very interested in working on a HIPAA compliant Serverless refarch. My development team at BetterPT would contribute as well.
One more thing to mention - while DynamoDB is covered under the BAA, AWS has officially released an encryption library for Java only. We are going to open source our node.js library soon.
@damianesteban that's great. Please update this thread when you do. It would be awesome to have some sort of example with documentation about audit, how it's used, etc. from a HIPAA perspective. Would love to contribute and add it to the examples section or create its own standalone repo.
@DavidWells do you think this is something that would be considered for the examples section?
@waltermvp We were prepping for a major release, sorry. I'm going to speak to my team this coming week and see if we can put some things together.
@damianesteban awesome, great news
@damianesteban - Any updates on that encrypted DynamoDB node.js library? Will it work with https://github.com/clarkie/dynogels?
For anyone coming across this thread, AWS provides a CloudFormation template in their HIPAA Quick Start guide:
You can download it here: https://fwd.aws/54z9P
You can see the list of resources deployed here: https://aws.amazon.com/quickstart/architecture/compliance-hipaa/
@aneilbaboo yes, I saw that. It's a great start; the trick would be to have:
Standard Amazon VPC security groups for Amazon Elastic Compute Cloud (Amazon EC2) instances and load balancers used in the sample application stack. The security groups limit access to only necessary services.
replaced with something like Lambda.
@damianesteban pinging just in case you have an update to share
The Amazon Quickstart has nothing to do with Serverless. It's an extremely server heavy install, and the server images they use aren't obvious (Wordpress install, which isn't the most HIPAA compliant app).
Just saying.
An example / reference architecture would be fantastic.
@damianesteban shameless ping 😁
Are there any examples (existing or planned) of a demo project that is HIPAA compliant and uses the serverless stack?