The fastest way to launch HIPAA-compliant apps on AWS


Build your apps on top of HIPAA-compliant reference applications. Deploy them onto battle-tested AWS architectures that have been certified by third-party auditors.

Step 1. Get HIPAA-compliant infrastructure, out-of-the-box

Deploy an off-the-shelf, production-grade AWS Architecture that is HIPAA compliant out-of-the-box. The architecture includes:

  • Multi-account Landing Zone
  • Networking (VPCs, VPN, SSH, DNS)
  • Orchestration (EKS, ECS, EC2)
  • Data Storage (RDS, ElastiCache, Elasticsearch)
  • CI / CD (CircleCI, Jenkins, GitLab)
  • Monitoring (CloudWatch, CloudTrail, AWS Config)
  • End-to-end encryption (TLS, secrets management)
  • And much more (see the full list of features)

Step 2. Bootstrap your app with our HIPAA-compliant reference applications

Build on top of reference applications for a variety of languages and frameworks (e.g., Node.js/Express, Java/Spring, Ruby/Rails) that show you how to build HIPAA-compliant, cloud-native apps, including how to do service discovery, secrets management, schema migrations, encryption, server hardening, and much more (see the full list of features).

Step 3. Work with us to define requirements that meet your needs

We’ll work with you to ensure that our implementation of the HIPAA requirements satisfies the needs of your organization—and those of your auditors!

Step 4. We’ll help you pass your audit

Our team will support you throughout your audit process. If your auditor identifies any issues with the technical safeguards in your infrastructure, the Gruntwork team will jump in to get them fixed.

Step 5. Stay up to date automatically via Terraform pull requests

The tools we all rely on (AWS, Terraform, Kubernetes, Docker), DevOps best practices, and auditor expectations are constantly changing. To help you remain HIPAA-compliant, we offer commercial support and maintenance for our app and infrastructure code. All of it is semantically versioned, so you can pick up the latest compliance requirements, security patches, and AWS/DevOps best practices with a simple version number bump.

Step 6. Verify all future code changes against Open Policy Agent (OPA) policies

Gruntwork's HIPAA Reference Architecture comes with a CI/CD pipeline that runs your code against a library of OPA policies to validate that every commit remains in compliance with HIPAA requirements. Policies are written in Rego, OPA's policy language. For example, the following policy, evaluated by a Kubernetes admission controller, rejects any Pod whose containers pull images from a registry other than the trusted one:

Ensure all images come from a trusted registry

    package kubernetes.admission

    # Match the registry prefix including the trailing slash, so that a lookalike
    # host such as "gruntwork.io.example.com/app" is not accepted as trusted.
    deny[msg] {
        input.request.kind.kind == "Pod"
        some i
        image := input.request.object.spec.containers[i].image
        not startswith(image, "gruntwork.io/")
        msg := sprintf("image '%v' comes from untrusted registry", [image])
    }

Pods also pull images for initContainers, so a production version of this policy applies the same check to spec.initContainers.
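The policy above gates what reaches the cluster. The pipeline side of Step 6 checks infrastructure code before it is applied, and the following Rego policy is an added example of that (it is not Gruntwork's policy library, which this page does not reproduce). It evaluates the JSON produced by `terraform show -json plan.out` and denies any planned RDS instance, RDS cluster, EBS volume or ElastiCache replication group whose at-rest encryption flag is not literally true, which is the Encryption safeguard (§164.312(a)(2)(iv)) from the table below. The resource-to-attribute map, the `plan_with` helper and the plan fragments in the tests are constructed for this example. The policy uses `import rego.v1` syntax, so it runs on OPA 0.59 or later, including OPA 1.0, with `opa test policy.rego`.

```rego
package terraform.hipaa

import rego.v1

# Resource types that store data at rest, mapped to the provider attribute
# that enables encryption. Constructed for this example; extend it with the
# resource types you actually use.
encryption_attr := {
    "aws_db_instance": "storage_encrypted",
    "aws_rds_cluster": "storage_encrypted",
    "aws_ebs_volume": "encrypted",
    "aws_elasticache_replication_group": "at_rest_encryption_enabled"
}

# Resource changes that will exist after apply: creates, updates and
# replacements, but not destroys or no-ops. `terraform show -json` lists
# them under resource_changes, each with change.actions and change.after.
planned contains rc if {
    some rc in input.resource_changes
    some action in rc.change.actions
    action in {"create", "update"}
}

# Deny when the encryption attribute is missing or not literally true.
# A missing key is a violation because the AWS provider defaults these
# flags to false, and a value that is only known after apply is omitted
# from change.after, which this policy deliberately refuses to trust.
deny contains msg if {
    some rc in planned
    attr := encryption_attr[rc.type]
    not rc.change.after[attr] == true
    msg := sprintf("%v: %v must be true (HIPAA §164.312(a)(2)(iv))", [rc.address, attr])
}

# ---- Unit tests: `opa test <this file>`. Plan fragments are constructed. ----

# Builds a minimal plan document with a single resource change.
plan_with(rtype, address, actions, after) := {"resource_changes": [{
    "address": address,
    "type": rtype,
    "change": {"actions": actions, "after": after}
}]}

test_unencrypted_rds_denied if {
    p := plan_with("aws_db_instance", "aws_db_instance.phi", ["create"], {"storage_encrypted": false})
    count(deny) == 1 with input as p
}

test_encrypted_rds_allowed if {
    p := plan_with("aws_db_instance", "aws_db_instance.phi", ["create"], {"storage_encrypted": true})
    count(deny) == 0 with input as p
}

test_missing_flag_denied if {
    # No "encrypted" key at all, e.g. a module that never set it.
    p := plan_with("aws_ebs_volume", "aws_ebs_volume.data", ["update"], {"size": 100})
    expected := "aws_ebs_volume.data: encrypted must be true (HIPAA §164.312(a)(2)(iv))"
    deny[expected] with input as p
}

test_destroy_not_flagged if {
    # Destroyed resources have after == null and must not trip the rule.
    p := plan_with("aws_ebs_volume", "aws_ebs_volume.old", ["delete"], null)
    count(deny) == 0 with input as p
}

test_unrelated_resource_ignored if {
    p := plan_with("aws_security_group", "aws_security_group.app", ["create"], {"name": "app"})
    count(deny) == 0 with input as p
}
```

In a pipeline, run `terraform plan -out plan.out && terraform show -json plan.out > plan.json` and then `opa eval --fail-defined -i plan.json -d policy.rego 'data.terraform.hipaa.deny'`; the non-zero exit when `deny` is non-empty is what fails the commit. Treating a missing or computed flag as a violation is a deliberate fail-closed choice: it forces modules to set encryption explicitly rather than relying on provider defaults.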

Step 7. Ensure ongoing compliance with scanning tools

Gruntwork's HIPAA Reference Architecture is configured out-of-the-box to work with compliance scanning tools, so you have continuous monitoring and alerts on your compliance status.

Gruntwork Early Access Program

The Gruntwork Early Access Program (EAP) is the fastest way for you to achieve HIPAA compliance on AWS. Over the last 5 years, Gruntwork has helped hundreds of companies and thousands of developers go to prod on AWS, including achieving CIS Compliance, and we are now actively developing our HIPAA compliance on top of that foundation.

If you join the EAP, we'll deploy a CIS-compliant pre-prod environment for you on day 1 and a HIPAA-compliant prod environment as soon as it's available, plus a number of other exclusive early-access benefits, including audit assistance and prioritized bug fixes.

See the table below for all the HIPAA requirements you'll meet with Gruntwork today, out of the box, as well as those that are currently in progress.

Each entry lists the safeguard, the HIPAA Security Rule section it addresses, what Gruntwork provides, and its availability.

Protection from malicious software
  Standard: §164.308(a)(5)(ii)(B)
  Availability: Available now
  We offer a number of techniques for protecting against malicious software, including least-privilege security group rules, network access control lists, regularly updated machine images, hardened operating systems, and more.

Login monitoring
  Standard: §164.308(a)(5)(ii)(C)
  Availability: Available now
  We include code to monitor for, and send notifications about, unusual and unauthorized login activity.

Password management
  Standard: §164.308(a)(5)(ii)(D)
  Availability: Available now
  The AWS IAM user password policy is defined in code. We also provide patterns for handling secrets securely.

Encryption
  Standard: §164.312(a)(2)(iv)
  Availability: Available now
  Our modules use encryption by default: databases, disk volumes, S3 buckets, and machine images are encrypted at rest, and network connections are encrypted in transit.

Audit controls
  Standard: §164.312(b)
  Availability: Available now
  Audit data from multiple levels of the infrastructure (AWS Config, CloudTrail, GuardDuty, and VPC flow logs) is aggregated in a dedicated, compartmentalized logging account.

Authorization
  Standard: §164.308(a)(4)(ii)(B)
  Availability: Available now
  All user access is tracked in code, including users and a pre-defined set of roles and groups.

Inventory and categorize systems
  Standard: §164.308(a)(1)(ii)(A)
  Availability: Coming soon
  We've devised a system of resource tags to help you produce live reports on which systems contain PHI.

Conduct a risk assessment
  Standard: §164.308(a)(1)(ii)(A)
  Availability: Coming soon
  We have conducted a risk assessment of all of the infrastructure code, including a threat analysis, a list of potential vulnerabilities, and a security control review, delivered as a risk assessment report.

Update risk assessments
  Standard: §164.308(a)(1)(ii)(A)
  Availability: Coming soon
  Gruntwork will help you keep your infrastructure up to date, and we'll update the risk assessment as we go.

Select appropriate security controls
  Standard: §164.308(a)(1)(ii)(B)
  Availability: Coming soon
  We have built-in controls to mitigate the risks identified by the assessment, plus documentation and procedures to help you understand and operate the environment accordingly.

Access control
  Standard: §164.308(a)(4)(ii)(C)
  Availability: Coming soon
  We include code that regularly monitors user access and sends a notification when unused accounts are detected.

Policy violations
  Standard: §164.308(a)(1)(ii)(C)
  Availability: Customer Responsibility
  You'll need documented policies and processes that lay out what specific actions will be taken when HIPAA safeguards are violated.

Assign responsibility for security
  Standard: §164.308(a)(2)
  Availability: Customer Responsibility
  Identify an individual who is responsible for implementing the policies and procedures within the organization.

To learn about how a Gruntwork subscription compares to building it from scratch, check out our comparison chart.
