
HIPAA Compliant Serverless Architecture? Not So Fast

For anyone building serverless applications or infrastructure within AWS that involve HIPAA or PHI data, be aware that the available options are limited at this time, both in which products you can use and in how you use them. At the time of this writing, here are the only services offered that meet HIPAA compliance.

Here are a few good links that explain in more detail.

  1. AWS HIPAA Compliance Whitepaper
  2. HIPAA Security Blog
  3. FAQ regarding HIPAA Compliance in the AWS Cloud

What’s missing from this list? Well, a major component of serverless architecture, AWS Lambda, is not HIPAA compliant and cannot be used. No PHI data can be sent through AWS Lambda, so this means that you may have to do what I am doing on my current project: implement a solution that uses AWS Lambda for non-PHI data, and then use dedicated EC2 instances to host the services and other needed functionality that deal with PHI data and HIPAA compliance. Unfortunately this adds a lot of complexity to the implementation, as you lose the full ecosystem that is available, which is a major pillar of serverless architecture. In addition, other products like SNS, SQS, ECS, and more are not HIPAA compliant per AWS regulations either. You can use these products, but you must not send any PHI data through them.

Oh, and if you’re using DynamoDB, for example, which is approved by AWS for HIPAA compliance, you still must roll your own encryption so that the data is encrypted while at rest. Then you lose the ability to query against that encrypted data, unless you first encrypt any of your query parameters.

Over time, I’m sure this will all be resolved, but until then, it’s a reality that must be dealt with accordingly. I have also done research on other cloud providers, and they are even further behind than AWS is. In the end my solution involved a blend of serverless architecture and dedicated EC2 servers.

Written for ServerlessArchitecture.com
Written by Jeff Mangan
