For anyone building serverless applications or infrastructure on AWS that handle data covered by HIPAA (protected health information, PHI), be aware that the available options are limited at the moment, both in which services you can use and in how you use them. At the time of this writing, these are the only services AWS lists as HIPAA-eligible, meaning they may be used for PHI under AWS's Business Associate Agreement (BAA). The list changes over time, so check AWS's current HIPAA-eligible services page before committing to a design.
- Amazon DynamoDB
- Amazon Elastic Block Store (Amazon EBS)
- Amazon Elastic Compute Cloud (Amazon EC2)
- Amazon Elastic MapReduce (Amazon EMR)
- Amazon Glacier
- Amazon Redshift
- Amazon Relational Database Service (Amazon RDS) using only MySQL and Oracle engines
- Amazon Simple Storage Service (Amazon S3) excluding use of Amazon S3 Transfer Acceleration
- Elastic Load Balancing (ELB)
What's missing from this list? A major component of serverless architecture, AWS Lambda, is not HIPAA-eligible and cannot be used for PHI. No PHI can be sent through AWS Lambda, so you may have to do what I am doing on my current project: use AWS Lambda for the non-PHI parts and dedicated EC2 instances to host the services and other functionality that deal with PHI and HIPAA compliance. Unfortunately this adds a lot of complexity to the implementation, as you lose the full ecosystem that is available, a major pillar of serverless architecture.

In addition, other products like SNS, SQS, ECS, and more are not HIPAA-eligible per AWS's list either. You can use these products, but you must not send any PHI through them, so every payload that crosses into one of them has to be free of PHI by design, not by accident.

And if you are using DynamoDB, for example, which is HIPAA-eligible, you still must roll your own encryption so that the data is encrypted at rest, i.e. encrypt the PHI attributes client-side before writing them. You then lose the ability to query against that encrypted data unless you first encrypt the query parameters the same way. That only works if the value used for lookups is produced deterministically (a keyed hash, for instance), because encryption with a random nonce yields a different ciphertext every time and the table has nothing to match on. A deterministic lookup value supports exact matches only, not range or prefix queries, and it reveals which records share the same value, so the trade-off needs to be made deliberately.

Over time, I'm sure this will all be resolved, but until then it's a reality that must be dealt with accordingly. I have also done research on other cloud providers, and they are even further behind than AWS is. In the end my solution involved a blend of serverless architecture and dedicated EC2 servers.
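What the DynamoDB paragraph above describes, encrypting PHI before it is written and encrypting the query parameter the same way to look it up, as an added example that is not part of the original post or the author's project. It uses only Go's standard library: the payload is sealed with AES-256-GCM under a random nonce and bound to the record's key, while the lookup attribute is turned into a keyed hash (a "blind index") that can serve as the table's partition key. The two keys, the in-memory `table` and the sample patient record are constructed placeholders for the example; a real deployment would obtain data keys from KMS and write the item to DynamoDB instead of a map.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
)

// Hypothetical keys for this example only. In a real deployment they would be
// data keys fetched from a KMS, never hard-coded. A separate key is used for the
// blind index so that index values cannot help decrypt payloads.
var (
	dataKey  = []byte("0123456789abcdef0123456789abcdef") // 32 bytes: AES-256-GCM
	indexKey = []byte("fedcba9876543210fedcba9876543210") // HMAC-SHA256 key for the blind index
)

// item is the shape of the record written to the table: no plaintext PHI.
type item struct {
	patientIndex string // HMAC(indexKey, patientID): deterministic, so it works as a key
	ciphertext   string // base64(nonce || AES-GCM ciphertext || tag) of the PHI payload
}

// blindIndex returns a keyed hash of a query attribute. Equal inputs give equal
// outputs (that is what makes lookups possible), so it necessarily leaks equality.
func blindIndex(value string) string {
	mac := hmac.New(sha256.New, indexKey)
	mac.Write([]byte(value))
	return base64.StdEncoding.EncodeToString(mac.Sum(nil))
}

func newGCM() (cipher.AEAD, error) {
	block, err := aes.NewCipher(dataKey)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encryptPHI seals a payload with a fresh random nonce and binds it to aad
// (here the blind index) so a ciphertext cannot be moved to another record.
func encryptPHI(plaintext, aad []byte) (string, error) {
	gcm, err := newGCM()
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	sealed := gcm.Seal(nonce, nonce, plaintext, aad) // nonce is prefixed to the output
	return base64.StdEncoding.EncodeToString(sealed), nil
}

// decryptPHI reverses encryptPHI and fails if the tag or the aad does not match.
func decryptPHI(encoded string, aad []byte) ([]byte, error) {
	raw, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM()
	if err != nil {
		return nil, err
	}
	if len(raw) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, body := raw[:gcm.NonceSize()], raw[gcm.NonceSize():]
	return gcm.Open(nil, nonce, body, aad)
}

// table is a constructed in-memory stand-in for a DynamoDB table whose
// partition key is the blind index. It holds only what DynamoDB would see.
type table map[string]item

// put encrypts the PHI payload and stores it under the patient's blind index.
func (t table) put(patientID string, phi []byte) error {
	key := blindIndex(patientID)
	ct, err := encryptPHI(phi, []byte(key))
	if err != nil {
		return err
	}
	t[key] = item{patientIndex: key, ciphertext: ct}
	return nil
}

// get is the "encrypt your query parameter first" step: the lookup value is
// hashed exactly as it was on write, then the stored payload is decrypted.
func (t table) get(patientID string) ([]byte, error) {
	rec, ok := t[blindIndex(patientID)]
	if !ok {
		return nil, errors.New("no record for patient")
	}
	return decryptPHI(rec.ciphertext, []byte(rec.patientIndex))
}

func main() {
	tbl := table{}
	// Constructed sample PHI payload for the example.
	if err := tbl.put("patient-123", []byte(`{"dob":"1980-01-01","dx":"E11.9"}`)); err != nil {
		panic(err)
	}
	for key, rec := range tbl {
		fmt.Printf("stored key=%s ciphertext=%s\n", key, rec.ciphertext) // no plaintext visible
	}
	phi, err := tbl.get("patient-123")
	if err != nil {
		panic(err)
	}
	fmt.Printf("decrypted: %s\n", phi)
}
```

The example makes the trade-off in the text concrete: the payload is encrypted with a random nonce, so the table could never match on it, and the only queryable value is the keyed hash of the lookup attribute. That hash has to be deterministic to be useful, which means it reveals which records share a patient ID and supports exact-match lookups only; binding the ciphertext to the index as GCM additional data stops a ciphertext from being re-homed under another patient's key.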