Amazon Web Services – Architecting for HIPAA Security and Compliance
Page 41
service, you must separately accept any such push notification platform
provider's terms and conditions. If you plan to send push notifications that
contain PHI, it's your responsibility to determine whether a HIPAA-compliant
business associate agreement should be established between you and each push
notification service provider.
The SMS (text message) and Voice message capabilities of Amazon Pinpoint are
not HIPAA eligible at this time. You should not use these channels to transmit
PHI.
Amazon Pinpoint is integrated with CloudTrail, a service that captures API calls
made by or on behalf of Amazon Pinpoint in the customer's AWS account and
delivers the log files to an Amazon S3 bucket.
Amazon SES
You must ensure that encryption is enforced on any emails that contain PHI.
You can configure Amazon Simple Email Service (SES) to send only encrypted
email by requiring TLS connections to the receiving mail server. For more
information, see Amazon SES and Security Protocols at
https://docs.aws.amazon.com/ses/latest/DeveloperGuide/security.html#security-ses-to-receiver.
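The TLS requirement above is set per SES configuration set through its delivery options. The following is an added example (not code from the AWS whitepaper) that audits configuration sets for the required setting and builds the parameters to fix the ones that are missing it. It works on the response shape of the SES DescribeConfigurationSet API and the parameters of PutConfigurationSetDeliveryOptions; the configuration-set names and sample responses are constructed for illustration.

```python
"""Audit and enforce TLS on Amazon SES configuration sets.

Added example, not from the AWS whitepaper. Operates on the response shape of
DescribeConfigurationSet (SES API) and the parameters of
PutConfigurationSetDeliveryOptions. The configuration-set names and the
sample responses below are constructed.
"""

# SES TlsPolicy values are "Require" or "Optional". With "Optional", SES falls
# back to cleartext when the receiving server does not offer STARTTLS.
REQUIRED_TLS_POLICY = "Require"


def tls_policy_of(describe_response: dict) -> str:
    """Return the TlsPolicy from a DescribeConfigurationSet response.

    A configuration set with no DeliveryOptions block behaves as Optional,
    so a missing block is reported as "Optional" rather than as an error.
    """
    return describe_response.get("DeliveryOptions", {}).get("TlsPolicy", "Optional")


def tls_enforced(describe_response: dict) -> bool:
    """True only when SES is told to refuse delivery without TLS."""
    return tls_policy_of(describe_response) == REQUIRED_TLS_POLICY


def enforce_tls_params(configuration_set_name: str) -> dict:
    """Parameters for PutConfigurationSetDeliveryOptions that require TLS."""
    return {
        "ConfigurationSetName": configuration_set_name,
        "DeliveryOptions": {"TlsPolicy": REQUIRED_TLS_POLICY},
    }


def audit(config_sets: dict) -> list:
    """Names of configuration sets (name -> describe response) not enforcing TLS."""
    return sorted(name for name, resp in config_sets.items() if not tls_enforced(resp))


# Constructed sample responses shaped like DescribeConfigurationSet output.
SAMPLE_CONFIG_SETS = {
    "phi-notifications": {
        "ConfigurationSet": {"Name": "phi-notifications"},
        "DeliveryOptions": {"TlsPolicy": "Require"},
    },
    "marketing": {
        "ConfigurationSet": {"Name": "marketing"},
        "DeliveryOptions": {"TlsPolicy": "Optional"},
    },
    "legacy-alerts": {
        # No DeliveryOptions at all: the SES default, which does not enforce TLS.
        "ConfigurationSet": {"Name": "legacy-alerts"},
    },
}


if __name__ == "__main__":
    for name in audit(SAMPLE_CONFIG_SETS):
        print(f"{name}: TLS not enforced; remediate with {enforce_tls_params(name)}")
    # Against a real account (boto3 is not imported so this example runs offline):
    #   ses = boto3.client("ses")
    #   resp = ses.describe_configuration_set(
    #       ConfigurationSetName=name,
    #       ConfigurationSetAttributeNames=["deliveryOptions"])
    #   if not tls_enforced(resp):
    #       ses.put_configuration_set_delivery_options(**enforce_tls_params(name))
```

Two points worth checking when applying this: a message only gets the policy if it is sent through that configuration set (for example via the X-SES-CONFIGURATION-SET header), so the audit should also cover how PHI-bearing sends select their configuration set; and "Require" protects the hop from SES to the receiving mail server only, not the message once it is in the recipient's mailbox.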
Amazon SES is integrated with CloudTrail, a service that captures API calls
made by or on behalf of Amazon SES in the customer's AWS account and
delivers the log files to an Amazon S3 bucket.
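The CloudTrail integration described for Amazon Pinpoint and Amazon SES is what gives an analyst the "who, from where, when, and what" view that the auditing section below calls for. The following is an added example (not from the AWS whitepaper) that reads the standard CloudTrail log-file layout (a JSON object with a "Records" array), summarizes the SES and Pinpoint API calls in it, and flags any call that weakens the SES TLS requirement. The records, account id, ARNs and IP addresses are constructed placeholders; the Pinpoint eventSource value and the requestParameters layout for PutConfigurationSetDeliveryOptions are assumptions, so verify them against your own logs before relying on the filter.

```python
"""Summarize CloudTrail records for Amazon SES and Amazon Pinpoint API calls.

Added example, not from the AWS whitepaper. The records below are
constructed; account id, ARNs and IP addresses are placeholders. The
eventSource for Pinpoint and the requestParameters layout for
PutConfigurationSetDeliveryOptions are assumed.
"""
import json
from dataclasses import dataclass

# eventSource values to report on. "mobiletargeting.amazonaws.com" for
# Pinpoint is an assumption; confirm against your own CloudTrail output.
WATCHED_SOURCES = {"ses.amazonaws.com", "mobiletargeting.amazonaws.com"}


@dataclass(frozen=True)
class AccessEvent:
    time: str
    principal: str
    source_ip: str
    service: str
    action: str
    weakens_tls: bool


def principal_of(identity: dict) -> str:
    """Caller identity: ARN (covers users and assumed-role sessions) or a fallback."""
    return identity.get("arn") or identity.get("userName") or identity.get("type", "unknown")


def weakens_tls(record: dict) -> bool:
    """True when a call sets an SES configuration set's TlsPolicy to Optional.

    The lower-camel-case keys under requestParameters are assumed.
    """
    if record.get("eventName") != "PutConfigurationSetDeliveryOptions":
        return False
    params = record.get("requestParameters") or {}
    return (params.get("deliveryOptions") or {}).get("tlsPolicy") == "Optional"


def summarize(log_text: str) -> list:
    """One AccessEvent per SES/Pinpoint record; other services are skipped."""
    out = []
    for r in json.loads(log_text)["Records"]:
        if r.get("eventSource") not in WATCHED_SOURCES:
            continue
        out.append(AccessEvent(
            time=r["eventTime"],
            principal=principal_of(r.get("userIdentity", {})),
            source_ip=r.get("sourceIPAddress", ""),
            service=r["eventSource"],
            action=r["eventName"],
            weakens_tls=weakens_tls(r),
        ))
    return out


def flagged(events: list) -> list:
    """Events an analyst should review: changes that drop the TLS requirement."""
    return [e for e in events if e.weakens_tls]


# Constructed sample log in CloudTrail's log-file layout.
_ALICE = {"type": "IAMUser", "userName": "alice",
          "arn": "arn:aws:iam::111122223333:user/alice"}
_BOB_SESSION = {"type": "AssumedRole",
                "arn": "arn:aws:sts::111122223333:assumed-role/ops-admin/bob"}
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-01-15T10:01:00Z", "eventSource": "ses.amazonaws.com",
     "eventName": "VerifyEmailIdentity", "sourceIPAddress": "203.0.113.10",
     "userIdentity": _ALICE},
    {"eventTime": "2024-01-15T10:05:00Z", "eventSource": "ses.amazonaws.com",
     "eventName": "PutConfigurationSetDeliveryOptions", "sourceIPAddress": "198.51.100.7",
     "userIdentity": _BOB_SESSION,
     "requestParameters": {"configurationSetName": "phi-notifications",
                           "deliveryOptions": {"tlsPolicy": "Optional"}}},
    {"eventTime": "2024-01-15T10:07:00Z", "eventSource": "mobiletargeting.amazonaws.com",
     "eventName": "CreateApp", "sourceIPAddress": "203.0.113.10", "userIdentity": _ALICE},
    {"eventTime": "2024-01-15T10:09:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "sourceIPAddress": "203.0.113.10", "userIdentity": _ALICE},
    {"eventTime": "2024-01-15T10:20:00Z", "eventSource": "ses.amazonaws.com",
     "eventName": "PutConfigurationSetDeliveryOptions", "sourceIPAddress": "203.0.113.10",
     "userIdentity": _ALICE,
     "requestParameters": {"configurationSetName": "phi-notifications",
                           "deliveryOptions": {"tlsPolicy": "Require"}}},
]})


if __name__ == "__main__":
    events = summarize(SAMPLE_LOG)
    for e in events:
        mark = "  <-- review" if e.weakens_tls else ""
        print(f"{e.time} {e.principal} {e.source_ip} {e.service} {e.action}{mark}")
```

CloudTrail records API activity, not message content, so this view answers who changed or queried the service and from where; what PHI a given email carried has to come from your own application-side logging. Keep the log files in a bucket with restricted access and a retention period that matches your audit obligations, as the next section describes.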
Auditing, Back-Ups, and Disaster Recovery
HIPAA's Security Rule also requires in-depth auditing capabilities, data back-up
procedures, and disaster recovery mechanisms. The services in AWS contain
many features that help customers address these requirements.
In designing an information system that is consistent with HIPAA and HITECH
requirements, customers should put auditing capabilities in place to allow
security analysts to examine detailed activity logs or reports to see who had
access, the IP address they connected from, what data was accessed, and so on.
This data should be tracked, logged, and stored in a central location for
extended periods of time, in case of an audit. Using Amazon EC2, customers can
run activity log files and