# random

Haider Abbas

09/17/2021, 7:22 PM
Hey folks! I am looking for some advice to secure PHI data (as per HIPAA compliance) which is submitted in a referral form through Web_App (AWS S3)/Mobile_Apps (App/Play Store), then App_Server (API layer deployed on AWS EC2), and finally it will be stored in DB_Server (AWS RDS). Storage and retrieval of data will be completely secured (or etc) whether it is in transit or at rest. Except for Mobile_Apps (App/Play Store), all components will be deployed within AWS Infrastructure. Maybe some of you guys have gone through this security scenario. Any ideas/suggestions on how I could achieve this? Great thanks for your precious time!


09/17/2021, 11:56 PM
Your setup right now is fine.
The reality is HIPAA isn't a real security standard and you'll just need to answer a checklist customer by customer. They typically just vaguely ask about encryption at rest / in transit. The more managed services you use, the easier this becomes to answer, since they have to accept AWS's certifications.
If you're managing your own EC2 instances you're going to get a bunch of questions around hardening and patching. Maybe you can dodge them, but I recommend using Fargate because then you can explain that you have no access to the host.
The reason I found serverless in the first place is because I was looking for ways to reduce my compliance burden.

Haider Abbas

09/18/2021, 7:41 PM
Thanks thdrx! I agree with you, but I am facing difficulty with how I should achieve this. Any process flow diagram suggestions which I can follow? Right now we have AWS S3, EC2 and RDS in the picture, but we are facing a challenge converting the above components into HIPAA compliance. I mean to say, if I use AWS certifications then where, AWS Secrets Manager where, AWS Config where, etc. Project stakeholders aren't forcing me to use encryption or 2FA, but they simply want their PHI data secured, and how I will achieve this is a challenge for me to present in front of project stakeholders. Any help on this would mean a lot to me. Great thanks!