
We develop a PWA that needs HIPAA compliance based on AWS. The AWS Architecture Whitepaper says that when PHI is stored in DynamoDB it needs to be encrypted before it is stored in DynamoDB. Now AWS has released Encryption at Rest in some DynamoDB regions. Is it required to encrypt PHI when I enable encryption at the DynamoDB level to be HIPAA compliant?

Aron
  • I believe that requirement relates to DynamoDB *prior* to DynamoDB native at-rest encryption. Note that the new encryption features are available in some regions, but not all regions right now. – jarmod Feb 28 '18 at 18:57
  • Yes, I think the same. – Aron Feb 28 '18 at 18:59

1 Answer


Using DynamoDB's server-side encryption option is sufficient. You do not need to pre-encrypt the data before sending it to DynamoDB for encryption. The data also needs to be encrypted in transit to DynamoDB, of course.

Note that while HIPAA itself requires encryption at rest, AWS additionally requires that you store the data in an AWS HIPAA-eligible service (which DynamoDB is).

You must additionally execute an AWS BAA and then you may use any AWS service (even those not on the HIPAA-eligible list) in an account designated as a HIPAA Account, but you may only process, store and transmit PHI data using the HIPAA-eligible services.

Update November 2018: all DynamoDB tables are encrypted at rest.

jarmod
  • Thanks for the answer. Is encryption in transit to DynamoDB covered simply by HTTPS, or does this need more than SSL/TLS? – Aron Mar 02 '18 at 05:01
  • TLS 1.0 or later, with supported ciphers, is my understanding. See https://luxsci.com/blog/level-ssl-tls-required-hipaa.html – jarmod Mar 02 '18 at 05:14
  • 1
    # Encryption by default. * DynamoDB transparently encrypts and decrypts all tables when they are written to disk. There is no option to disable encryption at rest. * see https://docs.aws.amazon.com/dynamodb-encryption-client/latest/devguide/client-server-side.html – Ali Payne Nov 23 '19 at 17:56
  • 1
    note of caution: "AWS HIPAA-eligible service" simply means the service allows the customer to apply their own controls for HIPAA compliance. The service itself is not likely to offer the HIPAA controls inherently, thus "HIPAA-eligible". – Stof Mar 10 '21 at 00:34
  • 1
    Apply this logic with consideration to the shared responsibility model. AWS responsibility starts and ends with them allowing the customer to add their own security controls in most cases, AWS typically offer none by default but they are available for a customer to use so as the customer you must take on the task to ensure you are "compliant" because AWS do not give you the service (any service) as a compliant service as-is – Stof Mar 10 '21 at 00:35