AWS offers AWS HealthLake, a managed FHIR R4 data store, alongside the security and compliance controls needed to run HIPAA-eligible workloads. AWS signs a Business Associate Agreement (BAA) that covers the services on its HIPAA Eligible Services list, including HealthLake, S3, RDS and ECS; PHI should only be stored or processed in services on that list, since anything else falls outside the BAA.
A production HIPAA-compliant FHIR deployment on AWS typically combines four controls: encryption at rest and in transit, audit logging with alerting, network isolation, and automated incident response. Each is covered in turn below.
Every S3 bucket that holds PHI should use SSE-KMS with a customer-managed key, and its bucket policy should deny PutObject requests that do not specify that key as well as any request made without TLS (the aws:SecureTransport condition). RDS instances must use encrypted storage; note that encryption is chosen at creation time, and an existing unencrypted instance can only be converted by restoring an encrypted copy of a snapshot. EBS volumes must be encrypted. On every load balancer, terminate TLS with a policy that accepts only TLS 1.2 and 1.3 and rejects older protocols explicitly rather than relying on the default policy.
# Enforce TLS 1.2+ on an ALB HTTPS listener. The predefined policy
# ELBSecurityPolicy-TLS13-1-2-2021-06 negotiates only TLSv1.2 and TLSv1.3;
# replace the elided listener ARN with your own, then confirm the change with
# "aws elbv2 describe-listeners" (the SslPolicy field).
aws elbv2 modify-listener --listener-arn arn:aws:... --ssl-policy ELBSecurityPolicy-TLS13-1-2-2021-06
Enable CloudTrail with S3 log delivery and CloudWatch Logs integration, and enable S3 data events on the trail: management events alone do not record object-level calls such as GetObject, so a trail with the default settings cannot see bulk reads of PHI (data events are billed separately, so scope them to the PHI buckets). Then create metric filters and alarms for unusual API activity, for example more than 100 GetObject calls per minute from a single IAM principal; counting per principal needs the metric published with the caller's userIdentity.arn as a dimension, or the same query run over the logs in Athena or CloudTrail Lake.
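The per-principal threshold described above, as an added example that is not part of the original post: a small detector that reads a CloudTrail log file (the {"Records": [...]} shape CloudTrail writes to S3), buckets S3 GetObject calls by caller ARN and minute, and reports every bucket over the threshold. The log records, account ID, bucket and user names are constructed for the example; the threshold of 100 per minute is the one from the text, and the same logic is what a CloudWatch metric filter with a per-principal dimension approximates.

```python
import json
from collections import Counter
from datetime import datetime


def _record(arn, event_name, event_time):
    """Build a minimal CloudTrail S3 data-event record (constructed, not a real log)."""
    return {
        "eventVersion": "1.08",
        "eventTime": event_time,
        "eventSource": "s3.amazonaws.com",
        "eventName": event_name,
        "userIdentity": {"type": "IAMUser", "arn": arn},
        "requestParameters": {"bucketName": "fhir-bundles-prod"},
    }


# Constructed principals and log file for the example.
SVC = "arn:aws:iam::111122223333:user/fhir-ingest-svc"
ANALYST = "arn:aws:iam::111122223333:user/analyst"

SAMPLE_LOG = json.dumps({"Records": (
    # 120 GetObject calls from one principal inside the 12:00 minute (a burst)
    [_record(SVC, "GetObject", f"2024-05-01T12:00:{s % 60:02d}Z") for s in range(120)]
    # a handful of reads and one write from a second principal (normal)
    + [_record(ANALYST, "GetObject", "2024-05-01T12:00:10Z") for _ in range(5)]
    + [_record(ANALYST, "PutObject", "2024-05-01T12:00:11Z")]
    # the same service again in the next minute, below the threshold
    + [_record(SVC, "GetObject", "2024-05-01T12:01:30Z") for _ in range(40)]
)})


def load_records(log_text):
    """Parse a CloudTrail log file ({"Records": [...]}) into a list of records."""
    return json.loads(log_text)["Records"]


def minute_bucket(event_time):
    """Truncate a CloudTrail eventTime (ISO-8601, UTC 'Z') to the minute."""
    return datetime.strptime(event_time, "%Y-%m-%dT%H:%M:%SZ").strftime("%Y-%m-%dT%H:%M")


def count_calls(records, event_name="GetObject", event_source="s3.amazonaws.com"):
    """Count matching API calls per (principal ARN, minute)."""
    counts = Counter()
    for rec in records:
        if rec.get("eventSource") != event_source or rec.get("eventName") != event_name:
            continue
        arn = rec.get("userIdentity", {}).get("arn", "<unknown>")
        counts[(arn, minute_bucket(rec["eventTime"]))] += 1
    return counts


def find_bursts(records, threshold=100, **kw):
    """Return sorted (arn, minute, count) tuples for every principal/minute above threshold."""
    return sorted(
        (arn, minute, n)
        for (arn, minute), n in count_calls(records, **kw).items()
        if n > threshold
    )


if __name__ == "__main__":
    for arn, minute, n in find_bursts(load_records(SAMPLE_LOG)):
        print(f"ALERT {minute} {arn} made {n} GetObject calls")
```

Run against the constructed log, only the service principal's 12:00 minute trips the alert; its 40 calls in the next minute and the analyst's five reads stay below the line, which is the behaviour you want a CloudWatch alarm on the same metric to reproduce.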
Place the compute and data tiers (ECS tasks, Lambda functions, RDS instances) in private subnets with no route from the internet. Use a NAT Gateway only for the outbound traffic that genuinely needs the internet, and expose nothing publicly except the API Gateway endpoint. Add gateway VPC endpoints for S3 and DynamoDB, and interface endpoints for the other services the workload calls (KMS, CloudWatch Logs, Secrets Manager, ECR), so that PHI and credentials never leave the AWS network and the NAT Gateway is not a silent path for data exfiltration.
HIPAA requires documented security incident procedures (the Security Incident Procedures standard at 45 CFR 164.308(a)(6)), and a plan that is exercised by automation is easier to evidence than one that lives in a document. GuardDuty findings reach EventBridge directly and, when Security Hub is enabled, as Security Hub findings as well; either can trigger a Lambda function that contains the incident. A good first playbook is revoking IAM credentials when GuardDuty reports compromised access keys: deactivate the key rather than delete it, so the evidence survives and the action is reversible, and notify the on-call responder in the same step.
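The credential-revocation playbook above, as an added example that is not part of the original post: a Lambda handler that receives a GuardDuty finding from EventBridge (the "GuardDuty Finding" detail-type, whose detail is the finding itself), decides whether the finding names a long-lived IAM user key, and deactivates that key with IAM UpdateAccessKey. The finding, account, user name and key ID are constructed (the key ID is the AWS documentation example, not a real key), and the severity cut-off of 7.0 is an assumption; findings about assumed-role or federated credentials are deliberately skipped, because those are temporary and cannot be deactivated this way.

```python
"""EventBridge -> Lambda: deactivate an IAM user's access key named in a GuardDuty finding."""

# Constructed GuardDuty finding as EventBridge delivers it. Field names follow the
# GuardDuty finding format; the account, names and key ID are made up.
SAMPLE_EVENT = {
    "source": "aws.guardduty",
    "detail-type": "GuardDuty Finding",
    "account": "111122223333",
    "region": "us-east-1",
    "detail": {
        "type": "UnauthorizedAccess:IAMUser/MaliciousIPCaller.Custom",
        "severity": 8,
        "resource": {
            "resourceType": "AccessKey",
            "accessKeyDetails": {
                "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
                "principalId": "AIDAEXAMPLEPRINCIPAL",
                "userType": "IAMUser",
                "userName": "fhir-ingest-svc",
            },
        },
    },
}

MIN_SEVERITY = 7.0  # assumption: act automatically only on high-severity findings


def plan_revocation(event, min_severity=MIN_SEVERITY):
    """Decide what to revoke. Returns None when the finding is out of scope."""
    if event.get("source") != "aws.guardduty":
        return None
    detail = event.get("detail", {})
    if float(detail.get("severity", 0)) < min_severity:
        return None
    resource = detail.get("resource", {})
    if resource.get("resourceType") != "AccessKey":
        return None
    key = resource.get("accessKeyDetails", {})
    # Only an IAMUser owns a long-lived key that UpdateAccessKey can deactivate.
    # AssumedRole / FederatedUser credentials are temporary and need a different
    # response (for example a deny policy on the role), so they are skipped here.
    if key.get("userType") != "IAMUser":
        return None
    if not key.get("accessKeyId") or not key.get("userName"):
        return None
    return {
        "user_name": key["userName"],
        "access_key_id": key["accessKeyId"],
        "finding_type": detail.get("type"),
        "severity": float(detail["severity"]),
    }


def revoke(plan, iam_client):
    """Deactivate (not delete) the key so evidence survives and the change is reversible."""
    iam_client.update_access_key(
        UserName=plan["user_name"],
        AccessKeyId=plan["access_key_id"],
        Status="Inactive",
    )
    return {"action": "deactivated", **plan}


def handler(event, context=None, iam_client=None):
    """Lambda entry point. iam_client is injectable so the logic can be tested offline."""
    plan = plan_revocation(event)
    if plan is None:
        return {"action": "ignored"}
    if iam_client is None:
        import boto3  # imported here so the module loads without boto3 installed
        iam_client = boto3.client("iam")
    return revoke(plan, iam_client)
```

The Lambda's execution role should be limited to iam:UpdateAccessKey (and whatever the notification step needs), and the EventBridge rule should match source aws.guardduty so the function never runs on arbitrary events; the severity and user-type checks inside the function are the second line of defence against an over-broad rule.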
Have questions about implementing this in your healthcare platform? Get in touch with the Akhester team.