Some Questions about Express Plus and AWS Template Modifications

Does the JSON template for Express Plus set up a “best case configuration” of OpenEMR in the AWS cloud? Why I ask is, when creating an Express Plus configuration on CloudFormation using the GitHub JSON template, the OS is Ubuntu, so the version in the template is not the latest LTS server OS… Just wondering why?

And if I created a VPC before using the JSON template in CloudFormation, would it be easy to modify the JSON template to incorporate Express Plus into the VPC created previously? I’m just thinking that you want to “not” serve the Express Plus instance open to the internet at first, just for egress NAT access, and even then you want to whitelist in the firewall what the server is communicating with on the internet.

I’ve utilized pfSense Plus instances as the starting point for access to anything beyond it available on private subnets in the VPC. OpenVPN is incorporated natively in the pfSense Plus offerings and as such has a simple way to configure a VPN to a private subnet in a VPC. And while gaining access to the private subnet, you can configure pfSense to do egress NAT so that the private subnet can talk out to the computers on the internet…

Basically, does modifying the current Express Plus template, so that it uses the most current server OS version and such, make it no longer HIPAA eligible?

TL;DR
Using a VPN and updating the Docker image to use the latest Linux version doesn’t affect HIPAA at all.

I’m not a lawyer, but I have read through the HHS site on HIPAA.
Only Covered Entities (CEs) can be HIPAA compliant, and that’s through the process, not any product or specific practice. Anyone telling you their product or training is required for HIPAA compliance is making

Look at

What’s REQUIRED:

  • CEs make a WRITTEN security risk analysis covering the items detailed by HHS at HITECH and review/update it annually
  • CEs have a WRITTEN security and privacy policy which they follow and review/update annually
  • CEs have a security officer
    *See Administrative Requirements at Summary of the HIPAA Privacy Rule | HHS.gov

Many people believe CEs must or must not do x or y. That’s generally not true. You have to ASSESS the risk and address it.

https://www.hhs.gov/hipaa/for-professionals/faq/2014/does-the-security-rule-mandate-minimum-operating-system-requirements/index.html

https://www.hhs.gov/hipaa/for-professionals/faq/2006/does-the-security-rule-allow-for-sending-electronic-phi-in-an-email/index.html

If you use cloud data storage, you must have a Business Associate Agreement (BAA) with the cloud storage provider, and follow it.

Amazon’s BAA requires data encryption at rest and in transit.


Hope this helps.

When you see us use the phrase “HIPAA eligible”, it means that we’ve made no technical decisions known to contravene HIPAA’s requirements – we’re consciously choosing to avoid making any claims that it’s compliant, because that’s a whole thing you have to discuss with your compliance officer. Nothing in openemr-devops bears any certification or guarantee your changes would breach.

I 100% encourage you to modify the Express Plus template to better suit your needs. Review openemr-devops/stack.py at master · openemr/openemr-devops · GitHub for a much clearer picture of what’s going on in that template; the stack builder is creating a bunch of resources it then uses, but I see no reason you couldn’t hardcode your own resources into it, or have the stack builder query your own Amazon environment to make new unique subnets in your hardcoded VPC, or skip the hardcoding and seek out tagged resources, or even do those things and then call CloudFormation to launch your newly-constructed template directly.

The template is using Ubuntu 16 primarily because it (like basically all our AWS stuff) is leveraging the Lightsail script launcher and that uses Ubuntu 16 and I haven’t updated it to 20. The pressure’s been increasing though and it looks like I should get that done soon. Any changes you want to make to refresh this or that are quite reasonable

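Asher’s suggestion above (hardcoding your own VPC and subnets into what the stack builder emits, and keeping the instance off the public internet until you choose otherwise, as the original question asked) can be prototyped on the generated template before it ever reaches CloudFormation. The Python below is an added example, not code from openemr-devops or from stack.py: the sample template and its logical IDs (VPC, IGW, PrivateSubnet, WebSG, WebInstance) are constructed stand-ins for a real Express Plus stack, and the parameter names ExistingVpcId/ExistingSubnetId are assumptions. It strips the template’s own VPC plumbing, rewrites every Ref to point at the existing-VPC parameters, checks that no dangling references remain, and then replaces any world-open security-group ingress with the VPN subnet’s CIDR.

```python
"""Retarget a CloudFormation template at an existing VPC and close public ingress.

Added example; not code from openemr-devops. Logical IDs and parameter names
below are assumptions chosen for illustration, not the real stack's.
"""
import copy
import json

# Constructed sample template: builds its own VPC, gateway and subnet, and
# exposes the web tier to the whole internet on 443.
SAMPLE_TEMPLATE = {
    "AWSTemplateFormatVersion": "2010-09-09",
    "Parameters": {},
    "Resources": {
        "VPC": {"Type": "AWS::EC2::VPC",
                "Properties": {"CidrBlock": "10.0.0.0/16"}},
        "IGW": {"Type": "AWS::EC2::InternetGateway", "Properties": {}},
        "IGWAttach": {"Type": "AWS::EC2::VPCGatewayAttachment",
                      "Properties": {"VpcId": {"Ref": "VPC"},
                                     "InternetGatewayId": {"Ref": "IGW"}}},
        "PrivateSubnet": {"Type": "AWS::EC2::Subnet",
                          "Properties": {"VpcId": {"Ref": "VPC"},
                                         "CidrBlock": "10.0.1.0/24"}},
        "WebSG": {"Type": "AWS::EC2::SecurityGroup",
                  "Properties": {"VpcId": {"Ref": "VPC"},
                                 "GroupDescription": "web tier",
                                 "SecurityGroupIngress": [
                                     {"IpProtocol": "tcp", "FromPort": 443,
                                      "ToPort": 443, "CidrIp": "0.0.0.0/0"}]}},
        "WebInstance": {"Type": "AWS::EC2::Instance",
                        "Properties": {"SubnetId": {"Ref": "PrivateSubnet"},
                                       "SecurityGroupIds": [{"Ref": "WebSG"}]}},
    },
}

# Network plumbing that only makes sense when the template creates its own VPC.
# An existing VPC (e.g. one fronted by a pfSense NAT instance) already has these.
VPC_PLUMBING_TYPES = {
    "AWS::EC2::VPC", "AWS::EC2::Subnet", "AWS::EC2::InternetGateway",
    "AWS::EC2::VPCGatewayAttachment", "AWS::EC2::RouteTable", "AWS::EC2::Route",
    "AWS::EC2::SubnetRouteTableAssociation",
}
WORLD = {"0.0.0.0/0", "::/0"}


def _rewrite_refs(node, mapping):
    """Recursively replace {"Ref": old} with {"Ref": new} for each pair in mapping."""
    if isinstance(node, dict):
        if set(node) == {"Ref"} and node["Ref"] in mapping:
            return {"Ref": mapping[node["Ref"]]}
        return {k: _rewrite_refs(v, mapping) for k, v in node.items()}
    if isinstance(node, list):
        return [_rewrite_refs(v, mapping) for v in node]
    return node


def retarget_to_existing_vpc(template, vpc_param="ExistingVpcId",
                             subnet_param="ExistingSubnetId"):
    """Drop the template's own VPC/subnet plumbing; take VPC and subnet as parameters.

    Simplification: every subnet the template created is mapped onto one
    existing-subnet parameter. A multi-AZ stack would want one per subnet."""
    out = copy.deepcopy(template)
    resources = out["Resources"]
    mapping = {}
    for logical_id, res in list(resources.items()):
        if res["Type"] == "AWS::EC2::VPC":
            mapping[logical_id] = vpc_param
        elif res["Type"] == "AWS::EC2::Subnet":
            mapping[logical_id] = subnet_param
        if res["Type"] in VPC_PLUMBING_TYPES:
            del resources[logical_id]
    out.setdefault("Parameters", {})
    out["Parameters"][vpc_param] = {"Type": "AWS::EC2::VPC::Id"}
    out["Parameters"][subnet_param] = {"Type": "AWS::EC2::Subnet::Id"}
    out["Resources"] = _rewrite_refs(resources, mapping)
    return out


def dangling_refs(template):
    """Ref targets that are not a resource, a parameter, or an AWS:: pseudo-parameter."""
    known = set(template.get("Resources", {})) | set(template.get("Parameters", {}))
    found = set()

    def walk(node):
        if isinstance(node, dict):
            if set(node) == {"Ref"} and isinstance(node["Ref"], str):
                if node["Ref"] not in known and not node["Ref"].startswith("AWS::"):
                    found.add(node["Ref"])
            for v in node.values():
                walk(v)
        elif isinstance(node, list):
            for v in node:
                walk(v)

    walk(template.get("Resources", {}))
    return found


def world_open_ingress(template):
    """(security group, from port, to port) for every rule reachable from anywhere."""
    hits = []
    for logical_id, res in template["Resources"].items():
        if res["Type"] != "AWS::EC2::SecurityGroup":
            continue
        for rule in res["Properties"].get("SecurityGroupIngress", []):
            if rule.get("CidrIp") in WORLD or rule.get("CidrIpv6") in WORLD:
                hits.append((logical_id, rule.get("FromPort"), rule.get("ToPort")))
    return hits


def restrict_ingress(template, allowed_cidr):
    """Limit world-open IPv4 rules to allowed_cidr (e.g. the VPN subnet); drop IPv6 world rules."""
    out = copy.deepcopy(template)
    for res in out["Resources"].values():
        if res["Type"] != "AWS::EC2::SecurityGroup":
            continue
        kept = []
        for rule in res["Properties"].get("SecurityGroupIngress", []):
            if rule.get("CidrIpv6") in WORLD:
                continue  # private-first deployment: no IPv6 world access at all
            if rule.get("CidrIp") in WORLD:
                rule["CidrIp"] = allowed_cidr
            kept.append(rule)
        res["Properties"]["SecurityGroupIngress"] = kept
    return out


if __name__ == "__main__":
    # "10.8.0.0/24" stands in for the OpenVPN client subnet behind pfSense (assumed).
    private = restrict_ingress(retarget_to_existing_vpc(SAMPLE_TEMPLATE), "10.8.0.0/24")
    assert not dangling_refs(private) and not world_open_ingress(private)
    print(json.dumps(private, indent=2))
```

Run it against the real output of the stack builder by loading that JSON instead of SAMPLE_TEMPLATE; the dangling_refs check is the part that pays off there, since a generated template will reference route tables and gateway attachments in places a hand edit easily misses.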

Thank you, Asher; you answered his question more specifically than I did.

We agree HIPAA compliance is a property of CEs following the process to assess risk and decide what’s appropriate for their situation.
Regarding security, HHS and OIG have been appropriately stricter on large organizations than solo offices.

I appreciate the technical expertise that goes into making the Express Plus templates more secure and the professional dedication that gets them updated.

E.g., regarding plain old email: one privacy policy I’ve seen says explicitly that if a patient uses a communication channel to communicate PHI to the office, they can respond with the same channel.
The primary goal of HIPAA was to encourage secure communication, collaboration and sharing information to improve health care.

45 CFR § 164.312 - Technical safeguards
(1) Standard: Transmission security. Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.

(2) Implementation specifications:

(i) Integrity controls (Addressable). Implement security measures to ensure that electronically transmitted electronic protected health information is not improperly modified without detection until disposed of.

(ii) Encryption (Addressable). Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate.
(Emphasis added.)

In other words, CEs need to balance ease of use for patients with security of their PHI. If a patient runs out of meds because they can’t use encrypted email, that’s not a win.
There’s no universal correct answer.
HIPAA is actually a rare victory in its flexibility and focus on what’s important.


Lightsail Script Update looks like it’s good, and I’ve updated the Express Plus CF template to use Ubuntu 20 AMIs from here out.