Leading CRM Provider Improves Configuration Checks on AWS Resources to Comply with HIPAA Framework

Published on June 16, 2023

Challenge

A globally recognised CRM provider engaged Protiviti to help it determine methods to better protect customer data while complying with each customer's unique regulatory requirements. The client needed an efficient method to perform configuration checks on AWS resources to ensure it would remain compliant with the HIPAA framework, so that it could grow its footprint in the healthcare industry.

Client Snapshot

Profile: This leading CRM provider has built its globally recognised brand by earning the trust of its customers through transparency, security, compliance, privacy and performance to deliver the industry's most trusted infrastructure.

Client Situation: The client needed to more effectively protect customer data and comply with each customer's regulatory requirements.

Work Performed: Protiviti worked with the client to implement AWS Config, using AWS Config managed rules, conformance packs, and aggregators to build a comprehensive solution.

Outcome/Benefits: Provided a master list of all in-scope resources that can enable or disable encryption at rest. Identified risk areas across 50+ AWS resources to be adjusted prior to declaring a HIPAA self-certification.

Solution

The first major concern involved checking encryption across all services. To do so, Protiviti leveraged AWS Config to deploy rules that perform resource checks consistent with HIPAA's stringent requirements. Protiviti also implemented a custom conformance pack to package the desired rules and deploy them across all relevant regions and production accounts within the client's AWS environment.

Utilising AWS

Throughout the engagement, Protiviti utilised AWS Config, AWS Config managed rules, conformance packs, and aggregators to build a comprehensive solution. The conformance pack consisted of 27 AWS managed rules and covered 16 services utilised by the client, allowing them to package rules for deployment easily. In addition, an aggregator was configured to centralise results from all production accounts and regions in one location.

Protiviti also developed custom AWS Config rules backed by AWS Lambda to perform more complex checks on AWS IAM resources, verifying that least privilege and company policies are being followed. Lastly, Protiviti leveraged Amazon CloudTrail and Amazon CloudWatch to log and monitor API calls made to AWS Config.

Outcome

Protiviti provided the client with a master list of all in-scope resources that can enable or disable encryption at rest. The project team also identified risk areas across 50+ AWS resources to be adjusted and re-reviewed prior to declaring a HIPAA self-certification. This process saved the client's GRC and engineering teams 6000+ hours that would otherwise have been spent sampling the various AWS resources across all services in use.
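The custom IAM least-privilege check mentioned under Utilising AWS, as an added illustration that is not Protiviti's or the client's code: a Lambda-backed AWS Config rule that marks an AWS::IAM::Policy NON_COMPLIANT when its default version allows wildcard actions on every resource. The rule name, the wildcard criterion and the assumption that Config records the policy document URL-encoded under policyVersionList are mine, not taken from the page.

```python
"""Lambda handler for a custom AWS Config rule (hypothetical name: iam-policy-no-wildcard).

Flags AWS::IAM::Policy resources whose default version allows Action "*" or
"service:*" on Resource "*". The evaluation logic is pure and testable offline;
only lambda_handler needs the Lambda runtime and boto3."""
import json
from urllib.parse import unquote


def _as_list(value):
    """IAM accepts a bare string where a list is allowed; normalise to a list."""
    return value if isinstance(value, list) else [value]


def wildcard_statements(policy_doc):
    """Return Sids (or positional labels) of Allow statements granting wildcard actions on '*'."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy_doc.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        broad_action = any(a == "*" or a.endswith(":*") for a in actions)
        broad_resource = "*" in _as_list(stmt.get("Resource", []))
        if broad_action and broad_resource:
            findings.append(stmt.get("Sid") or f"Statement[{idx}]")
    return findings


def evaluate_policy_item(item):
    """Map one AWS::IAM::Policy configuration item to (ComplianceType, Annotation).

    Assumed recorded shape: configuration.policyVersionList[] holding each version,
    with the default version's document stored URL-encoded under "document"."""
    versions = item.get("configuration", {}).get("policyVersionList", [])
    default = next((v for v in versions if v.get("isDefaultVersion")), None)
    if default is None:
        return "NOT_APPLICABLE", "No default policy version recorded"
    findings = wildcard_statements(json.loads(unquote(default["document"])))
    if findings:
        return "NON_COMPLIANT", "Wildcard Allow on Resource '*': " + ", ".join(findings)
    return "COMPLIANT", "No wildcard Allow statements"


def lambda_handler(event, context):
    """Entry point AWS Config invokes on a configuration change; reports via PutEvaluations."""
    import boto3  # imported here so the evaluation helpers above run without it
    item = json.loads(event["invokingEvent"])["configurationItem"]
    compliance, annotation = evaluate_policy_item(item)
    boto3.client("config").put_evaluations(
        Evaluations=[{
            "ComplianceResourceType": item["resourceType"],
            "ComplianceResourceId": item["resourceId"],
            "ComplianceType": compliance,
            "Annotation": annotation[:256],  # Config limits annotations to 256 characters
            "OrderingTimestamp": item["configurationItemCaptureTime"],
        }],
        ResultToken=event["resultToken"],
    )
```

Deploy it with the Lambda as the rule's owner-custom source and scope the rule to AWS::IAM::Policy; the aggregator described on the page then surfaces the NON_COMPLIANT annotations across accounts and regions.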