Security & Compliance | Fast Healthcare Interoperability Resources (FHIR)

Security & Compliance for FHIR on AWS

Australian healthcare FHIR implementations must comply with stringent security and privacy regulations including IRAP PROTECTED assessment, ISM controls, Privacy Act 1988, and data residency requirements. AWS provides comprehensive compliance programs and services to meet these obligations.

This module covers IRAP PROTECTED assessment, ISM controls, AWS Artifact for compliance documentation, Australian data residency (Sydney/Melbourne regions), and implementation of security controls using AWS services.

Compliance is Shared

While AWS provides compliant infrastructure, customers remain responsible for configuring services securely, managing access controls, encrypting data, and maintaining audit trails.

IRAP PROTECTED: Australian Government security assessment
ISM: Information Security Manual controls from ASD
AWS Artifact: On-demand compliance reports
Data Residency: Sydney (ap-southeast-2) and Melbourne (ap-southeast-4)
Privacy Act 1988: Australian Privacy Principles (APPs)
Notifiable Data Breaches (NDB) scheme requirements

IRAP PROTECTED Assessment

IRAP (Information Security Registered Assessors Program) is the Australian Government's security assessment framework. PROTECTED is the highest assessment level, suitable for sensitive government and healthcare data.

IRAP Assessment Levels

IRAP assessment classifications

Level	Data Classification	Applicability
UNCLASSIFIED	Public information	General websites, public APIs
PROTECTED	Sensitive government/healthcare data	My Health Record, patient data, government systems

AWS IRAP PROTECTED Services

Multiple AWS services have achieved IRAP PROTECTED assessment:

Amazon EC2 (compute instances)
Amazon S3 (object storage)
Amazon RDS/Aurora (databases)
Amazon VPC (networking)
AWS Lambda (serverless compute)
Amazon API Gateway (API management)
AWS KMS (key management)
Amazon CloudWatch (monitoring)
AWS CloudTrail (audit logging)
Amazon Cognito (identity)

IRAP Documentation

IRAP assessment reports are available through AWS Artifact. Customers must review the Statement of Applicability (SoA) to understand which controls are AWS responsibility vs. customer responsibility.

Key IRAP Controls for FHIR

IRAP controls mapped to AWS services

Control	Requirement	ISM Reference	AWS Service
Identification & Authentication	Unique user identifiers, strong authentication	IA-1, IA-2, IA-3	IAM, Cognito, MFA
Access Control	Least privilege, role-based access	AC-1, AC-2, AC-3	IAM Policies, SCPs, Resource Policies
Audit & Accountability	Comprehensive logging, 7-year retention	AU-1, AU-2, AU-3	CloudTrail, CloudWatch Logs, S3
Configuration Management	Secure baselines, change control	CM-1, CM-2, CM-6	Config, Systems Manager, CloudFormation
Identification & Authentication	Unique identification, MFA for privileged	IA-1, IA-2, IA-8	IAM, Cognito, MFA
Incident Response	Incident handling, notification procedures	IR-1, IR-2, IR-4	Security Hub, GuardDuty, SNS
Maintenance	Controlled maintenance, remote access	MA-1, MA-4	Systems Manager, Session Manager
Media Protection	Encryption, secure disposal	MP-1, MP-4, MP-6	KMS, S3 Encryption, Macie
Physical Protection	Physical access controls (AWS responsibility)	PE-1, PE-2, PE-3	AWS Data Centers (managed by AWS)
Risk Assessment	Periodic risk assessments	RA-1, RA-3	Security Hub, Inspector, Artifact
System & Communications Protection	Encryption in transit, boundary protection	SC-1, SC-7, SC-8	TLS, WAF, Shield, VPC
System & Information Integrity	Malware protection, vulnerability scanning	SI-1, SI-2, SI-3	Inspector, GuardDuty, Macie

AWS IRAP Assessment

AWS IRAP PROTECTED assessment documentation

AWS IRAP Page

Information Security Manual (ISM)

The Information Security Manual (ISM) is published by the Australian Signals Directorate (ASD) and outlines cybersecurity controls for protecting information and communications technology systems.

ISM Control Categories

Governance (G): Risk management, policies, oversight
Asset Management (AM): Inventory, classification, handling
Access Control (AC): Authentication, authorization, least privilege
Cryptography (CY): Encryption, key management
System Security (SS): Hardening, patching, configuration
Network Security (NS): Segmentation, firewalls, monitoring
Incident Management (IM): Detection, response, recovery
Personnel Security (PS): Screening, training, awareness
Physical Security (PHY): Facilities, equipment protection
System Development (SD): Secure development lifecycle
Data Management (DM): Backup, recovery, disposal

Essential Eight Maturity Model

The ACSC Essential Eight are prioritized mitigation strategies:

Application Control (allow-list approved applications)
Patch Applications (update within 48 hours for critical)
Configure Microsoft Office Macro Settings
User Application Hardening (disable Flash, Java)
Restrict Administrative Privileges (least privilege)
Patch Operating Systems (update within 14 days)
Multi-Factor Authentication (MFA for all remote access)
Daily Backups (immutable, tested restoration)

Essential Eight on AWS

AWS services support Essential Eight implementation: Systems Manager for patching, IAM for privilege restriction, Cognito for MFA, Backup for daily backups, and WAF for application control.

Encryption Requirements

ISM encryption requirements

Data State	Requirement	AWS Implementation
At Rest	AES-256 or equivalent	KMS with CMKs, S3 SSE-KMS, EBS encryption
In Transit	TLS 1.2 or higher	ALB/CloudFront TLS, API Gateway HTTPS
Key Management	Secure key storage, rotation	KMS with automatic rotation, CloudHSM for FIPS

Information Security Manual

ASD ISM official documentation

ASD ISM

AWS Artifact: Compliance Documentation

AWS Artifact provides on-demand access to AWS compliance reports, security documents, and online agreements. It is the primary source for IRAP assessment reports and other compliance documentation.

Artifact Report Types

IRAP Assessment Reports (PROTECTED)
SOC Reports (SOC 1, SOC 2, SOC 3)
ISO Certifications (27001, 27017, 27018)
PCI DSS Attestation of Compliance
HIPAA Eligibility Letters
FedRAMP Authorization Packages
Country-specific reports (Australia, UK, EU)

AWS Compliance Programs

AWS compliance programs for healthcare

Program	Description	Applicability	AWS Status
IRAP PROTECTED	Australian Government security assessment for cloud services	Government agencies, healthcare, sensitive data	Multiple services assessed
SOC 2 Type II	Service Organization Control for security, availability, confidentiality	All AWS customers	All regions and services
ISO 27001	International information security management standard	Global organizations	Certified across all regions
ISO 27017	Cloud security controls (extension of ISO 27001)	Cloud service users	Certified for AWS cloud services
ISO 27018	Protection of PII in public clouds	Privacy-sensitive workloads	Certified for PII protection
HIPAA	US health information privacy and security	Healthcare organizations (also relevant for AU)	HIPAA-eligible services available
Privacy Act 1988 (APPs)	Australian Privacy Principles	All Australian organizations	AWS services support APP compliance
Essential Eight	ACSC mitigation strategies for cyber incidents	Australian organizations	AWS services support implementation

Accessing Artifact Reports

Sign in to AWS Management Console
Navigate to AWS Artifact service
Select "Reports" tab
Filter by region (ap-southeast-2 for Australia)
Download IRAP PROTECTED assessment report
Review Statement of Applicability (SoA)
Identify customer-responsible controls

NDA Requirements

Some compliance reports require accepting a Non-Disclosure Agreement (NDA) before download. AWS Artifact Online Agreements streamline this process.

AWS Artifact

AWS Artifact compliance portal

AWS Artifact

AWS HIPAA Compliance

AWS HIPAA eligibility and compliance program details

HIPAA-Eligible Services

Reference list of AWS services eligible for HIPAA workloads

Australian Data Residency

Australian healthcare data is subject to data residency requirements mandating that certain data remain within Australian borders. AWS operates two regions in Australia to support compliance.

AWS Australian Regions

AWS regions in Australia

Region	Location	Launch Date	Availability Zones
ap-southeast-2	Sydney	2012	3 (a, b, c)
ap-southeast-4	Melbourne	2023	3 (a, b, c)

Data Residency Requirements

Australian data residency obligations

Requirement	Location	AWS Region	Legislation
My Health Record data	Must remain in Australia	ap-southeast-2 (Sydney) or ap-southeast-4 (Melbourne)	My Health Records Act 2012
Government PROTECTED data	Must remain in Australia	IRAP-assessed Australian regions	ISM, PSPF
Healthcare provider records	Recommended to remain in Australia	Australian regions for compliance	Privacy Act 1988, state health records acts
Personal information (APP 8)	Cross-border disclosure restrictions	Ensure recipient country has similar protections	Privacy Act 1988 - APP 8

Privacy Act 1988 - APP 8

Australian Privacy Principle 8 governs cross-border disclosure of personal information:

Before disclosing overseas, ensure recipient is bound by similar protections
Australian organization remains accountable for overseas handling
Exceptions: consent, required by law, permitted by general circumstances
AWS Australian regions help comply with APP 8 by keeping data in Australia

Cross-Region Replication

Even with data in Australian regions, be cautious of cross-region replication, backup strategies, and disaster recovery plans that might transfer data outside Australia.

Notifiable Data Breaches (NDB) Scheme

The NDB scheme requires notification of eligible data breaches:

Notify OAIC (Office of the Australian Information Commissioner)
Notify affected individuals
Timeline: As soon as practicable after becoming aware
Eligible breach: Unauthorized access likely to result in serious harm
AWS GuardDuty, Macie, and Security Hub help detect breaches

OAIC NDB Scheme

Notifiable Data Breaches scheme guidance

OAIC NDB Scheme

Shared Responsibility Model

The AWS Shared Responsibility Model defines security obligations: AWS secures the cloud infrastructure, customers secure what they put in the cloud.

Responsibility Division

AWS Shared Responsibility Model

100%drag to pan

Loading diagram...

AWS Responsibility (Security OF the Cloud)

Physical security of data centers
Hardware and infrastructure maintenance
Network infrastructure and edge locations
Hypervisor and virtualization layer
Regional and Availability Zone resilience
Compliance certifications for infrastructure

Customer Responsibility (Security IN the Cloud)

Customer data encryption and classification
IAM policies, users, groups, and roles
Security group and NACL configuration
Operating system patching (EC2)
Application security and hardening
Audit logging and monitoring configuration
Backup and disaster recovery planning

Common Misconception

Many customers mistakenly believe AWS handles all security. In reality, misconfigured S3 buckets, weak IAM policies, and unencrypted databases are customer responsibilities and common causes of breaches.

Service-Specific Responsibility

Responsibility by service type

Service Type	AWS Manages	Customer Manages
Infrastructure (EC2, VPC)	Physical security, hypervisor, network	OS, applications, data, IAM, firewall rules
Container (ECS, EKS)	Control plane, infrastructure	Container images, workloads, data
Managed (RDS, HealthLake)	OS, database engine, patching, backups	Data, encryption, access control, parameters
Serverless (Lambda, API Gateway)	Runtime, infrastructure, scaling	Code, data, permissions, configuration

AWS Well-Architected Security Pillar

AWS security best practices framework

ACSC Cloud Security Guidelines

Australian Cyber Security Centre cloud guidance

Implementing IRAP Controls with AWS

NASH PKI Requirement

Australian healthcare B2B integrations normally combine two controls: mTLS with a NASH certificate at the API boundary, and OAuth 2.0 scopes for application authorization. The certificate is not a standalone API hop; it is part of the transport/authentication layer.

Terraform: IRAP-Compliant Infrastructure

Terraform IRAP-Compliant KMS and CloudTrail

Terraform

# KMS Key with rotation for PROTECTED data
resource "aws_kms_key" "protected_data" {
  description             = "KMS key for IRAP PROTECTED FHIR data"
  deletion_window_in_days = 30
  enable_key_rotation     = true
  
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid    = "Enable IAM User Permissions"
        Effect = "Allow"
        Principal = {
          AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"
        }
        Action   = "kms:*"
        Resource = "*"
      },
      {
        Sid    = "Allow CloudTrail to encrypt logs"
        Effect = "Allow"
        Principal = {
          Service = "cloudtrail.amazonaws.com"
        }
        Action   = "kms:GenerateDataKey*"
        Resource = "*"
        Condition = {
          StringLike = {
            "kms:EncryptionContext:aws:cloudtrail:arn" = "arn:aws:cloudtrail:*:${data.aws_caller_identity.current.account_id}:trail/*"
          }
        }
      }
    ]
  })
  
  tags = {
    Name        = "protected-data-key"
    Compliance  = "IRAP-PROTECTED"
    Environment = "production"
  }
}

# CloudTrail with encryption and integrity validation
resource "aws_cloudtrail" "compliance" {
  name                          = "compliance-audit-trail"
  s3_bucket_name                = aws_s3_bucket.audit_logs.id
  s3_key_prefix                 = "cloudtrail"
  include_global_service_events = true
  is_multi_region_trail         = true
  enable_log_file_validation    = true
  kms_key_id                    = aws_kms_key.protected_data.arn
  
  event_selector {
    read_write_type           = "All"
    include_management_events = true
    
    data_resource {
      type   = "AWS::S3::Object"
      values = ["${aws_s3_bucket.fhir_data.arn}/"]
    }
    
    data_resource {
      type   = "AWS::Lambda::Function"
      values = ["arn:aws:lambda"]
    }
  }
  
  tags = {
    Name       = "compliance-trail"
    Compliance = "IRAP-PROTECTED"
  }
}

# S3 bucket for audit logs with encryption
resource "aws_s3_bucket" "audit_logs" {
  bucket = "fhir-audit-logs-${data.aws_caller_identity.current.account_id}"
  
  tags = {
    Name       = "audit-logs"
    Compliance = "IRAP-PROTECTED"
  }
}

resource "aws_s3_bucket_server_side_encryption_configuration" "audit_logs" {
  bucket = aws_s3_bucket.audit_logs.id
  
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm     = "aws:kms"
      kms_master_key_id = aws_kms_key.protected_data.arn
    }
  }
}

resource "aws_s3_bucket_versioning" "audit_logs" {
  bucket = aws_s3_bucket.audit_logs.id
  
  versioning_configuration {
    status = "Enabled"
  }
}

resource "aws_s3_bucket_policy" "audit_logs" {
  bucket = aws_s3_bucket.audit_logs.id
  
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid    = "AWSCloudTrailAclCheck"
        Effect = "Allow"
        Principal = {
          Service = "cloudtrail.amazonaws.com"
        }
        Action   = "s3:GetBucketAcl"
        Resource = aws_s3_bucket.audit_logs.arn
      },
      {
        Sid    = "AWSCloudTrailWrite"
        Effect = "Allow"
        Principal = {
          Service = "cloudtrail.amazonaws.com"
        }
        Action   = "s3:PutObject"
        Resource = "${aws_s3_bucket.audit_logs.arn}/cloudtrail/*"
        Condition = {
          StringEquals = {
            "s3:x-amz-acl" = "bucket-owner-full-control"
          }
        }
      }
    ]
  })
}

Terraform: VPC with Private Subnets

Terraform VPC for FHIR Workloads

Terraform

# VPC for FHIR workloads
resource "aws_vpc" "fhir" {
  cidr_block           = "10.0.0.0/16"
  enable_dns_hostnames = true
  enable_dns_support   = true
  
  tags = {
    Name       = "fhir-vpc"
    Compliance = "IRAP-PROTECTED"
  }
}

# Private subnets (no direct internet access)
resource "aws_subnet" "private_1" {
  vpc_id            = aws_vpc.fhir.id
  cidr_block        = "10.0.1.0/24"
  availability_zone = "ap-southeast-2a"
  
  tags = {
    Name = "fhir-private-1"
    Type = "private"
  }
}

resource "aws_subnet" "private_2" {
  vpc_id            = aws_vpc.fhir.id
  cidr_block        = "10.0.2.0/24"
  availability_zone = "ap-southeast-2b"
  
  tags = {
    Name = "fhir-private-2"
    Type = "private"
  }
}

# VPC Endpoints for private AWS service access
resource "aws_vpc_endpoint" "s3" {
  vpc_id       = aws_vpc.fhir.id
  service_name = "com.amazonaws.ap-southeast-2.s3"
  vpc_endpoint_type = "Gateway"
  
  tags = {
    Name = "s3-endpoint"
  }
}

resource "aws_vpc_endpoint" "dynamodb" {
  vpc_id       = aws_vpc.fhir.id
  service_name = "com.amazonaws.ap-southeast-2.dynamodb"
  vpc_endpoint_type = "Gateway"
  
  tags = {
    Name = "dynamodb-endpoint"
  }
}

resource "aws_vpc_endpoint" "kms" {
  vpc_id            = aws_vpc.fhir.id
  service_name      = "com.amazonaws.ap-southeast-2.kms"
  vpc_endpoint_type = "Interface"
  
  subnet_ids        = [aws_subnet.private_1.id, aws_subnet.private_2.id]
  security_group_ids = [aws_security_group.vpc_endpoint.id]
  
  private_dns_enabled = true
  
  tags = {
    Name = "kms-endpoint"
  }
}

AWS Security Best Practices for Healthcare

AWS healthcare security whitepaper

NIST Cybersecurity Framework

NIST framework for critical infrastructure cybersecurity

IRAP PROTECTED Control Mapping

IRAP PROTECTED compliance requires mapping ASD ISM controls to specific AWS service configurations. This section provides a comprehensive control mapping for FHIR workloads.

ASD ISM Controls to AWS Service Mapping

ISM control categories mapped to AWS services

ISM Control	Requirement	AWS Service	Implementation
IA-1: Identification & Authentication	Unique user identifiers for all users	IAM, Cognito	IAM users with unique names, Cognito user pools with MFA
IA-2: User Authentication	MFA for privileged and remote access	IAM MFA, Cognito MFA	Hardware/virtual MFA for IAM, TOTP for Cognito
AC-1: Access Control Policy	Least privilege access control	IAM Policies, SCPs	Fine-grained IAM policies, Service Control Policies
AU-1: Audit & Accountability	Comprehensive audit logging	CloudTrail, CloudWatch Logs	Multi-region CloudTrail, centralized log aggregation
AU-2: Audit Events	Log all security-relevant events	CloudTrail, VPC Flow Logs	Data events for S3, Lambda; Flow Logs for VPC
AU-3: Audit Retention	Minimum 7-year log retention	S3 Glacier, CloudWatch Logs	S3 lifecycle policies to Glacier, 7+ year retention
SC-8: Transmission Confidentiality	Encrypt data in transit	TLS, ACM, CloudFront	TLS 1.2+ enforced, ACM certificates, HTTPS-only
SC-12: Cryptographic Key Management	Secure key generation and storage	KMS, CloudHSM	CMKs with rotation, CloudHSM for FIPS 140-2 L3
SC-13: Cryptographic Protection	FIPS-validated cryptography	KMS, CloudHSM	FIPS 140-2 validated endpoints, CMKs
SI-2: Flaw Remediation	Security updates and patches	Systems Manager, Inspector	Automated patching, vulnerability scanning
SI-4: Information Monitoring	Monitor for security events	GuardDuty, Security Hub	GuardDuty threat detection, Security Hub findings
IR-4: Incident Handling	Incident response procedures	SNS, Lambda, Security Hub	Automated alerts, incident response playbooks

Data Sovereignty Requirements

IRAP PROTECTED requires data to remain within Australian borders:

Primary Region: ap-southeast-2 (Sydney) - IRAP assessed
Secondary Region: ap-southeast-4 (Melbourne) - IRAP assessed
No cross-region replication outside Australia
Backup and DR must remain in Australian regions
CloudTrail must log all regions but store in Australia
AWS Global Accelerator endpoints restricted to Australia

Encryption Requirements

Encryption requirements for PROTECTED data

Data State	Requirement	AWS Implementation	ISM Reference
At Rest - FHIR Data	AES-256 encryption	HealthLake SSE-KMS, DynamoDB encryption, CMK rotation	SC-12, SC-13
At Rest - Backups	AES-256 encryption	S3 SSE-KMS, AWS Backup encryption	SC-12
In Transit - API	TLS 1.2 or higher	ALB/CloudFront TLS 1.2+, ACM certificates	SC-8
In Transit - Internal	TLS 1.2 or higher	VPC endpoints, private subnets, TLS enforcement	SC-8
Key Management	CMK with rotation, audit logging	KMS CMKs, annual rotation, CloudTrail logging	SC-12, AU-2

Audit Logging Architecture

CloudTrail: Multi-region trail with log file validation
S3 Bucket: Encrypted, versioned, MFA delete for audit logs
CloudWatch Logs: Application and system logs
VPC Flow Logs: Network traffic monitoring
GuardDuty: Threat detection and anomaly alerts
Security Hub: Centralized compliance dashboard
Retention: 7+ years via S3 lifecycle to Glacier

Compliance Checklist

IRAP PROTECTED compliance checklist for FHIR

Control Area	Checklist Item	AWS Service	Status
Data Residency	Deploy in ap-southeast-2 or ap-southeast-4	All	☐
Encryption	KMS CMKs with rotation enabled	KMS	☐
Encryption	TLS 1.2+ enforced on all endpoints	ACM, CloudFront	☐
Access Control	MFA for all privileged users	IAM, Cognito	☐
Access Control	Least privilege IAM policies	IAM	☐
Audit	CloudTrail multi-region enabled	CloudTrail	☐
Audit	7+ year log retention configured	S3, Glacier	☐
Network	Private subnets for FHIR workloads	VPC	☐
Network	VPC endpoints for AWS services	VPC Endpoints	☐
Monitoring	GuardDuty enabled	GuardDuty	☐
Monitoring	Security Hub enabled	Security Hub	☐
Backup	Automated backups with encryption	AWS Backup	☐
Incident Response	Alerting configured for security events	SNS, Lambda	☐

IRAP Assessment Process

IRAP PROTECTED requires formal assessment by an IRAP assessor. Engage early, document all controls, and use AWS Artifact reports as evidence of AWS control implementation.

AWS IRAP Assessment

IRAP PROTECTED assessment details

AWS IRAP

AWS Artifact

Download IRAP assessment reports

AWS Artifact

Summary & Key Takeaways

Australian healthcare FHIR implementations must comply with IRAP PROTECTED, ISM controls, Privacy Act 1988, and data residency requirements. AWS provides comprehensive compliance programs and services to meet these obligations.

Core Concepts Recap

IRAP PROTECTED: Highest Australian Government security assessment
ISM: ASD cybersecurity controls for system protection
AWS Artifact: On-demand compliance reports and agreements
Data Residency: Sydney and Melbourne regions for Australian data
Shared Responsibility: AWS secures cloud, customers secure data
Essential Eight: Prioritized mitigation strategies from ACSC

Compliance Checklist

Review IRAP PROTECTED SoA in AWS Artifact
Deploy in ap-southeast-2 or ap-southeast-4
Enable encryption at rest (KMS) and in transit (TLS 1.2+)
Implement MFA for all privileged access
Enable CloudTrail across all regions
Configure least privilege IAM policies
Implement VPC with private subnets
Enable GuardDuty and Security Hub
Establish 7+ year log retention
Document NDB response procedures

Next Steps

After understanding compliance requirements, explore B2B integration (NASH certificates, mTLS), SMART on FHIR authorization, and real-world implementation patterns.

ASD ISM Controls Catalog

Detailed ISM control catalog from ASD

OAIC Privacy Act Guidance

Office of the Australian Information Commissioner privacy guidance

Knowledge Check

Test your understanding with this quiz. You need to answer all questions correctly to mark this section as complete.

Quiz Progress

Question 1 of 25

Which AWS service maps to ISM control AU-1 (Audit & Accountability)?

← PreviousAWS Infrastructure Next →B2B Integration

Level

Data Classification

Applicability

UNCLASSIFIED

Public information

General websites, public APIs

PROTECTED

Sensitive government/healthcare data

My Health Record, patient data, government systems

Control

Requirement

ISM Reference

AWS Service

Identification & Authentication

Unique user identifiers, strong authentication

IA-1, IA-2, IA-3

IAM, Cognito, MFA

Access Control

Least privilege, role-based access

AC-1, AC-2, AC-3

IAM Policies, SCPs, Resource Policies

Audit & Accountability

Comprehensive logging, 7-year retention

AU-1, AU-2, AU-3

CloudTrail, CloudWatch Logs, S3

Configuration Management

Secure baselines, change control

CM-1, CM-2, CM-6

Config, Systems Manager, CloudFormation

Identification & Authentication

Unique identification, MFA for privileged

IA-1, IA-2, IA-8

IAM, Cognito, MFA

Incident Response

Incident handling, notification procedures

IR-1, IR-2, IR-4

Security Hub, GuardDuty, SNS

Maintenance

Controlled maintenance, remote access

MA-1, MA-4

Systems Manager, Session Manager

Media Protection

Encryption, secure disposal

MP-1, MP-4, MP-6

KMS, S3 Encryption, Macie

Physical Protection

Physical access controls (AWS responsibility)

PE-1, PE-2, PE-3

AWS Data Centers (managed by AWS)

Risk Assessment

Periodic risk assessments

RA-1, RA-3

Security Hub, Inspector, Artifact

System & Communications Protection

Encryption in transit, boundary protection

SC-1, SC-7, SC-8

TLS, WAF, Shield, VPC

System & Information Integrity

Malware protection, vulnerability scanning

SI-1, SI-2, SI-3

Inspector, GuardDuty, Macie

Data State

Requirement

AWS Implementation

At Rest

AES-256 or equivalent

KMS with CMKs, S3 SSE-KMS, EBS encryption

In Transit

TLS 1.2 or higher

ALB/CloudFront TLS, API Gateway HTTPS

Key Management

Secure key storage, rotation

KMS with automatic rotation, CloudHSM for FIPS

Program

Description

Applicability

AWS Status

IRAP PROTECTED

Australian Government security assessment for cloud services

Government agencies, healthcare, sensitive data

Multiple services assessed

SOC 2 Type II

Service Organization Control for security, availability, confidentiality

All AWS customers

All regions and services

ISO 27001

International information security management standard

Global organizations

Certified across all regions

ISO 27017

Cloud security controls (extension of ISO 27001)

Cloud service users

Certified for AWS cloud services

ISO 27018

Protection of PII in public clouds

Privacy-sensitive workloads

Certified for PII protection

HIPAA

US health information privacy and security

Healthcare organizations (also relevant for AU)

HIPAA-eligible services available

Privacy Act 1988 (APPs)

Australian Privacy Principles

All Australian organizations

AWS services support APP compliance

Essential Eight

ACSC mitigation strategies for cyber incidents

Australian organizations

AWS services support implementation

Region

Location

Launch Date

Availability Zones

ap-southeast-2

Sydney

2012

3 (a, b, c)

ap-southeast-4

Melbourne

2023

3 (a, b, c)

Requirement

Location

AWS Region

Legislation

My Health Record data

Must remain in Australia

ap-southeast-2 (Sydney) or ap-southeast-4 (Melbourne)

My Health Records Act 2012

Government PROTECTED data

Must remain in Australia

IRAP-assessed Australian regions

ISM, PSPF

Healthcare provider records

Recommended to remain in Australia

Australian regions for compliance

Privacy Act 1988, state health records acts

Personal information (APP 8)

Cross-border disclosure restrictions

Ensure recipient country has similar protections

Privacy Act 1988 - APP 8

Service Type

AWS Manages

Customer Manages

Infrastructure (EC2, VPC)

Physical security, hypervisor, network

OS, applications, data, IAM, firewall rules

Container (ECS, EKS)

Control plane, infrastructure

Container images, workloads, data

Managed (RDS, HealthLake)

OS, database engine, patching, backups

Data, encryption, access control, parameters

Serverless (Lambda, API Gateway)

Runtime, infrastructure, scaling

Code, data, permissions, configuration

ISM Control

Requirement

AWS Service

Implementation

IA-1: Identification & Authentication

Unique user identifiers for all users

IAM, Cognito

IAM users with unique names, Cognito user pools with MFA

IA-2: User Authentication

MFA for privileged and remote access

IAM MFA, Cognito MFA

Hardware/virtual MFA for IAM, TOTP for Cognito

AC-1: Access Control Policy

Least privilege access control

IAM Policies, SCPs

Fine-grained IAM policies, Service Control Policies

AU-1: Audit & Accountability

Comprehensive audit logging

CloudTrail, CloudWatch Logs

Multi-region CloudTrail, centralized log aggregation

AU-2: Audit Events

Log all security-relevant events

CloudTrail, VPC Flow Logs

Data events for S3, Lambda; Flow Logs for VPC

AU-3: Audit Retention

Minimum 7-year log retention

S3 Glacier, CloudWatch Logs

S3 lifecycle policies to Glacier, 7+ year retention

SC-8: Transmission Confidentiality

Encrypt data in transit

TLS, ACM, CloudFront

TLS 1.2+ enforced, ACM certificates, HTTPS-only

SC-12: Cryptographic Key Management

Secure key generation and storage

KMS, CloudHSM

CMKs with rotation, CloudHSM for FIPS 140-2 L3

SC-13: Cryptographic Protection

FIPS-validated cryptography

KMS, CloudHSM

FIPS 140-2 validated endpoints, CMKs

SI-2: Flaw Remediation

Security updates and patches

Systems Manager, Inspector

Automated patching, vulnerability scanning

SI-4: Information Monitoring

Monitor for security events

GuardDuty, Security Hub

GuardDuty threat detection, Security Hub findings

IR-4: Incident Handling

Incident response procedures

SNS, Lambda, Security Hub

Automated alerts, incident response playbooks

Data State

Requirement

AWS Implementation

ISM Reference

At Rest - FHIR Data

AES-256 encryption

HealthLake SSE-KMS, DynamoDB encryption, CMK rotation

SC-12, SC-13

At Rest - Backups

AES-256 encryption

S3 SSE-KMS, AWS Backup encryption

SC-12

In Transit - API

TLS 1.2 or higher

ALB/CloudFront TLS 1.2+, ACM certificates

SC-8

In Transit - Internal

TLS 1.2 or higher

VPC endpoints, private subnets, TLS enforcement

SC-8

Key Management

CMK with rotation, audit logging

KMS CMKs, annual rotation, CloudTrail logging

SC-12, AU-2

Control Area

Checklist Item

AWS Service

Status

Data Residency

Deploy in ap-southeast-2 or ap-southeast-4

All

☐

Encryption

KMS CMKs with rotation enabled

KMS

☐

Encryption

TLS 1.2+ enforced on all endpoints

ACM, CloudFront

☐

Access Control

MFA for all privileged users

IAM, Cognito

☐

Access Control

Least privilege IAM policies

IAM

☐

Audit

CloudTrail multi-region enabled

CloudTrail

☐

Audit

7+ year log retention configured

S3, Glacier

☐

Network

Private subnets for FHIR workloads

VPC

☐

Network

VPC endpoints for AWS services

VPC Endpoints

☐

Monitoring

GuardDuty enabled

GuardDuty

☐

Monitoring

Security Hub enabled

Security Hub

☐

Backup

Automated backups with encryption

AWS Backup

☐

Incident Response

Alerting configured for security events

SNS, Lambda

☐

Knowledge Tree

Security & Compliance for FHIR on AWS

Compliance is Shared

IRAP PROTECTED Assessment

IRAP Assessment Levels

AWS IRAP PROTECTED Services

IRAP Documentation

Key IRAP Controls for FHIR

AWS IRAP Assessment

Information Security Manual (ISM)

ISM Control Categories

Essential Eight Maturity Model

Essential Eight on AWS

Encryption Requirements

Information Security Manual

AWS Artifact: Compliance Documentation

Artifact Report Types

AWS Compliance Programs

Accessing Artifact Reports

NDA Requirements

AWS Artifact

AWS HIPAA Compliance

HIPAA-Eligible Services

Australian Data Residency

AWS Australian Regions

Data Residency Requirements

Privacy Act 1988 - APP 8

Cross-Region Replication

Notifiable Data Breaches (NDB) Scheme

OAIC NDB Scheme

Shared Responsibility Model

Responsibility Division

AWS Shared Responsibility Model

AWS Responsibility (Security OF the Cloud)

Customer Responsibility (Security IN the Cloud)

Common Misconception

Service-Specific Responsibility

AWS Well-Architected Security Pillar

ACSC Cloud Security Guidelines

Implementing IRAP Controls with AWS

Access Control Implementation

IRAP Access Control Flow

Audit & Accountability

IRAP Audit & Log Persistence Architecture

Encryption Implementation

IRAP Cryptographic Controls

Network Security

IRAP Network Boundary Protection

B2B Authentication Flow (NASH + OAuth 2.0)

B2B FHIR API authentication with NASH certificates

NASH PKI Requirement

Terraform: IRAP-Compliant Infrastructure

Terraform: VPC with Private Subnets

AWS Security Best Practices for Healthcare

NIST Cybersecurity Framework

IRAP PROTECTED Control Mapping

ASD ISM Controls to AWS Service Mapping

Data Sovereignty Requirements

Encryption Requirements

Audit Logging Architecture

Compliance Checklist

IRAP Assessment Process

AWS IRAP Assessment

AWS Artifact

Summary & Key Takeaways

Core Concepts Recap

Compliance Checklist

Next Steps

ASD ISM Controls Catalog

OAIC Privacy Act Guidance

Knowledge Check

Which AWS service maps to ISM control AU-1 (Audit & Accountability)?

Knowledge Tree

Security & Compliance for FHIR on AWS

Compliance is Shared

IRAP PROTECTED Assessment

IRAP Assessment Levels

AWS IRAP PROTECTED Services

IRAP Documentation

Key IRAP Controls for FHIR