# Access Control Policy
HIPAA Rule: §164.308(a)(3), §164.312(a)(1), §164.312(a)(2)
## Purpose
Define how access to PHI systems and data is granted, managed, reviewed, and revoked.
## Principles
- Least privilege: Users and systems receive only the minimum access required.
- Unique user IDs: No shared accounts. Each user has a unique IAM identity.
- Role-based access: Access is granted via IAM roles/groups, not individual user policies.
- MFA required: All human IAM users must use MFA. Because the requirement is enforced by an Organization-level SCP, it applies to CLI/API sessions as well as console logins.
- Automatic access review: Unused-access findings from IAM Access Analyzer (unused roles, access keys, console passwords and unused permissions) are reviewed quarterly, and access that is no longer needed is revoked.
## AWS IAM Standards

| Requirement | Implementation |
|---|---|
| MFA for all users | SCP `require-mfa.json` attached at the Organization level denies actions by IAM users that do not have an MFA-authenticated session |
| No root user usage | Root user has no access keys and MFA is enabled; root is not used for day-to-day operations |
| No long-lived access keys | Humans and workloads use IAM roles (temporary credentials); any remaining IAM user access key is rotated at least every 90 days |
| Least-privilege policies | IAM role permission policies are scoped to the specific resources and actions the role needs |
| Cross-account access | Only via `sts:AssumeRole` into a scoped role (NVS → NHC); no IAM users or access keys are created in NHC for NVS staff |
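The page names `require-mfa.json` but does not reproduce it. The following is an added example of such an SCP (not the project's own file), modeled on the AWS-documented pattern of denying everything except MFA enrollment when no MFA is present. The `aws:PrincipalType` condition is an assumption added here so that the deny applies only to IAM users; without it the same statement would also deny every role session that is not MFA-authenticated (EC2 instance profiles, service roles, the NVS → NHC assumed role), which would break workloads.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyIamUsersWithoutMfaExceptEnrollment",
      "Effect": "Deny",
      "NotAction": [
        "iam:ChangePassword",
        "iam:CreateVirtualMFADevice",
        "iam:EnableMFADevice",
        "iam:GetUser",
        "iam:ListMFADevices",
        "iam:ListVirtualMFADevices",
        "iam:ResyncMFADevice",
        "sts:GetSessionToken"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": { "aws:PrincipalType": "User" },
        "BoolIfExists": { "aws:MultiFactorAuthPresent": "false" }
      }
    }
  ]
}
```

`BoolIfExists` is the important operator: requests signed with long-term access keys do not carry `aws:MultiFactorAuthPresent` at all, and a plain `Bool` would let them through; `BoolIfExists` treats the missing key as matching `"false"`. The `NotAction` list leaves a user just enough access to enrol a device and obtain an MFA session with `sts:GetSessionToken`. Two caveats: SCPs never apply to the management account, so human access there must be controlled another way, and an SCP only restricts, so the default `FullAWSAccess` SCP (or an equivalent Allow) must still be attached for any access to be granted. Attach it to a test OU before the Organization root.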
## Access Request Process

- Access request submitted to DevOps team (Slack / ticketing system)
- DevOps reviews the request against the least-privilege principle
- Access is granted by assigning the requester to the IAM role/group that carries the permissions (no policies attached directly to the user)
- Access reviewed and revoked when no longer needed (offboarding checklist)
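For the cross-account case (the NVS → NHC scoped role in the standards table, assigned through the process above), the control point is the trust policy on the role in the NHC account. The following is an added example, not the project's own policy; the account ID `111111111111` (NVS) is a placeholder, and the requirement that the caller present an MFA-authenticated session is an assumption consistent with the MFA principle above.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowNvsPrincipalsWithMfaToAssume",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::111111111111:root" },
      "Action": "sts:AssumeRole",
      "Condition": {
        "Bool": { "aws:MultiFactorAuthPresent": "true" }
      }
    }
  ]
}
```

The `:root` principal means "any principal in account 111111111111 whose own IAM policies allow `sts:AssumeRole` on this role", so the NVS side still has to grant that action on the role ARN to the specific DevOps role or group, which is where the per-person assignment from the request process lands. The MFA condition rejects callers whose session was not MFA-authenticated, including instance-profile credentials, so automation in NVS cannot use this path. The permissions the session actually gets come from the role's permission policy, which is scoped per the least-privilege row of the standards table.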
## Privileged Access

- Admin access to the NHC account is "break-glass" only
- Every use of break-glass access is logged via CloudTrail (the `sts:AssumeRole` event and all actions taken in the session)
- SSM Session Manager is used for all interactive EC2 access (no SSH keys distributed, no inbound SSH required); who may start sessions is controlled by IAM (`ssm:StartSession` on the instance resources)
## Automatic Logoff

- AWS Console sessions: role maximum session duration is set to 1 hour, so assumed-role console sessions expire after 1 hour and require re-authentication (the console has no separate idle-timeout setting)
- Application sessions: Django and Laravel session timeouts must be ≤ 30 minutes of inactivity. Django: `SESSION_COOKIE_AGE = 1800` together with `SESSION_SAVE_EVERY_REQUEST = True` (without the latter, the 30 minutes count from when the session was last saved, typically login, not from last activity). Laravel: `lifetime` of 30 in `config/session.php` (`SESSION_LIFETIME=30`), which Laravel applies as an idle timeout.
## Access Review Schedule
| Scope | Frequency | Owner |
|---|---|---|
| IAM user list | Quarterly | DevOps |
| IAM role permissions | Quarterly | DevOps |
| EC2 SSM session access | Quarterly | DevOps |
| Application user accounts | Semi-annual | App team |
## Sanctions
Unauthorized access to PHI systems results in immediate access revocation and review per the Incident Response Plan.