Learn how healthcare organizations are using Amazon Web Services with protected health information (PHI)
Amazon Web Services (AWS) currently provides a business associates addendum (BAA) and many “HIPAA-eligible” services that organizations can leverage in order to build HIPAA compliant application in AWS. This BAA is signed and executed by AWS and outlines how security responsibilities are divided by the cloud provider and the cloud customer.
Most cloud providers, including AWS operate under a cloud shared responsibility model for managing HIPAA security standards. Under this model, AWS addresses many physical safeguards, but your team must configure proper technical and administrative safeguards required under HIPAA.
While AWS offers a BAA and has many security services, it is up to your organization to architect HIPAA compliant applications and ensure that your AWS cloud environment is compliant with HIPAA standards detailed below.
AWS provides security certifications and attestations that can jumpstart an organization’s compliance efforts, and provides a Business Associates’ Agreement that outlines HIPAA security responsibilities for the cloud provider and the cloud customer. Under the AWS BAA, Amazon provides customers with specific physical and technical safeguards such as:
AWS provides organizations with the ability to freely provision and scale cloud infrastructure. These cloud services provide DevOps teams and security staff with a lot of flexibility around security configuration. Individual AWS services have settings available to address security standards including:
While AWS handles many of physical safeguards required by HIPAA, it is the cloud customers responsibilities to implement all remaining administrative and technical safeguards.
HIPAA requires that organizations implement specific administrative policies and procedures for security compliance. Organizations should build policies around meet their staff structure and technology stack. Policies should be written in a realistic manner and must be reviewed and updated on a periodic basis.
Administrative policies must address process and standards including:
In addition to adopting administrative policies, organizations must ensure that proper technical controls and security safeguards are in place for each individual cloud resource in order to achieve HIPAA compliance. For example:
These security settings may be different depending on the cloud service. Teams must ensure that security controls are properly implemented and enforced across cloud services. Security standards need to be applied when new resources are created, and services are modified. Organizations can ensure the integrity of security controls by implementing a process for continuous compliance monitoring.
Teams can learn more about architecting HIPAA Compliant AWS services, in our AWS HIPAA Whitepaper.
After an organization has signed a BAA with AWS, they are responsible for building a HIPAA security program that includes administrative policies and technical safeguards. An organization may not be compliant with HIPAA in AWS due to the following issues.
Organizations must adopt administrative policies and follow through on policy procedures such as performing annual risk assessments, reviewing system logs, reviewing user access to PHI, and performing employee training. Lack of documentation and administrative follow through could cause the organization into falling out of compliance.
If an AWS cloud service is misconfigured or has incorrect security settings the organization could fall out of compliance. For example, DevOps and security staff must ensure that S3 buckets with PHI are not opened to the public. and be suspectable to a security breaches.
Organizations may only store and/or process PHI within AWS cloud services on the “HIPAA-eligible” service list. While this list is pretty comprehensive, teams must ensure they utilize PHI only in HIPAA-eligible services or risk not being compliant with HIPAA regulations.
Amazon Web Services (AWS) provides many scalable and price efficient cloud services to quickly build applications and services. For organizations operating in the healthcare industry there are specific security responsibilities teams must put in place to achieve and maintain HIPAA compliance in AWS.
Dash ComplyOps provides teams with a compliance management solution for building custom administrative policies, setting cloud security controls, and enforcing policies via continuous compliance monitoring. Dash can be easy deployed to your cloud environment via the AWS Marketplace and utilized to build a robust AWS HIPAA security program.
Dash is comprised of cloud and healthcare compliance experts an AWS Advanced Technology Partner and Healthcare Competency Partner. Learn how your team can leverage Dash ComplyOps can rapidly achieve HIPAA compliance in AWS.
Deploy Dash ComplyOps into your Amazon Web Services (AWS) account via the AWS Marketplace.
Build Your AWS Cloud Security Program