Using the AWS Business Associates Agreement (BAA)

Overview of The Amazon Web Services BAA

Amazon Web Services (AWS) is an established public cloud provider with a number of security programs and certifications that clients can take advantage of.

Amazon’s Business Associates Addendum (also known as the Business Associates Agreement, or BAA) defines the HIPAA safeguards managed by AWS and breaks down how compliance responsibilities are split between the cloud platform and its clients. It is the client organization’s responsibility to make sure that it is properly fulfilling the agreement and managing its own security responsibilities to comply with HIPAA.

Healthcare organizations and companies that plan to utilize AWS cloud services with protected health information (PHI) must execute Amazon’s BAA.

What HIPAA Safeguards Does Amazon Manage Under The BAA

HIPAA requirements break into three core categories: Administrative Safeguards, Technical Safeguards, and Physical Safeguards.

Security and compliance in AWS follow a shared responsibility model, meaning that the security responsibilities for HIPAA compliance are shared between the client and the cloud provider. AWS has defined a number of HIPAA-eligible cloud services that are covered under the AWS BAA. Clients must ensure that PHI is only stored and processed in these eligible services.

AWS manages many of the physical safeguards for securing PHI. The AWS BAA details physical safeguards including physically locking servers and infrastructure and limiting employee access to physical machines.

What Are Your Responsibilities Under the Amazon BAA?

Just signing a BAA with AWS does not make an organization HIPAA compliant. AWS clients are responsible for specific administrative and technical safeguards to maintain compliance in Amazon Web Services. It is possible to utilize HIPAA-eligible services in AWS and still not be HIPAA compliant.

Organizations must adopt administrative policies and procedures to address administrative safeguards. Policies must include standard operating procedures for risk assessments, employee training, backup and recovery, and other system access policies.

Organizations must also implement the required technical safeguards and technical controls. This includes implementing solutions for disaster recovery (DR), audit logging, intrusion detection, and firewall/networking protections. AWS and third-party vendors provide many ways of implementing these requirements, but organizations must ensure that they have properly set up technical controls for every individual AWS service that will be handling PHI.

HIPAA Misconfigurations In AWS

When using AWS’ HIPAA-eligible services, cloud misconfigurations can cause an organization to be non-compliant with HIPAA. Consider the following examples:

  1. An organization has an S3 bucket containing patient protected health information. If this S3 bucket is publicly readable and writable by all, then a security breach may occur.
  2. An organization has different EC2 instances or services containing PHI. If a data volume attached to an instance is unencrypted or a port is left open to the public, a security breach could occur.

These examples can be solved by setting proper policies and enforcing proper security controls across the cloud account. Organizations must set a security baseline and consistently monitor AWS service settings to confirm that AWS services are configured and utilized in a secure and compliant manner. Dash Continuous Compliance Monitoring makes it easy for healthcare organizations to monitor AWS services and receive instant insight and notifications when cloud services fall out of compliance.
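The two examples above, expressed as a baseline check (added here; this is not Dash's, AWS's, or the page's own code). It evaluates records shaped like the responses of the S3 get_bucket_acl and EC2 describe_volumes / describe_security_groups API calls; the account snapshot is constructed so the check runs offline, and the function names and sample values are assumptions.

```python
"""Added example (not Dash's or AWS's code): baseline checks for the two
misconfigurations above, run offline over constructed records shaped like the
get_bucket_acl / describe_volumes / describe_security_groups API responses."""

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"   # S3 "everyone" grantee
PUBLIC_CIDRS = {"0.0.0.0/0", "::/0"}                              # the whole internet

def check_bucket_acl(name, acl):
    """Example 1: a bucket ACL granting any permission to AllUsers is public."""
    perms = sorted({g["Permission"] for g in acl.get("Grants", [])
                    if g.get("Grantee", {}).get("URI") == ALL_USERS})
    return [f"s3://{name}: ACL grants {', '.join(perms)} to AllUsers"] if perms else []

def check_volume(vol):
    """Example 2a: a data volume holding PHI must be encrypted at rest."""
    return [] if vol.get("Encrypted") else [f"{vol['VolumeId']}: not encrypted"]

def check_security_group(group):
    """Example 2b: any ingress rule reachable from 0.0.0.0/0 or ::/0 is a finding."""
    findings = []
    for rule in group.get("IpPermissions", []):
        cidrs = {r["CidrIp"] for r in rule.get("IpRanges", [])}
        cidrs |= {r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])}
        if cidrs & PUBLIC_CIDRS:   # a rule with no FromPort (protocol -1) covers all ports
            findings.append(f"{group['GroupId']}: port {rule.get('FromPort', 'all')} open to the internet")
    return findings

def audit(account):
    """Run every check over an account snapshot; an empty list means the baseline is met."""
    findings = [f for b in account["buckets"] for f in check_bucket_acl(b["Name"], b["Acl"])]
    findings += [f for v in account["volumes"] for f in check_volume(v)]
    findings += [f for g in account["security_groups"] for f in check_security_group(g)]
    return findings

# Constructed snapshot: one world-readable/writable bucket, one plaintext and one
# encrypted volume, one group with SSH open to the world and HTTPS limited to the VPC.
SAMPLE_ACCOUNT = {
    "buckets": [{"Name": "phi-exports", "Acl": {"Grants": [
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "WRITE"}]}}],
    "volumes": [{"VolumeId": "vol-phi-01", "Encrypted": False},
                {"VolumeId": "vol-phi-02", "Encrypted": True}],
    "security_groups": [{"GroupId": "sg-app", "IpPermissions": [
        {"FromPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"FromPort": 443, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]}],
}

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_ACCOUNT)) or "baseline met")
```

In a live account the same functions would be fed the paginated output of the corresponding boto3 calls, and run on a schedule so that a bucket or security group drifting out of the baseline is reported rather than discovered after a breach.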

Are Dedicated Instances Required for Complying with The AWS BAA?

Previously, Amazon Web Services required organizations to utilize only “Dedicated Instances” when building HIPAA compliant services. This made HIPAA compliant workloads considerably costlier. Startups and organizations that did not have large-scale offerings had a difficult time building HIPAA compliant services in AWS.

In May 2017, AWS announced the removal of this dedicated instance requirement, meaning that organizations can leverage the AWS HIPAA security program with any instance size. Organizations can now use EC2 instances of any size alongside the many other HIPAA-eligible services when building HIPAA compliant applications in AWS.

Building HIPAA Compliant Services In AWS

AWS offers a lot of flexibility when building healthcare services. Signing the AWS BAA is the first step when creating compliant workloads. Once it is executed, it is your organization’s job to ensure that administrative policies and technical controls are in place. Utilizing a service like Dash Compliance Automation makes it easy to establish a HIPAA security plan and maintain compliance across AWS services. Dash allows organizations to create custom HIPAA administrative policies and manage compliance issues through continuous compliance monitoring.

It is important to remember that HIPAA is not a one-time item that stops after signing a business associates agreement. It is your team’s responsibility to continually maintain HIPAA safeguards across your organization and infrastructure.