Is AWS HIPAA Compliant?

Whether you’re providing technical support to healthcare providers, or you are directly employed by a healthcare organization, you’ve probably wondered about cloud technology and HIPAA compliance.

In this article, we’ll discuss the particulars of Amazon Web Services and whether Amazon’s cloud service complies with HIPAA regulations. 

If you’re not familiar with HIPAA, I suggest checking out this introductory article by ComplianceHome.

Amazon, AWS and ensuring HIPAA compliance  

Amazon does it’s best to promote Amazon Web Services (AWS) as being HIPAA compliant. Butwhilst Amazon have made it possible for AWS to fully comply with HIPAA, it is down to the healthcare providers, their staff and any outside contractors employed by the healthcare organization to make sure HIPAA guidelines are met.  By law, healthcare providers have to protect Personal Health Information (PHI), otherwise the US Department of Health & Human Services (HHS) can take action against those that fail to do so. HHS recommends that organizations regularly check the security of systems linked to HIPAA, that users and staff are provided with HIPAA training, and that access is restricted. Neither Amazon nor AWS are responsible for meeting HIPAA requirements but healthcare providers are. 

Healthcare providers that use AWS need to review the following to comply with HIPAA:

  • Who has access?
  • Is encryption available?
  • Can data be transferred securely?
  • Who are the authenticated users?
  • Are users fully audited?
  • The security of transactions?

Which AWS services are compliant with HIPAA? 

It is possible to make AWS fully compliant using S3 bucket, RDS or ES2 instances as long as these are used correctly.

While AWS can become HIPAA compliant by using any of these sytes, the exact security strategy required will depend on the size of the organization, what information it gathers and how it is stored after use. To make AWS secure enough to meet HIPAA compliance criteria here are some pointers:

  • If RDS is running with AWS make sure that it has been encrypted through keys in the AWS Key Management system (the AWS KMS)
  • It is best practice to encrypt data at rest in AWS by the use of a full level encryption 
  • Provide yourself with the ability to have an audit trail in AWS by configuring Virtual Private Crowd access logs to view all instances involving PHI. 
  • If needed force the connections using HTTPS when using PHI, which is stored in S3 buckets

When AWS is not compliant with HIPAA?

For AWS with a S3 bucket, you can consider yourself HIPAA compliant after a BAA has been signed, all users have been shown how to use the system correctly, and when all permissions and access have been set properly. 

If these thingsare not set up correctly then all of the information can be accessed by anybody who has the knowledge to look in the right places. Information is easily available on the correct way to set up S3 services to effectively manage both access and permissions. However, as there are a few different methods to provide permissions there are equally several points when mistakes can be made. Even a small mistake can have dire consequences in terms of AWS failing to comply with HIPAA. 

There have been many times when security reserchers have tested the S3 buckets of healthcare providers they have found the PHI data to be unprotected. Yet security experts are not the only ones that can find unprotected data, hackers will find it too. Hackers have no problems getting into cloud storage such as AWS especially when permissions are so easy to obtain. 

A common mistake repeatedly made is setting access for all authenticated users. Companies and organizations assume wrongly that only means the users they give permission to. The problem is that Amazon regard an authenticated user as being any individual that has an AWS account, and anybody can apply for a free account. 

Amazon recently emailed companies it regarded at been at the greatest risk of misconfiguring for S3 buckets. Theywarned these companies to check their settings and restrict access so that people outside their organization cannot gain access to unprotected data. 

There have been some very large breeches of security regarding S3 AWS buckets and some were by healthcare providers. These loses of data have sometimes risked the private information of millions of customers or patients. A company failed to protect the data of 200 million voters, while another company that has to comply with HIPAA left 47GB exposed. 

There are simple ways to check for these risks, and just as simple fixes available. 

AWS Parameter Store 

Amazon has developed and made available AWS manager systems and all organizations should usethese systems. Using the manager systems will drastically reduce the risk of data losses and failing to comply with HIPAA.  

Those that want to be certain their AWS is completely secure should go to the Parameter Store. The good thing about the Parameter store is that everything is free and the assistance will ensure that your organization will comply with HIPAA by using it.