In this article, we’ll go through the facets of Amazon Web Services and whether Amazon’s cloud service adheres with HIPAA regulations.
Amazon markets Amazon Web Services (AWS) as HIPAA compliant. However, while Amazon has made it possible for AWS to fully adhere with HIPAA, it is down to the healthcare providers, their staff and any outside contractors employed by the healthcare outfit to make ensure HIPAA guidelines are complied with. Under the legislation, healthcare providers have to protect Personal Health Information (PHI), otherwise, the US Department of Health & Human Services (HHS) can take action against those that fail to do so. HHS recommends that outfits regularly review the security of systems connected to HIPAA, that users and staff are provided with HIPAA training, and that access is limited.
Healthcare providers that use AWS need to investigate the following to adhere with HIPAA:
- Who can access it?
- Can encryption be enabled?
- Can data be shared securely?
- Who is authenticated as a user of the database?
- Will users be completely audited?
- How safe are transactions?
AWS can be made fully compliant using S3 bucket, RDS or ES2 instances as long as these are used properly.
While AWS can be made HIPAA compliant by using any of these sites, the exact security strategy required will depend on the size of the group, what information it collects and how it is stored following use. To make AWS safe enough to meet HIPAA compliance criteria here are some pointers:
- If RDS is operating with AWS ensure that it has been encrypted through keys in the AWS Key Management system (the AWS KMS)
- You should encrypt data at rest in AWS via full level encryption
- Implement an audit trail in AWS by configuring Virtual Private Crowd access logs to view all instances involving PHI.
- Run connections through HTTPS when using PHI
For AWS operating with an S3 bucket, you can think of yourself as HIPAA compliant after a BAA has been completed, all users have been shown how to use the system properly, and when all permissions and access have been set correctly.
If these things are not configured properly then all of the information can be accessed by anybody who has the knowledge to look in the right places. Data that is easily available on the correct way to set up S3 services to effectively monitor both access and permissions. However, as there are a few different ways to provide permissions there are equally several points when errors can be made.
Amazon has created and made available AWS manager systems and all outfits should use these systems. Using the management systems will greatly reduce the risk of data losses and failing to adhere to HIPAA.
Those that wish to be certain their AWS is completely secure should visit the Parameter Store. Here everything is free and the assistance will ensure that your organization will comply with HIPAA by availing of it.