AWS – Is It HIPAA Compliant?
Is Amazon Web Services (AWS) HIPAA compliant? This is a question that many healthcare providers have a hard time finding a real answer to. We at LuxSci have put in the effort to answer the question once and for all. Hopefully, you’ll find it helpful.
To begin with, AWS definitely includes features that can be used to help you meet all of the requirements of the HIPAA Security Rule. Amazon will even sign a BAA (Business Associate Agreement) with healthcare customers.
All of this can create the impression that using AWS is automatically HIPAA compliant. However, this isn’t the whole story.
You see, it is still very easy to make information architecture or configuration mistakes that leave data (in this case, electronic Protected Health Information, or ePHI) exposed to unauthorized access, which is a clear HIPAA violation. It is also easy to omit security controls, such as access auditing, logging, backups, and encryption, that are essential for compliance.
Understanding the confusion
Amazon obviously supports HIPAA compliance and ensures that AWS can be leveraged in a way that is compliant. But, the cold hard truth at the end of the day is that AWS is simply a cloud-based platform, and like any flexible platform, compliance isn’t enforced. Compliance ultimately boils down to exactly how you use the service.
For instance, let’s look at S3 (the Simple Storage Service). AWS offers S3 to help with data storage, data sharing, and so on. As long as you are connected to the internet, you can access S3-stored data. Of course, AWS’s data centers are secure and the systems holding the data are secure; however, Amazon also needs to make the data easy to access no matter what your particular business and software requirements are. This is where the whole configuration thing comes into play.
S3 is secure as long as the data is stored properly, only the right people have access to it, and you track access as needed. One mistake in the way permissions are set or access is configured is all it takes for the data to end up being exposed.
So, S3 isn’t immune to risk and therefore cannot guarantee HIPAA compliance. If you were to leave S3 buckets unprotected and open to free access, you’d be in violation of HIPAA’s rules — and this has definitely happened! So, make sure your S3 buckets are secured. Some of the latest breaches at healthcare companies using AWS have been due to PHI being left open to free access.
S3 buckets offer all the security options you need. However, it is completely up to you to enable and properly employ the features needed for your particular application’s security.
S3 is also one of the simpler of Amazon’s services — others through which ePHI may flow or in which ePHI may be stored are much more complicated and require deeper levels of understanding with respect to security-related choices to prevent compliance issues.
Easier said than done
As soon as you sign a BAA for AWS, you agree that you have gone through Amazon’s instructions for proper use of the service. This includes agreeing to set access controls and permissions properly. If you don’t get the configuration right, Amazon will not be held responsible. On the contrary, it is you who will be answering for the HIPAA violation.
AWS makes things easier by providing all the necessary documentation to ensure proper configuration. However, there are multiple ways to grant access and set permissions, which means there are several points where a single misconfiguration can expose data. Additionally, it requires software engineers skilled in security and familiar with HIPAA compliance to take AWS’s recommendations and build a compliant solution on top of AWS.
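To make the S3 points above concrete (both the "enable the features yourself" point and the "get the permissions right" point), here is an added example of the kind of configuration audit a reviewer would run before putting ePHI in a bucket. It is not LuxSci’s or AWS’s code; the bucket name, role ARN, policies and control states are constructed placeholders, the public-policy rule is a deliberately simplified reading of the AWS definition, and it uses only the standard library so it runs offline without an AWS account.

```python
"""Audit helpers for S3 bucket configuration (added example, not from the post).
The policy check is a simplified version of the AWS "public" rule and errs
toward under-reporting; the inputs are constructed, not captured from an account."""
import json

# --- constructed sample input (placeholders, not real resources) -------------
BUCKET = "example-phi-bucket"
APP_ROLE = "arn:aws:iam::123456789012:role/example-app-role"

# An over-permissive bucket policy: anonymous read of every object.
OPEN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": f"arn:aws:s3:::{BUCKET}/*",
    }],
}

# Two Block Public Access settings, in the shape GetPublicAccessBlock returns.
BPA_OFF = {"BlockPublicAcls": False, "IgnorePublicAcls": False,
           "BlockPublicPolicy": False, "RestrictPublicBuckets": False}
BPA_ON = {key: True for key in BPA_OFF}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_is_anonymous(principal):
    """True for Principal "*" or {"AWS": "*"}, the forms that grant anonymous access."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def statement_is_public(stmt):
    """Simplified rule: an Allow to the anonymous principal with no Condition
    block is public. AWS also treats some conditioned statements as public."""
    return (stmt.get("Effect") == "Allow"
            and _principal_is_anonymous(stmt.get("Principal"))
            and "Condition" not in stmt)


def public_statements(policy):
    """Sids of the statements in a policy document that grant anonymous access."""
    return [s.get("Sid", "<unnamed>")
            for s in _as_list(policy.get("Statement", []))
            if statement_is_public(s)]


def bucket_exposed_by_policy(policy, public_access_block):
    """With RestrictPublicBuckets on, S3 ignores public grants in the bucket
    policy, so a public statement only exposes data when that setting is off."""
    if public_access_block.get("RestrictPublicBuckets"):
        return False
    return bool(public_statements(policy))


def hardened_policy(bucket, role_arn):
    """Policy that grants object access to one role only and denies plaintext
    transport and unencrypted uploads. aws:SecureTransport and
    s3:x-amz-server-side-encryption are standard IAM condition keys."""
    arn = f"arn:aws:s3:::{bucket}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "AppRoleObjectAccess", "Effect": "Allow",
             "Principal": {"AWS": role_arn},
             "Action": ["s3:GetObject", "s3:PutObject"],
             "Resource": f"{arn}/*"},
            {"Sid": "DenyInsecureTransport", "Effect": "Deny",
             "Principal": "*", "Action": "s3:*",
             "Resource": [arn, f"{arn}/*"],
             "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
            {"Sid": "DenyUnencryptedUploads", "Effect": "Deny",
             "Principal": "*", "Action": "s3:PutObject",
             "Resource": f"{arn}/*",
             "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}}},
        ],
    }


# Controls the post lists as essential, keyed by a constructed bucket-state dict.
REQUIRED_CONTROLS = ("default_encryption", "access_logging", "versioning")


def missing_controls(bucket_state):
    """Return the required controls that are not enabled in bucket_state."""
    return [name for name in REQUIRED_CONTROLS if not bucket_state.get(name)]


if __name__ == "__main__":
    print("open policy, BPA off:", bucket_exposed_by_policy(OPEN_POLICY, BPA_OFF))
    print("open policy, BPA on: ", bucket_exposed_by_policy(OPEN_POLICY, BPA_ON))
    print(json.dumps(hardened_policy(BUCKET, APP_ROLE), indent=2))
    print("missing controls:", missing_controls({"default_encryption": True}))
```

The two Deny statements are the part worth copying: the transport deny blocks any plaintext request regardless of who makes it, and the upload deny rejects objects written without a server-side-encryption header. That second statement assumes clients set the header explicitly; a bucket that relies on default encryption instead should enforce it through the bucket encryption configuration rather than this condition. The `missing_controls` check is a reminder that a clean policy is not enough on its own, since logging, encryption and versioning (as a backup control) are all separate settings that are off unless you turn them on.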
Many AWS S3 buckets have been found in an unprotected state by security researchers, who have then gone on to alert the healthcare organizations that their PHI has been left exposed. If researchers can find exposed PHI, so can hackers. To make things worse, it is much easier to steal via the cloud than through any other method: hackers just need the data to be exposed.
So, in short, AWS is not as HIPAA compliant as you want it to be. In fact, it is hardly HIPAA compliant. The only things that AWS offers are services that allow for HIPAA compliance. But, most of the compliance work needs to come from your side. This is analogous to purchasing web hosting services from a HIPAA-compliant web hosting provider. The provider gives you an environment that is compliant, but it is up to you to do the right things in that environment; doing the “right things” requires experience.
Needless to say, this is confusing for healthcare organizations that simply want cloud services that are efficient and secure, and that are not completely dependent on the user to ensure HIPAA compliance.
For those without extensive experience in software development, security, and compliance, it is best to look to security providers that build on top of AWS and similar systems. They, like LuxSci, do more of the security and compliance work, so you have less to worry about.