Learn how healthcare organizations are using Amazon Web Services with protected health information (PHI)
Amazon Web Services (AWS) currently offers a business associate addendum (BAA) and a list of “HIPAA-eligible” services that organizations can use to build HIPAA compliant applications in AWS. The BAA is executed by AWS and the customer and outlines how security responsibilities are divided between the cloud provider and the cloud customer.
Most cloud providers, including AWS, operate under a shared responsibility model for HIPAA security standards. Under this model, AWS addresses the physical safeguards for its data centers and underlying infrastructure, but your team must configure the technical and administrative safeguards required under HIPAA.
While AWS offers a BAA and has many security services, it is up to your organization to architect HIPAA compliant applications and ensure that your AWS cloud environment is compliant with HIPAA standards detailed below.
AWS provides security certifications and attestations that can jumpstart an organization’s compliance efforts, and a Business Associate Agreement that outlines HIPAA security responsibilities for the cloud provider and the cloud customer. Under the AWS BAA, AWS provides customers with specific physical and technical safeguards such as:
AWS lets organizations provision and scale cloud infrastructure on demand. This gives DevOps teams and security staff considerable flexibility in how security is configured. Individual AWS services expose settings that address security standards including:
While AWS handles the physical safeguards required by HIPAA, it is the cloud customer’s responsibility to implement all remaining administrative and technical safeguards.
HIPAA requires organizations to implement specific administrative policies and procedures for security compliance. Organizations should build policies that fit their staff structure and technology stack. Policies should be written realistically and must be reviewed and updated on a periodic basis.
Administrative policies must address processes and standards including:
In addition to adopting administrative policies, organizations must ensure that proper technical controls and security safeguards are in place for each individual cloud resource in order to achieve HIPAA compliance. For example:
These security settings differ from service to service. Teams must ensure that security controls are properly implemented and enforced across every cloud service in use, and that they are applied whenever new resources are created or existing services are modified. Organizations can maintain the integrity of these controls by implementing a process for continuous compliance monitoring.
Teams can learn more about architecting HIPAA Compliant AWS services, in our AWS HIPAA Whitepaper.
After an organization has signed a BAA with AWS, it is responsible for building a HIPAA security program that includes administrative policies and technical safeguards. An organization may fall out of HIPAA compliance in AWS due to the following issues.
Organizations must adopt administrative policies and follow through on their procedures, such as performing annual risk assessments, reviewing system logs, reviewing user access to PHI, and performing employee training. Lack of documentation and administrative follow-through can cause the organization to fall out of compliance.
If an AWS service is misconfigured or has incorrect security settings, the organization could fall out of compliance. For example, DevOps and security staff must ensure that S3 buckets containing PHI are not open to the public, where they would be susceptible to a security breach.
Organizations may only store and/or process PHI in AWS services on the “HIPAA-eligible” service list. While this list is fairly comprehensive, teams must ensure that PHI is handled only by HIPAA-eligible services, or risk not complying with HIPAA regulations.
Amazon Web Services (AWS) provides many scalable and cost-efficient cloud services for quickly building applications. For organizations operating in the healthcare industry, there are specific security responsibilities teams must fulfill to achieve and maintain HIPAA compliance in AWS.
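The public-bucket check described above, as an added example that is not part of the original page and is not Dash ComplyOps or AWS code. It evaluates bucket configuration offline: the bucket names, the sample role ARN and the three configurations are constructed for illustration, and the dicts are assumed to have the shape boto3 returns from `get_public_access_block`, `get_bucket_policy` and `get_bucket_acl` (in a real scan those calls would supply them). A bucket is reported when its account-level public access block is incomplete, when its policy contains an unconditional Allow for any principal, or when its ACL grants access to the AllUsers or AuthenticatedUsers group:

```python
"""Offline check of S3 bucket configuration for PHI buckets exposed to the public.

Added example: configuration dicts are constructed inline, shaped like the
responses of boto3's get_public_access_block / get_bucket_policy / get_bucket_acl
(an assumption; no AWS calls are made here).
"""
import json

# Grantee group URIs in an S3 ACL that make a bucket world- or all-AWS-users-readable.
PUBLIC_ACL_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
# All four flags must be on for "Block Public Access" to be considered complete.
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def _principal_is_wildcard(principal) -> bool:
    """True for Principal "*" or {"AWS": "*"} (or an AWS list containing "*")."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def public_policy_statements(policy_json: str) -> list:
    """Sids (or positional labels) of Allow statements open to any principal with no Condition.

    Statements with a Condition (e.g. aws:SourceVpce) are not unconditionally public and
    are left for manual review rather than flagged here.
    """
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be written as an object
        statements = [statements]
    found = []
    for i, stmt in enumerate(statements):
        if (stmt.get("Effect") == "Allow" and _principal_is_wildcard(stmt.get("Principal"))
                and not stmt.get("Condition")):
            found.append(stmt.get("Sid", f"Statement[{i}]"))
    return found


def public_acl_grants(acl: dict) -> list:
    """Group URIs in the ACL that grant access to everyone or to all authenticated AWS users."""
    return [g["Grantee"].get("URI") for g in acl.get("Grants", [])
            if g["Grantee"].get("Type") == "Group" and g["Grantee"].get("URI") in PUBLIC_ACL_GROUPS]


def evaluate_bucket(name, public_access_block, policy_json=None, acl=None) -> list:
    """Return a list of human-readable findings; an empty list means no public exposure found."""
    findings = []
    missing = [f for f in PAB_FLAGS if not (public_access_block or {}).get(f)]
    if missing:
        findings.append(f"{name}: public access block incomplete (off: {', '.join(missing)})")
    # A public policy is reported even when RestrictPublicBuckets would currently
    # neutralize it: the latent grant becomes live the moment the flag is switched off.
    if policy_json:
        for sid in public_policy_statements(policy_json):
            findings.append(f"{name}: bucket policy statement {sid} allows any principal")
    if acl:
        for uri in public_acl_grants(acl):
            findings.append(f"{name}: ACL grants access to {uri}")
    return findings


# Constructed sample inventory: one correctly locked-down PHI bucket and two misconfigured ones.
SAMPLE_BUCKETS = [
    {"name": "phi-records-prod",
     "public_access_block": dict.fromkeys(PAB_FLAGS, True),
     "policy_json": json.dumps({"Version": "2012-10-17", "Statement": [
         {"Sid": "AppRoleOnly", "Effect": "Allow",
          "Principal": {"AWS": "arn:aws:iam::123456789012:role/phi-app"},  # made-up role
          "Action": "s3:GetObject", "Resource": "arn:aws:s3:::phi-records-prod/*"}]}),
     "acl": {"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner"},
                         "Permission": "FULL_CONTROL"}]}},
    {"name": "phi-exports",
     "public_access_block": dict.fromkeys(PAB_FLAGS, False),
     "policy_json": json.dumps({"Version": "2012-10-17", "Statement": [
         {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
          "Action": "s3:GetObject", "Resource": "arn:aws:s3:::phi-exports/*"}]}),
     "acl": None},
    {"name": "lab-results-archive",
     "public_access_block": {"BlockPublicAcls": True, "IgnorePublicAcls": False,
                             "BlockPublicPolicy": True, "RestrictPublicBuckets": True},
     "policy_json": None,
     "acl": {"Grants": [{"Grantee": {"Type": "Group",
                                     "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
                         "Permission": "READ"}]}},
]


def scan_buckets(buckets=SAMPLE_BUCKETS) -> dict:
    """Map each bucket name to its findings, the shape a continuous-monitoring job would report."""
    return {b["name"]: evaluate_bucket(b["name"], b["public_access_block"],
                                       b["policy_json"], b["acl"]) for b in buckets}


if __name__ == "__main__":
    for bucket, findings in scan_buckets().items():
        print(bucket, "OK" if not findings else "")
        for finding in findings:
            print("  -", finding)
```

Run on a schedule against the live inventory, the same function turns a one-time review into the continuous compliance monitoring the page calls for; the account-level S3 Block Public Access setting (`get_public_access_block` on the `s3control` client, also a real boto3 call) is worth checking in the same job, since it overrides per-bucket settings.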
Dash ComplyOps provides teams with a compliance management solution for building custom administrative policies, setting cloud security controls, and enforcing policies via continuous compliance monitoring. Dash can be easily deployed to your cloud environment via the AWS Marketplace and used to build a robust AWS HIPAA security program.
Dash is comprised of cloud and healthcare compliance experts and is an AWS Advanced Technology Partner and Healthcare Competency Partner. Learn how your team can leverage Dash ComplyOps to rapidly achieve HIPAA compliance in AWS.
Deploy Dash ComplyOps into your Amazon Web Services (AWS) account via the AWS Marketplace.
Establish custom administrative policies, set technical controls across cloud services, and customize your security plan.
ComplyOps scans and monitors your cloud services, detects HIPAA compliance issues, and helps resolve compliance concerns.
Build Your AWS Cloud Security Program