Amazon S3 can be used in a HIPAA compliant manner alongside other AWS services. Read about necessary security configuration for S3.
Amazon S3 is listed as a HIPAA-eligible service by Amazon Web Services (AWS), meaning that it can be configured and used in a HIPAA compliant manner. That said, your organization is responsible for managing specific administrative and technical requirements under the AWS Cloud Shared Responsibility Model. Simply using a HIPAA-eligible service from Amazon does not make your organization compliant. It is possible to build on HIPAA-eligible services and still not be in compliance with HIPAA.
Under the shared responsibility model, AWS manages the physical requirements of HIPAA, such as securing its facilities and limiting employee access to them.
Steps for HIPAA Compliance in S3
Your organization should consider the following steps, when building on Amazon S3, as well as other AWS cloud services.
Sign The AWS BAA
When configuring AWS cloud services in a HIPAA compliant manner, your organization must first sign a Business Associates Agreement (BAA) with AWS. This agreement will lay out the responsibilities your organization must manage and that AWS must manage.
Set Administrative Policies
Organizations must create and manage HIPAA administrative policies. Additionally, organizations must conduct an annual risk assessment and perform periodic reviews of all policies, procedures, and technical implementation. Essential compliance policies include:
- Risk Management
- Staff Roles
- Disaster Recovery
- Vulnerability Scanning
- Employee Training, and more.
These policies define which individuals will be responsible for managing the technical implementation and the organization's security plan. The Dash platform can generate customized administrative policies.
Set Technical Controls
Alongside Administrative Policies, your organization must implement technical safeguards such as proper user authentication, audit logging, vulnerability scanning, and backup and recovery.
HIPAA compliance reaches far beyond S3 alone. For your AWS account as a whole, your team should determine the best architecture and solutions for logging, backup, and other technical controls. S3 technical implementation should include the following:
- S3 Versioning should be implemented
- S3 Buckets should be replicated or backed up
- S3 Buckets with PHI should not be “Public” or available to everyone
- S3 Read/Write Access should be limited to only those necessary
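The four S3 items above can be checked mechanically rather than by eye. The following is an added example written for this page, not code from the original article or from Dash: it takes a bucket's settings as plain dicts shaped like the responses of the boto3 S3 client calls get_bucket_versioning, get_public_access_block, get_bucket_replication and get_bucket_policy (the policy as its JSON string) and reports which controls fail. The bucket names, account id and policies are constructed placeholders, and nothing here calls AWS, so it runs offline.

```python
"""Evaluate an S3 bucket's settings against the four controls listed above.

Added example, not part of the original article. Inputs are dicts shaped like
boto3 S3 client responses; the two sample buckets at the bottom are constructed.
"""
import json


def versioning_enabled(versioning):
    # get_bucket_versioning returns no "Status" key for a bucket that has never
    # had versioning turned on, and "Suspended" once it has been turned off.
    return versioning.get("Status") == "Enabled"


def replication_enabled(replication):
    # get_bucket_replication raises ReplicationConfigurationNotFoundError when
    # no configuration exists; the caller passes {} in that case.
    rules = replication.get("ReplicationConfiguration", {}).get("Rules", [])
    return any(rule.get("Status") == "Enabled" for rule in rules)


def public_access_blocked(pab):
    # All four settings must be on; a missing or False value leaves a gap.
    cfg = pab.get("PublicAccessBlockConfiguration", {})
    return all(cfg.get(k) is True for k in (
        "BlockPublicAcls", "IgnorePublicAcls",
        "BlockPublicPolicy", "RestrictPublicBuckets"))


def _anonymous(principal):
    # A principal means "everyone" when written as "*" or as {"AWS": "*"}.
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False


def _allow_statements(policy_json):
    # get_bucket_policy raises NoSuchBucketPolicy when none is set -> pass None.
    if not policy_json:
        return []
    return [s for s in json.loads(policy_json).get("Statement", [])
            if s.get("Effect") == "Allow"]


def policy_grants_public_access(policy_json):
    # An unconditional Allow to an anonymous principal makes the bucket public.
    # Deny statements with Principal "*" (e.g. enforcing TLS) are not flagged.
    return any(_anonymous(s.get("Principal")) and not s.get("Condition")
               for s in _allow_statements(policy_json))


def policy_grants_broad_actions(policy_json):
    # "s3:*" or "*" hands out read, write and delete at once; scope it down.
    for s in _allow_statements(policy_json):
        actions = s.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if any(a in ("*", "s3:*") for a in actions):
            return True
    return False


def evaluate_bucket(versioning, replication, pab, policy_json):
    """Return a list of findings; an empty list means all controls pass."""
    findings = []
    if not versioning_enabled(versioning):
        findings.append("versioning not enabled")
    if not replication_enabled(replication):
        findings.append("no enabled replication rule; confirm another backup exists")
    if not public_access_blocked(pab):
        findings.append("public access block not fully enabled")
    if policy_grants_public_access(policy_json):
        findings.append("bucket policy allows access to everyone")
    if policy_grants_broad_actions(policy_json):
        findings.append("bucket policy allows s3:* or *; limit to needed actions")
    return findings


# Constructed sample settings: account id, role and bucket names are placeholders.
PHI_BUCKET = {
    "versioning": {"Status": "Enabled"},
    "replication": {"ReplicationConfiguration": {"Rules": [{"Status": "Enabled"}]}},
    "pab": {"PublicAccessBlockConfiguration": {
        "BlockPublicAcls": True, "IgnorePublicAcls": True,
        "BlockPublicPolicy": True, "RestrictPublicBuckets": True}},
    "policy_json": json.dumps({"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111111111111:role/phi-app"},
         "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::example-phi/*"},
        {"Effect": "Deny", "Principal": "*", "Action": "s3:*",
         "Resource": ["arn:aws:s3:::example-phi", "arn:aws:s3:::example-phi/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}),
}

OPEN_BUCKET = {
    "versioning": {},
    "replication": {},
    "pab": {"PublicAccessBlockConfiguration": {"BlockPublicAcls": True}},
    "policy_json": json.dumps({"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "s3:*",
         "Resource": "arn:aws:s3:::example-open/*"}]}),
}

if __name__ == "__main__":
    for name, settings in (("example-phi", PHI_BUCKET), ("example-open", OPEN_BUCKET)):
        print(name, evaluate_bucket(**settings) or ["all controls pass"])
```

The replication check only reports that no replication rule is enabled; a team that backs up S3 another way should treat that finding as a prompt to confirm the alternative, not as a failure. The public-access check looks only at Allow statements, so a Deny with Principal "*" that enforces TLS (as in the sample PHI bucket) is correctly left alone.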
Further security best practices and compliance requirements can be read in Dash’s guide to Managing HIPAA in AWS.
Managing S3 Compliance
Organizations must configure Amazon S3 securely and keep an active security plan in order to maintain HIPAA compliance. Many teams turn to consultants and numerous solutions to meet requirements. Dash custom administrative policies and continuous compliance monitoring make it easy for organizations to manage HIPAA compliance in AWS and S3.
Generally, no single solution makes an organization HIPAA compliant. Organizations must select appropriate technologies, build and follow administrative policies, and address technical concerns. Learn how Dash automates compliance management for AWS.