AWS has undergone exhaustive processes to certify some of their most popular services, making them guaranteed HIPAA-eligible and authorized to transmit and store protected Patient Health Information (PHI).
The healthcare system in the United States is complex. Underlying it is sensitive patient data, governed by the U.S. Health Insurance Portability and Accountability Act (HIPAA). Making HIPAA workloads compliant manually can be time consuming and labour intensive, but healthcare entities often remain wary about migrating their workloads to cloud-based services.
But what does this really mean for entities subject to HIPAA regulations?
Good News for the Healthcare Industry
Amazon is obsessed with making sure their services are on the leading-edge of cloud computing – guaranteeing security, scalability, and compliance. AWS has put its HIPAA-eligible services through rigorous audits, enabling HIPAA-regulated entities to securely migrate their workloads to the cloud and leverage the power AWS’ authorized services to transmit, store, and maintain sensitive PHI.
With the hyper-focus on protecting patient data, it’s important to make sure you’re taking the necessary steps to secure PHI under your control. It’s important to understand the division of responsibilities in the AWS cloud – learning what steps you must oversee versus what Amazon will handle.
Shared Responsibility in AWS
When it comes to HIPAA compliance in the cloud, AWS operates on a shared responsibility model. It’s important you understand this and can distinguish between:
- Security measures AWS is responsible for implementing and operating
- Security measures you are responsible for implementing and operating to safeguard sensitive PHI
AWS will manage “security of the cloud,” but “security in the cloud” remains the customer’s responsibility. This approach gives you control over the types of security protocols you will implement to safeguard PHI, sensitive data, applications, and networks as you would with an on-site data center.
Your responsibilities to ensure HIPAA compliance in the cloud include:
- Encrypting PHI in transit and at rest
- Using Amazon EC2 for dedicated instances for processing, storing, or transmitting PHI
- Recording and retaining all activity related to the use and access of PHI
- Requiring unique user identification and strong identification
Although customers can use any AWS service within a HIPAA account, they must use only HIPAA-eligible services to process, store, and transmit PHI. Eligible services include Amazon Elastic Compute (EC2), Amazon Elastic Book Store (Amazon EBS), Elastic Load Balancing (ELB), Amazon Simple Storage Service (Amazon S3), Amazon Glacier, Amazon Redshift, DynamoDB, MySQL, RDS Oracle, and EMR.
Amazon maintains this rule to protect you. Unauthorized services have not gone through FedRAMP and should therefore not be used to handle PHI – even in passing. All HIPAA-eligible services are guaranteed to have undergone rigorous security engineering processes and be ISO 27017, PCI, SOC 2, and FedRAMP certified, authorizing them to process PHI.
Compliance by Design
When it comes to compliance, you can rest assured that Amazon has already done the heavy lifting:
- AWS is FedRAMP authorized and has agency-level authorization to operate from the Department of Health and Human Services, the Department of Defence, and other key governing and regulating bodies
- AWS has already undergone a serious audit against the NIST 800-53 framework which, through NIST 800-66, is mapped to the HIPAA security rule
This means that the foundational elements of the AWS cloud and its services – including the physical infrastructure, underlying substrate of the network, hypervisor, and AWS’ internal structure and audit frameworks – are already authorized to process PHI and accredited to guarantee HIPAA compliance.
Built-in, automated compliance in the AWS cloud makes it easier for you. If you’re preparing for external or internal compliance audits, you can use AWS’ existing authorizations to demonstrate comprehensive control effectiveness.
Choosing the Right AWS Partner
Automating compliance in the AWS cloud is a complex, evolving process. Migrating and managing HIPPA-regulated workloads requires specialized skillsets to maintain efficient, secure infrastructures.
Automating HIPAA compliance on the AWS cloud will transform how you do business. AWS’ built-in authorizations help you manage sensitive PHI and be audit ready. Working with a cloud expert will simplify the process, letting you focus on your operations while your AWS partner manages your HIPAA-regulated workload and monitors compliance 24x7x365.
At iTMethods, our AWS experts will architect and manage your journey to the cloud – working with you to create and execute a roadmap tailored to your needs.
Read more from iTMethods
- Introducing AWS Database Migration Service
- iTMethods Achieves AWS Managed Service Provider (MSP) Partner Status