AWS has undergone exhaustive processes to certify some of their most popular services, making them guaranteed HIPAA-eligible and authorized to transmit and store protected Patient Health Information (PHI).
The healthcare system in the United States is complex. Underlying it is sensitive patient data, governed by the U.S. Health Insurance Portability and Accountability Act (HIPAA). Making HIPAA workloads compliant manually can be time consuming and labour intensive, but healthcare entities often remain wary about migrating their workloads to cloud-based services.
But what does this really mean for entities subject to HIPAA regulations?
Amazon is obsessed with making sure their services are on the leading-edge of cloud computing – guaranteeing security, scalability, and compliance. AWS has put its HIPAA-eligible services through rigorous audits, enabling HIPAA-regulated entities to securely migrate their workloads to the cloud and leverage the power AWS’ authorized services to transmit, store, and maintain sensitive PHI.
With the hyper-focus on protecting patient data, it’s important to make sure you’re taking the necessary steps to secure PHI under your control. It’s important to understand the division of responsibilities in the AWS cloud – learning what steps you must oversee versus what Amazon will handle.
When it comes to HIPAA compliance in the cloud, AWS operates on a shared responsibility model. It’s important you understand this and can distinguish between:
AWS will manage “security of the cloud,” but “security in the cloud” remains the customer’s responsibility. This approach gives you control over the types of security protocols you will implement to safeguard PHI, sensitive data, applications, and networks as you would with an on-site data center.
Your responsibilities to ensure HIPAA compliance in the cloud include:
Although customers can use any AWS service within a HIPAA account, they must use only HIPAA-eligible services to process, store, and transmit PHI. Eligible services include Amazon Elastic Compute (EC2), Amazon Elastic Book Store (Amazon EBS), Elastic Load Balancing (ELB), Amazon Simple Storage Service (Amazon S3), Amazon Glacier, Amazon Redshift, DynamoDB, MySQL, RDS Oracle, and EMR.
Amazon maintains this rule to protect you. Unauthorized services have not gone through FedRAMP and should therefore not be used to handle PHI – even in passing. All HIPAA-eligible services are guaranteed to have undergone rigorous security engineering processes and be ISO 27017, PCI, SOC 2, and FedRAMP certified, authorizing them to process PHI.
When it comes to compliance, you can rest assured that Amazon has already done the heavy lifting:
This means that the foundational elements of the AWS cloud and its services – including the physical infrastructure, underlying substrate of the network, hypervisor, and AWS’ internal structure and audit frameworks – are already authorized to process PHI and accredited to guarantee HIPAA compliance.
Built-in, automated compliance in the AWS cloud makes it easier for you. If you’re preparing for external or internal compliance audits, you can use AWS’ existing authorizations to demonstrate comprehensive control effectiveness.
Automating compliance in the AWS cloud is a complex, evolving process. Migrating and managing HIPPA-regulated workloads requires specialized skillsets to maintain efficient, secure infrastructures.
Automating HIPAA compliance on the AWS cloud will transform how you do business. AWS’ built-in authorizations help you manage sensitive PHI and be audit ready. Working with a cloud expert will simplify the process, letting you focus on your operations while your AWS partner manages your HIPAA-regulated workload and monitors compliance 24x7x365.
At iTMethods, our AWS experts will architect and manage your journey to the cloud – working with you to create and execute a roadmap tailored to your needs.
Contact us to speak with a cloud expert today!
Read more from iTMethods