A HIPAA Expert's Advice on How to Secure PHI in AWS

Is Amazon Web Services HIPAA Compliant?

If you provide software services for healthcare providers or are a healthcare provider that manages an internal software system to store and transmit PHI, you might be wondering whether Amazon AWS is a HIPAA compliant solution. Amazon has made it clear that AWS is an eligible candidate to consider when deciding how to build your HIPAA compliant system.

AWS and HIPAA

Amazon does a good job of describing its HIPAA eligible services, but being HIPAA compliant requires a deeper understanding of how your organization processes PHI and what is required by the US Department of Health and Human Services (HHS). Amazon can help you understand how to implement technical security controls, but your organization also needs to meet requirements from HHS.gov regarding the HIPAA Privacy Rule and HIPAA Security Rule. These requirements are not directly associated with AWS and include conducting periodic HIPAA risk assessments, HIPAA training, system activity monitoring and much more. However, HIPAA’s technical requirements apply to all IT systems, including AWS. Technical controls that must be considered when configuring AWS in a HIPAA compliant environment include:

  • Access Control
  • Audit Controls
  • Encryption
  • Integrity
  • Person or Entity Authentication
  • Transmission Security

For more detailed information on implementing technical safeguards in your information systems, visit the HHS’s HIPAA Security Series on Technical Safeguards.

Which AWS Services are HIPAA Compliant?

A HIPAA compliant AWS architecture can be designed using EC2 instances, S3 buckets, RDS, Elastic Load Balancing or any other AWS services, but the services must be utilized correctly. A basic understanding of web application security is a good start, but HIPAA introduces a long list of security controls your team may not be aware of. Every AWS environment, and every business that uses one, is different, and the controls that you implement for HIPAA compliance will depend on your IT security strategy. Below is a list of potential security controls that can be configured in AWS to meet your organization’s compliance goals:

  • Ensure PHI stored at rest in RDS is encrypted using keys managed through AWS Key Management Service (AWS KMS)
  • Encrypt data at rest using file-level or full disk encryption
  • Configure Virtual Private Cloud Flow Logs to provide an audit trail of connections to instances processing, transmitting or storing PHI
  • Force connections over HTTPS when accessing PHI stored in S3 buckets

This list is not exhaustive, by any means, and a more comprehensive take can be found in this AWS HIPAA Compliance White Paper.
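The last control above, forcing HTTPS on S3 buckets holding PHI, is usually implemented with a bucket policy that denies any request made without TLS. The following is an added example (not from the original article or from AWS) that builds such a policy and includes a small audit check for confirming an existing policy actually denies plaintext access to both the bucket and its objects; the bucket name is a constructed placeholder.

```python
import json

# Constructed placeholder; substitute the name of your PHI bucket.
BUCKET = "example-phi-bucket"


def build_tls_only_policy(bucket: str) -> dict:
    """Bucket policy denying every S3 action made over plaintext HTTP.

    AWS sets aws:SecureTransport to "false" on requests that did not use TLS,
    and an explicit Deny overrides any Allow that would otherwise grant access.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            # Both ARNs are needed: bucket-level and object-level operations.
            "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        }],
    }


def enforces_tls(policy: dict, bucket: str) -> bool:
    """Audit check: True if some Deny statement blocks all non-TLS S3 actions
    on both the bucket ARN and its object ARN. A policy that covers only
    objects (a common mistake) still leaves bucket-level calls over HTTP."""
    wanted = {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Deny":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if not any(a in ("s3:*", "*") for a in actions):
            continue
        resources = stmt.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        secure = stmt.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport")
        if str(secure).lower() == "false" and wanted.issubset(set(resources)):
            return True
    return False


if __name__ == "__main__":
    policy = build_tls_only_policy(BUCKET)
    print(json.dumps(policy, indent=2))
    # Apply with: aws s3api put-bucket-policy --bucket <bucket> --policy file://policy.json
    print("enforces TLS:", enforces_tls(policy, BUCKET))
```

Running `enforces_tls` against the output of `aws s3api get-bucket-policy` for each PHI bucket gives a quick, scriptable check that the transmission-security control has not been dropped by a later policy change.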

AWS HIPAA QuickStart

The fastest way to find out if your plans for AWS are HIPAA compliant is to send Gazelle Consulting a message from our Contact page or call 1-503-389-5666. Our experienced HIPAA compliance consultants will act quickly to prioritize and address your most critical concerns. The next best thing to do is get familiar with resources provided by Amazon themselves like the AWS HIPAA Compliance White Paper, AWS HIPAA FAQs part 1 and part 2, and the AWS HIPAA Compliance Overview page.