If you provide software services to healthcare providers, or are a healthcare provider that runs an internal system to store and transmit protected health information (PHI), you may be wondering whether Amazon Web Services (AWS) can be used as a HIPAA compliant solution. Amazon has made it clear that AWS is an eligible candidate to consider when deciding how to build a HIPAA compliant system, but AWS supplies the building blocks, not compliance itself: the configuration and operation of those services remain your responsibility.
AWS and HIPAA
Amazon does a good job of describing its HIPAA eligible services (the services it will cover under a Business Associate Addendum, which must be in place before any PHI is placed in AWS), but being HIPAA compliant requires a deeper understanding of how your organization processes PHI and of what the US Department of Health and Human Services (HHS) requires. Amazon can help you implement technical security controls, but your organization also has to meet the HHS requirements of the HIPAA Privacy Rule and the HIPAA Security Rule. Those requirements are not specific to AWS and include periodic HIPAA risk assessments, HIPAA training, system activity monitoring and much more. The Security Rule's technical safeguards, however, apply to every IT system that handles PHI, AWS included. The technical safeguard standards that must be considered when configuring AWS for a HIPAA compliant environment are:
- Access Control
- Audit Controls
- Integrity
- Person or Entity Authentication
- Transmission Security
Which AWS Services are HIPAA Compliant?
No AWS service is HIPAA compliant on its own. A HIPAA compliant architecture can be built from EC2 instances, S3 buckets, RDS, Elastic Load Balancing or any other HIPAA eligible AWS service, but each service has to be configured and operated correctly. A basic understanding of web application security is a good start, but HIPAA introduces a long list of security controls your team may not be aware of. Every AWS environment, and every business that uses one, is different, and the controls you implement for HIPAA compliance will depend on your IT security strategy. Below is a list of security controls that can be configured in AWS to meet your organization's compliance goals:
- Ensure PHI stored at rest in RDS is encrypted (StorageEncrypted) using keys managed through AWS Key Management Service (AWS KMS); encryption can only be enabled when an instance is created, so an existing unencrypted instance has to be migrated through an encrypted snapshot copy
- Encrypt data at rest on instances using file-level or full disk encryption, for example EBS volume encryption backed by KMS
- Configure Virtual Private Cloud (VPC) Flow Logs to provide an audit trail of connections to instances that process, transmit or store PHI; flow logs capture connection metadata (addresses, ports, accept/reject), not packet contents, so they complement rather than replace application and CloudTrail logging
- Force connections over HTTPS when accessing PHI stored in S3 buckets, using a bucket policy that explicitly denies any request made with aws:SecureTransport set to false
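The following script is an added example, not code from the original article or from AWS. It shows two of the listed controls in concrete form: the S3 bucket policy that denies non-TLS requests (the weak, transport-agnostic policy next to the corrected one, with a checker that tells them apart) and a check for RDS instances whose storage is not encrypted, run over a constructed sample in the shape of `aws rds describe-db-instances` output. The bucket name, account ID, role name, key ARN and instance identifiers are all assumptions chosen for the example.

```python
"""Two HIPAA-oriented AWS configuration checks, runnable offline.

Added example. Bucket, account, role, key and instance names are assumptions;
the describe-db-instances document below is constructed sample data.
"""
import json

BUCKET = "example-phi-bucket"  # assumption: not a real bucket

# Weak policy: grants the application role object reads but says nothing
# about transport, so a plaintext HTTP request is accepted just the same.
PERMISSIVE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowAppReads",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/phi-app"},
        "Action": "s3:GetObject",
        "Resource": f"arn:aws:s3:::{BUCKET}/*",
    }],
}

# Corrected policy: keeps the same grant and adds an explicit Deny that fires
# whenever the request was not made over TLS. An explicit Deny overrides any
# Allow, so this closes the gap no matter what other statements grant.
SECURE_TRANSPORT_POLICY = {
    "Version": "2012-10-17",
    "Statement": PERMISSIVE_POLICY["Statement"] + [{
        "Sid": "DenyInsecureTransport",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
        "Condition": {"Bool": {"aws:SecureTransport": "false"}},
    }],
}


def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def enforces_https(policy: dict, bucket: str) -> bool:
    """True if a Deny statement applies to every principal and every S3 action
    on both the bucket ARN and its objects whenever aws:SecureTransport is false."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    needed = {bucket_arn, bucket_arn + "/*"}
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Deny":
            continue
        if stmt.get("Principal") not in ("*", {"AWS": "*"}):
            continue  # a Deny scoped to one principal does not cover everyone
        if not set(_as_list(stmt.get("Action", []))) & {"s3:*", "*"}:
            continue
        resources = set(_as_list(stmt.get("Resource", [])))
        if "*" not in resources and not needed <= resources:
            continue  # must cover bucket-level and object-level operations
        cond = stmt.get("Condition", {}).get("Bool", {})
        if str(cond.get("aws:SecureTransport", "")).lower() == "false":
            return True
    return False


# Constructed sample in the shape of `aws rds describe-db-instances --output json`,
# trimmed to the fields the check reads. Instance names are assumptions.
SAMPLE_DESCRIBE_DB_INSTANCES = {
    "DBInstances": [
        {"DBInstanceIdentifier": "phi-db-prod", "StorageEncrypted": True,
         "KmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/11111111-2222-3333-4444-555555555555"},
        {"DBInstanceIdentifier": "phi-db-legacy", "StorageEncrypted": False},
    ]
}


def unencrypted_rds_instances(describe_output: dict) -> list:
    """Identifiers of RDS instances whose storage is not encrypted at rest.
    Encryption cannot be switched on in place: the fix is an encrypted snapshot
    copy restored into a new instance, followed by a cut-over."""
    return [db["DBInstanceIdentifier"]
            for db in describe_output.get("DBInstances", [])
            if not db.get("StorageEncrypted")]


if __name__ == "__main__":
    print(json.dumps(SECURE_TRANSPORT_POLICY, indent=2))
    print("permissive policy enforces HTTPS:", enforces_https(PERMISSIVE_POLICY, BUCKET))
    print("corrected policy enforces HTTPS:", enforces_https(SECURE_TRANSPORT_POLICY, BUCKET))
    print("unencrypted RDS instances:", unencrypted_rds_instances(SAMPLE_DESCRIBE_DB_INSTANCES))
```

The corrected policy is the one to apply with `aws s3api put-bucket-policy --bucket <name> --policy file://policy.json`; `enforces_https` can then be pointed at the output of `aws s3api get-bucket-policy` to confirm the Deny survived later edits, and `unencrypted_rds_instances` at real `describe-db-instances` output. The checker deliberately requires the Deny to apply to all principals, all S3 actions and both the bucket and object ARNs, because a Deny that covers only `s3:GetObject` or only the object ARN still leaves listing and bucket-level calls reachable over plaintext.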