By Stephen Johnston
Traditionally hospitals and other large healthcare institutions managed their own physical servers and IT infrastructure in-house. Today, most of these organizations have either already moved their entire infrastructure to the cloud, are running in a hybrid configuration, or have plans to move to the cloud very soon for a variety of reasons.
Most cloud platforms, including Amazon Web Services (AWS), recognize that their clients are diverse and require that their infrastructure enable a multitude of different compliance programs to be met and they have already gone through the processes of certification to enable this for their customers. Healthcare organizations require that their infrastructure be HIPAA compliant, and other organizations that process payments require that their infrastructure is PCI compliant. There are many different compliance programs and you can see the full list which AWS supports here.
The short answer to “May a HIPAA covered entity or business associate use a cloud service to store or process protected health information?” is "yes", but there are many details to this question that have to be considered. We will cover some of those considerations in this blog.
In order to run sensitive workloads in AWS regulated under HIPAA the service provider must first accept the AWS Business Associate Addendum (BAA). The AWS BAA covers the use of a set of HIPAA Eligible Services which can be used to store, process, and transmit PHI. In addition, AWS offers the "Creating HIPAA-Compliant Medical Data Applications with AWS" whitepaper which outlines how companies can leverage AWS services that facilitate HIPAA and HITECH compliance.
The HIPAA Security Rule includes specifications for the encryption of PHI in transmission (“in transit”) and in storage (“at rest”). AWS offers a comprehensive set of features and services to make key management and encryption of PHI easy to manage and simple to audit. Service providers with HIPAA compliance requirements have a great deal of flexibility in how they meet encryption requirements for PHI.
It is not enough that AWS itself is secure. The service providers building the SaaS applications on top of AWS also have a responsibility to configure and use those services in a way which is secure and compliant. This is called the “Shared Responsibility Model”.
AWS is responsible for the Security “of” the Cloud. The service providers have no physical access to the data centers so the security of the infrastructure falls on AWS. AWS operates, manages, and controls all the components from the host operating system and virtualization layer down the physical servers themselves. The infrastructure also is composed of all the hardware, networking, and facilities that run AWS Cloud services.
The service provider is responsible for Security “in” the Cloud. The service provider’s responsibility will be determined by the AWS Cloud services that a customer uses to build out their applications. This determines the amount of configuration work the customer must perform as part of their security responsibilities. The selected AWS services all have various different aspects which must be configured correctly by the service provider in order to ensure that their service is HIPAA compliant.
Security and compliance is an important, ongoing and evolving process, but AWS customers have the tools available to them to run secure HIPAA compliant workloads in the cloud. In some cases one would argue even more secure and cost efficient than running their own on premises data centers. There are very large reputable private organizations and government institutions who entrust their data to the AWS cloud and given the breadth and depth of the security accreditations they stand on they are second to none.