The healthcare industry is all set to face the new digital era with the wave of digital IT technologies. The COVID-19 pandemic has been a wake-up call for the healthcare industry to rethink its operations. Realizing the true potential of digital technologies, the healthcare industry is increasingly harnessing the power of advanced technologies to reduce costs and streamline its workloads. One such technology is cloud computing. Today, cloud computing in the healthcare industry is not just a storage solution, it has evolved to address significant privacy, security, and compliance challenges while improving the convenience and quality of patient care. Currently, Amazon Web Services (AWS) is one of the best Cloud Service Providers that provide a secure cloud platform on which healthcare organizations can innovate. 

However, lack of security and privacy are two major concerns that healthcare organizations face when choosing a cloud solution like AWS. There are several data protection regulations that are recognizing the value and importance of protecting user data and setting new information privacy standards for the protection of medical records and other personal health information. One such data privacy regulation that the healthcare industry must adhere to is HIPAA compliance that was designed to protect sensitive patient data.

So, is AWS HIPAA certified? What are the best practices for AWS HIPAA Compliance? Read on to know more about AWS and HIPAA compliance

AWS and Data Privacy

AWS delivers services to millions of active customers and it takes data privacy very seriously. AWS gives you ownership and control over your content in the cloud through simple and powerful tools that allow you to determine where your content will be stored, and manage your access to AWS services and resources for your users. AWS also continually monitors the changing privacy regulatory and legislative landscape to identify changes and acts accordingly to meet the compliance needs. 

However, one of the important things you need to know when discussing AWS HIPAA Compliance is Shared Responsibility. In the AWS cloud, security is shared between Amazon and customers. While the customers are responsible for the security, configuration, and other aspects of AWS services, Amazon is responsible for managing the infrastructure components and physical security of the AWS data centers. 

Is AWS HIPAA Certified?

According to Amazon.com, there is no HIPAA certification for a Cloud Service Provider (CSP) such as AWS. However, AWS aligns its HIPAA risk management program with FedRAMP and NIST 800-53 to meet the HIPAA requirements. FedRAMP and NIST 800-53 are higher security standards that map to the HIPAA Security Rule. So, yes, you can use AWS to run sensitive workloads regulated under HIPAA. However, if you plan to include Protected Health Information (as defined by HIPAA) on AWS services, you must first accept the AWS Business Associate Addendum (AWS BAA).

Business Partner Agreement with AWS

Under HIPAA, a covered entity is a health care provider, a health plan, or a healthcare clearinghouse. A business associate is an entity who performs or assists in performing an activity regulated by the associated HIPAA rules. In accordance with HIPAA regulations, any company that wants to do business that falls under HIPAA compliance has to sign a business associate contract with its customers. So, if a business associate engages AWS to store or process ePHI, AWS itself becomes a business associate under HIPAA. HIPAA requires a Business Associate Addendum between the covered entity and a business associate such as AWS. It defines and limits the permissible uses and disclosures of API. Another thing to note here is that AWS services can be used with health care applications, but only services covered by the AWS BAA can be used to store, process, or transmit ePHI.

AWS HIPAA Compliance: Best Practices

Know your AWS Tools/ Features in Terms of HIPAA compliance

AWS has published a whitepaper, Architecting for HIPAA Security and Compliance on Amazon Web Services. It details how to design a system that could help you achieve and maintain HIPAA compliance with respect to its applications. You can use this document to know how to properly use different AWS services such as Amazon EC2, Amazon Systems Manager, Amazon Virtual Private Cloud, Amazon Elastic Block Store, Amazon Redshift, Elastic Load, and others. 

Establish HIPAA Compliant Controls

This goes without saying. To be HIPAA compliant in AWS, you need effective control across your organization’s security infrastructure. Creating a well-architecture end-to-end security posture that withstands potential cyber-attacks is crucial for maintaining compliance. Also, controls should align with safeguards documented within the HIPAA security rule. 

Identify and Access Cybersecurity Risk

A critical step to identify and access your organization’s cybersecurity risk is to understand your responsibilities within HIPAA. Getting a clear view of how you intend to use the cloud, what applications and data will be migrated, who will have access to it in your organization will help you identify the potential cybersecurity risks. 

Integrity controls and encryption

The HIPAA Security Rule includes addressable implementation specifications for the encryption of ePHI in transit, in use, and at rest. There are several features and services in AWS such as AWS Key Management Service (AWS KMS) that makes encryption of ePHI manageable and easier to audit. Organizations can also make use of the encryption features native to HIPAA-eligible services to secure transmission and storage ePHI. 

Use IAM Roles

IAM is a critical component of HIPAA security. Within an AWS environment, access management strategies are crucial for securing your ePHI. AWS customers can manage passwords for account root users and for IAM users in their accounts. Implementing IAM policies restricts unnecessary user access and thus improves the overall security. 

Prepare a Contingency Plan

To meet the Emergency Access Procedure requirement under HIPAA, organizations must enable administrative controls, such as backup and disaster recovery plans. The contingency plan for protecting data in the event of a disaster should focus on the creation and maintenance of retrievable exact copies of ePHI. 

Audit and Keep a Log of Everything

According to HIPAA, you need to know who accessed ePHI and who modified it. You also must be able to verify that the changes were correct and the record id still valid. So, keeping of log of all these transactions helps you produce reports whenever necessary. AWS provides a wide range of services such as AWS Config, AWS CloudTrial, AWS Security Hub, and Amazon CloudWatch that creates a cost-effective solution for auditing and monitoring resources in the AWS environment. Organizations must also enable procedures to monitor log-in attempts and report discrepancies.  

Thus, you can use AWS to build applications that store, process, and transmit Protected Health Information (PHI), consistent with the privacy and security obligations under HIPAA. However, you still need to make sure that you are following the standards. No software or platform can ensure total compliance. Only you can ensure it, so, follow these best practices for AWS HIPAA compliance and strengthen your compliance. 

Intone help you use AWS to its fullest potential and be HIPAA compliant with our advanced solutions. Our AWS competencies include migration competency, MSP partner, financial services competency, life sciences competency, data and analytics competency, and public services competency. From analytics and predictive modeling to CRM, cloud, and infrastructure management to financial transformation and compliance, we provide holistic solutions to the health industry and pharmaceutical industry. 

Picture Credit