The Health Insurance Portability and Accountability Act, or HIPAA, is a United States law that seeks to protect the privacy of patients’ medical records and other health information provided to health plans, doctors, hospitals, and other health care providers. It seeks to make health insurance coverage available to everyone — even those who lose their jobs. It also aims to lower the cost of healthcare by setting up standards in the electronic transmission of financial and administrative transactions. As well, HIPAA is designed to help fight abuse, waste, and fraud in insurance and healthcare delivery. The act also gave rise to the HIPAA Privacy Rule, which is the first set of American standards that protect the health information of patients. All health-related clearinghouses, providers, and insurance plans are covered by the act, as well as all companies in the country that are handling or storing healthcare data.
The good news is that you can use AWS and be HIPAA compliant. One way to strengthen HIPAA compliance is by leveraging Threat Stack’s Cloud Security Platform®, which provides healthcare companies — as well as business associates — with the most advanced solutions they need to meet a broad range of HIPAA compliance requirements. This post outlines nine essential best practices you should know about AWS HIPAA compliance.
1. HIPAA is your responsibility, not Amazon’s.
AWS operates under a shared responsibility model, meaning they are responsible for certain aspects of security and compliance, while the user is responsible for others. While AWS has several tools, features, and services that make it easier to be HIPAA compliant, you should always remember that using AWS alone is not proof of compliance. You’ll still need to make sure that you are following the standards. No software, platform, or healthcare technology can ensure total compliance. Only you can. Compliance is not a feature of AWS: It is the result of using it.
2. Go beyond HIPAA compliance.
While being compliant is important, you should remember that HIPAA was established in 1996, and the final rules were published in 2003. In more than 15 years, threats and processes have changed, and HIPAA has not been updated. Relying on HIPAA standards alone will make you vulnerable to more threats and attacks.
3. Get Amazon to sign a Business Associate Agreement (BAA).
Amazon Web Services has been trying hard to attract healthcare-related companies into their fold. For this reason, AWS has certified that using a set of their services is a good way to ensure HIPAA compliance. For this reason, they will most likely sign a Business Associate Agreement wherein they share some of the legal responsibility that you have – where personal records are concerned. The BAA will also ensure that you will know when a data breach occurs.
In general, you will still be responsible for making sure that your applications, operating systems, and other components of your systems are secure and safe, but AWS will be responsible for the physical security of their own networks and facilities.
4. Do an inventory of your system to discover personal health information.
What parts of your system have personal health information, and how are you keeping it secure? These parts are going to be covered by HIPAA compliance. Once something goes wrong — for example, if a data breach occurred involving any one of these components — then you need to notify the patient as soon as possible.
5. Secure your data at rest and while in transit.
Using SSL certificates with very strong SSL termination policies can help you protect your stored data. You should also consider using encryption at the application level to augment SSL. The good news is that AWS allows you to easily encrypt data using AES-256 encryption.
6. Audit and log. Keep a log of everything.
HIPAA rules dictate that you need to know who accessed a patient’s data and who changed it. After which, you must be able to verify that the changes were correct and the record is still valid. You must log all of these transactions and guarantee that you can easily produce reports when necessary, such as when audit time comes, or if you experience a breach.
You should have bulletproof policies that will determine an application’s users and what they can do with it. Use an existing and proven authentication system, such as SAML or OAuth. You can also use the Identity and Access Management system on AWS to help you manage the credentials of your users.
8. Know which AWS tools/features can be used toward HIPAA compliance.
Amazon has published a white paper detailing how to design a system that could help you achieve and maintain HIPAA compliance when it comes to applications: Architecting for HIPAA Security and Compliance on Amazon Web Services. This document describes how to properly use different services, such as Amazon EC2, Amazon Systems Manager, Amazon Virtual Private Cloud, Amazon Elastic Block Store, Amazon Redshift, Amazon Glacier, Amazon Aurora, Amazon CloudFront, Elastic Load Balancing, and others. In short, it introduces you to the different services that help ensure HIPAA compliance. These services support the technical, physical, and administrative safeguards that HIPAA asks for.
9. Don’t assume that Amazon has made sure that their services are instantly compliant to HIPAA rules.
The Amazon Simple Storage Service (S3) is a great option for data sharing, storage, and other goals. You can make personal data accessible from anywhere as long as there is an internet connection. This means data is available on both mobile apps and websites. When using Amazon S3, you need to ensure that your configurations are correct so users and their permissions are managed correctly, and data breaches can be avoided. This is a good example of how AWS is not a magic pill for HIPAA compliance. Amazon S3 can make it easy to access patient records, but if you leave it unprotected and data is publicly accessible, then you’ll find yourself in hot water with HIPAA.
Always know when AWS is not compliant. The above example highlights the importance of knowing what you need to do to stay HIPAA compliant. You should know how to use each AWS tool/feature correctly, even if Amazon says that these services are above board. You should be aware that misconfigurations are very common in any cloud-based system, and this does not only happen to health care companies. Patient Home Monitoring reported in 2017 that a misconfiguration of their Amazon S3 left around 47 gigabytes worth of medical records exposed.
Next Steps . . .
Feel free to contact us if you’d like to find out more about continuous cloud compliance or want to learn more about Threat Stack’s Cloud Security Platform® and Cloud SecOps Program℠. Our experts look forward to discussing your cloud security and compliance requirements.