Updated: May 31, 2024   |   Fergal Glynn

Is AWS HIPAA compliant?

Amazon Web Services (AWS) is the leading public cloud service provider (CSP) based on market share. As of Q4 2023, AWS commanded 31% of the market with an extensive portfolio of PaaS, IaaS, and SaaS offerings to meet the needs of virtually any kind of business. This includes companies operating in the U.S. healthcare sector.

Serving the healthcare community requires a CSP to offer HIPAA-compliant products and services. But is AWS HIPAA compliant?

The short answer is yes: AWS provides the elements necessary to use the platform in a HIPAA-compliant manner. However, companies must configure and use the platform appropriately in order to actually achieve compliance.

This post will investigate what makes a platform HIPAA compliant and how AWS addresses the HIPAA compliance its healthcare customers need.

What makes a platform HIPAA compliant?

Healthcare organizations and providers need to comply with the data security and privacy regulations defined by the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Specifically, IT environments need to be concerned with the standards outlined in the HIPAA Security Rule. This rule focuses on securing electronic protected health information (ePHI) as it is collected, stored, and processed in IT systems.

A CSP must ensure that its HIPAA-compliant platform addresses the administrative, physical, and technical safeguards defined in the Security Rule. The following are some of the components and practices that must be in place to maintain HIPAA compliance.

  • Access controls - Strict access controls must be available to ensure that only authorized personnel can access ePHI. The platform must support role-based access controls (RBAC), strong passwords, and multi-factor authentication to effectively protect sensitive patient data.
  • Data encryption - All ePHI must be encrypted at rest and in transit as it is transmitted over a network. Strong encryption such as 256-bit AES is required to guarantee the security and privacy of sensitive data.
  • Physical security - The facilities processing and storing ePHI need to have physical security measures that restrict access by unauthorized personnel. This may include human security guards, keycard entry badges, and automated surveillance systems.
  • Secure data transmission - Data transmission over internal or external networks must be protected using secure protocols such as TLS and HTTPS.
  • Audit trails - Audit trails must be maintained to track access and modifications to ePHI. This information is crucial in providing evidence in a compliance audit to demonstrate proper access controls regarding ePHI resources.
  • Data backup and recovery - Businesses need effective backup and recovery methods to protect ePHI from data loss or corruption. Long-term archiving of specific documents may also be necessary and should be offered by the chosen CSP.
  • Disaster recovery - HIPAA requires a disaster recovery plan to quickly recover from an unexpected outage and regain access to ePHI.
  • Business Associate Agreements (BAAs) - A CSP must be willing to enter into a BAA with the healthcare organization making use of their services. This is a HIPAA requirement for all third-party providers that handle an organization’s sensitive health information.
  • Risk assessments - Companies need the capability to perform periodic risk assessments to determine whether there are vulnerabilities related to ePHI that need to be addressed. Documentation from the risk assessment, including mitigation strategies, needs to be retained for HIPAA compliance.

How AWS supports HIPAA compliance

AWS offers healthcare customers the necessary components and practices to support HIPAA compliance. However, the availability of HIPAA-eligible services does not by itself ensure that a company uses them effectively to protect ePHI. Customers need to configure and manage the services in line with HIPAA guidelines to ensure compliance and avoid violations.

AWS operates under a shared security responsibility model. AWS is responsible for the security of the underlying infrastructure that healthcare companies use to process and store ePHI; the customer is responsible for securing what they build and store on top of it.

AWS provides access to more than 130 HIPAA-eligible services and holds certifications for industry-relevant global IT and compliance standards. This includes support for GDPR, HITRUST, ENS High, HDS, and C5.

AWS takes data privacy seriously and maintains customer trust by allowing customers to manage access to their services and content. AWS does not access or use customer content without consent. Customers also have control over the region in which their customer content is stored, and AWS will not move or replicate customer content without consent.

However, customers have the responsibility of securing their data. This includes configuring and managing access to sensitive data. Care must be taken to configure services correctly or risk exposing ePHI to unauthorized entities.

Common AWS misconfigurations to avoid for HIPAA compliance

There are several common misconfigurations to avoid for HIPAA compliance on AWS. The first is data encryption: organizations fail to properly encrypt sensitive data at rest or in transit, leaving it exposed to unauthorized access and potential breaches.

Another area is inadequate access controls, where organizations do not properly restrict access to sensitive data and systems. This can lead to unauthorized individuals gaining access to protected health information.

Improper logging and monitoring is another common misconfiguration, where organizations fail to implement robust logging and monitoring practices. This can make it difficult to detect and respond to security incidents in a timely manner.

Utilizing AWS resources for achieving HIPAA compliance

AWS offers a range of compliance resources to help organizations achieve HIPAA compliance. These resources include CloudFormation templates, which allow users to define their infrastructure as code and ensure that it meets HIPAA requirements.

Compliance as Code with CloudWatch enables organizations to automate security and compliance checks, ensuring that their systems remain in compliance with HIPAA regulations. Additionally, AWS provides monitoring and auditing capabilities through CloudWatch and CloudTrail, allowing organizations to track and analyze their system activity for security and compliance purposes.

By leveraging these resources, organizations can automate security and compliance processes, reducing the risk of human error and ensuring that their systems meet HIPAA requirements. This can help organizations streamline their compliance efforts and focus on delivering high-quality healthcare services.
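As an added illustration of the compliance-as-code idea (example code written for this article, not AWS tooling and not Next DLP's Reveal), the following Python checks a CloudFormation template for the three misconfiguration classes described above: missing default encryption, incomplete public-access blocking, and missing logging. The sample template, its logical resource names and the finding strings are constructed for the example.

```python
# Check a CloudFormation template for the three misconfiguration classes above:
# missing encryption, weak access control, missing logging. Constructed example.
import json

PAB_KEYS = ("BlockPublicAcls", "BlockPublicPolicy",
            "IgnorePublicAcls", "RestrictPublicBuckets")

# Constructed sample template (not from AWS): one hardened bucket, one bucket
# with the classic mistakes, and no CloudTrail trail defined in the stack.
SAMPLE_TEMPLATE = json.dumps({"Resources": {
    "PhiArchive": {"Type": "AWS::S3::Bucket", "Properties": {
        "BucketEncryption": {"ServerSideEncryptionConfiguration": [
            {"ServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]},
        "PublicAccessBlockConfiguration": dict.fromkeys(PAB_KEYS, True),
        "LoggingConfiguration": {"DestinationBucketName": "audit-logs"}}},
    "ScratchBucket": {"Type": "AWS::S3::Bucket", "Properties": {
        "PublicAccessBlockConfiguration": {"BlockPublicAcls": True,
                                           "BlockPublicPolicy": False}}},
}})


def check_template(template_json):
    """Return (logical_id, finding) tuples for HIPAA-relevant gaps in a template."""
    resources = json.loads(template_json).get("Resources", {})
    findings = []
    for logical_id, res in resources.items():
        if res.get("Type") != "AWS::S3::Bucket":
            continue
        props = res.get("Properties", {})
        # Encryption at rest: every bucket needs default server-side encryption.
        if "BucketEncryption" not in props:
            findings.append((logical_id, "no default encryption at rest"))
        # Access control: all four public-access block flags must be true.
        pab = props.get("PublicAccessBlockConfiguration", {})
        if not all(pab.get(k) is True for k in PAB_KEYS):
            findings.append((logical_id, "public access not fully blocked"))
        # Audit trail: server access logging should be on for ePHI buckets.
        if "LoggingConfiguration" not in props:
            findings.append((logical_id, "server access logging disabled"))
    # Account-level audit trail: the stack should define a CloudTrail trail.
    if not any(r.get("Type") == "AWS::CloudTrail::Trail" for r in resources.values()):
        findings.append(("<stack>", "no AWS::CloudTrail::Trail resource"))
    return findings
```

Run against the sample, the hardened PhiArchive bucket produces no findings, while ScratchBucket is flagged on all three classes and the stack is flagged for lacking a trail.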

Customers also must sign an AWS Business Associate Addendum, otherwise known as a Business Associate Agreement (BAA). This document defines the HIPAA safeguards managed by AWS and breaks down how compliance responsibilities are divided between AWS and its customers.

Amazon provides a white paper that discusses the specific actions customers need to take to architect AWS solutions that comply with HIPAA guidelines. Customers should ensure they understand the limitations of every AWS product or service they are using.

Data loss prevention (DLP) software promotes HIPAA compliance

Data loss prevention software helps organizations control the way data resources are accessed and used throughout an IT environment. A DLP solution can be instrumental in keeping HIPAA-regulated data secure in an AWS cloud environment. DLP addresses the need for customers to secure the data they store and process in the cloud.

The Reveal Platform by Next is an advanced DLP platform that automatically enforces the organization’s data handling policy. This enforcement restricts any deliberate or accidental misuse of sensitive data.

Users who violate the policy are prohibited from performing the activity and are presented with an informative message related to the violation. This functionality helps build a security-conscious workforce.

Customers can see Reveal in action with a free demo. Get in touch with us today and start taking the steps to fully protect your HIPAA-regulated and other sensitive data resources.

Frequently asked questions

Does AWS meet the HIPAA requirements for disaster recovery services?

Yes, AWS meets the HIPAA requirements for disaster recovery services to ensure organizations can quickly restore access to ePHI after an unexpected outage. Customers can choose from a variety of disaster recovery options, including recovering in alternate geographical regions for enhanced resiliency.

AWS Elastic Disaster Recovery allows applications to be recovered to the most up-to-date state, or from an earlier point in time.

How does AWS provide physical security for the data center required by HIPAA?

AWS provides multiple layers of physical security for its data centers to comply with HIPAA regulations. Data center perimeters are secured with guards, fences, and intrusion detection technology.

The data layer, where customer data is stored, is protected by restricting access to authorized individuals. Threat detection devices are also deployed to secure the environment.

How does data loss prevention support HIPAA compliance?

Data loss prevention supports HIPAA compliance by ensuring sensitive data is not misused by unauthorized individuals or applications. Customers deploying a DLP solution can define a strict data handling policy that restricts access to ePHI and ensures data elements are used appropriately. This functionality supports the customer’s responsibility for protecting their data in an AWS environment.