Amazon Web Services (AWS) is a cloud-based service used by healthcare providers and their vendors to store, process, and transmit protected health information (PHI). Under the Health Insurance Portability and Accountability Act (HIPAA), AWS is considered a business associate (BA). As a business associate, before a healthcare entity can use AWS they must first secure a business associate agreement (BAA). Additionally, whenever considering a vendor, healthcare entities must ensure that the vendor has the proper measures in place to secure PHI. When configured properly, AWS satisfies this requirement. Is AWS HIPAA compliant? Yes, with proper use.
AWS HIPAA Business Associate Agreement
Amazon has made adjustments to its offerings to add to its ease of use for healthcare clients. As such, Amazon will sign a business associate agreement. Within the agreement, Amazon supports HIPAA compliant administrative processes, security, and controls.
However, covered entities (CEs) and business associates are responsible for implementing proper access controls for AWS HIPAA compliance.
To Learn How to Configure Access Controls Properly, Amazon Has Provided This Guide
AWS HIPAA Compliant Access Controls
HIPAA compliance, when it comes to software or cloud services, is dependent on how it is used. To be considered HIPAA compliant, AWS must be used properly by all users within an organization. Administrators have the ability to grant access to data to other users. It is important that administrators pay close attention when granting access to users to ensure that they don’t give access to data to users that should not have access.
By design Amazon’s S3 bucket, for data sharing, storage, and analysis, allows for data to be accessed easily from anywhere with an internet connection. However, if an organization misconfigures user settings, they pose the risk of granting access to PHI to users that should not have access. In some cases, AWS can be misconfigured to allow public access to data. This would be considered a HIPAA violation, causing the healthcare entity to be subject to HIPAA fines.
AWS Misconfigurations are Common
The most common mistake administrators make is setting AWS access controls to grant access to ‘authenticated users.’ This poses a huge problem as enabling this setting will grant access to data to anyone that has an AWS account. As such, any organizations handling sensitive information should never enable access to ‘authenticated users.’
Since misconfiguration has become so common and has led to several data breaches of late, Amazon recently emailed users that had allowed public access to data, stating, “We’re writing to remind you that one or more of your Amazon S3 bucket access control lists (ACLs) are currently configured to allow access from any user on the internet. While there are reasons to configure buckets with world read access, including public websites or publicly downloadable content, recently, there have been public disclosures by third parties of S3 bucket contents that were inadvertently configured to allow world read access but were not intended to be publicly available.” With widespread misconfiguration, companies such as Kromtech have released free tools to check for unsecured AWS S3 data.
So is AWS HIPAA compliant? Yes, with a signed business associate agreement and proper configuration AWS is HIPAA compliant.
