Amazon Web Services has all the security requirement to adhere with the HIPAA Security Rule and the company is willing to complete a business associate agreement with healthcare groups. So, is AWS HIPAA compliant? The answer is both Yes and No. AWS can be deemed as HIPAA compliant, but it is also simple to commit configuration mistakes that will leave protected health information (PHI) unprotected and accessible by unauthorized individuals, breaching HIPAA Rules.
Amazon Will complete a Business Associate Agreement for AWS
Amazon is keen for healthcare groups to use AWS, and as such, a business associate agreement will be completed. Under that agreement, Amazon will ensure the security, control, and administrative processes required by HIPAA.
Previously, due to the the terms of the AWS BAA, the AWS HIPAA compliance program required covered bodies and business associates to use Amazon EC2 Dedicated Instances or Dedicated Hosts to process Protected Health Information (PHI), although that is now no longer relevant.
Amazon has now released a 26-page guide – Architecting for HIPAA Security and Compliance on Amazon Web Services – to help covered bodies and business associates accomplish securing their AWS instances, and configuring access controls.
Amazon is fully behind HIPAA compliance and AWS can be used in a HIPAA manner way, but no software or cloud service can ever be completely HIPAA compliant. As with all cloud services, AWS HIPAA compliance is not about the service, but rather how it is being implemented by its users.
The Amazon Simple Storage Service (S3) that is supplied through AWS can be implemented for data storage, data analysis, data sharing, and many other tasks. Data can be accessed from anywhere with an Internet connection, including on websites, and mobile apps. AWS has been created to be secure, otherwise no one would use the service. However, it has also been programmed to make data easy to access, by anyone with the correct permissions. If it is not configured correctly users or setting permissions and data will be left at risk.
Just because AWS can be deemed HIPAA compliant, it does not mean that using AWS is free from danger, and neither that a HIPAA breach violation will not take place occur. Leaving AWS S3 buckets unprotected and accessible by the public is a clear breach of HIPAA Rules. It may seem obvious to safeguard AWS S3 buckets containing PHI, but this year there have been multiple healthcare groups that have left their PHI open and accessible by any individual.
Amazon S3 buckets are safeguarded by default. The only way they can be logged onto is by using the administrator credentials of the resource owner. It is the process of configuring permissions and providing other users with access to the resource that often goes wrong.
When is AWS in breach of HIPAA?
When a BAA has been completed, users have been told the correct way to use the service, and when access controls and permissions have been set up properly. Misconfigure an Amazon S3 bucket and your data will be accessible by everyone who knows where to find it.
Documentation has been released on the correct way to set up Amazon S3 services and manage access and permissions. Sadly, since there are many ways to grant permissions, there are also several points that mistakes can happen, and simple errors can have grave consequences.
On many occasions, security experts have discovered unprotected AWS S3 buckets and have alerted healthcare groups that PHI has been left unsecured. However, security experts are not the only ones checking for unsecured data. Cyber Criminals are always on the prowl. It is far simpler for a hacker to obtain data from cloud storage services that have had all protections removed than it is to attack groups in other ways.
One of the errors that has been made time and again is setting access controls to permit access by ‘authenticated users.’ That could be taken to mean anyone who you have authenticated to have access to your files or server. However, that is not Amazon’s definition of an authenticated user. An authenticated user is anyone who holds an AWS account, and anyone can register for an AWS account free of charge.
Are AWS Misconfigurations Common?
AWS misconfigurations happen a lot. So much so, that Amazon has contacted users who may have misconfigured their S3 buckets to alert them that data could be freely accessed.
Amazon stated: “We’re writing to remind you that one or more of your Amazon S3 bucket access control lists (ACLs) are currently configured to allow access from any user on the internet,” going on to explain, “While there are reasons to configure buckets with world read access, including public websites or publicly downloadable content, recently, there have been public disclosures by third parties of S3 bucket contents that were inadvertently configured to allow world read access but were not intended to be publicly available.”
Some of those public disclosures have been by healthcare groups, but the list is long and varied, incorporating military contractors, financial institutions, mobile carriers, entertainment companies, and cable TV suppliers. One data analytics firm left data unprotected, exposing the records of 200 million on the official voting register. Verizon exposed the data of between 6 and 14 million clients, and World Wide Entertainment exposed the data of 3 million people. Patient Home Monitoring, a HIPAA covered body, left 47GB of data exposed.
There is no acceptable excuse for these shortcomings. Reviewing for unprotected AWS buckets is not only a swift and simple process, software can be used free of charge for this task. A tool has been created Kromtech called S3 Inspector that can be used to check for unprotected S3 buckets.