Is AWS HIPAA compliant?

Amazon Web Services (AWS) is a cloud computing platform with millions of customers, and includes more than 200 products from cloud storage to high-performance computing services, but can AWS be used by healthcare organizations? Is AWS HIPAA compliant?

One of AWS’s main products is the Simple Storage Service (S3), which can be used for transferring data, analyzing data, and of course, data storage. It is a flexible cloud computing solution that allows users to access data from a range of platforms while still maintaining the security of the data. Data objects are stored in “buckets”, which can be accessed by users with the correct permissions. Yet S3 buckets are easily misconfigured, and a misconfiguration can leave all data in a bucket unprotected and accessible to anyone.

Covered entities must ensure they use S3 in a HIPAA-compliant manner, protecting data from unauthorized access. This may seem like an obvious assertion but breaches do happen, jeopardizing patient privacy and risking hefty regulatory fines for CEs. In 2017, following several high-profile data leaks, Amazon issued a warning to customers advising them to check whether their S3 buckets had been correctly configured. Such misconfigurations have led to HIPAA breaches in the past: in 2017, the Patient Home Monitoring Corporation misconfigured an S3 bucket, leaving the data of 150,000 patients exposed.

AWS has published a guide to help CEs navigate the necessary procedures to ensure its products are correctly configured so they can be used in a HIPAA-compliant way. CEs should make sure they fully understand AWS terminology. For example, CEs may grant all “authenticated users” access to their data, but an “authenticated user” is any individual with an AWS account. Such an error would expose ePHI to millions of unauthorized individuals.
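The misconfiguration described in the two paragraphs above is a bucket ACL that grants a permission to one of S3's two predefined global groups: AllUsers (everyone on the internet) or AuthenticatedUsers (any AWS account holder, not just the CE's own users). The following is an added example, not AWS's own code or tooling, that audits ACLs in the shape returned by boto3's get_bucket_acl() and flags every grant to either group. The ACLs, bucket names and owner ID below are constructed samples, not real resources.

```python
"""Flag S3 bucket ACL grants to the AllUsers or AuthenticatedUsers groups.

Added example, not AWS code. The ACL dictionaries are constructed samples
shaped like boto3's s3.get_bucket_acl() response, so the script runs offline.
"""

# Grantee URIs that S3 uses for its two predefined global groups.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"

# Human-readable description of who each group really is.
PUBLIC_GROUPS = {
    ALL_USERS: "anyone on the internet (AllUsers)",
    AUTHENTICATED_USERS: "any AWS account holder (AuthenticatedUsers)",
}


def public_grants(acl):
    """Return [(who, permission), ...] for every grant in one ACL that targets
    a global group. An empty list means the ACL exposes nothing publicly."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue  # canonical users and e-mail grantees are specific principals
        uri = grantee.get("URI")
        if uri in PUBLIC_GROUPS:
            findings.append((PUBLIC_GROUPS[uri], grant.get("Permission")))
    return findings


def audit_buckets(acls):
    """acls: mapping of bucket name -> ACL dict.
    Returns bucket name -> findings, only for buckets that have findings."""
    report = {}
    for name, acl in acls.items():
        findings = public_grants(acl)
        if findings:
            report[name] = findings
    return report


# Constructed sample data: a placeholder owner and three hypothetical buckets.
OWNER = {"DisplayName": "example-owner", "ID": "0123456789abcdef-PLACEHOLDER"}

SAMPLE_ACLS = {
    # Correctly configured: only the bucket owner has access.
    "phi-archive-private": {
        "Owner": OWNER,
        "Grants": [
            {"Grantee": {"Type": "CanonicalUser", **OWNER}, "Permission": "FULL_CONTROL"},
        ],
    },
    # The terminology mistake in the article: "authenticated users" is every AWS account.
    "phi-archive-shared": {
        "Owner": OWNER,
        "Grants": [
            {"Grantee": {"Type": "CanonicalUser", **OWNER}, "Permission": "FULL_CONTROL"},
            {"Grantee": {"Type": "Group", "URI": AUTHENTICATED_USERS}, "Permission": "READ"},
        ],
    },
    # World-readable, including its own ACL.
    "phi-archive-public": {
        "Owner": OWNER,
        "Grants": [
            {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
            {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ_ACP"},
        ],
    },
}


if __name__ == "__main__":
    for bucket, findings in audit_buckets(SAMPLE_ACLS).items():
        for who, permission in findings:
            print(f"{bucket}: grants {permission} to {who}")
```

To run this against a real account, replace SAMPLE_ACLS with ACLs fetched through boto3, i.e. s3.list_buckets() followed by s3.get_bucket_acl(Bucket=name) for each bucket; the dictionaries those calls return have exactly the Grants/Grantee/Permission layout the functions above expect. ACL grants are only one exposure path: bucket policies can also open a bucket, so the S3 Block Public Access settings at the account and bucket level are the complementary check a CE should confirm are enabled.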

To ensure HIPAA compliance, a business associate agreement (BAA) is required. Historically, this agreement required covered entities to use Amazon EC2 Dedicated Instances or Dedicated Hosts to process electronic protected health information (ePHI). AWS has since removed this requirement. The AWS BAA states that Amazon will support the CE in all the security and administrative processes required to safeguard PHI, but AWS also makes it clear that CEs must understand how to use AWS safely, stating that it is the responsibility of its customers to ensure AWS is used in a HIPAA-compliant way.

AWS has the potential to be fully HIPAA compliant, but human error and misuse of the platform could result in HIPAA violations. Amazon supports HIPAA compliance, but the responsibility for HIPAA compliance rests with the CEs that use AWS.