Is Amazon’s AWS HIPAA-compliant?
That’s a good question with an evolving answer, and a pertinent one, since, according to Amazon, “A large and growing number of healthcare providers, payers and IT professionals are using AWS’s utility-based cloud services to process, store, and transmit PHI.”
With the Department of Health and Human Services (HHS) moving ahead on new HIPAA compliance programs, compliance managers, HIPAA officers, CIOs, medical office managers, privacy officers and information security officers should know that now is the time to get ahead of compliance efforts and strengthen internal compliance plans.
Amazon Bolsters Its Web Service
AWS is Amazon Web Services, a cloud services platform which Amazon says is secure and offers advanced computing power, data storage, content delivery and more. While Amazon and Google may be the most popular, other options include Dropbox, Box, Carbonite and Microsoft OneDrive. Each has benefits, notes Skyhigh.
While there is no official certification process for HIPAA cloud providers (HHS does not certify products or services as “HIPAA compliant”), Amazon says AWS is aligned with the Federal Risk and Authorization Management Program (FedRAMP) and NIST SP 800-53, which are more prescriptive security standards than what HIPAA’s Security Rule stipulates.
Cloud services are becoming more common in health care institutions, and as cloud use increases, a spotlight is being put on security breaches, many of which trace back to misconfigured storage rather than to the provider itself.
“In June, a cyber-risk analyst at UpGuard found roughly 14 million Verizon customers’ records on an unprotected S3 server,” noted Becker’s Hospital Review. “Within the healthcare sector, a team of researchers at Kromtech Security Center discovered the protected health information of an estimated 150,000 Americans using services from Patient Home Monitoring, a HIPAA-covered entity, on a publicly-accessible S3 bucket Sept. 29.”
Earlier this month, Amazon announced that it was ramping up its AWS security. In a blog post, AWS Chief Evangelist Jeff Barr said the company was adding five new encryption and security features to S3:
- Default encryption
- Permission checks
- Cross-region replication ACL overwrite
- Cross-region replication with KMS
- Detailed inventory report
The features are free, Barr said, although there are normal rates for calls to KMS, S3 storage, S3 requests and inter-region data transfer.
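The two failure modes this passage names, a bucket whose ACL or policy opens it to the public and a bucket with no default encryption rule, can be checked without the console. The following Python is an added example (not from the article, and not AWS’s own tooling): it inspects documents shaped like the S3 GetBucketAcl, GetBucketPolicy and GetBucketEncryption responses (the shapes boto3’s get_bucket_acl, get_bucket_policy and get_bucket_encryption return), so it runs offline here against constructed samples. The bucket name, owner ID and KMS alias are illustrative assumptions; in real use you would feed it the live API responses.

```python
"""Offline audit of an S3 bucket for public access and missing default SSE.

Added example, not code from the original article or from AWS. Inputs are
dicts shaped like the GetBucketAcl / GetBucketPolicy / GetBucketEncryption
API responses; the sample documents at the bottom are constructed.
"""
import json

# Canned grantee URIs S3 uses for "everyone" and "any AWS account holder".
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def _as_list(value):
    """IAM policy fields such as Action, Principal.AWS and Statement may be a
    single string/object or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def public_acl_grants(acl):
    """Return (group, permission) pairs the ACL hands to public groups."""
    found = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEE_URIS:
            found.append((grantee["URI"].rsplit("/", 1)[-1], grant.get("Permission")))
    return found


def _principal_is_public(principal):
    """Principal "*" or {"AWS": "*"} means anyone, including anonymous callers."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))


def public_policy_statements(policy):
    """Return Sids of unconditioned Allow statements granting S3 actions to everyone.
    Statements with a Condition (e.g. aws:SourceVpce) are skipped: they need a
    human to judge whether the condition really narrows the audience."""
    found = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue
        if not _principal_is_public(stmt.get("Principal")):
            continue
        if any(a == "*" or a.lower().startswith("s3:") for a in _as_list(stmt.get("Action"))):
            found.append(stmt.get("Sid", "<no Sid>"))
    return found


def default_encryption(encryption):
    """Return the default SSE algorithm ("AES256" or "aws:kms"), or None.
    Callers should pass {} when get_bucket_encryption raised
    ServerSideEncryptionConfigurationNotFoundError (no rule configured)."""
    rules = encryption.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    for rule in rules:
        sse = rule.get("ApplyServerSideEncryptionByDefault")
        if sse:
            return sse.get("SSEAlgorithm")
    return None


def audit_bucket(name, acl, policy, encryption):
    """Combine the three checks into human-readable findings (empty = clean)."""
    findings = [f"{name}: ACL grants {perm} to {group}" for group, perm in public_acl_grants(acl)]
    findings += [f"{name}: policy statement {sid} allows public S3 access"
                 for sid in public_policy_statements(policy)]
    if default_encryption(encryption) is None:
        findings.append(f"{name}: no default server-side encryption rule")
    return findings


# Constructed sample: an exposed bucket (hypothetical name "phi-exports").
OWNER = {"Type": "CanonicalUser", "ID": "example-owner-id"}  # assumed ID
EXPOSED_ACL = {"Owner": {"ID": OWNER["ID"]}, "Grants": [
    {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": PUBLIC_GRANTEE_URIS.copy().pop() if False else
                 "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
]}
# get_bucket_policy returns the policy as a JSON string under "Policy"; parse it first.
EXPOSED_POLICY = json.loads('{"Version": "2012-10-17", "Statement": [{"Sid": "PublicRead",'
                            ' "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",'
                            ' "Resource": "arn:aws:s3:::phi-exports/*"}]}')
EXPOSED_ENCRYPTION = {}  # no encryption configuration returned

# Constructed sample: the same bucket after remediation (no policy at all).
HARDENED_ACL = {"Owner": {"ID": OWNER["ID"]}, "Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"}]}
HARDENED_POLICY = {}
HARDENED_ENCRYPTION = {"ServerSideEncryptionConfiguration": {"Rules": [
    {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms", "KMSMasterKeyID": "alias/phi-exports"}}]}}

if __name__ == "__main__":
    print("before:", audit_bucket("phi-exports", EXPOSED_ACL, EXPOSED_POLICY, EXPOSED_ENCRYPTION))
    print("after: ", audit_bucket("phi-exports", HARDENED_ACL, HARDENED_POLICY, HARDENED_ENCRYPTION) or "clean")
```

The exposed sample produces three findings (public READ via ACL, a public `s3:GetObject` policy statement, no default encryption); the remediated one produces none. Note that the ACL and policy checks are independent: a bucket can be private by policy and still leak through a single `AllUsers` ACL grant, which is exactly the kind of exposure the Verizon and Patient Home Monitoring incidents above involved.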
Other Cloud Storage Providers Angle For Business
Google Drive is at the top of many lists for cloud storage and it too has moved forward with meeting HIPAA rules. Of course, the free version will not suffice—HIPAA-concerned users will need to purchase Google’s enterprise-level product.
“Google has security certifications such as ISO 27001 and SOC 2 and SOC 3 Type II Audits, and it offers Google Apps,” noted eFileCabinet. “Under HIPAA, particular information about a patient’s health and/or healthcare service is confidential and is Protected Health Information (PHI). Google users who must follow HIPAA requirements and want to use Google Apps with PHI are required to sign a Business Associate Agreement with Google.”
Both Google and AWS should be used with caution: Since many users employ one or both of the services in their everyday lives, they may ignore the critical steps to protect healthcare information. “It’s up to the IT folks to make sure the tools are configured in that environment,” one industry watcher told Healthcare IT News.
HHS Is Not Joking About HIPAA Rules
HHS’s HIPAA compliance audit program, which began as a pilot, is now permanent. While the final shape of the program is still being worked out, those in the industry should focus on lessons learned from the pilot audits and get ready for the possibility of future HIPAA compliance audits.
This spring, the agency fined a small for-profit health care provider in Illinois $31,000 for not having a business associate agreement. One week later, the agency announced that it had fined CardioNet $2.5 million for “impermissible exposure of unsecured electronic protected health information.” What happened? An employee’s laptop was stolen from a parked car, and the company had not yet implemented the safeguards required by HIPAA’s Security Rule.
“Mobile devices in the health care sector remain particularly vulnerable to theft and loss,” said Roger Severino, director of HHS’s Office for Civil Rights. “Failure to implement mobile device security by Covered Entities and Business Associates puts individuals’ sensitive health information at risk. This disregard for security can result in a serious breach, which affects each individual whose information is left unprotected.”