Amazon Web Services & HIPAA Compliance
Amazon wants healthcare groups to use AWS, and as such will complete a business associate agreement (BAA). Under that agreement, Amazon will enhance the security, control, and administrative processes required under HIPAA.
Previously, under the terms of the AWS BAA, the AWS HIPAA compliance program required covered entities and business associates to use Amazon EC2 Dedicated Instances or Dedicated Hosts to process Protected Health Information (PHI), although that is no longer the case.
As part of its attempts to help healthcare organizations use AWS safely and securely without breaching HIPAA Rules, Amazon has released a 26-page guide – Architecting for HIPAA Security and Compliance on Amazon Web Services – to help covered entities and business associates secure their AWS instances and set access controls.
Amazon supports HIPAA compliance, and AWS can be implemented in a HIPAA compliant way, but no software or cloud service can ever be entirely HIPAA compliant. As with all cloud services, AWS HIPAA compliance is not about the platform, but rather about the users.
The Amazon Simple Storage Service (S3) provided through AWS can be used for data storage, data analysis, data sharing, and many other purposes. Data can be accessed from anywhere with an Internet connection, including via websites and mobile apps. AWS has been developed to be secure, otherwise no one would use the service. But it has also been developed to make data simple to access by anyone with the correct permissions. Make an error setting up users or setting permissions and data will be left exposed.
Just because AWS is HIPAA compliant does not mean that implementing AWS is free from risk, nor that a HIPAA violation will not take place. Leaving AWS S3 buckets unprotected and publicly accessible is a clear breach of HIPAA Rules. It may seem obvious to secure AWS S3 buckets containing PHI, but this year multiple healthcare organizations have left their PHI open and accessible to everyone.
Amazon S3 buckets are secure by default. The only way they can be seen is by using the administrator credentials of the resource owner. It is the process of setting up permissions and providing other users with access to the resource that often goes wrong.
How Often is AWS Misconfigured?
AWS misconfigurations are very common, so much so that Amazon recently contacted users who had potentially misconfigured their S3 buckets to warn them that data could be seen by anyone.
Amazon stated: “We’re writing to remind you that one or more of your Amazon S3 bucket access control lists (ACLs) are currently configured to allow access from any user on the internet,” going on to explain, “While there are reasons to configure buckets with world read access, including public websites or publicly downloadable content, recently, there have been public disclosures by third parties of S3 bucket contents that were inadvertently configured to allow world read access but were not intended to be publicly available.”
Some of those public disclosures have been by healthcare groups, but the list is long and varied, including military contractors, financial institutions, mobile carriers, entertainment companies, and cable TV stations. One data analytics company left data unprotected, exposing the records of 200 million voters. Verizon breached the data of between 6 and 14 million customers, and World Wide Entertainment exposed the data of 3 million account holders. Patient Home Monitoring, a HIPAA covered entity, left 47GB of data unprotected.
There is no excuse for this carelessness. Not only is checking for unsecured AWS buckets a quick and simple process, but software can be used free of charge for this purpose. Kromtech has created a tool called S3 Inspector that can be used to check for unsecured S3 buckets.
AWS as a HIPAA Compliant Tool?
So, in short, is AWS HIPAA compliant? Yes, it can be, and AWS offers healthcare groups huge advantages.
Can the use of AWS violate HIPAA Rules and leave PHI unsecured? Very easily.
Misconfiguration of AWS could lead to a HIPAA violation penalty. AWS is secure by default. Only if settings are amended will saved data be accessible. It would be hard to claim to OCR auditors that manually changing permissions to permit anyone to access an S3 bucket holding PHI is anything other than a serious breach of HIPAA Rules.