This blog is a revised version of an article first published in January 2020.
Increasingly the healthcare industry is turning to cloud-based services to manage their IT infrastructure. The use of cloud storage not only improves operational efficiency, but equally in the case of providers like Amazon Web Services, offers a highly secure environment for the maintenance and retention of sensitive health information. This is crucial. Healthcare providers are legally obligated to store, process, and send protected health information (PHI) in accordance with regulations set out by the Health Insurance Portability and Accountability Act 1996 (HIPAA). AWS HIPAA-compliant cloud storage comes with an assortment of HIPAA Eligible services to support healthcare companies to develop scalable and secure HIPAA compliant solutions that serve an unlimited number of healthcare use cases. Furthermore, AWS will sign a Business Associate Agreement (BAA) with their customers acknowledging their liability should they fail to follow the administrative processes and technical requirements covered in HIPAA. However, it is important to note, AWS, like any cloud platform provider, can only provide the opportunity for HIPAA compliance. It is up to the organization building a healthcare application to configure their instance in a HIPAA compliant manner.
Is AWS cloud HIPAA-compliant?
Amazon Web Services provides a hosting infrastructure that can operate as a HIPAA compliant cloud as long as it is used appropriately. AWS helps to build high-load systems that process vast amounts of ePHI under HIPAA. It offers many layers of operational and physical security to protect the integrity and safety of customer PHI data, including physical hardware security controls. But simple usage of the AWS cloud infrastructure and their covered services does not ensure HIPAA compliance. Any AWS-based system dealing with ePHI must follow HIPAA technical safeguards and regulations to ensure a fully compliant cloud environment.
Shared responsibility
The AWS shared responsibility model is designed to increase the security level of Amazon’s cloud infrastructure. According to this model, Amazon is responsible for managing the security of their infrastructure running their services including the hardware, software, networking and physical facilities. In relation, customers are expected to do their bit, configuring their use of AWS cloud services in accordance with HIPAA-compliant security standards. Which cloud service they use will determine the level of configuration involved. For example, use of Amazon’s EC2 instance, obligates the customer to take responsibility for all required security configuration and management tasks.
Practical guide on implementing HIPAA-compliant software on AWS
AWS provides many tools and features to help healthcare organizations using its services achieve HIPAA compliance. The HIPAA security rule provides a detailed description of the technical safeguards required to ensure the protection of patient PHI. To set up a secure environment on AWS, you can perform the following actions:
1. Access Control requirements
Security access control (SAC) is an essential part of any system. According to HIPAA, the application should ensure that an authenticated user accesses only what they are authorized to and no more. AWS Identity and Access Management (IAM) is a key player in providing and controlling access to AWS. It involves the strategies and methods used to authenticate and allow actions that specific users can perform. IAM enables you to manage access to AWS services and resources securely. With its help, you can create and manage AWS users and groups, and use permissions to allow and deny their access to AWS resources.
2. Person or Entity Authentication requirements
The goal of authentication is to verify if the user is authorized to interact with your system. Secondly, authentication means collecting information on how the user is accessing the infrastructure. This means that a system must provide ways of identity verification to confirm the identity of the user attempting to access protected data.
Person or Entity Authentication in AWS-based HIPAA-compliance software is achieved by permissions. Each user needs to set their own unique password (the least requirements of which every AWS account owner can set). You can also make virtual or physical multi-factor authentication.
The U.S. Department of Health and Human Services offers four verification approaches to implement this rule:
- A biometric identification system;
- A password system;
- A personal identification number (PIN);
- A telephone callback or a “token” system that uses a physical device for user authentication.
A good practice is to implement the AWS Security Token Service (STS). It helps you to request temporary, limited-privilege credentials for AWS Identity and Access Management (IAM) users or for users that you authenticate (federated users).
3. Disposal as a Requirement
Each account owner on AWS cloud has the ability to install and configure retention for all services used to prevent unnecessary data from being stored and to delete data from the service upon request. Any company that collects health information must ensure it is properly destroyed. HIPAA requires that media be cleared, purged, or destroyed consistent with NIST Special Publication 800-88, Guidelines for Media Sanitization, so that PHI cannot be retrieved.
4. Data Backup and Storage Implementation
Backup is the process of creating a copy of the data on your system that you use for recovery in case your original data is lost or corrupted. This is a mandatory HIPAA requirement that will help hospitals and patients retrieve PHI in case of any issues. AWS offers reliable HIPAA-compliant cloud backup services.
AWS Backup is a managed, policy-based solution for automatic backup application data for all AWS services running both in the cloud and on-premises. It is a faster and easier backup solution for customers that can be set up on a regular basis or carried out on request. AWS Backup automates and centrally manages backups. It also monitors the status of current backups, searches/restores backups to ensure compliance with corporate and regulatory requirements. Most AWS services like RDS, Elasticache, and S3 have customizable native backup functionality.
5. Integrity as a Feature
To ensure the integrity of your personal information, AWS cloud provides you with robust data encryption options. Amazon S3 offers Server Side Encryption. Each object is encrypted with a unique key which is encrypted as well with a regularly rotated master key. Amazon S3 uses the strongest block cipher available – 256-bit Advanced Encryption Standard (AES-256).
6. Encryption and Decryption
Encryption is one of the most efficient security tools protecting data from unauthorized access. To encrypt PHI data, Amazon offers AWS KMS for applications and services running in the cloud. It is an ideal HIPAA compliant solution for managing encryption keys together with other AWS services. Master keys in AWS KMS can be used to encrypt/decrypt keys used for encrypting PHI in your applications or in AWS services. You can access AWS KMS within AWS Identity and Access Management or using the software. It offers centralized control over encryption keys to define user data. AWS KMS includes both management functions and Cryptographic functions.
7. Audit Controls
Auditing and monitoring controls are essential for software to meet HIPAA compliance requirements. For that purpose, Amazon introduced AWS Config. It is a fully managed service that provides you with AWS resource inventory, configuration history, and configuration change notifications to enable security and governance. The solution simplifies auditing, security analysis, change management, and operational troubleshooting.
The HIPAA cloud Security Rule requires covered entities to track login attempts and report errors. CloudTrail provides an event history of AWS account activity. It helps to identify log entries related to sign-ins, including the IP address and Multi-Factor authentication. CloudTrail also determines successful sign-ins by users in IAM and root. These features simplify operational analysis and troubleshooting.
8. Automatic Logout
The AWS console allows setting the preferred AWS user session length in minutes. If you use one of the AssumeRole* API operations in your URL, you can include the SessionDuration HTTP parameter. This parameter specifies the duration of the console session, from 900 seconds (15 minutes) to 43200 seconds (12 hours).
If you use the GetFederationToken API operation in your URL, you can include the DurationSeconds parameter. This parameter specifies the duration of the federated console session. The value can range from 900 seconds (15 minutes) to 129,600 seconds (36 hours).
AWS Hosting with QuickBlox
AWS provides everything you need to set up a HIPAA-compliant telehealth platform. But, ultimately you are still responsible for ensuring that your instance is configured in the most optimal way to follow HIPAA software security rules. QuickBlox HIPAA-compliance services can help you achieve these ends because it has a deep experience supporting communication solutions for healthcare. QuickBlox is a communication back-end provider with instant messaging and group chat, peer-to-peer and multiparty video calling, file sharing and other functions accessible through SDKs and APIs. QuickBlox can work with any cloud service provider, including Amazon Web Services, to help you set up your instance that follows best practices and data protection requirements. Contact us now to find out more.
