Setting up a HIPAA-compliant environment on AWS cloud

Anton Dyachenko
23 Jan 2020

To increase operational efficiency, businesses use cloud service providers like Amazon Web Services to run their IT infrastructure. A growing number of healthcare providers use AWS to store, process, and transmit protected health information (PHI) regulated under HIPAA.

AWS lets them use its environment to store, process and retain sensitive health information under the Health Insurance Portability and Accountability Act (HIPAA). Before any PHI goes into AWS, the healthcare company must have a Business Associate Agreement (BAA) in place with AWS; it can be reviewed and accepted self-service in AWS Artifact. The BAA sets out the security, control and administrative responsibilities HIPAA places on a business associate, and it applies only to the services AWS designates as HIPAA eligible, so PHI must be kept out of any service that is not on that list.

AWS publishes a HIPAA Eligible Services Reference, and these services can be combined into scalable, secure and fault-tolerant solutions for a wide range of healthcare use cases.

Is AWS cloud HIPAA-compliant?

Yes, in the sense that matters: AWS will sign a BAA, and its HIPAA-eligible services carry many layers of operational and physical security that protect the confidentiality and integrity of customer data. There is, however, no HIPAA certification for a cloud provider, and simply running on AWS does not make your solution HIPAA compliant. When your AWS-based system handles ePHI, you must configure and operate it to meet the HIPAA Security Rule requirements yourself.

Whether an AWS workload is HIPAA compliant therefore depends on how it is built and run. AWS can host high-load systems that process vast amounts of ePHI, but AWS assumes responsibility only for the security of the underlying cloud (hardware, facilities, network and the internals of its managed services), and only HIPAA-eligible services are covered by the BAA.

Shared responsibility

The AWS shared responsibility model divides security duties between AWS and the customer so that neither side leaves a gap.

Amazon manages the infrastructure components and the physical security of the AWS data centers. Customers are responsible for the secure, HIPAA-compliant configuration of the services they use and of everything they deploy on top of them. Let's consider the shared responsibility model in more detail.

Amazon’s responsibility

Amazon is responsible for security of the cloud: the hardware, software, networking and facilities that run AWS services. This covers the following areas:

  • Computing
  • Storage
  • Databases
  • Networking
  • Region
  • Availability Zone
  • Edge location

Customer’s responsibility

Customers are responsible for security in the cloud: the secure, HIPAA-compliant configuration of the AWS services they choose and of the data and workloads they place on them. Customers manage security in the following areas:

  • Platforms
  • Applications
  • Identity and access management tools and processes (IAM)
  • Operating systems
  • Networking traffic protection
  • Firewall configurations
  • Client-side and server-side encryption of customer data (including ePHI)

Practical guide on implementing HIPAA-compliant software on AWS

Effective monitoring and control of the infrastructure is central to a well-architected HIPAA-compliant application. The goal is an environment that resists attack and that you can show meets the safeguards documented in the HIPAA Security Rule: the technical safeguards of 45 CFR §164.312 (access control, audit controls, integrity, person or entity authentication, transmission security) together with the device and media controls of §164.310. To set up such an environment on AWS, you can take the following steps:

1. Implement “Access Control” requirements

Access control is an essential part of any system. HIPAA requires that an authenticated user can reach only the ePHI and functions they are authorized for, and nothing more. AWS Identity and Access Management (IAM) is the service that grants and restricts access to AWS itself: it defines who (users, groups, roles and federated identities) can perform which actions on which resources. Apply least privilege: start from deny-by-default, grant specific actions on specific resources, prefer roles with temporary credentials over long-lived user access keys, require MFA, and keep the root user out of day-to-day work. Note that IAM governs access to AWS resources; authorization inside your application (which clinician may view which patient record) still has to be built into the application itself.
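As an added illustration of least privilege in IAM (this is example code written for this article, not QuickBlox's or AWS's own, and the bucket, account and key identifiers are placeholders), the policy below grants an application role exactly what it needs for one PHI bucket and one KMS key, and a small linter flags the wildcard statements that fail a HIPAA review:

```python
"""Least-privilege IAM policy for an application role that handles PHI, plus a
static check that flags over-broad Allow statements. Bucket, account and key
identifiers are placeholders (assumptions, not values from the article)."""
import json

PHI_BUCKET_ARN = "arn:aws:s3:::example-phi-bucket"  # placeholder
PHI_KMS_KEY_ARN = (  # placeholder key ARN
    "arn:aws:kms:us-east-1:111122223333:key/11111111-2222-3333-4444-555555555555"
)

# What the application role may do: list one bucket, read/write objects in it
# over TLS only, and use exactly one KMS key. Everything else is denied by default.
PHI_APP_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ListOnlyThePhiBucket",
            "Effect": "Allow",
            "Action": "s3:ListBucket",
            "Resource": PHI_BUCKET_ARN,
        },
        {
            "Sid": "ReadWritePhiObjectsOverTls",
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:PutObject"],
            "Resource": f"{PHI_BUCKET_ARN}/*",
            "Condition": {"Bool": {"aws:SecureTransport": "true"}},
        },
        {
            "Sid": "UseOnlyThePhiKey",
            "Effect": "Allow",
            "Action": ["kms:Decrypt", "kms:GenerateDataKey"],
            "Resource": PHI_KMS_KEY_ARN,
        },
    ],
}

# The kind of statement that turns up in real accounts and fails a HIPAA review.
OVERLY_BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "S3Admin", "Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
}


def _as_list(value):
    """IAM accepts a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def lint_policy(policy):
    """Return findings for Allow statements that violate least privilege.

    Checks: full or service-wide action wildcards, a '*' resource, and
    NotAction/NotResource (which grant everything except the listed items).
    Deny statements are skipped because they can only narrow access.
    """
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"{sid}: NotAction/NotResource allows everything not listed")
        for action in _as_list(stmt.get("Action", [])):
            if action == "*" or action.endswith(":*"):
                findings.append(f"{sid}: wildcard action {action!r}")
        if "*" in _as_list(stmt.get("Resource", [])):
            findings.append(f"{sid}: resource '*' applies to every resource in the account")
    return findings


def policy_document(policy):
    """JSON text ready for `aws iam put-role-policy` or `create-policy`."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    print(policy_document(PHI_APP_POLICY))
    for finding in lint_policy(OVERLY_BROAD_POLICY):
        print("FINDING:", finding)
```

Run the linter over every customer-managed policy in the account as part of CI; a non-empty result is a finding to justify or fix before the policy reaches an account that holds ePHI.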

2. Implement “Person or Entity Authentication” requirements

Authentication verifies that a user (or service) is who they claim to be; authorization, covered in the previous step, decides what they may then do. A system must therefore provide a reliable way to establish identity, confirm it every time someone attempts to reach protected data, and record how that access happened.

In an AWS-based HIPAA solution, person or entity authentication is handled by IAM for access to AWS and, for your own application's users, by your identity provider (Amazon Cognito or SAML/OIDC federation). Each IAM user gets a unique identity and a password that must meet the account's password policy, which the account owner sets (minimum length, complexity, rotation). Add virtual or hardware multi-factor authentication for every human user, and make it mandatory for the root user and for privileged roles.

The U.S. Department of Health and Human Services lists four verification approaches that satisfy this standard:

  • a biometric identification system;
  • a password system;
  • a personal identification number (PIN);
  • a telephone callback or a "token" system that uses a physical device for user authentication.

These correspond to something the user is, knows, or has; combining two of them is what multi-factor authentication means.

A good practice is to use the AWS Security Token Service (STS) rather than long-lived access keys. STS issues temporary, limited-privilege credentials for IAM roles, and for users that you authenticate yourself (federated users); the credentials expire automatically, can be narrowed further with session policies, and can be made conditional on MFA.

3. Disposal as a Requirement

HIPAA's device and media controls require that ePHI is disposed of properly once it is no longer needed. On AWS each account owner can configure retention for every service they use: for example S3 lifecycle rules that expire objects (and non-current versions) after a defined period, RDS and EBS snapshot retention, and retention periods on CloudWatch Logs groups. This keeps unnecessary data from accumulating and lets you delete data on request. Any company that collects health information must ensure it is properly destroyed.

HIPAA guidance requires that media be cleared, purged, or destroyed consistent with NIST Special Publication 800-88, Guidelines for Media Sanitization, so that the PHI cannot be retrieved. In the cloud you never touch the physical media; decommissioning storage devices in line with NIST 800-88 is AWS's side of the shared responsibility model. Your equivalent control is cryptographic erasure: keep PHI encrypted under keys you manage in AWS KMS, and when data must become unrecoverable, delete the objects and schedule deletion of the key (KMS enforces a waiting period of 7 to 30 days, during which the deletion can still be cancelled).

4. The Data Backup and Storage Implementation

A backup is a copy of your data kept so that you can recover when the original is lost or corrupted. The Security Rule's data backup and storage requirement makes this mandatory, so that hospitals and patients can retrieve PHI after an incident. AWS offers reliable backup services that are HIPAA eligible.

AWS Backup is a managed, policy-based service that automates backups of supported AWS resources (at the time of writing, EBS volumes, RDS databases, DynamoDB tables, EFS file systems and Storage Gateway volumes for on-premises data) and manages them centrally. Backup plans run on a schedule or on demand, with retention and lifecycle rules. AWS Backup also monitors the status of backup jobs and lets you search for and restore recovery points, which helps demonstrate compliance with corporate and regulatory requirements. Most AWS services also have native backup capabilities: RDS automated backups and snapshots, ElastiCache for Redis snapshots, and S3 versioning with cross-region replication. Encrypt backups with KMS keys, test restores regularly, and keep at least one copy in a second region or account so that a compromise of the primary account does not take the backups with it.

5. Integrity as a Feature

Integrity means ePHI is not altered or destroyed in an unauthorized way. Encryption at rest on its own gives confidentiality, not integrity, so combine the two. Amazon S3 offers server-side encryption: each object is encrypted with a unique key, which is itself encrypted with a regularly rotated master key, using 256-bit Advanced Encryption Standard (AES-256). For integrity, send a Content-MD5 (or checksum) header with every upload so that S3 rejects objects corrupted in transit, enable versioning so an altered object can be compared with and restored to its previous version, and consider S3 Object Lock for records that must not be modified during a retention period.

6. Encryption and Decryption

Encryption is one of the most effective tools for protecting data from unauthorized access. To encrypt PHI, Amazon offers AWS Key Management Service (KMS) for applications and services running in the cloud as well as on-premises. It is a HIPAA-eligible service for managing encryption keys and integrates with the other AWS services. KMS uses envelope encryption: a master key (a KMS key, at the time called a CMK) held in KMS never leaves the service; it is used only to encrypt and decrypt the data keys that in turn encrypt PHI in your applications or in AWS services such as S3, EBS and RDS.

You access AWS KMS through the console, the CLI and the SDKs. Every use of a key is governed by the key's policy together with IAM policies and is recorded in CloudTrail, which gives you centralized control over who can use which key on which data. KMS includes both management functions (create keys, set key policies, enable rotation, schedule deletion) and cryptographic functions (encrypt, decrypt, generate data keys).
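To make the encryption and integrity points of the last two steps concrete, here is an added example (written for this article, not code from QuickBlox or AWS; the bucket and key ARNs are placeholders). The bucket policy denies any PutObject that does not name SSE-KMS with the designated key, and denies all access over plain HTTP; a small evaluator shows offline how each request variant fares, and `content_md5` produces the header that makes S3 reject an upload whose bytes were altered in transit:

```python
"""Bucket policy that refuses PHI uploads unless they are encrypted with a
specific KMS key over TLS, an offline evaluator for it, and a Content-MD5
helper for upload integrity. The bucket and key ARNs are placeholders.
Resource matching is omitted because every statement covers the whole bucket."""
import base64
import fnmatch
import hashlib

PHI_BUCKET_ARN = "arn:aws:s3:::example-phi-bucket"  # placeholder
PHI_KMS_KEY_ARN = (  # placeholder
    "arn:aws:kms:us-east-1:111122223333:key/11111111-2222-3333-4444-555555555555"
)

# Deny statements win over any Allow. StringNotEquals also matches when the
# header is absent, so an upload with no SSE header is denied, not ignored.
PHI_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [PHI_BUCKET_ARN, f"{PHI_BUCKET_ARN}/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
        {
            "Sid": "DenyUnencryptedUploads",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": f"{PHI_BUCKET_ARN}/*",
            "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}},
        },
        {
            "Sid": "DenyWrongKmsKey",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": f"{PHI_BUCKET_ARN}/*",
            "Condition": {
                "StringNotEquals": {"s3:x-amz-server-side-encryption-aws-kms-key-id": PHI_KMS_KEY_ARN}
            },
        },
    ],
}


def _condition_matches(condition, ctx):
    """Evaluate the subset of IAM condition operators used in the policy above."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            expected = expected if isinstance(expected, list) else [expected]
            actual = ctx.get(key)
            if operator == "StringEquals":
                if actual not in expected:
                    return False
            elif operator == "StringNotEquals":  # true when the key is missing
                if actual is not None and actual in expected:
                    return False
            elif operator == "Bool":
                if actual != expected[0]:
                    return False
            else:
                raise NotImplementedError(operator)
    return True


def request_context(headers, tls=True):
    """Map PutObject request headers to the condition keys S3 populates."""
    ctx = {"aws:SecureTransport": "true" if tls else "false"}
    for header in ("x-amz-server-side-encryption",
                   "x-amz-server-side-encryption-aws-kms-key-id"):
        if header in headers:
            ctx[f"s3:{header}"] = headers[header]
    return ctx


def denying_statements(policy, action, ctx):
    """Sids of Deny statements that match; a non-empty list means the request is denied."""
    return [
        s["Sid"]
        for s in policy["Statement"]
        if s["Effect"] == "Deny"
        and fnmatch.fnmatchcase(action, s["Action"])
        and _condition_matches(s.get("Condition", {}), ctx)
    ]


def content_md5(data):
    """Value for the Content-MD5 header; S3 answers BadDigest if the bytes it
    receives do not hash to this, so a corrupted upload never lands."""
    return base64.b64encode(hashlib.md5(data).digest()).decode("ascii")


if __name__ == "__main__":
    good = {"x-amz-server-side-encryption": "aws:kms",
            "x-amz-server-side-encryption-aws-kms-key-id": PHI_KMS_KEY_ARN}
    print(denying_statements(PHI_BUCKET_POLICY, "s3:PutObject", request_context({})))
    print(denying_statements(PHI_BUCKET_POLICY, "s3:PutObject", request_context(good)))
    print(content_md5(b"hello"))
```

The evaluator mirrors the rule that an explicit Deny beats any Allow, so it only needs the Deny statements; the Allow side lives in the role policy. Pair the policy with S3 Block Public Access and default bucket encryption set to the same key, so that even a misconfigured client cannot write plaintext PHI.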

7. Audit Controls

Auditing and monitoring controls are required for the software to meet HIPAA (45 CFR §164.312(b), audit controls). For resource configuration, Amazon provides AWS Config, a fully managed service that gives you an AWS resource inventory, configuration history, and configuration change notifications to support security and governance.

AWS Config lets you discover existing and deleted AWS resources, evaluate them against rules, and drill into resource configuration details. Managed rules such as s3-bucket-server-side-encryption-enabled, encrypted-volumes, iam-user-mfa-enabled, root-account-mfa-enabled and cloudtrail-enabled map directly onto HIPAA controls and report non-compliant resources continuously. This simplifies auditing, security analysis, change management, and operational troubleshooting.

The Security Rule also requires procedures for monitoring log-in attempts and reporting discrepancies (§164.308(a)(5)(ii)(C)). AWS CloudTrail provides the event history of your account's API and console activity. Console sign-ins appear as ConsoleLogin events that record the identity (IAM user or root), whether the attempt succeeded or failed, the source IP address and whether multi-factor authentication was used. Deliver the trail to CloudWatch Logs and alarm on failed logins, root-user logins and logins without MFA; keep CloudTrail enabled in all regions, protect the log bucket, and turn on log file validation so the audit record itself cannot be altered unnoticed.
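The following added example (written for this article, not QuickBlox's or AWS's code) runs the log-in monitoring just described over a constructed CloudTrail export: it flags failed console logins, root-user logins and logins without MFA, and counts repeated failures per source address. The records are made up for the example but use the field layout CloudTrail emits for ConsoleLogin events; the failure threshold is an assumption to tune per environment.

```python
"""Triage of CloudTrail ConsoleLogin events: failed logins, root-user logins,
logins without MFA and repeated failures from one address. The records below
are constructed for the example and use the field layout CloudTrail emits."""
import json
from collections import Counter

FAILED_LOGIN_THRESHOLD = 3  # assumption: tune for your environment

SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2020-01-23T09:00:12Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventTime": "2020-01-23T09:05:40Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.55",
     "userIdentity": {"type": "Root"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No"}},
] + [
    # three failed attempts for one user from one address (constructed)
    {"eventTime": f"2020-01-23T10:1{i}:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "responseElements": {"ConsoleLogin": "Failure"},
     "errorMessage": "Failed authentication",
     "additionalEventData": {"MFAUsed": "No"}}
    for i in range(3)
] + [
    # an unrelated API event that the login logic must ignore
    {"eventTime": "2020-01-23T11:00:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "AssumedRole"}},
]})


def load_records(trail_json):
    """Parse a CloudTrail log file (the JSON object with a Records list)."""
    return json.loads(trail_json)["Records"]


def login_findings(record):
    """Reasons a single ConsoleLogin record deserves attention ([] if none)."""
    if record.get("eventName") != "ConsoleLogin":
        return []
    if record.get("responseElements", {}).get("ConsoleLogin") == "Failure":
        return ["failed console login"]
    findings = []
    if record.get("userIdentity", {}).get("type") == "Root":
        findings.append("root user console login")
    if record.get("additionalEventData", {}).get("MFAUsed") != "Yes":
        findings.append("console login without MFA")
    return findings


def who(record):
    """Display name: the IAM user name, or the identity type (e.g. Root)."""
    identity = record.get("userIdentity", {})
    return identity.get("userName") or identity.get("type", "unknown")


def triage(trail_json):
    """Summarise noteworthy logins and addresses with repeated failures."""
    events = []
    failures_by_ip = Counter()
    for rec in load_records(trail_json):
        findings = login_findings(rec)
        if not findings:
            continue
        if "failed console login" in findings:
            failures_by_ip[rec["sourceIPAddress"]] += 1
        events.append({"time": rec["eventTime"], "user": who(rec),
                       "ip": rec["sourceIPAddress"], "findings": findings})
    repeated = {ip: n for ip, n in failures_by_ip.items() if n >= FAILED_LOGIN_THRESHOLD}
    return {"events": events, "repeated_failures": repeated}


if __name__ == "__main__":
    result = triage(SAMPLE_TRAIL)
    for event in result["events"]:
        print(event["time"], event["user"], event["ip"], ", ".join(event["findings"]))
    print("repeated failures:", result["repeated_failures"])
```

In production the same checks become CloudWatch Logs metric filters on the trail (for example on `$.eventName = "ConsoleLogin" && $.responseElements.ConsoleLogin = "Failure"`) with alarms, so the discrepancy report the Security Rule asks for is produced automatically rather than by reading log files.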

8. Automatic Logout

AWS lets you bound how long a console session lasts, which satisfies the automatic logoff standard (§164.312(a)(2)(iii)) for access to AWS itself; your own application still needs an idle timeout for its users' sessions.
If you use one of the AssumeRole* API operations to obtain the credentials behind a federated console sign-in URL, you can include the SessionDuration HTTP parameter in that URL. It specifies the duration of the console session, from 900 seconds (15 minutes) to 43,200 seconds (12 hours), and cannot exceed the maximum session duration configured on the role.

If you use the GetFederationToken API operation instead, you set the DurationSeconds parameter on the API call; it specifies the duration of the federated console session and can range from 900 seconds (15 minutes) to 129,600 seconds (36 hours). Choose the shortest duration that fits the workflow rather than the maximum.
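The following added example ties the STS step from "Person or Entity Authentication" to the session limits above (it is example code for this article, not QuickBlox's or AWS's own; the role ARN, MFA device and issuer are placeholders). It requests MFA-gated temporary credentials, enforces the documented SessionDuration and DurationSeconds bounds before anything is sent, and builds the two federation URLs that turn the credentials into a time-limited console session. boto3 is imported only inside the function that talks to AWS, so the checks run offline:

```python
"""Temporary credentials with MFA, and console sessions bounded to the limits
the article quotes. boto3 is imported only inside the function that calls
AWS, so the pure functions run offline. The role ARN, MFA serial and issuer
are placeholders."""
import json
from urllib.parse import urlencode

FEDERATION_ENDPOINT = "https://signin.aws.amazon.com/federation"

# Documented bounds, in seconds: AssumeRole* console sessions 15 min to 12 h,
# GetFederationToken sessions 15 min to 36 h.
SESSION_BOUNDS = {
    "AssumeRole": (900, 43_200),
    "GetFederationToken": (900, 129_600),
}
DEFAULT_PHI_SESSION_SECONDS = 3_600  # assumption: one hour, well under the maximum


def validate_session_duration(operation, seconds):
    """Return seconds if it lies within the STS limits for the operation, else raise."""
    if operation not in SESSION_BOUNDS:
        raise ValueError(f"unknown STS operation {operation!r}")
    low, high = SESSION_BOUNDS[operation]
    if not low <= seconds <= high:
        raise ValueError(f"{operation}: {seconds}s is outside {low}-{high}s")
    return seconds


def assume_phi_role_with_mfa(role_arn, mfa_serial, mfa_code,
                             seconds=DEFAULT_PHI_SESSION_SECONDS):
    """Short-lived credentials for a PHI role. SerialNumber/TokenCode make STS
    reject the call unless a valid MFA code is supplied. Needs boto3 and AWS
    credentials; the role's own MaximumSessionDuration also caps `seconds`."""
    import boto3  # lazy import: only needed when actually talking to AWS

    validate_session_duration("AssumeRole", seconds)
    sts = boto3.client("sts")
    response = sts.assume_role(
        RoleArn=role_arn,
        RoleSessionName="phi-app-session",
        DurationSeconds=seconds,
        SerialNumber=mfa_serial,   # e.g. arn:aws:iam::111122223333:mfa/alice (placeholder)
        TokenCode=mfa_code,        # the current code from the MFA device
    )
    return response["Credentials"]


def signin_token_url(credentials, operation="AssumeRole",
                     seconds=DEFAULT_PHI_SESSION_SECONDS):
    """First federation step: exchange temporary credentials for a sign-in token.

    SessionDuration is only honoured for AssumeRole* credentials; for
    GetFederationToken the DurationSeconds passed to the API call governs."""
    params = {
        "Action": "getSigninToken",
        "Session": json.dumps({
            "sessionId": credentials["AccessKeyId"],
            "sessionKey": credentials["SecretAccessKey"],
            "sessionToken": credentials["SessionToken"],
        }),
    }
    if operation == "AssumeRole":
        params["SessionDuration"] = validate_session_duration("AssumeRole", seconds)
    else:
        validate_session_duration(operation, seconds)
    return f"{FEDERATION_ENDPOINT}?{urlencode(params)}"


def console_login_url(signin_token, issuer="https://idp.example.com",
                      destination="https://console.aws.amazon.com/"):
    """Second step: the URL the user's browser opens with the token from step one."""
    params = {"Action": "login", "Issuer": issuer,
              "Destination": destination, "SigninToken": signin_token}
    return f"{FEDERATION_ENDPOINT}?{urlencode(params)}"


if __name__ == "__main__":
    # Constructed credentials so the URL shape can be shown without AWS access.
    demo = {"AccessKeyId": "ASIAEXAMPLE", "SecretAccessKey": "wJalrXUtnFEMI",
            "SessionToken": "FwoGZXIvYXdz"}
    print(signin_token_url(demo, seconds=1_800))
    print(console_login_url("token-from-getSigninToken"))
```

The first URL is fetched server-side (it returns `{"SigninToken": ...}`); only the second is handed to the browser, so the temporary credentials never reach the client.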

AWS provides what you need to set up a HIPAA-compliant telehealth platform, but you still have to follow the HIPAA security requirements, maintain data confidentiality and apply industry best practices for data protection. Also consider data mobility across the clouds you use: KMS keys cannot be exported, so data encrypted directly under a KMS key can only be decrypted inside AWS. If PHI may need to move elsewhere, plan for re-encryption or use client-side envelope encryption with keys you control.

QuickBlox HIPAA-compliance services can help you meet these needs. They simplify protecting Amazon Web Services workloads and ensure that best practices and data protection requirements are followed.
