Is AWS HIPAA Compliant?

Are Amazon Web Services (AWS) HIPAA Compliant? AWS includes the necessary features to be used in compliance with HIPAA’s Security Rule and Amazon will enter into Business Associate Agreements (BAA) with covered entities. Does this mean AWS is HIPAA compliant? As we often state, even when tools include all the required settings they must be correctly configured and the platform used in a HIPAA compliant way. Compliance is dependent on users.

Amazon Will Enter into a BAA for AWS

As Amazon are eager to work with the healthcare industry, they are willing to enter into BAAs with covered entities. In line with the agreement, Amazon support aspects of security, control, and other administrative requirements.

Previous AWS BAAs stipulated a need to secure protected health information (PHI) with Amazon EC2 Dedicated Instances or Dedicated Hosts but this requirement has since been removed.

Amazon has also published a 31 page guide to aid covered entities in their HIPAA compliant use of AWS.

AWS Can be HIPAA Compliant, But Can Also be Misused

As mentioned above, even though AWS has all the required features, HIPAA compliance for software are platforms is dependent on users.

As AWS has been developed to simplify how data is accessed, shared, stored, and analyzed by authorized users, access control is a very important feature to manage.

Using AWS that has seemingly been correctly configured reduces risks of HIPAA violations, but does not eliminate the risk entirely. Simple things like securing the data have been overlooked by companies in the past leading to data breaches. While storage is secured by default, determining user permissions can lead to errors.

When is AWS Not HIPAA Compliant?

AWS security is often betrayed by user error. Poor configuration of access controls is a common cause of breaches. Sometimes the breach is caught by security researchers, but in other cases hackers may find the unsecured data first. Data stored in the cloud without the correct security settings is an easier target for hackers than organizations’ servers.

A mistake that is often repeated is to allow access to “authenticated users”. Unfortunately, Amazon defines anyone with an AWS account, which is free to set up, as an “authenticated user” – meaning anyone with an internet connection could access the data.

How Common are AWS Misconfigurations?

AWS misconfigurations are a very common problem. Amazon even went so far as to email users with potentially misconfigured storage systems, called S3 buckets.

Amazon wrote “we’re writing to remind you that one or more of your Amazon S3 bucket access control lists (ACLs) are currently configured to allow access from any user on the internet”.

They continued that “while there are reasons to configure buckets with world read access, including public websites or publicly downloadable content, recently, there have been public disclosures by third parties of S3 bucket contents that were inadvertently configured to allow world read access but were not intended to be publicly available.”

A number of those disclosures involved healthcare organizations, but also military, financial and other industries. Of note was a HIPAA covered entity called Patient Home Monitoring that had left almost 50GB of data unsecured.

Free software is available to check for unsecured S3 buckets to avoid similar errors taking place in future. One such tool is S3 Inspector from Kromtech.

AWS Compliance Summary

AWS can be used in a HIPAA compliant manner and can provide advantages to healthcare organizations. It can, however, also be used in violation of HIPAA rules through misconfiguration. As the storage is secure by default, it is quite possible that changing the settings and unwittingly leaving the data unprotected would be seen as a serious HIPAA violation by auditors from the Office for Civil Rights.