If you’re considering storing your HIPAA log archives in AWS, it’s important you know the details about how Amazon treats HIPAA compliant data.
Healthcare companies are used to having control over physical storage systems, but many are now struggling when it comes to utilizing a cloud environment. There are many misconceptions about ownership, compliance and how the entire log-to-storage process intersects and works.
HIPAA is a set of federal regulations, meaning there is no explicit certification for remaining compliant. Rather, there are guidelines and laws that needs to be followed. Tools like LogDNA and AWS will ensure that compliance is maintained.
A Primer for AWS Customers
All healthcare users of AWS retain ownership over their data and maintain control in regards to what they can do with it. You can move your own data on and off AWS storage anytime you’d like without restriction. End users are in control of how third party applications (like LogDNA) can access AWS data. This access is controlled through AWS Identity and Access Management.
The most popular services for creating backups come from Amazon S3 and Glacier. AWS is responsible for managing the integrity and security of the cloud, while customers are responsible for managing security in the cloud. It’s a minor difference, but an important one at that. This leads us to the core question many healthcare providers ask about AWS.
Is AWS HIPAA compliant?
There is no way to answer this with a simple yes or no. The question also leads down a faulty path about understanding how these cloud services work. The question should be reframed as:
How does using AWS lead to HIPAA compliance?
The United States’ Health Insurance Portability and Accountability Act (HIPAA) does not issue certifications. A company and its business associates will instead be audited by the Health & Human Services Office. What AWS does is set companies on the path to compliance. Like LogDNA, Amazon signs a Business Associate Agreement (BAA) with the health company. Amazon ensures that they’ll be responsible for maintaining secure hardware servers and provide their secure data services in the cloud.
How does Amazon do this?
While there may not be a HIPAA certification per say, there are a few certifications and audit systems Amazon holds that establishes their credibility and trust.
The International Organization for Standardization specifies the smartest practices for implementing comprehensive security controls. In other words, they’ve developed a meticulous and rigorous security program for Information Security Management Systems (ISMS). In summary, the ISO guarantees the following:
- Systematically evaluate our information security risks, taking into account the impact of company threats and vulnerabilities.
- Design and implement a comprehensive suite of information security controls and other forms of risk management to address company and architecture security risks.
- Adopt an overarching management process to ensure that the information security controls meet our information security needs on an ongoing basis.
Amazon’s ISO 27001 certification displays the company’s commitment to security and its willingness to comply with an internationally renown standard. Third party audits continually validate AWS and assure customers that they’re a compliant business partner.
The company’s Service Organization Control (SOC) audits through third party examiners, and determines how AWS is demonstrating key compliance controls. The entire audit process is prepared through Attestation Standard Section 801 (AT 801) and completed by Amazon’s independent auditors, Ernst & Young, LLP.
The report reviews how AWS controls internal financial reporting. AT 801 is issued by the American Institute of Certified Public Accountants (AICPA).
Secured ePHI Logging Storage
Healthcare companies that use any AWS service and have a BAA will be given a designated HIPAA account. The following is a comprehensive list sourced from Amazon cataloging HIPAA eligible services. This list was last updated on July 31, 2017. These services cannot be used for ePHI purposes until a formal AWS business associate agreement has been signed.
- Amazon API Gateway excluding the use of Amazon API Gateway caching
- Amazon Aurora [MySQL-compatible edition only]
- Amazon CloudFront [excluding Lambda@Edge]
- Amazon Cognito
- AWS Database Migration Service
- AWS Direct Connect
- AWS Directory Services excluding Simple AD and AD Connector
- Amazon DynamoDB
- Amazon EC2 Container Service (ECS)
- Amazon EC2 Systems Manager
- Amazon Elastic Block Store (Amazon EBS)
- Amazon Elastic Compute Cloud (Amazon EC2)
- Elastic Load Balancing
- Amazon Elastic MapReduce (Amazon EMR)
- Amazon Glacier
- Amazon Inspector
- Amazon Redshift
- Amazon Relational Database Service (Amazon RDS) [MySQL, Oracle, and PostgreSQL engines only]
- AWS Shield [Standard and Advanced]
- Amazon Simple Notification Service (SNS)
- Amazon Simple Queue Service (SQS)
- Amazon Simple Storage Service (Amazon S3) [including S3 Transfer Acceleration]
- AWS Snowball
- Amazon Virtual Private Cloud (VPC)
- AWS Web Application Firewall (WAF)
- Amazon WorkDocs
- Amazon WorkSpaces
Amazon ECS & Gateway in Focus
Amazon EC2 Container Service (ECS) is a major container management service, which supports Docker container logs and can be used to run apps on a managed cluster of EC2 instances. ECS provides simple API calls that you can use to easily deploy and stop Docker-enabled apps.
ECS workloads required to process ePHI do not require any additional configurations. ECS data flow is consistent with HIPAA regulations. All ePHI is encrypted while at rest and in transit when being accessed and moved by containers through ECS.
The process of complete encryption is upheld when logging through CloudTrail or logging container instance logs through CloudWatch into LogDNA.
Users can also use Amazon API Gateway to transmit and store ePHI. Gateway will automatically use HTTPS encryption endpoints, but as an extra fail-safe, it’s always a good idea to encrypt client-side as well. AWS users are able to integrate additional services into API Gateway that maintain ePHI compliance and are consistent with Amazon’s BAA. LogDNA helps ensure that any PHI sent through Gateway only parses through HIPAA-eligible services.
Compliance Resources – A Continued Approach
Amazon is serious about staying compliant in a number of industries. They’re constantly innovating and are continually creating new security services. LogDNA shares this same tenacity for security and continued innovation.
- CloudWatch Logging: https://docs.logdna.com/v1.0/docs/cloudwatch
- Legal: https://www.hhs.gov/hipaa/for-professionals/security/laws-regulations/index.html
- AWS Hub: https://aws.amazon.com/compliance/
- Technical DevOps Guide: https://aws.amazon.com/blogs/security/how-to-automate-hipaa-compliance-part-1-use-the-cloud-to-protect-the-cloud/