Is AWS HIPAA Compliant?

Can Amazon Web Services be deemed HIPAA compliant? Amazon Web Services has all the protections needed to meet the HIPAA Security Rule, and Amazon will complete a business associate agreement with healthcare outfits. So, is AWS HIPAA compliant? Yes. And no. AWS can be HIPAA compliant, but it is also easy to make setup errors that will leave protected health information (PHI) unprotected and accessible by unauthorized people, breaching HIPAA Rules.

Amazon Will Complete a Business Associate Agreement for AWS

Amazon is keen for healthcare outfits to implement AWS, and as such, a business associate agreement will be signed. Under that agreement, Amazon will support the security, control, and administrative processes required as per HIPAA.

Previously, under the terms and conditions of the AWS BAA, the AWS HIPAA compliance program required covered outfits and business associates to use Amazon EC2 Dedicated Instances or Dedicated Hosts to process Protected Health Information (PHI), although that is no longer the situation.

As part of its attempts to help healthcare outfits use AWS safely and securely without breaking HIPAA Rules, Amazon has published a 26-page guide – Architecting for HIPAA Security and Compliance on Amazon Web Services – to help covered outfits and business associates get to grips with securing their AWS instances and setting access measures.

AWS HIPAA Compliance Could be Deemed a Misnomer

Amazon supports HIPAA compliance, and AWS can be used in a HIPAA compliant manner, but no software or cloud service can ever be completely HIPAA compliant. As with all cloud services, AWS HIPAA compliance is not about the platform, but rather how it is used by people.

The Amazon Simple Storage Service (S3) that is made available through AWS can be used for data storage, data analysis, data sharing, and many other tasks. Data can be accessed from anywhere with an Internet connection, including through websites and mobile apps. AWS has been developed to be secure, otherwise no one would use the service. But it has also been created to make data easy to access by anyone with the correct authorization. Make an error configuring users or setting permissions and data will be left accessible.

Just because AWS can be HIPAA compliant, it does not mean that using AWS is free from danger, nor that a HIPAA violation cannot happen. Leaving AWS S3 buckets unprotected and accessible by the public is a clear breach of HIPAA Rules. It may seem obvious to secure AWS S3 buckets containing PHI, but this year there have been multiple healthcare outfits that have left their PHI open and accessible by everyone.

Amazon S3 buckets are safe by default. The only way they can be accessed is by using the administrator credentials of the resource owner. It is the process of setting up permissions and providing other users with access to the resource that often goes awry.

When is AWS not HIPAA Compliant?

When is AWS deemed HIPAA compliant? When a BAA has been completed, users have been shown the correct way to use the service, and when access controls and permissions have been set properly. Misconfigure an Amazon S3 bucket and your data will be open to anyone who knows where to look.

Documentation is available on the proper way to set up Amazon S3 services and manage access and authorizations. Sadly, since there are many ways to grant permissions, there are also several ways that errors can occur, and simple errors can have grave consequences.

On numerous occasions, security experts have discovered unprotected AWS S3 buckets and have alerted healthcare groups that PHI has been left unsecured. However, security experts are not the only ones checking for unsecured data. Hackers are always around. It is far simpler for a hacker to steal data from cloud storage services that have had all protections disabled than it is to attack outfits in other ways.

One of the errors that has been made time and again is setting access controls to permit access by ‘authenticated users.’ That could be taken to mean anyone who you have allowed to have access to your data. However, that is not Amazon’s definition of an authenticated user. An authenticated user is anyone with an AWS account, and anyone can obtain an AWS account for free.

How Common are AWS Misconfigurations?

AWS misconfigurations happen a lot. So much so, that Amazon recently emailed users who had possibly misconfigured their S3 buckets to warn them that data could be accessed by anyone.

Amazon stated in its email, “We’re writing to remind you that one or more of your Amazon S3 bucket access control lists (ACLs) are currently configured to allow access from any user on the internet,” going on to explain, “While there are reasons to configure buckets with world read access, including public websites or publicly downloadable content, recently, there have been public disclosures by third parties of S3 bucket contents that were inadvertently configured to allow world read access but were not intended to be publicly available.”

Some of those public disclosures have been by healthcare outfits, but the list is long and varied, including military contractors, financial bodies, mobile carriers, entertainment companies, and cable TV suppliers.

There is no excuse for oversights. Reviewing for unprotected AWS buckets is not only a quick and simple process, software can be used free of charge for this purpose. A tool created by Kromtech, called S3 Inspector, can be used to search for unsecured S3 buckets.
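The two mistakes the article describes, a grant to 'authenticated users' (which S3 defines as any AWS account holder) and a grant to all users (the world-readable case Amazon's email warned about), both show up as group grants in a bucket's access control list. The following added example, which is not code from the original article, from Kromtech's S3 Inspector, or from AWS, checks ACLs for those grants. The ACL layout mirrors what boto3's get_bucket_acl() returns, but the bucket names, owner ID and ACLs below are constructed sample data so the check runs offline; the two group URIs are S3's real predefined-group identifiers.

```python
"""Audit S3 bucket ACLs for grants that expose a bucket beyond its owner.

Added example, not from the original article or from AWS. The ACL dictionaries
below are constructed inline, in the shape boto3's get_bucket_acl() returns,
so the check runs without an AWS account.
"""
from typing import Dict, List

# S3's predefined-group URIs. AllUsers is anyone on the internet, with or
# without an AWS account; AuthenticatedUsers is anyone holding ANY AWS account,
# not just accounts you have chosen to trust.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"

PUBLIC_GROUPS = {
    ALL_USERS: "anyone on the internet",
    AUTHENTICATED_USERS: "any AWS account holder",
}


def public_grants(acl: dict) -> List[Dict[str, str]]:
    """Return the grants in an ACL that go to one of the two public groups."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue  # canonical-user grantees name a specific principal
        uri = grantee.get("URI", "")
        if uri in PUBLIC_GROUPS:
            findings.append({
                "group": PUBLIC_GROUPS[uri],
                "permission": grant.get("Permission", ""),
            })
    return findings


def audit_acls(acls: Dict[str, dict]) -> Dict[str, List[str]]:
    """Map bucket name -> list of exposure findings (an empty list means owner-only)."""
    return {
        bucket: [f"{f['permission']} granted to {f['group']}" for f in public_grants(acl)]
        for bucket, acl in acls.items()
    }


# Constructed sample data: hypothetical bucket names and a placeholder canonical ID.
OWNER = {"DisplayName": "example-owner", "ID": "0123456789abcdef"}
OWNER_GRANT = {"Grantee": {"Type": "CanonicalUser", "ID": OWNER["ID"]}, "Permission": "FULL_CONTROL"}

SAMPLE_ACLS = {
    # How a new bucket looks by default: only the owner holds FULL_CONTROL.
    "phi-archive-private": {"Owner": OWNER, "Grants": [OWNER_GRANT]},
    # The 'authenticated users' mistake: READ for every AWS account in existence.
    "phi-exports-authenticated": {
        "Owner": OWNER,
        "Grants": [
            OWNER_GRANT,
            {"Grantee": {"Type": "Group", "URI": AUTHENTICATED_USERS}, "Permission": "READ"},
        ],
    },
    # World-readable: the configuration Amazon's reminder email described.
    "phi-backups-public": {
        "Owner": OWNER,
        "Grants": [
            OWNER_GRANT,
            {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
            {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ_ACP"},
        ],
    },
}


if __name__ == "__main__":
    for bucket, issues in audit_acls(SAMPLE_ACLS).items():
        print(f"{bucket}: {'; '.join(issues) if issues else 'OK (owner only)'}")
```

Against a real account, the sample dictionary would be replaced by calling boto3's list_buckets() and then get_bucket_acl(Bucket=name) for each bucket, passing the responses to audit_acls(). ACLs are only one of the "many ways to grant permissions" the article mentions: a bucket policy or IAM policy can open a bucket just as widely without any group grant appearing in the ACL, so an ACL audit should sit alongside a review of bucket policies rather than replace it.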

Is AWS HIPAA Compliant?

So, in short, is AWS HIPAA compliant? Yes, it can be, and AWS provides healthcare outfits huge advantages.

Can the use of AWS break HIPAA Rules and leave PHI unprotected? Very easily.

Would misconfiguration of AWS lead to a HIPAA violation penalty? That is a distinct possibility. AWS is secure by default. Only if settings are altered will stored data be accessible. It would be hard to argue with OCR auditors that manually changing permissions to give anyone access to an S3 bucket holding PHI is anything other than a serious breach of HIPAA Rules.

Daniel Lopez

Daniel Lopez is the HIPAA expert behind HIPAA Coach. Daniel has over 10 years' experience as a HIPAA trainer and has developed deep experience in teaching HIPAA to healthcare professionals. Daniel has contributed to numerous publications including expert articles on The HIPAA Guide. Daniel is currently a staff writer on HIPAA at the Healthcare IT Journal. Daniel was a subject matter expert for ComplianceJunction's online HIPAA training. Daniel's academic background in Health Information Management is the foundation of his HIPAA expertise. Daniel's primary professional interest is protecting patient privacy, which he believes is the core of the HIPAA regulations and the best route to HIPAA compliance. You can reach Daniel on the contact page of HIPAA Coach and follow him on Twitter.