Is Amazon Web Services HIPAA Compliant?

Amazon Web Services possesses all the security requirements to meet the HIPAA Security Rule and Amazon is willing to sign a business associate agreement (BAA) with healthcare providers. Does that mean AWS is HIPAA-compliant? The answer is yes and no. AWS could be HIPAA compliant, however it is also possible to make configuration errors so that protected health information (PHI) can be potentially viewed or accessed by unauthorized persons, thus breaking the HIPAA Rules.

Amazon is happy for healthcare providers to use AWS and will willingly sign a BAA. Under that contract, Amazon undertakes to ensure that the security, technical, and administrative controls of AWS satisfy HIPAA requirements. Under the previous terms and conditions of the AWS BAA, covered entities and business associates had to use Amazon EC2 Dedicated Instances or Dedicated Hosts for PHI processing in order for their use of AWS to comply with HIPAA. That is no longer the case.

To help healthcare companies use AWS safely and securely without breaking the HIPAA Rules, Amazon has published a 26-page guide called Architecting for HIPAA Security and Compliance on Amazon Web Services. Covered entities and business associates will find it helpful to read the guide and use it to secure their AWS instances and establish access controls.

AWS HIPAA Compliance or Non-Compliance

Amazon supports HIPAA compliance, and AWS can be used in a way that is HIPAA compliant. However, no software program or cloud service can ever be HIPAA compliant in itself. As with most cloud services, AWS HIPAA compliance is not just about the service, but about how it is used.

The Amazon Simple Storage Service (S3), which is made available via AWS, may be used for data sharing, data storage, data analysis and many other applications. Information can be accessed from just about anywhere over a web connection, including through websites and mobile applications. AWS was built to be secure; if it were not, nobody would use the service. However, it was also built to make information accessible to anyone with the right permissions. Make an error configuring end users or setting up permissions and information will be left unprotected.

Even if AWS is HIPAA compliant, that does not mean that using AWS is without risk, or that a HIPAA breach will not take place. Leaving AWS S3 buckets unprotected and viewable by the general public is an obvious breach of the HIPAA Rules. AWS S3 buckets may appear to be a secure place to store PHI, yet this year many healthcare companies have made their PHI viewable by anyone.


Amazon S3 buckets are secure and protected by default. The only way to access a new bucket is with the administrator’s credentials. What usually goes wrong is the way permissions are then configured to let other people access the resource.

AWS can be considered HIPAA compliant when a BAA has been signed, staff have been told how to use the service correctly, and access controls and permissions have been configured correctly. If an Amazon S3 bucket is misconfigured, your data files become accessible to anyone who knows where to find them.

Documentation is available on the proper way to set up Amazon S3 services and control access and permissions. Sadly, because there are several ways to grant permissions, there are a number of points at which errors can be made, and very simple errors can have serious consequences. On many occasions, security researchers have found unsecured AWS S3 buckets and notified healthcare providers about the unprotected PHI. But security researchers are not the only people looking for unsecured data files. Hackers are constantly on the lookout. It is much easier for a hacker to steal information from cloud storage that has no protection than to attack businesses using other methods.

One blunder that has been committed over and over again is configuring access controls to allow access by ‘authenticated users.’ You might take that to mean any person you have authorized to access your information. But Amazon’s definition of authenticated users is different: an authenticated user is anyone with an AWS account, and anyone can create an AWS account for free.

How Typical are AWS Misconfigurations?

AWS misconfigurations are so common that Amazon recently emailed users who may have misconfigured their S3 buckets to tell them that their information is accessible to anyone. A few of those open disclosures were from healthcare companies, but the list is long and diverse, and includes military contractors, mobile carriers, financial institutions, entertainment firms, and cable television vendors. Here are a few incidents:

  • One data analytics company left data open and exposed the data of 200 million voters
  • World Wide Entertainment disclosed the information of 3 million people
  • Verizon disclosed the information of 6 to 14 million customers
  • Patient Home Monitoring had 47GB of data accessible to anyone

These oversights are inexcusable, because checking for unprotected AWS buckets is a fast and easy procedure, and free software can be used for the task. Kromtech developed a tool called S3 Inspector which enables you to search for unsecured S3 buckets.
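The ‘authenticated users’ confusion described above, and the bucket check this paragraph recommends, can be illustrated with a small audit routine. The following is an added example written for this article; it is not code from Amazon, Kromtech, or S3 Inspector. It classifies the grants of an S3 bucket ACL in the shape returned by boto3’s `get_bucket_acl()` (the `Grants` list), flagging grants to the two predefined Amazon groups that make a bucket effectively public. The bucket names and grant lists are constructed sample data, and the owner ID is a placeholder.

```python
"""Audit S3 bucket ACL grants for the two 'everyone' groups.

Added example (not from the article or from AWS). The grant dicts follow the
structure boto3 returns from s3.get_bucket_acl()["Grants"]; the sample
buckets below are constructed for illustration.
"""

# Predefined Amazon S3 groups. Both are effectively public: 'AuthenticatedUsers'
# means ANY AWS account holder anywhere, not users of your own account.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"

PUBLIC_GROUPS = {
    ALL_USERS: "anyone on the internet",
    AUTHENTICATED_USERS: "anyone with an AWS account (free to create)",
}

# Any of these permissions, when granted to a public group, exposes or
# endangers the stored objects (READ lists/downloads, *_ACP alters the ACL).
EXPOSING = {"READ", "WRITE", "READ_ACP", "WRITE_ACP", "FULL_CONTROL"}


def public_grants(grants):
    """Return [(permission, who)] for every grant to AllUsers/AuthenticatedUsers."""
    findings = []
    for grant in grants:
        grantee = grant.get("Grantee", {})
        # Grants to a specific canonical user are a named principal, not 'everyone'.
        if grantee.get("Type") != "Group":
            continue
        uri = grantee.get("URI")
        permission = grant.get("Permission")
        if uri in PUBLIC_GROUPS and permission in EXPOSING:
            findings.append((permission, PUBLIC_GROUPS[uri]))
    return findings


def audit_buckets(acls):
    """acls maps bucket name -> Grants list; returns only the exposed buckets."""
    exposed = {}
    for name, grants in acls.items():
        findings = public_grants(grants)
        if findings:
            exposed[name] = findings
    return exposed


# Constructed sample: one private bucket, one PHI bucket shared with
# 'authenticated users' by mistake, one deliberately public website bucket.
OWNER = {"Type": "CanonicalUser", "ID": "OWNER-CANONICAL-ID-PLACEHOLDER"}
SAMPLE_ACLS = {
    "phi-archive-private": [
        {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
    ],
    "phi-exports-oops": [
        {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": AUTHENTICATED_USERS}, "Permission": "READ"},
    ],
    "static-site-public": [
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
    ],
}


if __name__ == "__main__":
    for bucket, findings in audit_buckets(SAMPLE_ACLS).items():
        for permission, who in findings:
            print(f"{bucket}: {permission} granted to {who}")
```

To run this against a real account, replace `SAMPLE_ACLS` with a mapping built from `boto3.client("s3").list_buckets()` and `get_bucket_acl(Bucket=name)["Grants"]` for each bucket. Note that the `phi-exports-oops` bucket is reported even though it grants nothing to `AllUsers`: a `READ` grant to `AuthenticatedUsers` is exactly the mistake the article describes. The audit only reports ACL grants; the account-level S3 Block Public Access setting is the control that actually stops such grants from taking effect.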

To sum up, yes, AWS can be HIPAA compliant, and AWS delivers great benefits to healthcare providers. But using AWS can very easily violate the HIPAA Rules when PHI is left unprotected, and a misconfiguration of AWS could result in a HIPAA violation penalty. By default, AWS is secure, but if configurations are altered, stored data can become accessible. Manually modifying permissions to allow any individual access to an S3 bucket containing PHI is a serious breach of the HIPAA Rules.

About Daniel Lopez
Daniel Lopez is a HIPAA trainer, passionately committed to enhancing healthcare data protection and privacy standards. As a recognized expert in HIPAA compliance, he holds the role of HIPAA specialist at The HIPAA Guide. Holding a degree in Health Information Management, complemented by certifications in data privacy and security, Daniel's academic and professional credentials are a testament to his expertise. His approach to training is both engaging and educational, catering to a range of professional needs in the healthcare sector. For further information or to benefit from his expertise, Daniel is reachable through HIPAAcoach.com or https://twitter.com/DanielLHIPAA