
Amazon S3 HIPAA Compliance


Amazon S3 is the most popular cloud object storage service available. It is an affordable way for Amazon S3 users to store and retrieve any amount of data at any time or place. As with most AWS services, Amazon S3 is inexpensive, fast, and reliable. It is a great choice for file storage from mobile and web applications.


Is Amazon S3 HIPAA Compliant?

Err… sort of. Amazon S3 is one of Amazon’s HIPAA Eligible Services. Notice the wording: “HIPAA Eligible Service,” not “HIPAA compliant.” Amazon S3 is not HIPAA compliant on its own. It becomes HIPAA compliant only when you configure and use it in a HIPAA-compliant manner. This is the shared responsibility model that applies under a HIPAA Business Associate Agreement. Here are some steps you can take to use Amazon S3 securely and help maintain HIPAA compliance.

Sign a Business Associate Agreement (BAA) with Amazon

Whenever you may be storing protected health information (PHI) with a third-party company, you need to sign a BAA with that company, and Amazon is no exception. We recommend starting this process early so that you have a HIPAA-compliant AWS account when you need it.

Set Appropriate Access Controls

Within a HIPAA-compliant infrastructure, only the people and applications that need access to a given piece of data should have it. For Amazon S3, use AWS Identity and Access Management (IAM) to control access to your S3 buckets. IAM lets you set granular permissions for what each person and application in your organization can do with each bucket. By default, your S3 buckets should not be public, and nobody should have access to them until it is explicitly granted. Grant access only to the resources people actually need.

Use S3 Presigned URLs

Amazon S3 presigned URLs let you generate time-limited URLs for objects in your S3 buckets. We recommend using presigned URLs whenever you can. Setting an expiration on the links to resources in your bucket adds one more layer of security: if a link to a resource containing PHI is leaked somehow, it stops working once the expiration passes.

S3 Backups and Restoration

It is best to back up your HIPAA-compliant Amazon S3 buckets with Amazon S3 Glacier. With Amazon S3 Glacier, you can archive data and restore it when necessary. Keeping these archived records protects you against loss of data.

Get Help with HIPAA Services

If you need help setting up Amazon S3 to be HIPAA compliant, Flatirons can help. We have experience setting up all sorts of HIPAA-compliant cloud services. We are also a HIPAA-compliant software vendor, and we can sign a Business Associate Agreement with your organization. Contact us for more information.
