The HIPAA and AWS Shared Responsibility Model

Overview

Signing a Business Associate Agreement is one step for IT vendors to ensure compliance with HIPAA regulations. However, the Cloud Service Provider (CSP) has a role in fulfilling compliance requirements as well as the end users (Covered Entities and Business Associates) in enhancing security. Many organizations dealing with Protected Health Information (PHI) may assume that the CSPs are fully responsible for ensuring HIPAA compliance. This assumption may lead to running PHI in public clouds, which are not fully protected by the cloud provider, leading to the risk of attacks. It is important to understand that both the cloud provider and the client share responsibilities, which takes us to a shared responsibility model.

What is the Shared Responsibility Model?

The Shared Responsibility Model refers to the security and compliance framework describing the roles of the clients and the cloud service provider. Amazon Web Services (AWS) is the pioneer of the Shared Responsibility Model in the cloud environment but is not the only vendor that leverages it.

Cloud Service Providers

• Amazon Web Service
• Microsoft Azure
• Google Cloud Platform

End-Users (Customers)

• Individuals
• Companies

Each of the parties should enhance the security of the entire cloud environment, which includes:

• The Operating System
• Hardware
• Endpoints
• Data
• Infrastructure
• Configurations
• Network controls
• Settings
• Access rights

The Shared Responsibility Model requires Cloud Service Providers to monitor and respond to all security threats related to cloud-based services. The CSP should also protect the cloud’s underlying network infrastructure. On the other hand, customers (by which we mean covered entities and business associates), are responsible for the protection of the actual data and other assets they store in the cloud. Regarding protected health information, the cloud provider’s responsibility is to provide a secure cloud infrastructure as HIPAA requires. Organizations using cloud services are responsible for guaranteeing the use and disclosure of PHI, applications, platforms, and operating systems within the cloud environment comply with HIPAA.

Business Associate Agreements and the Shared Responsibility Model

Cloud Service Providers and covered entities such as physicians and hospitals have to sign a business associate agreement before sharing, storing, or transmitting any PHI. Each party has a role to play in the agreement to ensure effective compliance with HIPAA regulations.

Amazon Web Services guarantees a standards-based risk management system that ensures its HIPAA-eligible services are only supported with specific administrative, technical, and physical safeguards. The standard BAA offered by AWS requires customers to encrypt all PHI shared with the cloud provider using the HIPAA-eligible service. It is important to note that not all HIPAA-eligible services guarantee HIPAA safeguards. Some parameters require configuration by the customers to meet the compliance requirements.

Amazon Web Services Shared Responsibility Model

According to AWS, cloud service providers should enhance the security of the cloud, while organizations should enhance security in the cloud. Using the AWS cloud services to share, process, and transmit PHI helps AWS customers and AWS address HIPAA requirements.

Both customers and cloud service providers have a role in enhancing AWS HIPAA compliance. The roles include AWS responsibility and Customer responsibility, as described below:

AWS Responsibility

Amazon Web Services cloud provider is responsible for the Security of the Cloud and protects the infrastructure designed to run all the services within the AWS environment.

AWS Infrastructure Includes:

• Networking
• Hardware
• Software
• Computing
• Databases
• Storage
• Facilities running the AWS cloud services

In order to prove due diligence, AWS has to fulfill several HIPAA physical safeguards and provide administrative reporting aligned to cloud services.

Physical Safeguards Managed by AWS Include:

• Signing Business Associate Agreements with HIPAA-compliant companies/organizations
• Enhancing physical server security
• Securing facility access and locks
• Securing employee access to systems
• Ensuring the availability of encryption standards
• Providing breach notification

AWS has a duty to ensure compliance with its global infrastructure comprising servers and hardware located in every region, availability zones, and edge locations across the globe. Managing this for multiple customers requires a rigid set of standards, and clear documentation not only of the cloud infrastructure configuration but also the responsibilities of the client.

Customer Responsibility

AWS customers must enhance security in the Cloud and are responsible for maintaining a secure environment leveraging the cloud service settings, applications, and operating systems used within the cloud environment. While the AWS cloud provider maintains physical security, the customers should implement administrative and technical safeguards to enhance HIPAA compliance, including measures to ensure the availability, integrity, and security of the data.

Administrative Safeguards Managed by AWS Cloud Customers Include:

• Outlining procedures necessary for system access
• Establishing policies that define a Security and Privacy Officer
• Clear backup and disaster recovery strategies
• Defining processes required for incident investigation and response
• Establishing the appropriate processes required for detecting intrusion
• Outlining the processes needed for audit logging

Technical Safeguards of AWS Cloud Customers Include:

• Conducting vulnerability scanning
• Intrusion Detection Systems
• Backup and Disaster Recovery
• Implementing audit logging
• Anti-virus and Anti-malware

According to AWS, customer responsibility differs depending on the client’s services. The selection determines the configuration the clients have to perform as part of their share of responsibilities. AWS cloud customers may use different AWS services to address technical safeguards. However, the customers should manage and configure the AWS services and controls independently.

AWS Cloud Customer Responsibility on Amazon S3 and Amazon DynamoDB

Customer responsibility falls on configurable controls such as encryption settings, log settings, and access controls in abstracted services like Amazon DynamoDB and Amazon S3.

You can also check for Amazon S3 HIPAA Compliance.

AWS Cloud Customer Responsibility on AWS Fargate

The customer is abstracted from the host and has no obligation to update or patch the host systems.

AWS Cloud Customer Responsibility on Amazon EKS

Amazon EKS allows customers to select a server-free deployment of containers with Amazon Fargate.  It also makes it possible to run containers via Amazon EC2 infrastructure that are accessible by the end user.

AWS Cloud Customer Responsibility on Amazon EKS deployment on Amazon EC2

The cloud provider supplies the necessary patches and updates, but the customer must be responsible for controlling access and implementing security patches.

AWS Cloud Customer Responsibility on AWS Config

Customers may use AWS configure to access the configuration data on container-based resources in the AWS account. The customer should monitor the configuration changes aligned to Amazon EKS cluster settings.

The customer should also track the compliance of the cluster configurations. The AWS Config offers a detailed review of resource configuration and how configurations change over time.

Encryption Protection of Protected Health Information (PHI) and AWS

As required by the Secretary of Health and Human Services (HHS), PHI in transmission and storage should be well encrypted.

The majority of the AWS services integrate with HIPAA-eligible encryption services such as the AWS Key Management Service (AWS KMS).

Uses of AWS Key Management Service (AWS KMS)

• KMS provides users with centralized control over the cryptographic keys required for data protection.
• Integrating AWS KMS with other AWS makes it easy to encrypt data in storage within AWS. Users can also control access to keys used in decrypting the data.
• Integrating AWS KMS with AWS CloudTrail helps customers in auditing who had access to keys, the resources used, and the precise time.
• Using AWS SDK, developers may add encryption and digital signature to application code.
• AWS KMS enables AWS customers to encrypt data across their workloads, sign data on digital platforms, encrypt using AWS Encryption SDK, and make verification of message authentication codes (MACs).

Advantages of the Shared Responsibility Model

Integrating the efforts of the cloud provider and the customer (covered entities and business associates), thereby ensuring security and compliance in the cloud environment has numerous benefits. These benefits include:

Increased Efficiency

Shared responsibility reduces the security burden which would otherwise fall on the IT staff. Sharing the security concerns between the user and the CSP allows the IT staff time to focus on other tasks.

Enhanced Protection

CSPs put their best foot forward to guarantee their customers 100% protection through timely monitoring, patching, and updates.

Better Cloud Services Expertise

CSPs have high levels of expertise in terms of cloud security. Customers learn more from the CSP on enhancing security in the cloud.

Executing the Shared Responsibility Model Using AWS to Ensure HIPAA Compliance

Organizations using AWS should follow the following steps to fulfill their tasks in the SRM:

• Customers must sign the AWS BAA
• The customer must come up with appropriate administrative procedures and policies
• Customers have a duty to build on the baseline configurations of HIPAA-eligible AWS
• Configuring AWS for HIPAA Compliance
• Customers must set up technical safeguards for every AWS cloud service that is used to retain compliance with HIPAA.
• Organizations will have to implement audit logging, system access, and data recovery on each AWS service.

It is important and necessary to properly set AWS cloud services configurations correctly, since any error could lead to security breaches or misuse, resulting in fines or potential criminal charges due to HIPAA violations.

For example:

• Having all ports to EC2 Instances could lead to potential customer security breaches on customer data, leading to HIPAA violations.
• Having an AWS S3 with PHI open to the public could lead to security attacks, violating HIPAA rules.

Getting Help with HIPAA Shared Responsibility Model Provisions with Flatirons

Healthcare organizations include some of the biggest AWS customers and rely on cloud solutions to build and manage HIPAA compliance. If you need help with HIPAA compliance on AWS, Flatirons is your go-to HIPAA-compliant software vendor. With our top-tier development resources and experience with HIPAA-related projects, we can deliver a winning solution on HIPAA-compliant architecture on AWS or your other preferred cloud computing services.

Flatirons is more than happy to sign a business associate agreement with your organization and have the experience to not only follow the basic security and compliance standards outlined in the Shared Responsibility model of your chosen CSP, but to improve upon these measures and deliver the above and beyond.