In this post, we will cover the recommended best practices, business and technical, for healthcare and life sciences (HCLS) companies using AWS for their workflows.
Understanding HIPAA, HITECH and PHI
First, it’s important to understand the HCLS regulatory and industry environment.
In HCLS, we work with highly confidential individual health information, known as Protected Health Information (PHI), which must be kept secure and access-restricted at all times. PHI is any individually identifiable health information, including demographic data, medical histories, test results and insurance information.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) sets the privacy and security standards for PHI. If your business handles PHI, you must be HIPAA-compliant. The Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 expanded HIPAA's reach so that business associates, including subcontractors and companies that merely transmit PHI, are directly subject to HIPAA's rules. HITECH also raised the penalties for non-compliance substantially, from a few hundred dollars per violation to as much as $1.5 million per year for violations of a single provision.
The stronger enforcement that followed HITECH pushed the big players in HCLS to get serious about HIPAA compliance and put the industry behind HITRUST, a consortium that maintains the Common Security Framework (CSF) and certifies organizations against it. The CSF can be used by any organization that creates, accesses, stores or exchanges sensitive or regulated data; it addresses threats across the whole organization, well beyond PHI-specific ones.
Many big-name healthcare providers and insurance companies, like Anthem, Express Scripts, Humana, Kaiser Permanente, and United Healthcare Group, have made HITRUST certification a requirement for doing business with them, and will not share their customers' or patients' PHI with organizations that are not HITRUST-certified.
AWS Shared Responsibility Model for Security Measures
AWS is the infrastructure of choice for many companies in the HCLS space because it offloads a large share of the operational burden and management overhead. Because security is the top priority in HCLS, it's important to understand how AWS divides responsibility between itself and the customer under its shared responsibility model.
- The customer is responsible for "Security in the Cloud": protecting all data including PHI, identity and access management, permissions, network configuration, encryption settings, applications, operating systems and patching. These are the areas under the customer's control, and they are where the customer's HIPAA compliance is won or lost.
- AWS is responsible for "Security of the Cloud": protecting the infrastructure (hardware, software, networking, and facilities) that runs all of the services offered in the AWS Cloud. This is the layer on which AWS offers its HIPAA-eligible services; using an eligible service does not by itself make your workload compliant.
AWS Business Associate Agreements for HIPAA-eligible Services
HIPAA requires a Business Associate Agreement (BAA) between a covered entity and any third party that creates, receives, maintains or transmits PHI on its behalf. The BAA establishes each party's liability under HIPAA, clarifies and limits the permissible uses and disclosures of PHI, and sets the safeguards the business associate must maintain. Under HIPAA, cloud service providers such as AWS are business associates, so if you host an application or data governed by HIPAA on AWS, you need a BAA with AWS. AWS offers its BAA as a self-service agreement through AWS Artifact. Two practical caveats: the AWS BAA covers only the services on AWS's HIPAA Eligible Services Reference, so PHI must be stored and processed only in those services, and the same BAA obligation flows down to any partner or subcontractor that handles PHI for you.
So it makes sense for businesses in the HCLS space to use AWS as the infrastructure partner of choice so that they can both maintain HIPAA compliance while also spending more resources on their core competencies.
Below are a few additional reasons why AWS is the ideal infrastructure for HCLS applications.
Allows Rapid Innovation with Security Compliance
AWS has a wide variety of managed services that are HIPAA-eligible like RDS and SQS. Leveraging AWS also allows you to rapidly build an application that’s reliable, fault-tolerant and highly available. AWS provides the hardware and software needed to create these environments with just a few clicks in the console. And with DevOps automation, software developers can build a Continuous Integration (CI) / Continuous Deployment (CD) pipeline while ensuring that the infrastructure remains compliant.
Enforces Essential HIPAA-Compliance with Encryption
Every service on the HIPAA Eligible Services list that stores or processes PHI offers native encryption, typically backed by AWS Key Management Service (KMS). The AWS BAA also requires customers to encrypt PHI in transit and at rest, consistent with Department of Health and Human Services guidance. Encryption is therefore a customer-side control under the shared responsibility model: it must be configured, enforced and verified on each resource that holds PHI, not assumed.
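As an added, illustrative example (not code from the original post or from Mission), the script below builds an S3 bucket policy that turns the two BAA encryption requirements into hard controls: every request must use TLS (encryption in transit) and every upload must request SSE-KMS with a designated customer managed key (encryption at rest). It also includes a small local evaluator so you can see which sample requests the Deny statements catch before applying the policy. The bucket name and KMS key ARN are placeholders, and the evaluator models only the two condition operators used here; it is not a full IAM policy engine.

```python
"""Added example: S3 bucket policy enforcing PHI encryption in transit and at rest,
plus a simplified local evaluation of its Deny statements against sample requests.
Bucket name and KMS key ARN are placeholders (assumptions), not real resources.
"""
import json

# Placeholder identifiers used throughout the example.
BUCKET = "example-phi-bucket"
KMS_KEY_ARN = ("arn:aws:kms:us-east-1:111122223333:key/"
               "00000000-0000-0000-0000-000000000000")


def build_phi_bucket_policy(bucket: str, kms_key_arn: str) -> dict:
    """Return the bucket policy as a dict; json.dumps() it for put-bucket-policy."""
    objects = f"arn:aws:s3:::{bucket}/*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # In transit: refuse any request that did not arrive over TLS.
                "Sid": "DenyInsecureTransport",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": [f"arn:aws:s3:::{bucket}", objects],
                "Condition": {"Bool": {"aws:SecureTransport": "false"}},
            },
            {   # At rest: uploads must explicitly request SSE-KMS.
                "Sid": "DenyNonKmsUploads",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": objects,
                "Condition": {"StringNotEquals": {
                    "s3:x-amz-server-side-encryption": "aws:kms"}},
            },
            {   # At rest: and they must use the designated customer managed key.
                "Sid": "DenyWrongKmsKey",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": objects,
                "Condition": {"StringNotEquals": {
                    "s3:x-amz-server-side-encryption-aws-kms-key-id": kms_key_arn}},
            },
        ],
    }


def denied_by(policy: dict, action: str, context: dict) -> list:
    """Return the Sids of Deny statements that match a request.

    `context` holds the request's condition keys (e.g. "aws:SecureTransport").
    Mirrors IAM's rule that a negated operator (StringNotEquals) matches when the
    condition key is absent from the request, so an upload that omits the SSE
    header is denied just like one naming the wrong algorithm. Only the Bool and
    StringNotEquals operators used above are modelled.
    """
    hits = []
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if not any(a == action or a == "s3:*" for a in actions):
            continue
        matched = True
        for op, clauses in stmt["Condition"].items():
            for key, want in clauses.items():
                have = context.get(key)
                if op == "Bool":
                    # Non-negated operator: a missing key never matches.
                    matched &= have is not None and str(have).lower() == want
                elif op == "StringNotEquals":
                    # Negated operator: a missing key (None) counts as "not equal".
                    matched &= have != want
        if matched:
            hits.append(stmt["Sid"])
    return hits


if __name__ == "__main__":
    policy = build_phi_bucket_policy(BUCKET, KMS_KEY_ARN)
    print(json.dumps(policy, indent=2))
    # Constructed sample request: a plain-HTTP upload with no SSE headers.
    print(denied_by(policy, "s3:PutObject", {"aws:SecureTransport": "false"}))
```

Apply it with `aws s3api put-bucket-policy --bucket example-phi-bucket --policy file://policy.json` (substituting your own bucket and key). Two design notes: because `StringNotEquals` also matches when the header is absent, clients must send the SSE-KMS headers explicitly even if the bucket has default encryption configured; and a Deny statement only removes access, so principals still need an explicit Allow in their IAM policies to read or write PHI objects at all.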
Enables Detailed Logging and Auditing
With AWS, you can detect suspicious access quickly and keep detailed, centralized records of it: services such as AWS CloudTrail record API activity against your account, and the resulting logs can be stored durably in case they need to be audited at a future date. Enabling that logging, centralizing it and protecting it from tampering is the customer's job under the shared responsibility model, so treat it as a control to configure and verify, not a default.
Provides Real-Time Backup and Disaster Recovery
AWS provides reliable, continuous backup and Disaster Recovery (DR) options that are ready to go, with real-time access and real-time data replication. This is critical in HCLS because in some cases the service you provide can have life-or-death implications.
Where Mission Fits in
Mission is an AWS Advanced Consulting Partner and holds both the healthcare and the life sciences competencies. We have a BAA in place with AWS and have long been recognized by AWS as an expert in designing and implementing solutions for the needs of healthcare and life sciences companies. To learn more about how we can help your organization become HIPAA-compliant and prepare for HITRUST certification, talk to one of our specialists today.