For any healthcare provider preparing to embark on a major migration from an on-premises data center to the Cloud, data security is a key concern. Achieving compliance with HIPAA regulations for processing and managing Protected Health Information (PHI) requires careful planning and execution. Healthcare providers face the additional pressure of knowing that they are one of the most targeted industries for data breaches. According to the Data Security Incident Response Report from the law firm Baker & Hostetler, healthcare systems account for around one-fourth of all U.S. cyber attacks.
While achieving HIPAA compliance can be challenging, three key resources are available to help healthcare providers reach their goal.
- HITRUST CSF® is a comprehensive framework that organizations can use to guide their compliance and risk strategy.
- AWS provides a wide range of cloud services that can be deployed to meet HIPAA requirements.
- A consulting partner with AWS Healthcare Competency has the expertise to help healthcare providers architect an AWS cloud environment to securely process, maintain, and store protected health information.
A brief explanation will help you understand how each of these plays a critical role in achieving HIPAA compliance in a cloud environment.
HITRUST CSF Compliance and Risk for Healthcare
No single data security standard addresses the diversity of industry, government, and technical requirements. However, widely accepted standards defined by ISO, NIST, PCI, HIPAA, PDPA, and GDPR provide a well-reasoned foundation for defining enterprise security architectures.
The HITRUST CSF (Health Information Trust Alliance Common Security Framework) builds on these standards to create a single overarching information privacy and security framework. The HITRUST CSF is commonly adopted by healthcare providers. By normalizing widely accepted security standards, HITRUST CSF allows an organization to modify the security control baselines to support a healthcare provider’s unique industry, size, systems, and regulatory requirements.
AWS Cloud Services Support HITRUST CSF
AWS Cloud is used by an ever-growing number of healthcare providers to achieve compliance with HITRUST CSF. AWS supports the HITRUST Common Security Framework (CSF) via a shared responsibility model: AWS manages security of the cloud (the underlying environment and infrastructure), and the client is responsible for security in the cloud (how its own workloads, data, and configurations are protected). In other words, AWS provides and manages the compliance-ready cloud infrastructure and a wide range of services, tools, and controls that clients can use to secure workloads, deploy critical applications, and meet their compliance requirements in the AWS Cloud. AWS capabilities include:
- Amazon Elastic Compute Cloud (EC2) to build and manage reliable, scalable, and cost-effective healthcare applications in the Cloud.
- Amazon Redshift to support high-volume data needs via a petabyte-scale data warehouse service in the Cloud.
- AWS Key Management Service (KMS) and/or AWS CloudHSM appliances to support encryption for data “at rest” (storage, backups, temporary, and cache files) as well as data “in motion” within and outside of a virtual private network.
- Amazon CloudWatch to monitor, store, and access log files from Amazon EC2 instances and other sources. Log data is encrypted in transit and at rest, avoiding the need to re-encrypt PHI created by other services.
The HITRUST CSF and AWS services and tools provide a powerful combination of capabilities to help healthcare providers migrate to the cloud. However, one additional resource is required to ensure a successful migration—an AWS Competency Partner.
AWS Healthcare Competency Partner
An AWS Healthcare Competency Partner provides proven technical expertise in building secure, scalable, innovative healthcare solutions in the AWS cloud. By applying their knowledge of the HITRUST CSF and deep experience in implementing AWS capabilities, an AWS Competency Partner uses the HITRUST CSF assessment tool to identify the required security and privacy controls. Based on this assessment, they then implement the corresponding AWS services, tools, and controls. The partner can also coordinate additional activities such as working with third-party auditors to test and verify the solution and submit the results to HITRUST for review and certification.
Cloud Migration: Complex, But Achievable With the Right Resources
A cloud migration initiative is a major undertaking, but the complexity can be significantly diminished with the help of the right resources. The HITRUST CSF provides a well-developed framework to guide healthcare providers’ privacy and security strategies. AWS offers proven capabilities in securely supporting healthcare providers’ data and workload needs in a cloud environment. An AWS Healthcare Competency Partner provides the knowledge and experience to apply the HITRUST CSF to the unique needs of a healthcare provider and implement AWS services, tools, and controls to achieve HIPAA-compliant solutions.