HIPAA Compliance on AWS

What is AWS?

Amazon Web Services (AWS), like Microsoft Azure, Google Cloud, or IBM Softlayer, provides infrastructure-as-a-service (IaaS) in the form of a Public Cloud. In a Public Cloud, the data centers are owned and managed by the cloud provider but are made available through a shared service model to the general public or industry groups.

Healthcare developers often prefer public clouds like AWS since pay-as-you-go pricing models provide economies of scale and the same levels of security and compliance can be achieved today as on private clouds.

How does the Datica Platform work with AWS?

AWS is an Infrastructure as a Service (IaaS) offering. Datica is a Platform as a Service (PaaS) company and Datica is an APN Healthcare Partner of Amazon AWS. Our PaaS requires an IaaS, and we use AWS by default at all levels of our platform. At the enterprise-level, the Datica Platform is also available on multiple clouds including Microsoft Azure, Rackspace, or IBM SoftLayer. When it comes down to it, we basically make AWS easier to use for the healthcare developer market. It’s less expensive, less time-intensive, less risky, and a better experience to use Datica to reap the benefits of AWS than for makers of digital health applications to deploy on AWS directly.

Datica supports three types of AWS customers:

1. Those who just want to use a multi-tenant cloud. These organizations are Datica customers and are on Datica’s AWS account.
2. Those who need dedicated resources like VMs. These organizations are Datica customers and are on Datica’s AWS account.
3. Those who already have their own AWS Account and want to install some of Datica’s technology on it, which we call “On-Account” customers. These organizations have both Datica and AWS accounts.

Is AWS HIPAA Compliant?

Being compliant with the U.S. Health Insurance Portability and Accountability Act (HIPAA) is not easily defined. So, is AWS HIPAA compliant? Yes! But, to be clear, just because AWS is HIPAA compliant and your application runs on AWS doesn’t mean that you are HIPAA compliant too. Here’s where it gets complicated. AWS is HIPAA compliant exactly to the extent they are required to be at the infrastructure level and as spelled out in their Business Associate Agreement (BAA).

You’re not building infrastructure though, you are building an application and that adds greatly to the list of HIPAA controls that apply to you. In other words, the specific subset of the hundreds of HIPAA controls that apply to your company and product is a different subset than those that apply to AWS. To be deemed HIPAA compliant, and prove that with a HITRUST Certification, you only need to comply with the subset of controls that apply in your case.

Those additional controls vary depending on your specific case but, generally, include additional infrastructure-level controls, application-level controls and controls at the company level. AWS has what they call a shared responsibility model which means when you build your application directly on top of AWS, you have to take it the other 90% of the way toward HIPAA compliance.

Datica’s platform includes AWS and takes you the rest of the way down the path toward full HIPAA compliance at the infrastructure level, and further down the path toward compliance at the company and application levels so you can focus on the functionality of your application and not on compliance. With Datica, you get a compliant platform for deploying and managing critical healthcare applications in the cloud.

Does HIPAA Matter on AWS?

HIPAA kicks in when a digital health product handles Protected Health Information (PHI). There are several different categories of PHI, like someone’s name, home address, or phone number. When a digital health product stores, processes, or transmits PHI, HIPAA asserts rules as to how it should handle a multitude of security, privacy, and policy procedures, called “controls”. In HIPAA terms, there are physical, technical, and administrative “safeguards”. Datica manages the physical and technical safeguards of HIPAA at the infrastructure-level, leaving you to the administrative HIPAA safeguards, which are almost always custom to your organization, and a few remaining technical safeguards within your application code itself. Thus, Datica provides more than two-thirds of what it takes to be HIPAA compliant. Demonstrating that a company and its digital health product meets all those controls is how it can call itself compliant.

Understanding AWS Primitives

AWS offers about 53 different services, or cloud primitives, to provide a great amount of flexibility in order to make it possible for any AWS healthcare developer to bundle what they need for their application’s infrastructure. Some well-known examples of these services are Amazon EC2, Amazon S3, and Amazon RDS. We bundle a subset of those 53 primitives (a majority of the 37 that are HIPAA-eligible services like CloudTrail (for logging) and S3 (for object storage) together into the Datica Platform to address the specific use case of building, maintaining, and running a cloud-based digital health application that creates, receives, maintains, or transmits PHI in a HIPAA compliant manner.

Services Included in the Datica Platform

What is the AWS Shared Responsibility Model?

Here’s a high-level summary: The AWS shared responsibility model grants excellent security for the security OF the cloud but customers (you) are still responsible for security IN the cloud. That means, if you were to deploy your application right on AWS instead of the Datica Platform, you’d be responsible for setting up and maintaining everything beyond the basic cloud infrastructure — and that includes not only the work and expense to do that but also the risks of security for everything else.

The cloud infrastructure that AWS is responsible for includes the hardware, software, networking, and facilities that run AWS Cloud services.

• Security in the cloud (i.e. the customer’s responsibilities) is dependent on the exact application being developed and which cloud services are being used by the customer. In general, AWS customers are responsible for security, including HIPAA compliance, on all of the following:
• Client-side data encryption & Data Integrity Authentication
• Server-side encryption (file system and/or data)
• Network traffic protection (encryption, integrity, identity)
• Operating System, network, and firewall configuration
• Platform, applications, identity, and access management
• Customer Data

Customers of Datica benefit from the fact that our BAA extends the security coverage of AWS HIPAA Compliance to pick up responsibility where AWS leaves off. Another way to think of it is that AWS takes your infrastructure about 10% of the way toward HIPAA Compliance, while if you use the Datica Platform, Datica’s HIPAA mappings take you much further toward 100% compliance. That means you not only eliminate the need for the labor, expense, or time of all of the above, but you also pass the risk of security onto Datica for everything our much more extensive BAA covers.

Datica’s version of the AWS Shared Responsibility Agreement

Why the Datica Platform on AWS is the Best Option

When making the decision on whether to build out the requisite infrastructure for your application yourself vs. buying the pre-built Datica Platform that already includes AWS, here are the major points to keep in mind:

• Building all of this yourself is possible, and setting up the individual primitives is, in fact, not the hard part. Ensuring compliance while orchestrating the DevOps between all the components in an ongoing and compliant basis with each and every deployment IS the hard part. Datica does that for you.
• It’s important to understand this key point: AWS’s shared responsibility model grants excellent security for the security OF the cloud but customers (you) are still responsible for security IN the cloud. Choosing the Datica Platform means Datica picks up that responsibility and the burden of risk where AWS leaves off.
• Making each cloud primitive service HIPAA compliant might be straightforward but not if you plan to employ any modern environment paradigms — namely containerization and orchestration via Docker or Kubernetes — that require an added level of development and maintenance that isn’t achieved by simply making a single primitive compliant.

Typical Healthcare Deployment Process Comparison on AWS Directly vs. Datica

If you build everything yourself, you also shoulder the risk. In contrast, Datica’s BAA takes on all of the infrastructure-level risk. Make life easier with a single BAA from Datica.

Aligning Business Associate Agreements amongst all technology partners is a full-time job. You sign one BAA with Datica to cover the entirety of compliance in the cloud, including AWS HIPAA compliance.