
HIPAA Security Hounds... How would you view an AWS deployment that included a set of systems deployed together at AWS (within a single, secured Virtual Private Cloud), using a key to encrypt all storage, and only allowing authenticated users to access anything related to the deployment, and using SSL certificates (or IPsec VPN) to encrypt all traffic to and from the server systems?

If that does comply with the laws regarding data storage and transmission of HIPAA/HITECH, and the organization properly documents and trains its employees, are there still "open doors" from a security standpoint that should be addressed?

JoeD

1 Answer


I know we don't typically like links as answers and we don't offer legal advice, however, AWS has a white paper on HIPAA specifically at http://aws.amazon.com/about-aws/whats-new/2009/04/06/whitepaper-hipaa/. The short answer is that Amazon believes it to be legally doable.

AJ Henderson
  • Thanks AJ - While I agree with Amazon's perspective, they are publishing this as the vendor of the service itself - As a result of their configuration, they do not sign BA's with HIPAA Covered entities, so gathering opinions (and sharing any facts uncovered on this issue) could save millions of dollars for many companies housing PHI. – JoeD Jan 17 '13 at 20:39
  • @JoeD - that's true, but at the same time, if they published a white paper with significant problems in it, it would look very bad for them. IANAL, but claiming to be able to be HIPAA compliant might even have some legal bearing since they are responsible for the physical security side of things for their servers. They do also have several case studies of other companies doing it. – AJ Henderson Jan 17 '13 at 21:06
  • AWS has been signing BAAs for several years now. The BAA stipulates the subset of the AWS services that may be utilized for handling PHI. It is generally understood at this point that PHI on AWS legally requires that you sign a BAA with AWS. – Rob Aug 10 '17 at 11:49