Public clouds are growing in popularity. According to a recent HIMSS Analytics survey, 83 percent of healthcare organizations are already using cloud-based resources. But what about HIPAA/HITECH? How much risk do you assume when transmitting Protected Health Information (PHI) over the public internet for storage in a public cloud?
This article will examine what you need to know about HIPAA/HITECH compliance in a public cloud. We’ll focus specifically on the two leading public cloud providers, AWS and Azure. Then I’ll go into some considerations you’ll need to think about before you make the leap to the public cloud.
What You Need to Know
Have questions about moving your PHI workloads to the public cloud on Azure or AWS? The first thing you need to know is that no cloud platform, public or otherwise, is inherently HIPAA compliant. That’s probably not news to you, but it needs to be said. Secondly, Azure and AWS can absolutely be used to build a HIPAA/HITECH compliant environment, but that environment must be set up and maintained by seasoned staff with expertise in both HIPAA/HITECH compliance and the platform(s) you choose. In our opinion, neither Azure nor AWS is inherently better for the healthcare industry. At a high level, both cover the basics, though sometimes in slightly different ways:
Shared Responsibility Model
Both Azure and AWS follow what they call a “shared responsibility model.” AWS draws the line between security “of” the cloud and security “in” the cloud. AWS handles the security of the underlying infrastructure, including the physical security of the data center itself. The customer is responsible for everything built on top of it: operating system patching, identity and access management, network configuration, encryption of data at rest and in transit, and the applications themselves.
Azure’s shared responsibility model reflects the broader space Microsoft occupies in the market. For example, Microsoft also offers SaaS business applications such as Office 365 and Dynamics 365. For those services, responsibility for identity and access management is shared between Microsoft and the customer, whereas for infrastructure services such as virtual machines the customer carries essentially the same responsibilities as on AWS.
Direct, Private Connections
Both Azure and AWS offer direct, private connections that bypass the public internet. This reduces the exposure of PHI in transit between your premises and the cloud. However, it does NOT eliminate the need for encryption: neither link encrypts traffic by default, so data on the wire still needs TLS, IPsec, or an equivalent control. Azure’s ExpressRoute is generally marketed as a “high availability” option, offering greater reliability, higher throughput, and lower latency than standard internet connections. AWS offers Direct Connect, a similar though not identical way to link directly to your AWS environment. Also marketed as a high availability solution, AWS touts it as a way for bandwidth-heavy workloads to reduce data transfer costs.
To be clear, HIPAA/HITECH compliance does not explicitly require a direct, private connection to your public cloud. What it does require is a risk assessment and the mitigation of the risks it identifies. So, if PHI for which you are responsible is stolen and the cause is found to be an unmitigated weakness in your public internet connection, you could still be held liable. We highly recommend that you not leave anything to chance and use either Direct Connect or ExpressRoute when deploying PHI workloads in a public cloud.
Virtual Private Cloud
Both AWS and Azure also offer a virtual private cloud (VPC on AWS, a virtual network or VNet on Azure): a logically isolated section of their cloud with its own address space, subnets, and routing that is yours and yours alone. Again, while not expressly required by HIPAA/HITECH, we highly recommend placing PHI workloads in a VPC with no direct route to the public internet as part of your risk mitigation. Keep in mind that a VPC by itself does not make you compliant; it is one control among the access, encryption, and logging controls your risk assessment calls for.
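As an added example that is not from the original article, here is a Terraform layout on AWS (one of the two providers discussed) that applies the two points above: the VPC has a private subnet with no internet gateway or NAT gateway, S3 is reached over a gateway endpoint so storage traffic never leaves the AWS network, and the bucket policy still refuses any request that is not over TLS, since a private path does not remove the need for encryption. The region, CIDR ranges, resource names, and bucket name are illustrative assumptions.

```hcl
# Added example, not code from the original article. Region, CIDRs, names and
# the bucket name are assumptions chosen for illustration.
terraform {
  required_providers {
    aws = { source = "hashicorp/aws" }
  }
}

provider "aws" {
  region = "us-east-1" # assumption
}

# The isolated network. No aws_internet_gateway and no aws_nat_gateway are
# declared, so nothing in the private subnet has a path to the public internet.
resource "aws_vpc" "phi" {
  cidr_block           = "10.20.0.0/16"
  enable_dns_support   = true
  enable_dns_hostnames = true
  tags                 = { Name = "phi-vpc" }
}

resource "aws_subnet" "phi_private" {
  vpc_id                  = aws_vpc.phi.id
  cidr_block              = "10.20.1.0/24"
  map_public_ip_on_launch = false
  tags                    = { Name = "phi-private" }
}

# Private route table: only the implicit local route plus the S3 prefix-list
# route that the gateway endpoint below adds.
resource "aws_route_table" "phi_private" {
  vpc_id = aws_vpc.phi.id
}

resource "aws_route_table_association" "phi_private" {
  subnet_id      = aws_subnet.phi_private.id
  route_table_id = aws_route_table.phi_private.id
}

# Gateway endpoint: S3 calls from the subnet stay on the AWS network.
resource "aws_vpc_endpoint" "s3" {
  vpc_id            = aws_vpc.phi.id
  service_name      = "com.amazonaws.us-east-1.s3"
  vpc_endpoint_type = "Gateway"
  route_table_ids   = [aws_route_table.phi_private.id]
}

resource "aws_s3_bucket" "phi" {
  bucket = "example-phi-records-bucket" # assumption; bucket names are global
}

resource "aws_s3_bucket_public_access_block" "phi" {
  bucket                  = aws_s3_bucket.phi.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# Encryption at rest with a customer-managed KMS key that rotates.
resource "aws_kms_key" "phi" {
  description         = "PHI bucket key"
  enable_key_rotation = true
}

resource "aws_s3_bucket_server_side_encryption_configuration" "phi" {
  bucket = aws_s3_bucket.phi.id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm     = "aws:kms"
      kms_master_key_id = aws_kms_key.phi.arn
    }
  }
}

# Encryption in transit is enforced regardless of path: the first statement
# denies any request not made over TLS; the second denies object reads and
# writes that did not arrive through the VPC endpoint above.
resource "aws_s3_bucket_policy" "phi" {
  bucket = aws_s3_bucket.phi.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid       = "DenyInsecureTransport"
        Effect    = "Deny"
        Principal = "*"
        Action    = "s3:*"
        Resource  = [aws_s3_bucket.phi.arn, "${aws_s3_bucket.phi.arn}/*"]
        Condition = { Bool = { "aws:SecureTransport" = "false" } }
      },
      {
        Sid       = "DenyObjectAccessOutsideVpcEndpoint"
        Effect    = "Deny"
        Principal = "*"
        Action    = ["s3:GetObject", "s3:PutObject"]
        Resource  = "${aws_s3_bucket.phi.arn}/*"
        Condition = { StringNotEquals = { "aws:sourceVpce" = aws_vpc_endpoint.s3.id } }
      }
    ]
  })
}
```

The second policy statement is deliberately limited to object reads and writes rather than `s3:*`, so that bucket administration (including the `PutBucketPolicy` call Terraform itself makes) still works from outside the VPC; widening it to `s3:*` would lock the bucket against its own operators. Treat the block as the network and storage slice of a deployment only: logging, IAM scoping, and the rest of the controls from your risk assessment are still required.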
Business Associate Agreements
Last but not least, both Microsoft and AWS offer signed Business Associate Agreements (BAA), something that IS required for HIPAA/HITECH compliance whenever a provider stores or processes PHI on your behalf. Note that each provider’s BAA covers only a defined list of services, so confirm that every service you plan to place PHI in is on that list. On a related note, even if you decide the public cloud is not for you and prefer to house your workloads on a private, hosted cloud managed by a cloud service provider, you still need a signed BAA from that provider.
The Devil is in the Details
You can set up a HIPAA/HITECH environment, but whether or not you should is another matter altogether. We tell clients to consider two important questions before migrating their workloads to a public cloud:
Are your applications fit for the public cloud?
If you have a legacy application that handles PHI and wasn’t designed for the cloud, the public cloud may be too risky. Older applications often lack the controls secure cloud computing depends on, such as encrypted transport, modern authentication, and up-to-date dependencies, and the problem is worse if the application hasn’t been updated in a while. Before migrating such an application to any cloud environment, public or private, consider upgrading to a newer, cloud-ready version.
Do you have the expertise and bandwidth?
More and more, this is the issue faced by the customers we help. First, the HIPAA Security Rule requires covered entities and their business associates to conduct a risk analysis and to review it periodically; annual is the common practice, and more often is recommended. Any change to your IT infrastructure, especially the migration of workloads to the cloud, should trigger a new HIPAA security assessment. Properly conducting that assessment requires more than the cursory knowledge of the environment you can gain from reading blog posts like this one.
Once you’ve decided the risks can be mitigated, you need experts who can set up your cloud environment to address those concerns. Both AWS and Azure have numerous optional offerings that can help with compliance, but unless the implementer understands the various options, it’s easy to miss something.
Finally, once your site goes live, you need to remain vigilant with log monitoring, access controls, and regular security assessments to address any risks introduced by changes to your infrastructure, such as the introduction of a new mobile app or the rollout of a patient portal. And, of course, you need someone who stays on top of all new and proposed changes to the HIPAA/HITECH regulations, including new interpretations of the rules.
Contact Connectria with any questions. While the above may seem like a tall order, a qualified cloud provider like us can help.