The following is a guest post by Dave Rocamora, VP of DevOps, Control Group
A lot of businesses are looking to cloud computing to increase flexibility, to reduce infrastructure costs, and to innovate their IT practices. If you aren’t already evaluating cloud computing as part of your next solution, it’s time to at least take a look.
There are a number of benefits to going with a public cloud provider like Amazon Web Services (AWS). But when it comes to privacy, is the public cloud capable of meeting the HIPAA physical and technical safeguards?
At Control Group, I do a lot of work with the cloud and HIPAA compliance. AWS provides clear documentation, strong infrastructure building blocks, and plenty of third party tools and integration that make it an excellent choice for HIPAA compliant applications.
AWS is an Infrastructure As A Service (IAAS) provider. They provide the cloud computing building blocks for their customers to use when putting together their solutions. With a shared responsibility approach, AWS is responsible for security of the physical world from the data centers filled with servers all the way up to the hypervisor. AWS customers are responsible for security from the operating system and up. This frames the AWS approach to HIPAA: since AWS only interfaces with things at a low level, they don’t have access to the data. This makes them more like the post office than a party that is working with the PHI. It’s for this reason that AWS doesn’t sign Business Associate Agreements (BAA).
Amazon’s position of HIPAA compliance is that their platform can support HIPAA compliant applications if they are created properly. Amazon’s policies handle the physical safeguards pretty well. Their data centers are secured and compliant with a lot of certifications. They separate people with physical access to the computers from those who have logical access to the things running on them. Most people at AWS don’t even know where the data centers are located!
The technical safeguards require a little more customer involvement. The shared responsibility model means that AWS will only handle things from the hypervisor down– it’s up to the customer to implement the proper safeguards in the OS and application.
Fortunately, Amazon provides a lot of building blocks that make this possible:
- Identity and Access Management (IAM) – This allows a customer to control who can access your Amazon account and what they can do there. This can even include two-factor authentication.
- Virtual Private Cloud (VPC) – Customers can create isolated networks that are walled off from the Internet and only accessible by VPN. Customers can also create complex networking rules within a VPC to protect data.
- Plenty of encryption options – AWS provides encryption options in their S3 service and transmission security by providing SSL endpoints for all services.
- And many more – The pace of innovation at AWS is staggering. In 2012, AWS released dozens of new security features.
Also, since their customers have full control of the software from the operating system up, it’s possible to use the same security and privacy software they already use with traditional infrastructure. Even better, many of the security and privacy services that customers already use are available on the AWS Marketplace making deployment simpler than ever.
At the end of the day, security and privacy in the public cloud is not very different than what occurs with traditional infrastructure. Someone still needs to be responsible for physical security and people still need to design systems that maintain privacy and security. We’re already seeing a number of organizations (both large and small) use the public cloud as part of their HIPAA compliant solution. These organizations are gaining improvements in agility while driving down costs and remaining as secure as ever.
There’s a lot of activity in cloud computing, and the advances in services and products will continue to make it a compelling solution for any industry including healthcare. If you’re taking a closer look at your technology it’s worth evaluating cloud computing to see if it’s a fit.