The following is a guest post by Dave Rocamora, VP of DevOps, Control Group
A lot of businesses are looking to cloud computing to increase flexibility, to reduce infrastructure costs, and to innovate their IT practices. If you aren’t already evaluating cloud computing as part of your next solution, it’s time to at least take a look.
There are a number of benefits to going with a public cloud provider like Amazon Web Services (AWS). But when it comes to privacy, is the public cloud capable of meeting the HIPAA physical and technical safeguards?
At Control Group, I do a lot of work with the cloud and HIPAA compliance. AWS provides clear documentation, strong infrastructure building blocks, and plenty of third-party tools and integrations that make it an excellent choice for HIPAA-compliant applications.
AWS is an Infrastructure as a Service (IaaS) provider. They provide the cloud computing building blocks for their customers to use when putting together their solutions. With a shared responsibility approach, AWS is responsible for security of the physical world, from the data centers filled with servers all the way up to the hypervisor. AWS customers are responsible for security from the operating system up. This frames the AWS approach to HIPAA: since AWS only interfaces with things at a low level, they don’t have access to the data. This makes them more like the post office than a party that is working with the PHI. It’s for this reason that AWS doesn’t sign Business Associate Agreements (BAAs).
Amazon’s position on HIPAA compliance is that their platform can support HIPAA-compliant applications if they are built properly. Amazon’s policies handle the physical safeguards pretty well. Their data centers are secured and hold a number of certifications. They separate the people with physical access to the computers from those who have logical access to the things running on them. Most people at AWS don’t even know where the data centers are located!
The technical safeguards require a little more customer involvement. The shared responsibility model means that AWS will only handle things from the hypervisor down; it’s up to the customer to implement the proper safeguards.