The Forecast is Cloudy for HIPAA-Covered Entities

Kenneth Johnson / November 20, 2014

As the popularity of all things “cloud” skyrockets, more and more industries are considering adopting cloud technology. For the healthcare industry, HIPAA compliance presents some unique obstacles to enjoying the benefits of cloud IaaS. Beyond the safeguards that apply to all handling of PHI, two conditions in particular give would-be cloud adopters pause. Strictly speaking, neither is spelled out in the HIPAA text itself: the first is a condition that AWS's Business Associate Agreement imposes on any instance that processes PHI, and the second is an “addressable” safeguard under the Security Rule that in practice every covered entity is expected to meet:

  • All applications that process PHI (and the PII that accompanies it) must run on hardware dedicated to a single customer, not on hosts shared with other tenants; and
  • All such data must be encrypted at rest and in transit.

As a result of these requirements, many healthcare IT managers shy away from taking advantage of cloud solutions. After all, the essence of cloud computing is the efficiency of hosting multiple guests on shared hardware. Plus, it is not always clear what level of encryption is supported by cloud IaaS providers.

Some leading cloud providers, most notably AWS, have addressed the first problem with single-tenant hardware. On AWS these are EC2 Dedicated Instances: set the instance's tenancy attribute to “dedicated”, either per instance at launch or as the default tenancy of the VPC so that nothing launched into it can fall back to shared hosts, and the placement logic guarantees that no other customer's workloads run on the same physical server. Taking advantage of this is as easy as choosing the tenancy option when launching. There is a per-region fee for this service (right now about $1,400 per month on AWS, billed hourly while at least one dedicated instance is running in the region) but the customer pays only one fee that covers all workloads in that region. Once this fee is paid, the incremental per-hour charge to have each instance guaranteed to run on dedicated hardware is minimal.

Additionally, AWS offers server-side encryption of data at rest on its storage products including S3, EBS and others. The cipher in each case is 256-bit AES; the 2048- and 4096-bit figures that are sometimes quoted are RSA key lengths for TLS certificates and SSH key pairs, where most customers opt for 2048-bit keys for performance and browser compatibility reasons. Data in transit is covered by the standard mechanisms: HTTPS (TLS) to every service endpoint, IPsec VPN tunnels into a VPC, and so on. AWS offers its own encryption services including the method, key storage and key management, but also allows customers to implement their own encryption and supports varying degrees of control over and management of encryption keys. The following diagram illustrates the combinations of encryption method, key storage and key management supported by AWS, from fully customer-controlled (client-side encryption with keys the customer generates and stores) to fully AWS-managed (server-side encryption with AWS-managed keys):
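The two preceding paragraphs describe controls (single-tenant hardware, encryption of data at rest) that are easy to switch on and just as easy to miss on one instance or volume, so a practitioner will want to verify them continuously rather than trust the launch-time click. The following is an added audit example, not code from the article, from Blue Sentry or from AWS. It works over constructed sample data shaped like the responses of boto3's `ec2.describe_instances()` and `ec2.describe_volumes()`; the VPC and resource identifiers are hypothetical, and a live audit would swap the samples for the real calls noted in the docstring.

```python
"""Audit a PHI environment for two controls: every EC2 instance in the PHI VPC
runs with single-tenant ('dedicated' or 'host') tenancy, and every EBS volume
attached to those instances is encrypted.

The responses below are constructed samples shaped like boto3's
ec2.describe_instances() and ec2.describe_volumes() results. A live audit
would fetch them (paginating where needed) with:

    import boto3
    ec2 = boto3.client("ec2", region_name="us-east-1")
    instances = ec2.describe_instances()
    volumes = ec2.describe_volumes()

Compliant resources are created with, for example:
    aws ec2 create-vpc --cidr-block 10.0.0.0/16 --instance-tenancy dedicated
    aws ec2 run-instances ... --placement Tenancy=dedicated
    aws ec2 create-volume ... --encrypted
"""
from typing import Iterator

# Hypothetical identifier of the VPC that holds PHI workloads.
PHI_VPC_ID = "vpc-0a1b2c3d4e5f60000"

# Tenancy values that place an instance on hardware used by one customer only.
SINGLE_TENANT = {"dedicated", "host"}


def _instance(instance_id, vpc_id, tenancy, volume_ids, state="running"):
    """Build one instance record in describe_instances() shape (constructed)."""
    return {
        "InstanceId": instance_id,
        "VpcId": vpc_id,
        "State": {"Name": state},
        "Placement": {"Tenancy": tenancy, "AvailabilityZone": "us-east-1a"},
        "BlockDeviceMappings": [
            {"DeviceName": f"/dev/xvd{chr(ord('a') + n)}", "Ebs": {"VolumeId": vid}}
            for n, vid in enumerate(volume_ids)
        ],
    }


# Constructed sample: one compliant instance, one launched with shared tenancy
# (and an unencrypted data volume), one in an unrelated VPC, one terminated.
DESCRIBE_INSTANCES = {
    "Reservations": [
        {"Instances": [
            _instance("i-0a1b2c3d4e5f60001", PHI_VPC_ID, "dedicated", ["vol-0aaa0001"]),
            _instance("i-0a1b2c3d4e5f60002", PHI_VPC_ID, "default",
                      ["vol-0aaa0002", "vol-0aaa0003", "vol-0aaa0005"]),
            _instance("i-0a1b2c3d4e5f60003", "vpc-0ffffffffffff0000", "default",
                      ["vol-0aaa0004"]),  # other VPC: out of scope
            _instance("i-0a1b2c3d4e5f60004", PHI_VPC_ID, "default", [],
                      state="terminated"),  # gone: out of scope
        ]}
    ]
}

# Constructed sample: vol-0aaa0005 is deliberately absent (attached but unreported).
DESCRIBE_VOLUMES = {
    "Volumes": [
        {"VolumeId": "vol-0aaa0001", "Encrypted": True,
         "KmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/11111111-2222-3333-4444-555555555555"},
        {"VolumeId": "vol-0aaa0002", "Encrypted": True},
        {"VolumeId": "vol-0aaa0003", "Encrypted": False},
        {"VolumeId": "vol-0aaa0004", "Encrypted": False},
    ]
}


def phi_instances(instances_resp: dict, vpc_id: str) -> Iterator[dict]:
    """Yield non-terminated instances in the PHI VPC from a describe_instances() response."""
    for reservation in instances_resp.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            if inst.get("VpcId") != vpc_id:
                continue
            if inst.get("State", {}).get("Name") == "terminated":
                continue
            yield inst


def tenancy_findings(instances_resp: dict, vpc_id: str) -> list[str]:
    """IDs of PHI-VPC instances that are not on single-tenant hardware.

    A missing Placement.Tenancy is treated as 'default' (shared hosts), which
    is what EC2 assumes when nothing is specified at launch.
    """
    return sorted(
        inst["InstanceId"]
        for inst in phi_instances(instances_resp, vpc_id)
        if inst.get("Placement", {}).get("Tenancy", "default") not in SINGLE_TENANT
    )


def volume_findings(instances_resp: dict, volumes_resp: dict, vpc_id: str) -> list[str]:
    """IDs of EBS volumes attached to PHI-VPC instances that are not encrypted.

    A volume that is attached but absent from describe_volumes() cannot be
    verified, so it is reported as well: the audit fails closed.
    """
    attached = {
        bdm["Ebs"]["VolumeId"]
        for inst in phi_instances(instances_resp, vpc_id)
        for bdm in inst.get("BlockDeviceMappings", [])
        if "Ebs" in bdm
    }
    encrypted = {v["VolumeId"]: bool(v.get("Encrypted")) for v in volumes_resp.get("Volumes", [])}
    return sorted(vid for vid in attached if not encrypted.get(vid, False))


def audit(instances_resp: dict, volumes_resp: dict, vpc_id: str = PHI_VPC_ID) -> dict:
    """Return all findings; an empty list under each key means the control holds."""
    return {
        "shared_tenancy_instances": tenancy_findings(instances_resp, vpc_id),
        "unencrypted_volumes": volume_findings(instances_resp, volumes_resp, vpc_id),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(audit(DESCRIBE_INSTANCES, DESCRIBE_VOLUMES), indent=2))
```

Two design choices are worth noting. The audit scopes by VPC rather than by tag, because a default-tenancy VPC lets an instance silently land on shared hardware no matter how it is tagged, so the VPC boundary is the thing to police; and a volume that the account cannot account for is treated as a finding rather than ignored, since an auditor who assumes missing data is fine has no evidence either way.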

[Diagram from the AWS whitepaper: encryption method, key storage and key management options across AWS storage services]

The above diagram is lifted from an AWS whitepaper which explains in detail how encryption works and which encryption products are recommended and supported across all of its storage platforms. Read the full white paper here.

Fortunately for companies in the healthcare space, HIPAA compliance is not only achievable in the cloud but, with features like these, becomes easier and cheaper there. Combine these features with automatic replication of stored objects across availability zones (S3 is designed for eleven 9's, 99.999999999%, of durability), Direct Connect options that keep traffic off the public internet altogether, and the substantial cost savings that are possible, and cloud IaaS becomes a no-brainer for HIPAA. Both AWS and Microsoft Azure will also enter into Business Associate Agreements (BAAs) with covered entities. Keep in mind that a BAA covers the provider's share of the responsibility; configuring tenancy, encryption, access control and audit logging correctly remains the covered entity's job, and the BAA will spell out which services may hold PHI and how they must be configured. To see the terms of these agreements you need to contact a cloud partner, like Blue Sentry, who can facilitate an NDA with either entity, allowing them to share the terms of their respective agreements.

In addition to HIPAA, it is also worth noting that AWS is currently the only provider certified by the Centers for Medicare and Medicaid Services for the storage of Affordable Care Act data. To read more about that, go here.

Blue Sentry is an advanced-tier Amazon Web Services (AWS) consulting partner specializing in application and data migrations, expert managed services and virtual desktops. Blue Sentry serves clients globally, with operations in North Carolina and South Carolina.