How to Assure HIPAA Compliance in the Cloud

Major cloud service providers like Amazon’s AWS or Microsoft’s Azure make it easy to launch a server with the click of a mouse. You get “on demand” infrastructure without buying equipment. What you don’t get is management and administration of your services: server configuration support is “do it yourself”, and so is compliance support. You still have to manage most of the security yourself, including user administration and application and operating system updates, among other things.

The Shared Responsibility Model in Amazon Web Services (AWS)

In AWS, you are responsible for a great deal of the compliance. See Figure 1 below for the details.

Figure 1. AWS Shared Responsibility Model (from AWS)


AWS and Azure provide the datacenter hardware infrastructure (the datacenter’s power systems, physical servers, network connections, switches, and routers). To achieve full compliance, you can hire a managed cloud provider such as IXN.com, A.J. Boggs’ managed hosting service; the IXN Team is very experienced in managing compliant solutions. If your solution uses an AWS or Azure service, you need to verify that the specific service is HIPAA compliant (not all of their services are). Security has many dimensions, such as access controls and permissions in databases, that require configuration management. Firewalls, vulnerability scans, OWASP reviews, and operating system (OS) updates all need to be managed. In fact, Amazon clearly states in its HIPAA Security Controls Reference that “AWS does not provide legal or compliance advice. Customers are solely responsible for determining and complying with their obligations.” They give you the servers and other services, but you must manage them for compliance.

Microsoft Azure’s Security Development Lifecycle

Microsoft’s Azure has implemented security in a similar fashion to AWS. Figure 2 below shows Microsoft’s Security Development Lifecycle (SDL) phases.

Figure 2. Microsoft® Security Development Lifecycle (SDL)

So, is AWS or Azure HIPAA compliant? They “can be used in a way that satisfies HIPAA Rules, but note that it is the responsibility of the covered entity to ensure the service is configured and used correctly and staff are trained on its use” (from The HIPAA Journal).

Compliant Hosting with IXN Managed Services

IXN offers compliant hosting, managing your services so you can focus on your business. The IXN Team tracks, monitors, and coordinates deployments and operations, including continual vulnerability scanning, user support, and other compliance services. If you need to call someone to sort out an issue, the IXN Team is there 24x7x365. The major cloud providers offer the servers, but their technical support is often a web page of Frequently Asked Questions (FAQ). Discover the difference at www.ixn.com.
