All That You Should Know about HIPAA Readiness of Google Cloud & AWS Platform
Are you thinking of moving some healthcare services to the cloud? If so, you probably want to know whether Google Cloud Platform and Amazon Web Services are HIPAA-compliant.
Healthcare organizations need to know whether these platforms can be used to build applications that process protected health information (PHI) and to host the supporting infrastructure. Many healthcare providers are trying to take advantage of the cloud, and the market is expected to grow substantially in the coming years. Google Cloud and AWS are the leading HIPAA-eligible cloud platforms and hold a major share of this market. Compared with on-premises hardware, public cloud storage has several advantages: capacity can be expanded flexibly, and a large catalogue of built-in services is available on a pay-as-you-go basis, which keeps the cost of operating storage low.
This blog further explains how Google Cloud and AWS are HIPAA-compliant cloud services.
How Do You Know If Google Cloud Platform is HIPAA Compliant?
Healthcare organizations that handle PHI are identified as Covered Entities. Organizations or individuals that provide services to a Covered Entity and need access to PHI to do so are called Business Associates (BAs). PHI may be shared with a BA only after a Business Associate Agreement (BAA) has been signed.
Google Cloud Platform is considered a Business Associate when it provides services to healthcare facilities. Here is how Google meets the HIPAA requirements placed on a BA.
Google Cloud Platform signs BAA with Healthcare Organizations
GCP signs a BAA when it begins serving a healthcare organization. The agreement should specify the types of PHI the Business Associate will access and how that information will be processed, and the Google Cloud BAA should also state how PHI is to be destroyed once it is no longer needed. By signing it, Google Cloud accepts its responsibilities, as a Business Associate, for the handling and protection of PHI.
GCP’s Compliance Page Updates the List of Such Services
GCP publishes a concrete list of products and services that are covered by its BAA, and its compliance page keeps that list up to date. When planning a healthcare service on Google Cloud, use only the covered services for PHI: a service outside the list is outside the BAA, and a deployment that passes PHI through it is not covered. Ensure also that the services you offer your own users meet HIPAA requirements.
HIPAA Compliant Infrastructure on Google Cloud Platform
According to GCP's official compliance statement, the infrastructure underlying the covered services falls within the scope of its BAA, which is the basis for its HIPAA compliance. Let us examine what that means in practice.
- Data exchanged between GCP and its healthcare customers travels over encrypted channels (TLS).
- GCP provides Cloud IAM (Identity and Access Management), which assigns roles and permissions to users and service accounts so that access to PHI can be restricted to those who need it.
- GCP records administrative and data-access activity in Cloud Audit Logs. HIPAA requires user activity to be monitored and auditable, and its Security Rule requires related documentation to be retained for six years, so configure log retention and export to cover that period rather than relying on the defaults.
- GCP supports multi-factor authentication (2-Step Verification) for its accounts, requiring a one-time code or a hardware security key in addition to the password.
- GCP encrypts data at rest by default, using AES-256, and offers several key-management options on top of that.
- GCP offers Google Cloud Armor, its web application and API protection (WAAP) service, to defend web applications against common attacks and DDoS.
How to Set Up A HIPAA Compliant Environment on AWS Cloud?
Amazon Web Services provides a secure infrastructure for storing sensitive health information and signs a Business Associate Agreement (BAA) with customers that handle PHI.
Shared Responsibility Model by AWS
The shared responsibility model used by AWS also strengthens the security of this cloud infrastructure. Under it, Amazon is responsible for security of the cloud: the hardware, networking, software and physical facilities that run its services. Customers are responsible for security in the cloud: they must configure their use of AWS services to HIPAA standards. The more configuration a service leaves to the customer, the more of the required security configuration and tasks the customer takes on.
Guidelines on Implementing HIPAA-Compliant Software on AWS
Here are a few technical safeguards required by HIPAA, and how to address them when setting up a secure environment on AWS:
Access Control Model
HIPAA requires that only authenticated users access information, and only to the extent necessary for their role. AWS Identity and Access Management (IAM) provides this control over access to AWS resources.
User Authentication Requirements
Authentication verifies that the person or system using your application is who they claim to be; entity authentication is then tied to permissions, which determine what the authenticated identity may do. On AWS this starts with unique credentials per user and is strengthened with multi-factor authentication, using either a virtual or a hardware MFA device.
AWS Security Token Service (STS) issues temporary, limited-privilege credentials on request. These credentials work with IAM, so users and workloads can act under a role for a bounded time instead of holding long-lived access keys.
Data Disposal Requirements
An organization that collects PHI must also ensure that it is properly destroyed, and that storage media are cleared in line with HIPAA guidance, so that the data cannot be retrieved. On AWS, account owners can configure retention for the services they use (for example S3 lifecycle rules) so that unnecessary data is not kept and data is deleted on request.
Storage and Backup of Data
Data backup is a mandatory HIPAA requirement; it lets hospitals and patients recover PHI when the need arises. AWS Backup provides an organized, policy-based way to back up application data automatically, both for data in the cloud and on premises, and it monitors current backups and supports searching and restoring them according to your policies.
Data Security Requirements
AWS offers strong data-encryption options. Amazon S3 uses server-side encryption, in which every object is encrypted with a unique data key that is itself encrypted with a master key (envelope encryption). Amazon S3 uses the 256-bit Advanced Encryption Standard (AES-256), a widely accepted standard for protecting data at rest.
Data Encryption Requirements
For encrypting PHI, AWS Key Management Service (KMS) manages the encryption keys used by other AWS services. KMS is a HIPAA-eligible service and gives centralized control over the keys that protect customer data, including who may use each key and, through CloudTrail, an audit trail of that use.
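The access-control, MFA and encryption requirements above can be enforced on the storage side rather than left to each caller. The following S3 bucket policy is an added example written for this page; it is not taken from AWS documentation or from the original article, and the bucket name example-phi-bucket is a placeholder. It denies any request not made over TLS, any upload that does not request SSE-KMS, and any deletion from a session that did not use MFA.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyInsecureTransport",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::example-phi-bucket",
        "arn:aws:s3:::example-phi-bucket/*"
      ],
      "Condition": {
        "Bool": { "aws:SecureTransport": "false" }
      }
    },
    {
      "Sid": "DenyUnencryptedObjectUploads",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::example-phi-bucket/*",
      "Condition": {
        "StringNotEquals": { "s3:x-amz-server-side-encryption": "aws:kms" }
      }
    },
    {
      "Sid": "DenyDeleteWithoutMFA",
      "Effect": "Deny",
      "Principal": "*",
      "Action": [ "s3:DeleteObject", "s3:DeleteObjectVersion" ],
      "Resource": "arn:aws:s3:::example-phi-bucket/*",
      "Condition": {
        "BoolIfExists": { "aws:MultiFactorAuthPresent": "false" }
      }
    }
  ]
}
```

Two details matter here. BoolIfExists is used on purpose: the aws:MultiFactorAuthPresent key is absent from requests signed with long-term access keys, and the IfExists form treats an absent key as a match, so such requests are denied as well; a plain Bool condition would let them through. Likewise StringNotEquals matches when the header is missing, so a PutObject that omits x-amz-server-side-encryption is denied even if bucket default encryption would have encrypted the object anyway; clients must ask for SSE-KMS explicitly.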
Auditing and Monitoring Control Requirements
For auditing and monitoring in line with HIPAA, Amazon provides AWS Config, which records resource configurations and their changes and simplifies security analysis, auditing, change management and operational troubleshooting. The HIPAA Security Rule also requires covered entities to monitor login attempts and report discrepancies; the event history of AWS account activity that supports this comes from CloudTrail, which records console sign-ins by IAM users and the root user, both successful and failed.
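As an added example, not part of the original article and not AWS code, the following Python script applies three login-monitoring checks of the kind the Security Rule calls for to a CloudTrail log file: console logins by the root user, successful logins without MFA, and repeated failures from one user and source address. The records are constructed for illustration and follow the documented field layout of ConsoleLogin events; the user names and IP addresses are placeholders.

```python
import json
from collections import Counter

# Constructed sample CloudTrail log (not real data). Field names follow the
# documented shape of ConsoleLogin records; one unrelated event is included to
# show that it is ignored.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-03-01T08:02:11Z", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "Yes"},
     "sourceIPAddress": "203.0.113.10"},
    {"eventTime": "2024-03-01T08:05:40Z", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "Root"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No"},
     "sourceIPAddress": "198.51.100.7"},
    {"eventTime": "2024-03-01T08:06:02Z", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "responseElements": {"ConsoleLogin": "Failure"},
     "errorMessage": "Failed authentication",
     "additionalEventData": {"MFAUsed": "No"},
     "sourceIPAddress": "198.51.100.7"},
    {"eventTime": "2024-03-01T08:06:09Z", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "responseElements": {"ConsoleLogin": "Failure"},
     "errorMessage": "Failed authentication",
     "additionalEventData": {"MFAUsed": "No"},
     "sourceIPAddress": "198.51.100.7"},
    {"eventTime": "2024-03-01T08:06:15Z", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "responseElements": {"ConsoleLogin": "Failure"},
     "errorMessage": "Failed authentication",
     "additionalEventData": {"MFAUsed": "No"},
     "sourceIPAddress": "198.51.100.7"},
    {"eventTime": "2024-03-01T08:07:00Z", "eventName": "PutObject",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "sourceIPAddress": "203.0.113.10"},
]})


def principal(record):
    """Name the identity behind a record: 'root' or the IAM user name."""
    ident = record.get("userIdentity", {})
    if ident.get("type") == "Root":
        return "root"
    return ident.get("userName", "unknown")


def triage_console_logins(log_json, failure_threshold=3):
    """Return (rule, principal, detail) findings for a CloudTrail log file.

    Rules:
      root-console-login      any console login by the account root user
      login-without-mfa       a successful console login where MFAUsed != "Yes"
      repeated-login-failures >= failure_threshold failures for one (user, IP)
    """
    records = json.loads(log_json)["Records"]
    findings = []
    failures = Counter()
    for r in records:
        if r.get("eventName") != "ConsoleLogin":
            continue  # only authentication events matter for login monitoring
        who = principal(r)
        outcome = r.get("responseElements", {}).get("ConsoleLogin")
        mfa = r.get("additionalEventData", {}).get("MFAUsed")
        ip = r.get("sourceIPAddress")
        when = r.get("eventTime")
        if who == "root":
            findings.append(("root-console-login", who, f"{when} from {ip}"))
        if outcome == "Success" and mfa != "Yes":
            findings.append(("login-without-mfa", who, f"{when} from {ip}"))
        if outcome == "Failure":
            failures[(who, ip)] += 1
    for (who, ip), n in failures.items():
        if n >= failure_threshold:
            findings.append(("repeated-login-failures", who,
                             f"{n} failures from {ip}"))
    return findings


if __name__ == "__main__":
    for rule, who, detail in triage_console_logins(SAMPLE_LOG):
        print(f"{rule:24} {who:8} {detail}")
```

In production the same function would run over the CloudTrail files delivered to S3 (each file has the same top-level Records array) or be expressed as a CloudWatch Logs metric filter; the point here is which fields carry the login outcome, the MFA flag and the identity type, since those are what a HIPAA login-monitoring procedure has to watch.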
Automatic Logoff after a Certain Time
The AWS console lets you set the length of a user's session. When the temporary credentials come from an AssumeRole* API operation, include the SessionDuration HTTP parameter in the federation sign-in URL to specify the console session duration, in seconds, from 900 (15 minutes) to 43,200 (12 hours).
When the credentials come from the GetFederationToken API operation, set the session length with the DurationSeconds parameter of that call instead; it accepts values from 900 (15 minutes) to 129,600 seconds (36 hours).
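The following Python helper is an added illustration, not code from AWS or from the original article. It builds the federation-endpoint request that carries SessionDuration, validates the value against the two ranges above before anything is sent, and builds the final login URL from the returned token. Fetching the token (an HTTPS GET of the first URL) is left out so the code runs offline; the credential values, the issuer URL https://idp.example.com and the user name clinician are placeholders.

```python
import json
from urllib.parse import urlencode

FEDERATION_ENDPOINT = "https://signin.aws.amazon.com/federation"

# Permitted console session lengths in seconds, keyed by the STS operation
# that issued the temporary credentials: 15 min to 12 h for AssumeRole*,
# 15 min to 36 h for GetFederationToken.
SESSION_LIMITS = {
    "AssumeRole": (900, 43200),
    "GetFederationToken": (900, 129600),
}


def validate_duration(seconds, issued_by):
    """Raise ValueError if `seconds` is outside the range for `issued_by`."""
    lo, hi = SESSION_LIMITS[issued_by]
    if not lo <= seconds <= hi:
        raise ValueError(
            f"session length {seconds}s not in {lo}-{hi}s for {issued_by}")
    return seconds


def signin_token_url(credentials, session_seconds):
    """Build the getSigninToken request for credentials from AssumeRole*.

    `credentials` is the Credentials dict STS returns (AccessKeyId,
    SecretAccessKey, SessionToken). The console session length travels in
    the SessionDuration HTTP parameter of this request.
    """
    validate_duration(session_seconds, "AssumeRole")
    session = json.dumps({
        "sessionId": credentials["AccessKeyId"],
        "sessionKey": credentials["SecretAccessKey"],
        "sessionToken": credentials["SessionToken"],
    })
    params = {
        "Action": "getSigninToken",
        "SessionDuration": str(session_seconds),
        "Session": session,
    }
    return f"{FEDERATION_ENDPOINT}?{urlencode(params)}"


def federation_token_params(name, policy, session_seconds):
    """Parameters for an STS GetFederationToken call.

    On this path the session length is the DurationSeconds parameter of the
    STS call itself, not a parameter of the federation URL.
    """
    validate_duration(session_seconds, "GetFederationToken")
    return {"Name": name, "Policy": json.dumps(policy),
            "DurationSeconds": session_seconds}


def console_login_url(signin_token, issuer,
                      destination="https://console.aws.amazon.com/"):
    """Final URL the user opens. `signin_token` is the SigninToken value
    returned by the getSigninToken request, fetched separately over HTTPS."""
    params = {"Action": "login", "Issuer": issuer,
              "Destination": destination, "SigninToken": signin_token}
    return f"{FEDERATION_ENDPOINT}?{urlencode(params)}"


if __name__ == "__main__":
    # Placeholder credential values, not real keys.
    creds = {"AccessKeyId": "ASIAEXAMPLE",
             "SecretAccessKey": "example-secret",
             "SessionToken": "example-token"}
    print(signin_token_url(creds, 3600))  # one-hour console session
    scoped = {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-phi-bucket/*"}]}
    print(federation_token_params("clinician", scoped, 8 * 3600))
```

Keep the session as short as the workflow allows; a clinician's shift is a better upper bound than the 12- or 36-hour maximum, and the validation step above is where an over-long value should be rejected rather than discovered later in a failed console request.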
Takeaway
Google Cloud and AWS give healthcare organizations a solid foundation for a HIPAA-compliant telehealth platform. The BAA, however, covers only the provider's side of the shared responsibility model; configuring your own systems to the HIPAA Security Rule remains your job. For the communication layer, choose a provider whose APIs and SDKs work with these (or any) cloud services and that will itself sign a BAA as your Business Associate, so that all data transmission and storage in your online healthcare service stays within a compliant environment.