
AWS cloud security earns federal government approval

AWS cloud security gets a lift past skeptics with new federal government approval for some insurance issuers to collect healthcare data using EC2.

A federal government agency's recent blessing for insurance issuers to use Amazon Web Services is a sign of changing attitudes toward cloud security.

The Centers for Medicare & Medicaid Services (CMS) confirmed this month that it approved the use of AWS for processing and storing healthcare data as part of new risk adjustments mandated under the Affordable Care Act of 2010.

Under the law, funds are transferred between high-risk pools of patients and low-risk pools to protect insurance issuers financially. To identify which groups are higher-risk, patient data must be analyzed and the results submitted to CMS before funds are redistributed.

This analysis can now be done using AWS' Elastic Compute Cloud. Issuers can create an Amazon account and download a particular application to do the data processing for CMS, where previously, only internally managed hardware was approved.

Tech experts say this has implications for a wider IT market that has harbored doubts about AWS cloud security.


"If AWS is good enough for the government, it's probably good enough for you," said Dave Bartoletti, analyst with Forrester Research based in Cambridge, Massachusetts. "Everyone considering AWS should take a fresh look at AWS' current certifications and security practices -- they might be better than what you've got in your own data center."

Some healthcare organizations that already store sensitive data in the Amazon cloud agree.

"Particularly for emerging firms that don't have the expertise or resources to build out a compliant data center, AWS-like environments become very attractive to allow firms like ours to focus on core competencies," said Brendan McKernan, president and co-founder of Courtagen Life Sciences Inc., a genetic testing company based in Boston.

However, some larger companies that are eligible to use AWS following the CMS decision are undecided.

Aetna Inc., a large insurance issuer based in Hartford, Connecticut, already has a relationship with AWS through its healthcare technology subsidiary Healthagen, but it also purchased hardware to perform the CMS data analysis under the original requirements.

"This is something that the industry has asked about since Day 1, for the past couple of years, whether or not cloud computing or virtual servers are allowed for this purpose," said John Caruso, a senior director at Aetna. "The timing of it could've been better if we'd known about it in advance."

Caruso said the company will evaluate the suitability of AWS services according to its performance and availability, rather than scrutinizing cloud security.

Meanwhile, it would also be preferable for CMS to approve the use of other cloud vendors.

"Ideally, they wouldn't lock us into one specific vendor from a cost perspective," Caruso said.

Beth Pariseau is senior news writer for SearchAWS. Write to her at or follow @PariseauTT on Twitter.

Will you store or process sensitive data on Amazon Web Services? Why or why not?
Yes. This article skips over a lot of details. I am sure it does not mean any AWS configuration meets CMS' or HIPAA requirements. The most important part of using AWS or another cloud system for HIPAA is having a Business Associate Agreement with the provider. Each configuration that the customer builds in AWS to store, receive, transmit, or maintain e-PHI needs to have a risk assessment and compliance assessment of the customer's configuration in AWS and of the customer's people, policies, and procedures used with that system. AWS in turn needs to ensure in the Business Associate Agreement that it will meet HIPAA requirements for its systems used by the customer, including risk assessment and compliance assessment. Essentially, the line of demarcation in the case of AWS is between the IaaS offered by AWS and the application installed by the customer on it.
You are correct that this article does not address HIPAA compliance -- it's unclear whether the Edge data being processed here for CMS is personally identifiable information. Some experts, however, say that it is, and as such the considerations you point out are important for readers to consider -- thank you for adding your comment!

On another, related note, it is unknown at this time whether "vanilla" EC2 meets CMS's requirements because to my knowledge they have not offered specific guidance on the configuration that is to be used. I was not able to get a clear answer from them about whether GovCloud is required, for example, or VPCs. I will go back to them to see if I can get some clarification.

Thanks again for your comment.