
AWS RDS now HIPAA-eligible, but that's only half the battle

AWS RDS, DynamoDB and EMR have been declared HIPAA-eligible, but healthcare organizations must do more to ensure HIPAA compliance.

AWS RDS is now HIPAA-eligible, along with a handful of other services that IT pros say have been on the watch list for healthcare organizations, though this is only the first of many steps for organizations seeking compliance.

The MySQL flavor of Amazon Web Services' (AWS) Relational Database Service (RDS), DynamoDB and Elastic MapReduce were among services that became eligible for compliance with the federal Health Insurance Portability and Accountability Act (HIPAA) on July 8.

Attendees at an AWS Summit last week and other AWS customers waiting for HIPAA eligibility for RDS welcomed the news.

"We were one of the early AWS life sciences partners, and we've been waiting three or four years for RDS to be HIPAA compliant," said Sri Vasireddy, President at REAN Cloud Solutions, Inc., an IT consulting firm in Washington D.C. "I have two or three customers who can switch to RDS now."

For some organizations still evaluating AWS, the news about HIPAA compliance overshadowed other product announcements last week.

"The HIPAA compliance news makes AWS more appealing as we deal with some patient data," said Alex Malek, system architect at Solutions for Progress, Inc., a non-profit social services organization in Philadelphia. "Years ago we had to make sure we had SLAs with colocation, data center and technology partners, and it was unclear how we would get something like that with AWS. They've obviously passed that hurdle now."

It's a similar story for Mark Szynaka, a cloud architect for CloudeBroker, based in New York, who said after the Summit that one of his clients, a medical records storage company, has been waiting for Amazon DynamoDB to become HIPAA eligible.

"Up until now my client has used S3 to store HIPAA records under their Business Associate Agreement with AWS," said Szynaka, who is also a TechTarget contributor. "They have wanted to extend their capabilities into a NoSQL database such as DynamoDB for over a year."

Read the fine print for full AWS RDS HIPAA compliance

Still, HIPAA eligibility is only the first step for healthcare organizations that wish to use these services properly.

According to AWS officials, "HIPAA-eligible" means the services met the criteria of recent external and internal audits based on the Federal Risk and Authorization Management Program (FedRAMP), the criteria the federal government uses for purchasing IT products. It also means Amazon is now willing to sign business associate agreements (BAAs) with companies looking to achieve HIPAA compliance using the newly eligible services.

"That's why we're calling them HIPAA-eligible, because they are eligible if you have a BAA," said Matt Wood, general manager of product strategy for AWS. "We don’t want to create the impression that just by using RDS on MySQL you are automatically blessed by the HIPAA fairy."

Signing a BAA with Amazon is only part of the process organizations must undertake for HIPAA compliance. There is no formal certification for HIPAA-compliant cloud products, and healthcare organizations must pass their own external audit under HIPAA to be fully compliant, according to Sekhar Puli, Managing Partner at REAN Cloud.

"This only gets you so far," Puli said.

Other IT consultants don't expect a rush to adopt RDS.

"In the healthcare community, folks commonly refer to the five-year lag in technology adoption," said Daniel Heacock, a consultant with c3/consulting, an IT consulting and managed services firm based in Nashville, Tenn. "Some would argue that it's getting longer -- burdened by the regulation and responsibility of very sensitive information, healthcare IT is just a slow-moving beast."

Some smaller healthcare analytics companies see the value of cloud services, and larger entities see the benefits through contractual engagements, Heacock said. But few of the larger companies take the dive themselves, and when they consider it, Microsoft Azure often comes to mind first.

"The change is happening, but the biggest roadblock is simply momentum," Heacock said. "AWS is doing everything they can, but when push comes to shove, they will have trouble convincing the healthcare giants to make the leap to AWS while Azure is a contender."

Other AWS compliance news: WORM for Glacier

AWS took another step in compliance last week with its Amazon Glacier cold storage environment. It now offers Write Once Read Many (WORM) features for customers who choose to lock down Glacier vaults, so archives cannot be deleted or altered during the retention period a customer sets.

Attendees at AWS Summit said this probably would be most welcome at organizations that must maintain compliance with the Sarbanes–Oxley Act, which specifies data retention rules for publicly traded companies.
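As an added illustration of what locking down a Glacier vault for retention looks like in practice (this is example code written for this article, not AWS's own sample or anything from the companies quoted): a Vault Lock policy is a resource policy that denies glacier:DeleteArchive for archives younger than a chosen age, and once the lock is completed the policy can no longer be changed. The account id, region, vault name and 365-day period below are placeholders; the small evaluator only mirrors the one condition the policy uses and is a local sanity check, not a full IAM evaluator.

```python
"""Build and sanity-check an Amazon Glacier Vault Lock (WORM) policy.

Example code added to this article. The policy shape follows the AWS
documentation for Vault Lock: a Deny on glacier:DeleteArchive conditioned on
the glacier:ArchiveAgeInDays key. All identifiers below are placeholders.
"""
import json

# Placeholder values (constructed for this example, not from the article).
ACCOUNT_ID = "123456789012"
REGION = "us-east-1"
VAULT_NAME = "compliance-records"
RETENTION_DAYS = 365


def build_vault_lock_policy(account_id, region, vault_name, retention_days):
    """Return a Vault Lock policy (as a dict) that denies deleting any
    archive younger than `retention_days`. After complete_vault_lock the
    policy itself becomes immutable, which is what gives WORM semantics."""
    vault_arn = f"arn:aws:glacier:{region}:{account_id}:vaults/{vault_name}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "deny-delete-before-retention-period",
                "Principal": "*",
                "Effect": "Deny",
                "Action": "glacier:DeleteArchive",
                "Resource": [vault_arn],
                "Condition": {
                    "NumericLessThan": {
                        "glacier:ArchiveAgeInDays": str(retention_days)
                    }
                },
            }
        ],
    }


def delete_is_denied(policy, archive_age_days):
    """Local check: would a DeleteArchive request for an archive of the given
    age hit a Deny statement? Only the NumericLessThan / ArchiveAgeInDays
    condition used above is understood (an unconditional Deny also counts)."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        actions = stmt["Action"]
        if isinstance(actions, str):
            actions = [actions]
        if "glacier:DeleteArchive" not in actions:
            continue
        cond = stmt.get("Condition", {}).get("NumericLessThan", {})
        limit = cond.get("glacier:ArchiveAgeInDays")
        if limit is None or archive_age_days < int(limit):
            return True
    return False


def lock_vault(glacier_client, vault_name, policy):
    """Two-step lock as exposed by the Glacier API (boto3 client method names,
    assumed here; not exercised offline). initiate_vault_lock returns a lock
    ID and opens a 24-hour window in which the policy can still be tested or
    aborted; complete_vault_lock then makes it permanent."""
    resp = glacier_client.initiate_vault_lock(
        vaultName=vault_name, policy={"Policy": json.dumps(policy)}
    )
    lock_id = resp["lockId"]
    # Verify the in-progress policy (e.g. with delete_is_denied) before this:
    glacier_client.complete_vault_lock(vaultName=vault_name, lockId=lock_id)
    return lock_id


if __name__ == "__main__":
    policy = build_vault_lock_policy(ACCOUNT_ID, REGION, VAULT_NAME, RETENTION_DAYS)
    print(json.dumps(policy, indent=2))
    for age in (30, 364, 365, 400):
        print(f"archive age {age}d:",
              "delete denied" if delete_is_denied(policy, age) else "delete allowed")
```

The point of running the local check before completing the lock is that the lock is irreversible: a policy that denies too little gives no retention guarantee, and one that denies too much (an unconditional Deny, for instance) cannot be undone later.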

Beth Pariseau is senior news writer for SearchAWS. Write to her at [email protected] or follow @PariseauTT on Twitter.
