How to Achieve PCI / HIPAA Compliance with AWS / Azure


The rapid growth of the cloud is fraught with concerns about security. These concerns are heightened when companies using cloud services are also responsible for maintaining compliance with strict regulations such as HIPAA or PCI. Indeed, security and compliance are the two most cited concerns surrounding cloud migration, especially when large vendors such as Amazon Web Services (AWS) and Microsoft Azure state that this responsibility is entirely for the customer to shoulder. Many companies do not understand the underlying technology of a cloud platform and choose to build in-house solutions in the belief that this gives them better control over compliance requirements.

HIPAA Compliance

HIPAA legislation was passed before the rise of cloud computing, when every health care provider ran a single-tenant IT environment. HIPAA sought to increase information sharing through electronic health records and included provisions covering Protected Health Information (PHI). In 2009, HIPAA was expanded by HITECH to further protect the security and privacy of PHI. Neither law addresses the unique concerns of a multi-tenant environment.

When seeking compliance, primary responsibility falls on the healthcare company using the cloud service as the "covered entity". Compliance requirements can extend to the cloud service provider as a "business associate". HIPAA requires that a covered entity and a business associate enter into a contract whenever the business associate performs functions or activities on behalf of the covered entity. This contract serves to clarify and limit the permissible use and disclosure of PHI by the business associate. Cloud service providers are unique in that they provide an environment in which covered entities can develop HIPAA/HITECH-compliant products, but the providers themselves do not have to be certified for the same. In fact, there is no HIPAA certification for cloud providers at this time.

AWS aligns its HIPAA management program with FedRAMP and NIST 800-53, which set higher standards than HIPAA. Only nine AWS services are HIPAA-eligible. Azure has more eligible services. Both companies will enter into a business associate agreement (BAA) with covered entities.

PCI Compliance

The Payment Card Industry (PCI) Data Security Standard (DSS) is an information security standard that requires organizations to put controls around cardholder data in order to prevent credit card fraud. The standard applies to any organization that stores, processes, or transmits cardholder information.

As with HIPAA/HITECH, cloud service providers simply provide an environment that is compliant with the standard; certification remains the responsibility of the company using the cloud service. Compliance does not automatically translate to certification.

Most AWS services have been validated by an independent Qualified Security Assessor (QSA) as compliant with the PCI standard. AWS provides a PCI Compliance Package to merchant customers that contains the compliance documentation needed when seeking certification. The package clarifies the respective responsibilities of AWS and the merchant. AWS further demonstrates its compliance by meeting all applicable requirements to be included on the Visa Global Registry of Service Providers and the MasterCard Compliant Service Provider List.

Fewer Azure services are compliant with PCI DSS requirements. Azure provides the Azure Customer PCI Guide to customers seeking PCI DSS certification, but it is not listed as a compliant service provider on the MasterCard or Visa lists. Azure performs an annual assessment of its environment to validate compliance with the standard.

The Problem

While security and compliance are top issues for CIOs and CTOs, the problem is the cloud customer's to resolve, not the service provider's. AWS and Azure provide the virtualized environment in which customers develop their own solutions. Several organizations have achieved HIPAA or PCI compliance and certification on these public cloud platforms.

Not every cloud platform should be considered when seeking compliance with HIPAA or PCI. Organizations should partner with service providers that offer security and compliance guarantees in their SLAs. Documenting the responsibilities of each entity in SLAs ensures that all parties, including assessors, understand how compliance requirements are being met and by whom.

HOSTING is the only managed cloud provider to have achieved full PCI DSS, HIPAA, and SOC 2/3 compliance accreditations across public and private cloud platforms. For nearly a decade we have been delivering compliant hosted solutions across the leading public and private platforms like AWS, Microsoft Azure and the like. We support our customers with over 400 security assessments annually, and we have never had a customer fail their own compliance obligations. We encourage our customers to not just ask for copies of our compliance reports, but to compare them against anyone else in the industry. It’s clear that HOSTING is doing more than the bare minimum approach taken by most of the market — we exist to ensure that your applications are protected and your regulatory obligations are met. Period.

We don’t just defend these assertions with our audit reports; we also provide our customers with a 100% Audit Assurance SLA, because we know that ultimately it isn’t about HOSTING’s compliance status, it’s about our customers meeting their own regulatory obligations. The SLA states that if our customers experience any impediment to their own compliance obligations, HOSTING will resolve it at no cost to the customer, no matter the problem. And don’t just take our word for it: check out the scores of healthcare and financial services customers that have chosen to share their stories publicly on our YouTube channel. HOSTING is the only provider to carry full PCI, HIPAA, and SOC accreditations for our solutions across every type of platform — public cloud, private cloud, dedicated server, or colocation.
