Your Short Guide To PCI & HIPAA Compliance Offered By The Big 3

Health and payment card information are among the most heavily regulated categories of data on the internet, protected by laws and industry standards in every major jurisdiction. Two of the most widely encountered of these are HIPAA and PCI DSS.

HIPAA stands for the Health Insurance Portability and Accountability Act of 1996. It regulates the processing, storage, and transmission of Protected Health Information (PHI) in the United States.

PHI is the legal term for individually identifiable health information, that is, medical records that carry one or more personal identifiers: prescriptions, medical reports, health insurance details, hospital bills, and so on. Any organization that handles PHI on behalf of a U.S. covered entity must be HIPAA compliant, whether it is incorporated in the US, Canada, Europe, or anywhere else.

The Payment Card Industry Data Security Standard (PCI DSS) governs the storage, processing, and transmission of cardholder data. The standard is maintained by the PCI Security Standards Council, an independent body founded by the major card brands: Visa, Mastercard, American Express, Discover, and JCB.

Non-compliance with HIPAA or PCI DSS can lead to substantial fines and, in the worst case, to a healthcare or financial institution losing its ability to operate. Managing these large, sensitive data sets is a further challenge for such organizations.

For example, a large bank that processes customer transactions in its own data center bears the cost of the personnel and hardware it has to deploy and maintain.

As a result, many of these organizations are moving their workloads to the cloud. The three largest cloud vendors, Google Cloud, Microsoft Azure, and Amazon AWS, all support HIPAA- and PCI DSS-regulated workloads.

Both HIPAA and PCI DSS impose a set of requirements that every organization handling healthcare or cardholder data must meet, or face penalties and fines. For instance, both require the organization responsible for the data to assess its IT infrastructure regularly: HIPAA through periodic risk analysis and evaluation, PCI DSS through an annual assessment.

If an organization runs its infrastructure on a major cloud service provider, part of the HIPAA burden naturally extends to that cloud vendor, which becomes a business associate.

Below we look at the HIPAA and PCI DSS compliance offerings of the Big 3 cloud service providers.

HIPAA and CSPs  

When a healthcare institution engages a CSP to process, store, or transmit PHI, the CSP falls under HIPAA as a business associate.

The US Department of Health and Human Services (HHS), the statutory body that maintains HIPAA, runs no certification program through which a business associate can demonstrate HIPAA compliance.

CSPs therefore demonstrate compliance with existing security standards onto which the HIPAA requirements can be mapped. In addition, they enter into a Business Associate Agreement (BAA) with the healthcare institution.

CSPs also offer blueprints and templates that help organizations handling PHI adhere to HIPAA.

Whatever the mapping, a business associate is bound by the three HIPAA rules:

  1. Privacy Rule: PHI may be used or disclosed only as the rule permits or as the patient authorizes. The CSP must have measures in place to ensure this is the case every time.
  2. Security Rule: Administrative, technical, and physical safeguards must be in place to ensure the confidentiality, integrity, and availability of electronic PHI.
  3. Breach Notification Rule: Covered entities must notify affected individuals and HHS after a breach of unsecured PHI, and business associates must notify the covered entity they serve.

Amazon AWS and HIPAA 

Since HHS offers no certification program, Amazon instead undergoes third-party validation against thousands of global requirements to support HIPAA compliance.

Customers and their business associates can use the scalable, low-cost, and secure building blocks AWS provides to architect applications in line with HIPAA and HITECH requirements.

AWS holds widely accepted certifications and attestations such as ISO 27001, the Service Organization Control reports (SOC 1, SOC 2, and SOC 3), and FedRAMP.

AWS enters into a Business Associate Addendum (BAA) with its customers, as HIPAA requires for business associates.

Google Cloud and HIPAA 

In the absence of an official certification from HHS, Google undergoes numerous, regular third-party audits to give healthcare institutions independent verification. Google also publishes links, reports, and certificates from these audits.

Independent audits that examine the controls in Google Cloud's data centers, infrastructure, and operations add a further layer of transparency.

Google undergoes annual audits against the following standards, which are mapped to HIPAA requirements:

  • SSAE16 / ISAE 3402 Type II
  • ISO 27001: Google holds ISO 27001 certification for the systems, applications, people, technology, processes, and data centers that run Google Cloud Platform.
  • ISO 27017, Cloud Security: an international code of practice for information security controls based on ISO/IEC 27002, specifically for cloud services.
  • ISO 27018, Cloud Privacy: an international standard for the protection of personally identifiable information (PII) in public clouds such as Amazon AWS and Google Cloud.
  • PCI DSS v3.2.1

Google Cloud also enters into a BAA with its customers, as HIPAA requires.

Microsoft Azure and HIPAA 

In the absence of an official certification from HHS, Microsoft Azure likewise maps HIPAA requirements to existing security standards to demonstrate compliance.

The mapping follows An Introductory Resource Guide for Implementing the HIPAA Security Rule (NIST SP 800-66), the Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM), and the HHS HIPAA Security Rule Crosswalk to the NIST Cybersecurity Framework. Among the standards Azure maps to are:

  • NIST CSF
  • ISO/IEC 27001

Microsoft Azure also enters into a BAA and offers an Azure Blueprint for HIPAA and HITRUST.

CSPs and PCI DSS 

Unlike HIPAA, PCI DSS has a formal assessment programme: a CSP engages an independent Qualified Security Assessor (QSA) to evaluate its environment against the current version of the standard. On passing, the CSP receives a PCI DSS Attestation of Compliance (AOC), which it can publish on its website and which customers can verify.

Customers building a card processing service or a cardholder data environment on that CSP can rely on the provider's attestation for the infrastructure controls it covers, reducing the effort and cost of their own PCI DSS assessment.

It is important to recognize that a cloud provider's PCI DSS compliance status does not automatically make the services customers build or host on that platform PCI DSS compliant. Customers remain responsible for meeting the PCI DSS requirements that apply to their own environment.

Amazon AWS and PCI 

AWS is certified as a PCI DSS Level 1 Service Provider, the highest level of assessment available.

The PCI DSS Responsibility Summary and the Attestation of Compliance (AOC) are available through AWS Artifact, a self-service portal that gives customers on-demand access to AWS compliance reports.

Financial institutions that want to build a cardholder data environment or process card transactions on AWS can inherit the AWS attestation for the infrastructure controls it covers, reducing the additional effort and expense of their own PCI DSS assessment.

Google Cloud and PCI  

According to various sources, including the CSP's own website, Google Cloud services have been assessed by an independent, third-party Qualified Security Assessor as compliant with PCI DSS 3.2.1.

Unlike Amazon, Google does not state at which Service Provider Level Google Cloud Platform (GCP) is compliant with the latest version of PCI DSS.

That detail aside, there is little difference between the three CSPs in their PCI DSS compliance posture.

For instance, customers can access the PCI DSS Attestation of Compliance (AOC) from the Google Cloud console. The attestation is valid for one year from the date it is issued.

Microsoft Azure and PCI 

Microsoft runs a yearly PCI DSS assessment with an authorized Qualified Security Assessor (QSA). In the most recent audit, the QSA examined the Microsoft Azure, OneDrive for Business, and SharePoint Online environments, including the CSP's IT infrastructure, development, operations, management, support, and in-scope services.

PCI DSS defines four compliance levels based on transaction volume. Microsoft Azure, Microsoft OneDrive, and Microsoft SharePoint Online are certified PCI DSS version 3.2 compliant at Service Provider Level 1, the tier for providers handling the highest transaction volumes, which requires an annual on-site assessment by a QSA.

The assessment results in an Attestation of Compliance (AOC) and a Report on Compliance (ROC) issued by the QSA. The AOC can be shared publicly. Compliance is valid for one year from the date the audit is passed and the AOC is received.

Financial institutions that want to build a cardholder data environment or process card transactions on Azure can likewise inherit Microsoft's attestation for the infrastructure controls it covers, reducing the additional effort and expense of their own PCI DSS assessment.

Again, the PCI DSS compliance status of Microsoft Azure, OneDrive for Business, and SharePoint Online does not directly translate into PCI DSS compliance for the services customers build or host on them.

The Shared Responsibility  

In an on-premises data center, the organization is responsible for every layer of security: physical, premises, network, applications, and data. With cloud vendors like Amazon AWS, Microsoft Azure, and Google Cloud, security responsibilities are shared between the vendor and its customers.

For instance, Amazon secures its data centers against unauthorized physical access with controls such as locks, access cards, and video surveillance. It also makes its services dependable and fault tolerant, so that workloads can fail over to nearby data centers during an outage.

Customers, however, must still take their own precautions to keep their data secure in the cloud: for example, enforcing strong password policies and requiring multi-factor authentication both for console logins and for API calls made with access keys, so that a stolen password or key alone does not grant access.
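The MFA requirement above is a customer-side control, so a practitioner needs both a way to find the gaps and a way to enforce the rule. The following added example (not code from the original article or from any cloud vendor) does both for AWS: it parses an IAM credential report, the CSV that `aws iam get-credential-report` returns, to flag users who can authenticate without MFA, and it returns the IAM policy document that denies API calls unless the caller authenticated with MFA. The column names are the real ones from the credential report; the sample rows are constructed for the example.

```python
"""Audit AWS IAM users for MFA gaps and build the policy that closes them.

Added example, not from the original article.  Assumes the CSV layout of
`aws iam get-credential-report` (real column names); the report rows
below are constructed sample data for an imaginary account.
"""
import csv
import io
import json

# Constructed sample of a decoded credential report.  Columns not used by
# the parser are omitted; the parser keys on column names, not positions.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_2_active
<root_account>,arn:aws:iam::111122223333:root,2019-01-04T10:00:00+00:00,not_supported,2023-05-01T08:00:00+00:00,true,false,false
alice,arn:aws:iam::111122223333:user/alice,2020-02-11T09:30:00+00:00,true,2023-06-01T12:00:00+00:00,true,true,false
bob,arn:aws:iam::111122223333:user/bob,2021-07-19T14:05:00+00:00,true,no_information,false,false,false
ci-deploy,arn:aws:iam::111122223333:user/ci-deploy,2022-03-02T16:45:00+00:00,false,N/A,false,true,true
"""


def _flag(value: str) -> bool:
    # The report mixes "true"/"false" with markers such as "not_supported"
    # and "N/A"; only a literal "true" counts as enabled.
    return value.strip().lower() == "true"


def parse_credential_report(report_csv: str) -> list[dict]:
    """Turn the decoded CSV report into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(report_csv)))


def find_mfa_gaps(report_csv: str) -> dict[str, list[str]]:
    """Return console users without MFA and users holding active long-term
    access keys without MFA.

    Long-term access keys never carry MFA on their own; the only way to
    force MFA onto API access is an IAM policy that denies calls unless
    aws:MultiFactorAuthPresent is true, after which the user obtains
    temporary credentials via sts:GetSessionToken with an MFA code.
    """
    console_no_mfa: list[str] = []
    keys_no_mfa: list[str] = []
    for row in parse_credential_report(report_csv):
        if _flag(row["mfa_active"]):
            continue
        if _flag(row["password_enabled"]):
            console_no_mfa.append(row["user"])
        if _flag(row["access_key_1_active"]) or _flag(row["access_key_2_active"]):
            keys_no_mfa.append(row["user"])
    return {"console_without_mfa": console_no_mfa,
            "access_keys_without_mfa": keys_no_mfa}


def deny_without_mfa_policy() -> dict:
    """IAM policy that blocks every action except MFA self-enrolment and
    sts:GetSessionToken when the request was not authenticated with MFA.

    BoolIfExists is used rather than Bool so that requests where the key
    is absent (long-term access keys) are denied too, not just requests
    that explicitly carry "false".
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyAllExceptMfaSetupIfNoMfa",
            "Effect": "Deny",
            "NotAction": [
                "iam:CreateVirtualMFADevice",
                "iam:EnableMFADevice",
                "iam:GetUser",
                "iam:ListMFADevices",
                "iam:ListVirtualMFADevices",
                "iam:ResyncMFADevice",
                "sts:GetSessionToken",
            ],
            "Resource": "*",
            "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}},
        }],
    }


if __name__ == "__main__":
    for category, users in find_mfa_gaps(SAMPLE_REPORT).items():
        print(f"{category}: {', '.join(users) or '(none)'}")
    print(json.dumps(deny_without_mfa_policy(), indent=2))
```

Against the sample report the audit flags `bob` (console password, no MFA) and `ci-deploy` (two active access keys, no MFA). Attaching the returned policy to those users, or to a group they belong to, turns the finding into an enforced control; a real run would first base64-decode the `Content` field of `get-credential-report` and feed the result to `find_mfa_gaps`.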

One way to think about shared responsibility is to compare a cloud deployment to a multi-tenant office building. Building management secures the entrance with security guards, video surveillance, and an access control list at the front gate.

Management also keeps shared areas such as restrooms and mailrooms monitored and ensures that only people who work in the building can get in. Securing what is inside each tenant's own suite, the desks, filing cabinets, and laptops, remains the tenant's job.

Final Words

Which CSP is the most compliant? 

Google, Microsoft, and Amazon offer more or less the same value when it comes to compliance with the U.S. HIPAA and with PCI DSS.

Because HHS offers no certification program, claiming HIPAA compliance is a little tricky under the act's business associate provisions.

The CSPs have gone to considerable lengths to map their existing audits and certifications onto one of the most demanding industry regulations. Microsoft and Amazon take the lead, but Google isn't far behind.

Proving compliance with PCI DSS is more straightforward. CSPs engage a QSA once a year to assess their infrastructure and obtain their attestation, so there is little to distinguish the CSPs on this point.

Competition is working in the customer's favor. Every major CSP is neck and neck on the two most important compliance regimes affecting the card payment and healthcare industries.

And of course, data security in the cloud is a shared responsibility. If you are a large organization with a convoluted device and data policy, your confused employees are a greater threat to your infrastructure than an attacker trying to intercept communication over an encrypted channel.

Why Clouve?

Our dedicated cloud experts turn your IT-related issues into creative solutions while sparing your company from high, unexpected expenses.

An affordable, no-commitment, subscription-based service designed to take care of all your DevOps needs. It’s that simple. 

Sign up today for a 90-day trial, and get your first 15 tickets free.