AWS: How to Do Business With AWS

Data streams from all areas of our lives. IBM reports that the world generates twice as much data every 18 months. It is no longer a fantasy to imagine that we will be faced with petabyte-scale data storage.
This is a reality that we are currently dealing with in my company. Scale is a major concern. Data is never going to stop coming at you. We are becoming increasingly data-driven in our business, so we need tools like Amazon Web Services (AWS), to manage this exponential growth.
My team was an institute in a health care system and needed to verify that the data we were accumulating was secure at rest and in transit. We were held to the high standards of our health system and still are. We initially used AWS to store large genomic data files. It was scalable and durable. AWS allowed us to move forward with our research projects despite the large data files we would need to support our genome research efforts.
Even though our patients were de-identified, AWS provided the highest level security. To ensure a long-lasting relationship, we also reached out to our compliance and IT departments at the hospital. We needed to create a Business Associate Agreement with AWS in order to do so.
The security responsibilities of cloud providers like AWS in relation to protected health information (PHI) were not clearly defined until recently. This changed with the HIPAA Privacy Security, Enforcement, and Breach Rules updates in 2013. These changes are known collectively as the Omnibus rule. This rule clarified the role cloud providers played as datacenter operators. They are now considered business associates and are directly liable for complying with HIPAA regulations. The document can be found here in a.PDF (notice the location — some government agencies use AWS).
It took AWS many months to reach an agreement due to the importance and sensitive nature of the relationship. Both sides worked hard and persevered to reach an agreement with AWS. My team was well on their way to setting up AWS environments that comply with the BAA by the time the agreement was accepted. A key to this relationship with AWS is a shared-responsibility model, which means both parties in the agreement are responsible for certain parts of the overall security of the cloud services. You can find more information about this model here. Notable: While only certain AWS services are currently covered by the BAA, more will be added in future.
As I attend conferences that focus on health care data, and share my experience, I am frequently asked about the AWS BAA process. Many health systems are evaluating cloud providers such as AWS but are concerned about security and compliance. Below are some suggestions I would recommend to help health IT teams (or IT teams with similar requirements) evaluate whether AWS or another similar provider is a viable option.
1. Be specific about the benefits of AWS and similar services. Cloud services can be used for PHI and other private data, regardless of how mature cloud security and services are. This can be perceived by your IT, compliance, and administration as a high-risk situation. If the benefits of cloud usage are not solid, you will face a difficult battle.
Benefits should be clearly defined, including monetary and efficiency metrics. These can be compared to the existing infrastructure or other options. This is a powerful process that will allow you to learn a lot about the subject.