Data Delivery

The Business of Doing Business with AWS

Establishing a Business Associate Agreement with AWS can be a months-long ordeal that requires organizations to take every aspect of their IT environments into consideration. Here are some suggestions to streamline the process.

• By Aaron Black
• 04/23/2015

Data streams from every area of our lives. According to a report by IBM, the total amount of data generated in the world doubles every 18 months! Gone are the days when it seemed outlandish to think we would be faced with petabyte-scale data storage and analysis.

In my organization, we are dealing with this reality now. Scale is of utmost concern. The data is not going to stop coming at us. Because we are increasingly data-driven in our businesses, we need to use tools like Amazon Web Services (AWS) to handle this exponential growth.

As an institute within a health care system, my team needed to validate that the data we were accumulating and utilizing was secure, in both transit and at rest. We were and are still held to the justifiably rigorous standards of our health care system. At first, we used AWS as a scalable and durable location to store our large genomic data files. AWS helped us move forward in our research projects even with the potentially massive data sizes we would need to support our genomic research efforts.

Even with our patients de-identified, we needed the highest level of security that AWS could provide. We also engaged our hospital IT and compliance departments to get their approval to ensure a long-lasting relationship with AWS. In order to do this, we needed to establish a Business Associate Agreement (BAA) with AWS.

Up until recently, the scope was not clear for the security responsibilities of cloud providers such as AWS when it came to protected health information (PHI). However, this changed in early 2013 with updates to the HIPAA Privacy, Security, Enforcement and Breach Rules. These changes are known as the Omnibus rule. This rule clarified the role of cloud providers as datacenter operators and they are now officially considered business associates, directly liable for being compliant with HIPAA regulations that apply to all business associates. A .PDF of the document is located here (note the location -- certain government agencies use AWS).

Due to the sensitivity and importance of this relationship, it took many months to come to an agreement with AWS. Both parties worked diligently, and it took passion and persistence to get it completed. By the time it was accepted, my team was well on its way to establishing our AWS environment to comply with the BAA. A key to this relationship with AWS is a shared-responsibility model, which means both parties in the agreement are responsible for certain parts of the overall security of the cloud services. For more detailed information on that model, go here. Of note: Only certain AWS services are covered by its BAA, but more will be added in the future.

As I go to conferences centered on health care data and I share this experience, I am constantly asked about the BAA process with AWS. Many are health systems evaluating cloud providers like AWS, but are worried about security and compliance. Below is an outline of suggestions that I would recommend to help those health care IT teams -- or IT teams with similar requirements --  evaluate whether AWS or a similar provider would be a viable option for your institution.

1. Determine the real benefits of using AWS or a similar service -- and be specific. Regardless of the maturity of cloud security and services, there is risk in using cloud services for PHI and other private data sets. Your health system IT, compliance and administration can perceive this to be a very high risk. If the presented benefits for cloud usage are not rock-solid, then you will be fighting an up-hill battle that will be hard to overcome.  

Benefits need to be defined as distinctly as possible, meaning giving monetary or efficiency metrics. These can be effectively weighed against the current infrastructure or other options. This is extremely powerful and, as part of the process, you will learn a great deal about the services and capabilities of AWS. If the value of AWS is not sufficient, your evaluation process probably ends here, saving everyone time and effort.

Also, don't evaluate into the future much more than one or two years. The services and costs are changing so rapidly, that your evaluation must be for 2015. Projections will be completely different for projects implemented in 2017 or 2018.

2. Ask for references from other organizations of similar size and project scope. More than likely, some institution has or is currently going through that same evaluation. Leave a comment below or contact me via LinkedIn and Twitter (see my author bio at the end of this column) if you think you will be using AWS and need some discussion. More often than not, these are productive conversations. A better description of my team's environment can be seen in the video below, though we are constantly evolving it.

3. Look at the total cost of ownership (TCO) and, in particular, implementation and support. Will you be looking to outsource or grow your own talent? Another caveat is that the skillset to build AWS environments and support can be challenging. Why? Good IT talent can be difficult. Add AWS experience and it becomes even more challenging.

With the right IT talent, AWS and IT can work much easier. However, it's a different mindset than traditional systems engineering. As AWS becomes more widely adopted, the talent pool will become even more stretched, which will (and has) resulted in a higher premium to pay for good AWS talent.

If you still feel this is a good fit, then the last step is to prepare yourself for pushback. Now, I can say that typically this comes from a place of true concern for the privacy and security of data. Changing paradigms (and perceived control) to a new technology is difficult, and AWS -- and cloud in general -- is just one of the poster children for this in health care. If you have done your due diligence on items 1, 2 and 3 above, you should be ready for intelligent and productive discussions.

Overall, be prepared and patient. If you have gone through the steps above and still believe AWS is the best solution for your team, then the process and products will be well worth it.