
July 18, 2024
dotHealthcare
Comparing Azure, AWS, and GCP for HIPAA Compliance in the Digital Age
In 2018, the healthcare industry was shaken when Anthem, one of the largest US-based healthcare players, had to pay a staggering $16 million to settle a class-action lawsuit following a data breach. This large penalty is not an isolated incident, as healthcare data breaches continue to occur. Fast forward to 2024, and it is still happening with Montefiore Medical Center paying a $4.75 million fine for a HIPAA violation.
Aside from paying huge penalties, safeguarding patient data is not just a legal obligation but a cornerstone of patient trust and loyalty. And now that healthcare organizations are increasingly modernizing their IT infrastructure and embracing cloud computing, another question arises — which public cloud provider can ensure reliable HIPAA compliance and provide confidence in data privacy?
Let’s have a look at the three leading cloud service providers (CSPs) — Azure, AWS, and GCP — to make sure that the cloud of your choice does not bring any storms.
What do HIPAA-compliant cloud services look like?
First of all, it’s worth mentioning that the Office for Civil Rights does not approve or advocate for any particular cloud, technology, or platform. There is no official HIPAA certification that a CSP can obtain to demonstrate their compliance. And since HIPAA compliance is achieved not by adopting a particular platform or technology but by configuring it correctly, large CSPs like Azure, AWS, and GCP facilitate HIPAA compliance but cannot guarantee it. They all operate under a shared responsibility model where the CSP is responsible for the security of the cloud while it’s up to organizations to ensure the security of their applications in the cloud.
Image source: Dash
All three CSPs commit to signing a Business Associate Agreement (BAA) — the first step to clarifying responsibilities and commitments regarding HIPAA compliance for both the CSP and the healthcare organization.
Azure HIPAA compliance
When it comes to cloud infrastructure availability, Azure is the top choice, and rightfully so. With over 60 regions and 113 zones, Azure provides greater availability and reliability for mission-critical healthcare applications than any other public cloud provider. To further support healthcare customers, Microsoft launched Microsoft Cloud for Healthcare in 2020. This suite of apps and solutions is designed to improve workflow efficiency and deliver personalized patient experiences. As for the HIPAA-required safeguards, both technical and administrative, Azure offers:
- Access control: Active Directory integration as a way to control access to servers and cloud workloads.
- Log monitoring tools like Azure Monitor for searching and aggregating logs.
- Azure Backup with controlled access to Recovery Services vaults, soft delete, and Cross Region Restore (CRR).
- All data stored in Azure Storage is encrypted by default with 256-bit AES encryption.
- Transparent Data Encryption (TDE) protects SQL databases.
- Data in transit is protected by secure encryption protocols such as TLS.
- Azure network security groups and Azure Firewall can be used to filter network traffic.
AWS HIPAA compliance
Just like its rival, AWS offers tailored cloud solutions for healthcare providers to address the core industry challenges. From AWS HealthLake for comprehensive patient data management to AWS HealthImaging for analyzing medical images at scale, AWS Omics for turning omics data into insights, and AWS HealthScribe powered by generative AI, AWS empowers healthcare organizations to shape the future of healthcare and life sciences. With customers like Philips, Roche, AstraZeneca, Merck, and other healthcare giants, AWS takes HIPAA compliance seriously. To enable customers to run sensitive workloads containing ePHI, AWS offers:
- Access controls: AWS IAM (Identity and Access Management) enables centralized management of security credentials and permissions for the use of AWS resources.
- AWS CloudTrail records API calls and related events made on your AWS account.
- AWS Config monitors configuration changes and provides a configuration history that can be used to meet HIPAA auditing requirements.
- Amazon CloudWatch can be used to monitor all log activity and send notifications in case of suspicious events.
- AWS Backup lets you establish data backup policies and monitor backup operations across multiple AWS resources.
- Amazon S3 automatically applies server-side encryption to all uploaded data.
- AWS Key Management Service (KMS) lets users control key permissions and audit key operations.
- Standard transport encryption mechanisms such as TLS and IPsec virtual private networks are supported.
- AWS Network Firewall can be used to simplify network protection for Amazon Virtual Private Cloud (VPC).
GCP HIPAA compliance
Bayer, Mayo Clinic, Hackensack Meridian Health, and other leading healthcare providers choose GCP as their go-to cloud platform, and for good reason. Last year, GCP received the IDC 2023 Cloud CSAT Award for Life Sciences, achieving the highest customer satisfaction scores. With MedLM generative AI models, Vertex AI, Target and Lead ID Suite, Multiomics Suite, and other services, GCP is truly pushing the envelope for healthcare players. In terms of HIPAA compliance, GCP maintains an up-to-date list of products and services that are covered by a BAA. It also offers all the tools and controls organizations need to do their part in the shared responsibility model:
- Access controls: Identity-Aware Proxy (IAP) establishes a centralized authentication layer to control access to cloud workloads.
- Two-factor authentication can be added as an extra layer of security.
- Google Cloud Audit Logging helps monitor activity in GCP-based applications and maintains three distinct audit logs for each project.
- Cloud Backup and DR is a managed service that offers space-efficient backups and on-demand recovery.
- All data stored in GCP is encrypted by default at the storage layer using AES-256 encryption.
- Encryption keys are managed either by a fully managed key service (provided by default) or by Cloud Key Management Service (Cloud KMS).
- Default protections such as secure communication via TLS are used.
- Firewall policies can be selectively configured at either the network or the project level.
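The three lists above and the shared responsibility model share one practical consequence: the CSP's defaults (encryption at rest) apply automatically, while transport, logging and backup safeguards only exist if the customer configures them. The check below is an added example, not code from the article or from any provider; its field names and the sample inventory are constructed, and `effective_settings` models how provider defaults combine with a customer's explicit settings.

```python
# Added example (not from the article or any CSP): a configuration-review check
# built on the shared responsibility split the article describes. Provider defaults
# are filled in automatically; customer-side safeguards must be set explicitly.
from dataclasses import dataclass, field

# Safeguard each CSP applies by default, per the article (AES-256 / SSE at rest).
# Provider names and keys are hypothetical labels, not any provider's API schema.
PROVIDER_DEFAULTS = {
    "azure": {"encryption_at_rest": True},
    "aws": {"encryption_at_rest": True},
    "gcp": {"encryption_at_rest": True},
}

# Safeguards the customer must configure, with the reason each is required
CUSTOMER_CONTROLS = {
    "tls_only": "reject non-TLS transport to protect ePHI in transit",
    "audit_logging": "enable activity logging (Monitor / CloudTrail / Audit Logs)",
    "backup_enabled": "configure backups with restore and soft delete",
}

@dataclass
class Resource:
    provider: str
    name: str
    settings: dict = field(default_factory=dict)

def effective_settings(r: Resource) -> dict:
    """Provider defaults first, then the customer's explicit settings on top."""
    return {**PROVIDER_DEFAULTS.get(r.provider, {}), **r.settings}

def failed_controls(r: Resource) -> list:
    """Names of safeguards this resource does not satisfy (empty = compliant)."""
    s = effective_settings(r)
    return [k for k in ("encryption_at_rest", *CUSTOMER_CONTROLS) if not s.get(k, False)]

def review(inventory) -> dict:
    """Map each non-compliant resource name to its list of failed safeguards."""
    return {r.name: f for r in inventory if (f := failed_controls(r))}

# Constructed sample: one ePHI storage resource per CSP, plus one outside any CSP
SAMPLE = [
    Resource("azure", "phi-storage", {"tls_only": True, "audit_logging": True, "backup_enabled": True}),
    Resource("aws", "phi-bucket", {"audit_logging": True}),
    Resource("gcp", "phi-gcs", {"tls_only": True, "backup_enabled": True}),
    Resource("onprem", "legacy-share", {"tls_only": True, "audit_logging": True, "backup_enabled": True}),
]

if __name__ == "__main__":
    for name, failed in review(SAMPLE).items():
        print(name, "->", "; ".join(CUSTOMER_CONTROLS.get(k, k) for k in failed))
```

Note that the on-premises share fails only encryption at rest: nothing fills that in for it, which is exactly the part of the model the CSPs take off the customer's plate.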
Wrapping up: Who is the winner?
All three leading CSPs excel in data privacy, security, and compliance, but the best choice for your organization depends on your unique needs. Think about your previous experience with each provider, the unique services they offer, and how well they fit into your current ecosystem of solutions. By carefully considering these factors, you can determine which cloud service provider will best support your goals and help drive your organization forward. As a Microsoft Gold Partner, an AWS Advanced Consulting Partner, and a Google Cloud Premier Partner, Kanda Software has the necessary expertise to support your decision-making process and deliver a secure, HIPAA-compliant healthcare solution. Drop us a line and our healthcare experts will get back to you to discuss your project needs.