Cloud Security Requirements for Healthcare Applications
Healthcare applications that run on cloud infrastructure are subject to the same HIPAA Security Rule requirements as on-premises systems. The cloud provider handles physical security and some infrastructure-level controls — this is the shared responsibility model — but the healthcare organisation remains responsible for access controls, audit logging, encryption, and data integrity.
This article covers the technical safeguard requirements that matter most for cloud-hosted healthcare applications.
Access Control (§164.312(a)(1))
Every user who accesses the system must have a unique identifier. Shared accounts are not compliant. Access must be limited to the minimum necessary for the user's role. Administrative access must require multi-factor authentication.
In cloud terms: IAM users or roles with defined permissions, no shared credentials, MFA enforced for console access, and service accounts scoped to only the permissions their function requires.
Audit Controls (§164.312(b))
The system must maintain audit logs of who accessed what data and when. Log tampering must be prevented. Logs must be retained for at least six years.
In cloud terms: application-level audit logging, CloudTrail for infrastructure-level activity, log storage in S3 with Object Lock or a WORM-compliant configuration, and alerts for unusual access patterns.
Transmission Security (§164.312(e)(1))
Protected health information transmitted over networks must be encrypted. This applies to API calls, database connections, and any other data in transit.
In cloud terms: TLS 1.2 or higher on all connections, HTTPS-only endpoints, no unencrypted database connections, VPC private subnets for database traffic.
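The audit-controls and transmission-security points above translate into a few concrete bucket settings. As an added example (not code from the article or from any vendor), the Python below checks a constructed S3 bucket description, laid out in the shape the boto3 get_object_lock_configuration, get_bucket_encryption and get_bucket_policy calls return, for WORM retention of at least six years, default encryption, and a policy that rejects non-TLS requests:

```python
SIX_YEARS_DAYS = 6 * 365  # retention floor taken from the audit-controls section

def denies_insecure_transport(policy: dict) -> bool:
    """True if any Deny statement rejects requests made without TLS."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Deny":
            continue
        cond = stmt.get("Condition", {}).get("Bool", {})
        if str(cond.get("aws:SecureTransport", "")).lower() == "false":
            return True
    return False

def audit_bucket_findings(bucket: dict) -> list[str]:
    """Return one finding per control the audit-log bucket fails; empty means compliant."""
    findings = []
    lock = bucket.get("ObjectLockConfiguration", {})
    if lock.get("ObjectLockEnabled") != "Enabled":
        findings.append("object lock disabled: log objects can be overwritten or deleted")
    retention = lock.get("Rule", {}).get("DefaultRetention", {})
    # GOVERNANCE mode can be bypassed by privileged principals; COMPLIANCE cannot.
    if retention.get("Mode") != "COMPLIANCE":
        findings.append("retention mode is not COMPLIANCE: retention can be shortened")
    days = retention.get("Days", 0) + 365 * retention.get("Years", 0)
    if days < SIX_YEARS_DAYS:
        findings.append(f"default retention of {days} days is below the six-year floor")
    rules = bucket.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    if not any(r.get("ApplyServerSideEncryptionByDefault") for r in rules):
        findings.append("no default server-side encryption configured")
    if not denies_insecure_transport(bucket.get("Policy", {})):
        findings.append("bucket policy does not deny aws:SecureTransport=false requests")
    return findings

# Constructed sample configurations (not real buckets): a weak one and a hardened one.
WEAK_BUCKET = {
    "ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
                                "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Days": 365}}},
    "Policy": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-audit-logs/*"}]},
}
HARDENED_BUCKET = {
    "ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
                                "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Years": 6}}},
    "ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]},
    "Policy": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Deny", "Principal": "*", "Action": "s3:*",
         "Resource": ["arn:aws:s3:::example-audit-logs", "arn:aws:s3:::example-audit-logs/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]},
}
```

Feeding the same function the output of the real boto3 calls turns it into a periodic check that the log bucket has not drifted from these settings.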
Encryption at Rest
HIPAA does not mandate encryption at rest but treats it as an addressable specification — meaning you must assess whether it is appropriate and implement it if the assessment concludes that it is. For cloud-hosted healthcare data, encryption at rest is almost always appropriate and AWS provides it as a default option on RDS, S3, and EBS.
Business Associate Agreements
Cloud service providers who process or store protected health information on behalf of a covered entity are business associates. AWS, Google Cloud, and Azure all sign Business Associate Agreements. These agreements must be in place before PHI is stored on those platforms.
Vendor tools used within the application — CRM systems, communication platforms, analytics services — may also be business associates if they touch PHI. Each vendor relationship that involves PHI requires a BAA.
Cloudain Perspective
Cloudain and Healthzee work with healthcare organisations on cloud security and compliance for healthcare applications. If you are building or evaluating a healthcare application in the cloud, we can help assess the security controls against HIPAA requirements.