I am facing some questions when trying to design an S3 application using ASP.NET MVC and trying to stay HIPAA compliant.
My initial plan was to require an SSL connection to my web server, encrypt the images on my server, then send them to s3 using my private keys.
Here are my obvious concerns:
Saying the images will be encrypted because you will be connecting to my server via HTTPS still does not guarantee that browsers will not cache the data.
It's not possible to even consider the "Query String" with expiration option since data will be encrypted before being stored on disk at S3, and will again be decrypted at my server in memory.
I think my only option would be to write/purchase some sort of ActiveX component that will not expose the image as a simple HTML image source, or write my app as a client-side WinForms application.
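One way to implement the plan sketched in the question in ASP.NET MVC, as an added example that is not code from the question or any answer: the image is encrypted and authenticated on the web server before it is uploaded to S3, decrypted only in memory when it is requested through an authorized controller action, and returned with headers that forbid browser and proxy caching, so the browser never receives an S3 URL at all. The bucket name, the `IMAGE_KEY_BASE64` environment variable standing in for a key-management service, the `[Authorize]` attribute and the fixed `image/jpeg` content type are placeholders; the AWS calls are from the AWSSDK.S3 NuGet package.

```csharp
// Added example: encrypt-then-MAC images before S3 upload, decrypt in memory on read,
// and serve with no-store headers. Placeholders: bucket name, key source, content type.
using System;
using System.IO;
using System.Security.Cryptography;
using System.Threading.Tasks;
using System.Web;
using System.Web.Mvc;
using Amazon.S3;
using Amazon.S3.Model;

[Authorize] // placeholder: the real app must also check the caller may see this record
public class ImageController : Controller
{
    private const string BucketName = "example-phi-images";          // placeholder bucket
    private static readonly IAmazonS3 S3 = new AmazonS3Client();     // credentials from the SDK default chain
    private const int IvLen = 16, TagLen = 32, KeyLen = 32;

    // Placeholder for a KMS / key-vault lookup: 64 bytes, first 32 for AES-256, last 32 for HMAC.
    private static void LoadKeys(out byte[] aesKey, out byte[] macKey)
    {
        var km = Convert.FromBase64String(Environment.GetEnvironmentVariable("IMAGE_KEY_BASE64"));
        if (km.Length != 2 * KeyLen) throw new CryptographicException("expected 64 bytes of key material");
        aesKey = new byte[KeyLen]; macKey = new byte[KeyLen];
        Buffer.BlockCopy(km, 0, aesKey, 0, KeyLen);
        Buffer.BlockCopy(km, KeyLen, macKey, 0, KeyLen);
    }

    // Output layout: IV(16) || AES-CBC ciphertext || HMAC-SHA256(IV || ciphertext)
    private static byte[] Seal(byte[] plaintext, byte[] aesKey, byte[] macKey)
    {
        using (var aes = Aes.Create())
        using (var hmac = new HMACSHA256(macKey))
        {
            aes.Key = aesKey; aes.GenerateIV();
            byte[] cipher;
            using (var enc = aes.CreateEncryptor())
                cipher = enc.TransformFinalBlock(plaintext, 0, plaintext.Length);
            var blob = new byte[IvLen + cipher.Length + TagLen];
            Buffer.BlockCopy(aes.IV, 0, blob, 0, IvLen);
            Buffer.BlockCopy(cipher, 0, blob, IvLen, cipher.Length);
            var tag = hmac.ComputeHash(blob, 0, IvLen + cipher.Length);
            Buffer.BlockCopy(tag, 0, blob, IvLen + cipher.Length, TagLen);
            return blob;
        }
    }

    private static byte[] Open(byte[] blob, byte[] aesKey, byte[] macKey)
    {
        if (blob.Length < IvLen + TagLen) throw new CryptographicException("object too short");
        int bodyLen = blob.Length - TagLen;
        using (var hmac = new HMACSHA256(macKey))
        {
            var expected = hmac.ComputeHash(blob, 0, bodyLen);
            int diff = 0;                                   // constant-time tag comparison
            for (int i = 0; i < TagLen; i++) diff |= expected[i] ^ blob[bodyLen + i];
            if (diff != 0) throw new CryptographicException("MAC mismatch: object tampered or truncated");
        }
        using (var aes = Aes.Create())
        {
            aes.Key = aesKey;
            var iv = new byte[IvLen];
            Buffer.BlockCopy(blob, 0, iv, 0, IvLen);
            aes.IV = iv;
            using (var dec = aes.CreateDecryptor())
                return dec.TransformFinalBlock(blob, IvLen, bodyLen - IvLen);
        }
    }

    [HttpPost, ValidateAntiForgeryToken]
    public async Task<ActionResult> Upload(HttpPostedFileBase image)
    {
        if (image == null || image.ContentLength == 0) return new HttpStatusCodeResult(400);
        byte[] plain;
        using (var ms = new MemoryStream()) { image.InputStream.CopyTo(ms); plain = ms.ToArray(); }
        LoadKeys(out var aesKey, out var macKey);
        var objectKey = Guid.NewGuid().ToString("N");    // opaque name: no patient identifiers in S3 keys
        using (var body = new MemoryStream(Seal(plain, aesKey, macKey)))
        {
            await S3.PutObjectAsync(new PutObjectRequest
            {
                BucketName = BucketName, Key = objectKey, InputStream = body,
                ContentType = "application/octet-stream",                  // S3 only ever holds ciphertext
                ServerSideEncryptionMethod = ServerSideEncryptionMethod.AES256 // defence in depth at rest
            });
        }
        return Json(new { id = objectKey });
    }

    // The only URL the browser sees; S3 is reached server-side with the server's own credentials.
    public async Task<ActionResult> Show(string id)
    {
        LoadKeys(out var aesKey, out var macKey);
        byte[] plain;
        using (var resp = await S3.GetObjectAsync(new GetObjectRequest { BucketName = BucketName, Key = id }))
        using (var ms = new MemoryStream())
        {
            resp.ResponseStream.CopyTo(ms);
            plain = Open(ms.ToArray(), aesKey, macKey);  // decrypted in memory only, never written to disk
        }
        Response.Cache.SetCacheability(HttpCacheability.NoCache);   // Cache-Control: no-cache
        Response.Cache.SetNoStore();                                 // Cache-Control: no-store
        Response.Cache.SetExpires(DateTime.UtcNow.AddYears(-1));    // already expired
        Response.AppendHeader("Pragma", "no-cache");                 // for older HTTP/1.0 caches
        return File(plain, "image/jpeg");                            // placeholder: store the real type with the record
    }
}
```

Two design points worth noting: the object is authenticated (HMAC checked before decryption) so a modified or truncated S3 object is rejected rather than rendered as a corrupt image, and the S3 object name is a random GUID so that neither the bucket listing nor the URL the browser requests carries any identifying information. The `no-store` header is the strongest instruction the server can give; a browser that honours it will not write the image to its disk cache, though nothing server-side can stop a user from saving a rendered image, which is a matter for access control and audit logging rather than transport.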
All Amazon RDS database engines are now HIPAA-eligible. You can use Amazon RDS to build HIPAA-compliant applications and store healthcare related information, including protected health information (PHI) under an executed Business Associate Agreement (BAA) with AWS.
Amazon Web Services has all the protections to satisfy the HIPAA Security Rule and Amazon will sign a business associate agreement with healthcare organizations. So, is AWS HIPAA compliant? Yes.
There is no HIPAA certification for a cloud service provider (CSP) such as AWS.
On the face of it, it seems unlikely that cloud computing could be HIPAA compliant. Surely it is impossible to satisfy the Security Rule when the instance is hosted on someone else's hardware, tended by someone else's sysadmins?
However, Amazon have published a whitepaper on this very topic: Creating HIPAA-compliant Medical Data Applications with AWS. It is well worth reading, and seems to address the main concerns. It does end with a disclaimer:
"This white paper is not intended to constitute legal advice. You are advised to seek the advice of counsel regarding compliance with HIPAA and other laws that may be applicable to you and your business."
Naturally the same applies to any advice you get from some random bloke off Das Interwebs.
Contrary to some of the other answers, cloud computing and cloud data storage can in fact be HIPAA compliant (note that they were written in 2010, when this was a much tougher call).
There are two main things you should consider for this:
Here are some cloud providers that will sign BAAs:
(Up until recently, Amazon wasn't willing to sign a BAA, so even though they had a whitepaper on compliance, following their guidelines just didn't cut it - all that has changed, though).
For image storage, AWS has S3 and Azure has blob storage.
As far as your concerns about serving the images in the browser, I'm actually not sure how strict you have to be, but it seems like you could embed your images within:
It looks like PracticeFusion started off using Flex & Flash and is in the process of gradually transitioning to HTML5.