19

I am facing some questions when trying to design an S3 application using ASP.NET MVC and trying to stay HIPAA compliant.

My initial plan was to require an SSL connection to my web server, encrypt the images on my server, then send them to s3 using my private keys.

Here are my obvious concerns:

  1. You cannot store unencrypted images in any temporary file cache when client views images within the browser.
  2. Even if I set up an ashx to generically handle the image in memory, couldn't this get stored in cache?

Saying the images will be encrypted because you will be connecting to my server via https still does not guarantee all browsers will not cache data.

It's not possible to even consider the "Query String" with expiration option since data will be encrypted before being stored on disk at s3, and will again be decrypted at my server in memory.

I think my only option would be to write/purchase some sort of ActiveX component that will not expose the image as a simple html image source or write my app as a client side WinForm application.

Ned Batchelder
xkingpin

5 Answers

17

On the face of it, it seems unlikely that cloud computing could be HIPAA compliant. Surely it is impossible to satisfy the Security Rule when the instance is hosted on someone else's hardware, tended by someone else's sysadmins?

However, Amazon have published a whitepaper on this very topic: Creating HIPAA-compliant Medical Data Applications with AWS. It is well-worth reading, and seems to address the main concerns. It does end with a disclaimer:

"This white paper is not intended to constitute legal advice. You are advised to seek the advice of counsel regarding compliance with HIPAA and other laws that may be applicable to you and your business."

Naturally the same applies to any advice you get from some random bloke off Das Interwebs.

Scott Stensland
APC
11

Contrary to some of the other answers, cloud computing and cloud data storage can in fact be HIPAA compliant (note that they were written in 2010, when this was a much tougher call).

There are two main things you should consider for this:

  1. you must get the cloud provider to sign a HIPAA Business Associate Agreement (BAA)
  2. you must adhere closely to the Security Rule in the development of your system (encryption, audit trails, etc.)

Here are some cloud providers that will sign BAAs:

  1. Amazon Web Services
  2. Rackspace
  3. Windows Azure (as of July 2012)

(Up until recently, Amazon wasn't willing to sign a BAA, so even though they had a whitepaper on compliance, following their guidelines just didn't cut it - all that has changed, though).

For image storage, AWS has S3 and Azure has blob storage.

As far as your concerns about serving the images in the browser, I'm actually not sure how strict you have to be, but it seems like you could embed your images within:

  1. a Java Virtual Machine (JVM)
  2. Flash
  3. Flex
  4. HTML5

It looks like PracticeFusion started off using Flex & Flash and is in the process of gradually transitioning to HTML5.

Ryan Shea
    This is the most current and correct answer. Cloud vendors do have some requirements for signing the BAA, and they may have implications on costs (they do not publish this, so ask for the BAA as soon as possible and read it carefully) – keisar Jun 23 '14 at 12:04
9

The HIPAA and the credit card PCI compliance are basically impossible to implement, or trivial - it all depends on what consultant you hire to tell you what the meaning of a 'closed' network is - is that mathematically closed (which I would argue is the highest form), or is that closed as in behind a wall and not connected to the outside world, but trivially easy to eavesdrop with some basic equipment on the sidewalk outside?

When you get done with consultants, the fact that much computer equipment is leased, the fact that computers have USB ports and their users' camera phones, how could storing encrypted data anywhere be a problem? If you store encrypted data on S3, then S3 is not storing ANYTHING other than random bits of garbage. Some key owned by you + the garbage = data and that only happens in your system.

I have seen 'HIPAA compliant' software that runs with no encryption on a PC with XP on it. Considering how many laptops are owned by botnets and keystroke loggers, the whole thing is basically an exercise in deniability.

The HIPAA rules explicitly state that data does not have to be encrypted when it's sitting on your users' computers: "Information systems housing PHI must be protected from intrusion. When information flows over open networks, some form of encryption must be utilized. If closed systems/networks are utilized, existing access controls are considered sufficient and encryption is optional."

Tom Andersen
4

A couple of comments. Images served via https are not always stored in the browser cache. Even so, you can control this using headers.

When you upload an image you can stream it into memory and directly into a database using your favorite encryption technique. When the user requests a page with a URL to an encrypted image, you simply call your controller, grab the encrypted data from the database, decrypt it in memory and return the image.

    // GET /Assets/ShowImage/{id}: load the encrypted record, decrypt it in memory,
    // and stream the plaintext straight back to the client.
    [AcceptVerbs(HttpVerbs.Get)]
    public ActionResult ShowImage(string id)
    {
        ImageEntity image = Repository.For<ImageEntity>().Where(a => a.AssetId == id).First();

        var decryptedImage = Decrypt(image);

        // ImageResult is a custom ActionResult that writes the bytes with the given content type.
        ImageResult result = new ImageResult(decryptedImage.ImageData, decryptedImage.ContentType);

        return result;
    }

You use it like this:

    <img src="/Assets/ShowImage/<%=Model.Id%>" alt="" />
rboarman
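To make the two points in this answer concrete (encrypt on the way in, decrypt only in memory on the way out, and use response headers rather than https alone to keep the decrypted image out of the browser cache, which is the asker's concern 1 and 2), here is an added example for ASP.NET MVC 5 (System.Web.Mvc). It is not rboarman's code or code from any project mentioned on the page. The `EncryptedImage` record, the `ImageCrypto` helper, the `IImageStore` interface and `AssetsController` are all names assumed for this example; the keys are placeholders that would come from a key store in a real deployment.

```csharp
using System;
using System.Security.Cryptography;
using System.Web;
using System.Web.Mvc;

// Ciphertext record as it would sit in the database or in S3 (assumed shape):
// nothing in it is readable without the keys held by the application server.
public sealed class EncryptedImage
{
    public byte[] Iv;          // fresh random IV per image
    public byte[] Ciphertext;  // AES-256-CBC output
    public byte[] Tag;         // HMAC-SHA256 over IV || Ciphertext
    public string ContentType; // e.g. "image/jpeg"
}

public static class ImageCrypto
{
    // Encrypt-then-MAC with two independent keys (AES-256-CBC + HMAC-SHA256).
    public static EncryptedImage Seal(byte[] plaintext, string contentType, byte[] encKey, byte[] macKey)
    {
        using (var aes = Aes.Create())
        {
            aes.Key = encKey;
            aes.GenerateIV();
            using (var enc = aes.CreateEncryptor())
            {
                byte[] ct = enc.TransformFinalBlock(plaintext, 0, plaintext.Length);
                return new EncryptedImage { Iv = aes.IV, Ciphertext = ct, Tag = Mac(macKey, aes.IV, ct), ContentType = contentType };
            }
        }
    }

    // Verify the tag first; a tampered or corrupted record is never fed to AES.
    public static byte[] Open(EncryptedImage rec, byte[] encKey, byte[] macKey)
    {
        byte[] expected = Mac(macKey, rec.Iv, rec.Ciphertext);
        if (!FixedTimeEquals(expected, rec.Tag))
            throw new CryptographicException("image record failed integrity check");
        using (var aes = Aes.Create())
        {
            aes.Key = encKey;
            aes.IV = rec.Iv;
            using (var dec = aes.CreateDecryptor())
                return dec.TransformFinalBlock(rec.Ciphertext, 0, rec.Ciphertext.Length);
        }
    }

    private static byte[] Mac(byte[] key, byte[] iv, byte[] ct)
    {
        byte[] msg = new byte[iv.Length + ct.Length];
        Buffer.BlockCopy(iv, 0, msg, 0, iv.Length);
        Buffer.BlockCopy(ct, 0, msg, iv.Length, ct.Length);
        using (var h = new HMACSHA256(key)) return h.ComputeHash(msg);
    }

    // Constant-time comparison so the tag check does not leak through timing.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}

// Hypothetical storage abstraction (assumed for this example): returns the
// ciphertext record for an asset id, whether it lives in a database or in S3.
public interface IImageStore
{
    EncryptedImage Load(string id);
}

public class AssetsController : Controller
{
    private readonly IImageStore _store;
    private readonly byte[] _encKey, _macKey; // placeholders: load from a key store, never from source

    public AssetsController(IImageStore store, byte[] encKey, byte[] macKey)
    {
        _store = store; _encKey = encKey; _macKey = macKey;
    }

    [HttpGet]
    public ActionResult ShowImage(string id)
    {
        EncryptedImage rec = _store.Load(id);
        if (rec == null) return HttpNotFound();

        byte[] image = ImageCrypto.Open(rec, _encKey, _macKey); // plaintext exists only in this request's memory

        // "Cache-Control: no-cache, no-store" (plus Pragma/Expires for older proxies)
        // tells the browser and any intermediary not to keep a copy of the decrypted image.
        Response.Cache.SetCacheability(HttpCacheability.NoCache);
        Response.Cache.SetNoStore();
        Response.Cache.SetExpires(DateTime.UtcNow.AddYears(-1));
        Response.AppendHeader("Pragma", "no-cache");

        return File(image, rec.ContentType);
    }
}
```

The upload path calls `ImageCrypto.Seal` on the request body before anything is written to the database or to S3, so the storage layer only ever holds the `EncryptedImage` record. Whether a given browser honours `no-store` is still outside the server's control, which is why the asker's worry about thick-client alternatives is not unreasonable; the headers are the strongest signal an HTTP response can send, and they should be verified in the browser's network inspector rather than assumed.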
-1

No. HIPAA compliance is impossible due to the conflict between the network encryption requirement and the network monitoring requirement.

Joshua