I am facing some questions when trying to design an S3 application using ASP.NET MVC and trying to stay HIPAA compliant.

My initial plan was to require an SSL connection to my web server, encrypt the images on my server, then send them to s3 using my private keys.

Here are my obvious concerns:

  1. You cannot store unencrypted images in any temporary file cache when client views images within the browser.
  2. Even if I set up an ashx to generically handle the image in memory, couldn't this get stored in cache?

Saying the images will be encrypted because you will be connecting to my server via https still does not guarantee all browsers will not cache data.

It's not possible to even consider the "Query String" with expiration option since data will be encrypted before being stored on disk at s3, and will again be decrypted at my server in memory.

I think my only option would be to write/purchase some sort of ActiveX component that will not expose the image as a simple html image source or write my app as a client side WinForm application.

+5  A: 

On the face of it, it seems unlikely that cloud computing could be HIPAA compliant. Surely it is impossible to satisfy the Security Rule when the instance is hosted on someone else's hardware, tended by someone else's sysadmins?

However, Amazon have published a whitepaper on this very topic: Creating HIPAA-compliant Medical Data Applications with AWS. It is well worth reading, and seems to address the main concerns. It does end with a disclaimer:

"This white paper is not intended to constitute legal advice. You are advised to seek the advice of counsel regarding compliance with HIPAA and other laws that may be applicable to you and your business."

Naturally the same applies to any advice you get from some random bloke off Das Interwebs.

APC
A: 

No. HIPAA compliance is impossible due to the conflict between the network encryption requirement and the network monitoring requirement.

Joshua
A: 

A couple comments. Images served via https are not always stored in the browser cache. Even so, you can control this using headers.

When you upload an image you can stream it into memory and directly into a database using your favorite encryption technique. When the user requests a page with a url to an encrypted image, you simply call your controller, grab the encrypted data from the database, decrypt it in memory and return the image.

    [AcceptVerbs(HttpVerbs.Get)]
    public ActionResult ShowImage(string id)
    {
        ImageEntity image = Repository.For<ImageEntity>().Where(a => a.AssetIdd == id).First();

        var decryptedImage = Decrypt(image);

        ImageResult result = new ImageResult(decryptedImage.ImageData, decryptedImage.ContentType);

        return result;
    }

You use it like this:

    <img src="/Assets/ShowImage/<%=Model.Id%>" alt="" />
rboarman
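
The answer above mentions controlling browser caching with headers but does not show them. The following is an added example, not code from the answer: an ASP.NET MVC action filter that marks the image response as non-storable, applied to a `ShowImage` action. `NoStoreAttribute`, `IDecryptedImageSource` (a stand-in for the answer's repository lookup plus `Decrypt` step), constructor injection, and the `[Authorize]` requirement are assumptions.

```csharp
using System.Web;
using System.Web.Mvc;

// Added example: tells browsers and intermediaries not to keep a copy of the response.
public sealed class NoStoreAttribute : ActionFilterAttribute
{
    public override void OnResultExecuting(ResultExecutingContext filterContext)
    {
        HttpCachePolicyBase cache = filterContext.HttpContext.Response.Cache;
        cache.SetCacheability(HttpCacheability.NoCache); // Cache-Control: no-cache
        cache.SetNoStore();                              // adds the no-store directive
        base.OnResultExecuting(filterContext);
    }
}

// Hypothetical abstraction over the answer's Repository lookup and Decrypt call.
public interface IDecryptedImageSource
{
    // Returns false when no image exists for the given id.
    bool TryGet(string id, out byte[] imageData, out string contentType);
}

public class AssetsController : Controller
{
    private readonly IDecryptedImageSource _images;

    // Assumption: a controller factory or DI container supplies the source.
    public AssetsController(IDecryptedImageSource images)
    {
        _images = images;
    }

    [Authorize]   // assumption: images are served only to signed-in users
    [NoStore]     // applied to the decrypted image response
    [AcceptVerbs(HttpVerbs.Get)]
    public ActionResult ShowImage(string id)
    {
        byte[] data;
        string contentType;
        if (string.IsNullOrEmpty(id) || !_images.TryGet(id, out data, out contentType))
        {
            throw new HttpException(404, "Image not found");
        }
        // The decrypted bytes go from memory to the response; nothing is written to disk here.
        return File(data, contentType);
    }
}
```

Whether a given browser honors these headers for images is something to verify in the browsers you support, for example by inspecting the response headers and the on-disk cache after viewing a test image.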