Amazon CloudFront & HIPAA Compliance

Amazon CloudFront is a content delivery web service that speeds up the delivery of web content over the Internet and can also be used for website hosting. Normally, when a website is viewed, the visitor experiences some latency while static and dynamic content loads.

The reason for this is that viewers do not make a direct connection to the content; instead, their requests travel along a path to reach the server where the content is hosted. That path can involve many routing hops, which inevitably affects the speed at which content can be viewed. By using a content delivery network such as Amazon CloudFront, it is possible to cut latency and improve the reliability of, and access to, web content.

By serving content through a network of data centers (edge locations), users are routed to the closest location with the least latency, which speeds up their connection. The service also provides a level of protection against DDoS attacks and other cyberattacks that can be harmful to web services.

For any cloud service to be legally used with protected health information (PHI), HIPAA-covered entities must enter into a business associate agreement (BAA) with the service provider. Therefore, before Amazon CloudFront can be used with PHI, a HIPAA-compliant business associate agreement must be in place.

Amazon has recently amended its HIPAA compliance program, and CloudFront is now included as a HIPAA-eligible service. CloudFront is therefore covered by the business associate agreement provided for AWS. If you have already completed a BAA for AWS, you can use CloudFront to deliver content containing PHI. However, check that your BAA specifically states that CloudFront is included.

For HIPAA-compliant workloads, the service should also be set up to record CloudFront usage data for auditing purposes. Access logs should be turned on for the distribution, and requests sent to the CloudFront API should be recorded and retained.
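The two logging controls just described (access logs enabled on the distribution, and CloudFront API calls recorded) are easy to check programmatically. The following is an added example, not code from the original article or from AWS: it audits offline copies of the configuration shapes that boto3 returns from `cloudfront.get_distribution_config()["DistributionConfig"]`, `cloudtrail.describe_trails()["trailList"]` and `cloudtrail.get_trail_status()["IsLogging"]`. The sample configurations, bucket names and trail ARNs are constructed for the example. One detail worth knowing: CloudFront is a global service, so its API calls only reach a CloudTrail trail that has `IncludeGlobalServiceEvents` enabled. The cookie check is an assumption of the example (a conservative default for PHI-serving sites), not a requirement stated in the article.

```python
# Added example: offline audit of CloudFront logging controls for a HIPAA
# workload. Dict shapes mirror boto3 output; samples below are constructed.


def audit_distribution_logging(dist_config: dict) -> list:
    """Return findings (empty list means the check passes) for standard
    (access) logging on a CloudFront distribution config."""
    findings = []
    logging = dist_config.get("Logging", {})
    if not logging.get("Enabled", False):
        findings.append("access logging disabled")
        return findings
    if not logging.get("Bucket"):
        findings.append("access logging enabled but no S3 bucket set")
    if logging.get("IncludeCookies", False):
        # Assumption of this example: cookies on a PHI-serving site often
        # carry session identifiers, so keep them out of the log bucket.
        findings.append("access logs include cookies")
    return findings


def audit_api_trail(trails: list, is_logging_by_arn: dict) -> list:
    """Return findings for whether CloudFront API calls are being recorded.

    CloudFront API events are global service events; they are only captured
    by a trail that has IncludeGlobalServiceEvents set and is actively
    logging. is_logging_by_arn maps TrailARN -> IsLogging (get_trail_status).
    """
    findings = []
    covering = [
        t for t in trails
        if t.get("IncludeGlobalServiceEvents", False)
        and is_logging_by_arn.get(t.get("TrailARN"), False)
    ]
    if not covering:
        findings.append("no active trail records global (CloudFront) API events")
        return findings
    if not any(t.get("LogFileValidationEnabled", False) for t in covering):
        findings.append("no covering trail has log file validation enabled")
    if not any(t.get("IsMultiRegionTrail", False) for t in covering):
        findings.append("no covering trail is multi-region")
    return findings


def run_audit(dist_config: dict, trails: list, is_logging_by_arn: dict) -> dict:
    """Combine both checks; 'compliant' is True only when no findings remain."""
    findings = {
        "distribution": audit_distribution_logging(dist_config),
        "cloudtrail": audit_api_trail(trails, is_logging_by_arn),
    }
    findings["compliant"] = not (findings["distribution"] or findings["cloudtrail"])
    return findings


# --- constructed sample inputs (not from a real account) ---
COMPLIANT_DIST = {
    "Logging": {
        "Enabled": True,
        "IncludeCookies": False,
        "Bucket": "example-cf-logs.s3.amazonaws.com",
        "Prefix": "cloudfront/",
    }
}
NONCOMPLIANT_DIST = {"Logging": {"Enabled": False, "IncludeCookies": False,
                                 "Bucket": "", "Prefix": ""}}
TRAILS = [{
    "Name": "example-org-trail",
    "TrailARN": "arn:aws:cloudtrail:us-east-1:111122223333:trail/example-org-trail",
    "IsMultiRegionTrail": True,
    "IncludeGlobalServiceEvents": True,
    "LogFileValidationEnabled": True,
}]
IS_LOGGING = {TRAILS[0]["TrailARN"]: True}

if __name__ == "__main__":
    print(run_audit(COMPLIANT_DIST, TRAILS, IS_LOGGING))
    print(run_audit(NONCOMPLIANT_DIST, TRAILS, {}))
```

In a live account you would feed the functions the real API responses instead of the constructed dicts; the checks themselves do not change.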

Once a BAA that includes CloudFront has been completed for AWS and the service is configured properly, Amazon CloudFront is HIPAA compliant and can be deployed by healthcare organizations without breaching HIPAA Rules.

Author: Maria Perez