HIPAA Compliance and Amazon CloudFront

Amazon CloudFront is a web service that lets users speed up the delivery of web content across the Internet. In most cases, when a website is visited, the visitor encounters some latency when accessing static and dynamic pieces of content.

This is because web visitors do not connect directly to the content; instead, they are routed along a path to the server where the content can be obtained. The path can include several routing points, which inevitably affects the speed at which content can be obtained. By employing a content delivery system such as Amazon CloudFront, one can minimize latency and enhance the reliability and availability of web content.

Because content is sent over a network of data centers (edge locations), users are routed to the closest location with the least latency, which speeds up their connection. The service also provides a level of protection against DDoS attacks and other digital threats that can be dangerous to web services.

For any cloud service to be used with protected health information, HIPAA-covered entities must complete a business associate agreement with the service provider. Therefore, before Amazon CloudFront can be put in place, a HIPAA-compliant business associate agreement must be signed.

Recently, Amazon has renewed its HIPAA compliance program, and CloudFront has now been listed as a HIPAA-eligible service. CloudFront is now included among the services covered by the business associate agreement provided for AWS. If you have already completed a BAA for AWS, it is possible to use CloudFront to send content that includes PHI. However, make sure you review your BAA to confirm that it explicitly states that CloudFront is covered.

For HIPAA-compliant workloads, the service should also be set up to log CloudFront usage data for auditing purposes. Access logs should be configured on the network, and requests sent to the CloudFront API should be recorded.
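One way to check both logging requirements described above, as an added example that is not part of the original article: it audits saved AWS CLI JSON, assuming AWS CloudTrail is what records the CloudFront API requests. The distribution IDs, bucket name and trail names are constructed placeholders, and the `IsLogging` field is assumed to have been merged in from `get-trail-status`.

```python
# Added example. All sample documents are constructed, not from a real account.

def audit_distribution(dist_id, config):
    """Check the Logging block of a DistributionConfig (get-distribution-config)."""
    log = config.get("Logging") or {}
    if not log.get("Enabled"):
        return [f"{dist_id}: access logging is disabled"]
    if not log.get("Bucket"):
        return [f"{dist_id}: access logging enabled but no S3 bucket is set"]
    return []

def audit_trails(trails):
    """Check that at least one active trail records CloudFront API calls.

    CloudFront is a global service: a trail captures its API calls only when
    IncludeGlobalServiceEvents is true. IsLogging comes from get-trail-status
    and is assumed to have been merged into each describe-trails entry.
    """
    if any(t.get("IsLogging") and t.get("IncludeGlobalServiceEvents") for t in trails):
        return []
    return ["no active trail records global service events (CloudFront API calls)"]

def run_audit(distributions, trails):
    """Collect findings for every distribution, then for the trail set."""
    findings = []
    for dist_id, config in sorted(distributions.items()):
        findings += audit_distribution(dist_id, config)
    return findings + audit_trails(trails)

# Constructed sample input (placeholder IDs and bucket names).
SAMPLE_DISTRIBUTIONS = {
    "EXAMPLEDIST1": {"Logging": {"Enabled": True, "IncludeCookies": False,
                                 "Bucket": "example-logs.s3.amazonaws.com", "Prefix": "cf/"}},
    "EXAMPLEDIST2": {"Logging": {"Enabled": False, "IncludeCookies": False,
                                 "Bucket": "", "Prefix": ""}},
}
SAMPLE_TRAILS = [
    {"Name": "regional-only", "IsLogging": True, "IncludeGlobalServiceEvents": False},
    {"Name": "paused", "IsLogging": False, "IncludeGlobalServiceEvents": True},
]

if __name__ == "__main__":
    for finding in run_audit(SAMPLE_DISTRIBUTIONS, SAMPLE_TRAILS):
        print("FINDING:", finding)
```

The check only inspects the `Logging` block of the distribution configuration, so logs delivered by another mechanism would need a separate check.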

Once a BAA that incorporates CloudFront has been obtained for AWS and the solution is implemented properly, Amazon CloudFront is HIPAA compliant and can be used by healthcare groups without breaching HIPAA Regulations.

Author: Maria Perez