Is Amazon CloudFront HIPAA compliant and can the web service be used by HIPAA covered entities without violating HIPAA Rules? In this post we determine whether Amazon CloudFront supports HIPAA compliance or if it should be avoided by HIPAA-covered entities.
What is Amazon CloudFront?
Amazon CloudFront is a web service that allows users to speed up web content delivery over the Internet. Typically, when a website is accessed, the visitor experiences some latency accessing static and dynamic content.
The reason for this is that visitors do not make a direct connection to the content; instead, they are routed along a path to the server where the content is hosted. That path can involve many routing points, which inevitably affects the speed at which the content can be accessed. By using a content delivery network such as Amazon CloudFront, it is possible to reduce latency and improve the reliability and availability of web content.
By delivering content via a network of data centers (edge locations), users are routed to the nearest location with the least latency, thus speeding up their connection. The service also offers a level of protection against DDoS attacks and other cyberthreats that can be harmful to web services.
Is Amazon CloudFront HIPAA Compliant?
In order for any cloud service to be used in conjunction with protected health information, HIPAA-covered entities must enter into a business associate agreement with the service provider. Therefore, before Amazon CloudFront can be deployed, a HIPAA-compliant business associate agreement must be obtained.
Recently, Amazon has updated its HIPAA compliance program and CloudFront has now been included as a HIPAA-eligible service. CloudFront is now included in the list of services covered by the business associate agreement provided for AWS. If you have already executed a BAA for AWS, it is possible to use CloudFront to deliver content containing PHI. However, make sure you check that your BAA specifically states CloudFront is covered.
For HIPAA-compliant workloads, the service should also be configured to log CloudFront usage data for auditing purposes: access logging should be enabled on the platform, and requests sent to the CloudFront API should be captured.
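The two logging controls just described can be checked mechanically. The following is an example added to this post, not AWS tooling or code from the original article: it audits a CloudFront distribution configuration in the shape returned by the CloudFront GetDistributionConfig API and the trail list in the shape returned by the CloudTrail DescribeTrails API. It assumes that AWS CloudTrail is the mechanism used to capture CloudFront API requests; because CloudFront is a global service, its API calls are only recorded by trails that include global service events. The sample configuration and trail list are constructed values, not taken from any real account.

```python
"""Audit CloudFront logging settings for a HIPAA workload.

Example code added to this post (not AWS's own tooling). Input shapes follow
the CloudFront GetDistributionConfig and CloudTrail DescribeTrails responses;
a live run would feed the 'DistributionConfig' and 'trailList' members of
those responses into audit(). All sample values below are constructed.
"""

from typing import Dict, List


def audit_distribution_logging(distribution_config: Dict) -> List[str]:
    """Return findings for the standard access-logging settings of one
    distribution (the 'Logging' member of DistributionConfig)."""
    findings: List[str] = []
    logging_cfg = distribution_config.get("Logging", {})

    if not logging_cfg.get("Enabled", False):
        findings.append("standard access logging is disabled")
    elif not logging_cfg.get("Bucket"):
        # Logging flagged as enabled but no destination bucket configured.
        findings.append("access logging is enabled but no log bucket is set")
    return findings


def audit_cloudtrail_for_cloudfront(trails: List[Dict]) -> List[str]:
    """Return findings on whether any CloudTrail trail will record
    CloudFront API calls. CloudFront is a global service, so only trails
    with IncludeGlobalServiceEvents=True capture its management events."""
    findings: List[str] = []
    if not trails:
        findings.append("no CloudTrail trail exists, so CloudFront API calls are not captured")
    elif not any(t.get("IncludeGlobalServiceEvents", False) for t in trails):
        findings.append(
            "no CloudTrail trail includes global service events, "
            "so CloudFront API calls are not captured"
        )
    return findings


def audit(distribution_config: Dict, trails: List[Dict]) -> Dict:
    """Combine both checks into a single verdict with the list of gaps."""
    findings = audit_distribution_logging(distribution_config)
    findings += audit_cloudtrail_for_cloudfront(trails)
    return {
        "distribution": distribution_config.get("Comment", "<unnamed>"),
        "compliant": not findings,
        "findings": findings,
    }


# Constructed sample: a distribution with logging switched off, and a trail
# that only records regional events. Both checks should produce a finding.
NONCOMPLIANT_CONFIG = {
    "Comment": "patient-portal-static-assets",
    "Logging": {"Enabled": False, "IncludeCookies": False, "Bucket": "", "Prefix": ""},
}
NONCOMPLIANT_TRAILS = [
    {"Name": "regional-only-trail", "IsMultiRegionTrail": False, "IncludeGlobalServiceEvents": False},
]

# Constructed sample: the same distribution configured as the post advises.
COMPLIANT_CONFIG = {
    "Comment": "patient-portal-static-assets",
    "Logging": {
        "Enabled": True,
        "IncludeCookies": False,
        "Bucket": "example-cloudfront-logs.s3.amazonaws.com",  # placeholder bucket
        "Prefix": "patient-portal/",
    },
}
COMPLIANT_TRAILS = [
    {"Name": "org-trail", "IsMultiRegionTrail": True, "IncludeGlobalServiceEvents": True},
]


if __name__ == "__main__":
    for cfg, trails in ((NONCOMPLIANT_CONFIG, NONCOMPLIANT_TRAILS), (COMPLIANT_CONFIG, COMPLIANT_TRAILS)):
        result = audit(cfg, trails)
        status = "OK" if result["compliant"] else "GAPS"
        print(f"{result['distribution']}: {status}")
        for finding in result["findings"]:
            print(f"  - {finding}")
```

In a live environment the two inputs come from `get_distribution_config()` and `describe_trails()` on the CloudFront and CloudTrail clients; the checks themselves do not depend on the SDK, which keeps them easy to run in a review pipeline against exported configuration.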
Provided a BAA has been obtained for AWS – that includes CloudFront – and the solution is configured correctly, Amazon CloudFront is HIPAA compliant and can be used by healthcare organizations without violating HIPAA Rules.