Tags: browser, activex, amazon-s3, amazon-web-services, hipaa

Can you create a HIPAA compliant Amazon S3 Web Application?


I am facing some questions when trying to design an S3 application using ASP.NET MVC and trying to stay HIPAA compliant.

My initial plan was to require an SSL connection to my web server, encrypt the images on my server, then send them to s3 using my private keys.

Here are my obvious concerns:

  1. You cannot store unencrypted images in any temporary file cache when the client views images within the browser.
  2. Even if I set up an ashx to generically handle the image in memory, couldn't this get stored in cache?

Saying the images will be encrypted because you will be connecting to my server via https still does not guarantee all browsers will not cache data.

It's not possible to even consider the "Query String" with expiration option since data will be encrypted before being stored on disk at s3, and will again be decrypted at my server in memory.

I think my only option would be to write/purchase some sort of ActiveX component that will not expose the image as a simple html image source or write my app as a client side WinForm application.
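The ashx idea from the question can be made to serve decrypted images from memory while telling browsers and proxies not to write the body to a cache. The following is an added example, not code from the question or the answer: an ASP.NET generic handler with an encrypt-then-MAC helper (AES-256-CBC plus HMAC-SHA256, a layout chosen here and not the poster's format). `ProtectedImageHandler`, `ImageCrypto`, `ImageKeys` and `CipherStore` are illustrative names; the key store and the S3 fetch are replaced by in-memory stand-ins so the block is self-contained. `Cache-Control: no-store` is a directive the client is expected to honour, not a guarantee, which is why the question also weighs a non-browser client.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Web;

// Serves one decrypted image per request; nothing is written to disk on the server
// and the response carries no-store so browsers and proxies do not cache it either.
public class ProtectedImageHandler : IHttpHandler
{
    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        HttpResponse resp = context.Response;

        // PHI only over TLS and only to an authenticated user; the per-image
        // authorisation check ("may this user see this image") is application-specific.
        if (!context.Request.IsSecureConnection) { resp.StatusCode = 403; return; }
        if (context.User == null || !context.User.Identity.IsAuthenticated) { resp.StatusCode = 401; return; }

        string imageId = context.Request.QueryString["id"];
        byte[] blob;
        if (string.IsNullOrEmpty(imageId) || !CipherStore.TryLoad(imageId, out blob)) { resp.StatusCode = 404; return; }

        byte[] plaintext;
        try { plaintext = ImageCrypto.DecryptAndVerify(blob, ImageKeys.Enc, ImageKeys.Mac); }
        catch (CryptographicException) { resp.StatusCode = 403; return; }

        // NoCache emits Cache-Control: no-cache, Pragma: no-cache and Expires: -1;
        // SetNoStore adds no-store, the directive that forbids writing the body to a disk cache.
        resp.Cache.SetCacheability(HttpCacheability.NoCache);
        resp.Cache.SetNoStore();
        resp.AppendHeader("X-Content-Type-Options", "nosniff");

        resp.ContentType = "image/png";
        resp.BinaryWrite(plaintext);
        Array.Clear(plaintext, 0, plaintext.Length); // scrub the plaintext buffer once written
    }
}

// Encrypt-then-MAC. Blob layout (an assumption of this example):
// IV(16) || ciphertext || tag(32), where tag = HMAC-SHA256(macKey, IV || ciphertext).
static class ImageCrypto
{
    const int IvLen = 16, TagLen = 32;

    public static byte[] Encrypt(byte[] plaintext, byte[] encKey, byte[] macKey)
    {
        using (var aes = Aes.Create())
        {
            aes.Key = encKey; aes.GenerateIV();
            byte[] ct;
            using (var enc = aes.CreateEncryptor()) ct = enc.TransformFinalBlock(plaintext, 0, plaintext.Length);
            byte[] blob = new byte[IvLen + ct.Length + TagLen];
            Buffer.BlockCopy(aes.IV, 0, blob, 0, IvLen);
            Buffer.BlockCopy(ct, 0, blob, IvLen, ct.Length);
            using (var hmac = new HMACSHA256(macKey))
                Buffer.BlockCopy(hmac.ComputeHash(blob, 0, IvLen + ct.Length), 0, blob, IvLen + ct.Length, TagLen);
            return blob;
        }
    }

    public static byte[] DecryptAndVerify(byte[] blob, byte[] encKey, byte[] macKey)
    {
        if (blob.Length < IvLen + TagLen) throw new CryptographicException("blob too short");
        int bodyLen = blob.Length - TagLen;
        using (var hmac = new HMACSHA256(macKey))
        {
            // Verify the tag before touching the ciphertext, comparing in constant time.
            byte[] expected = hmac.ComputeHash(blob, 0, bodyLen);
            int diff = 0;
            for (int i = 0; i < TagLen; i++) diff |= expected[i] ^ blob[bodyLen + i];
            if (diff != 0) throw new CryptographicException("tag mismatch");
        }
        using (var aes = Aes.Create())
        {
            aes.Key = encKey;
            byte[] iv = new byte[IvLen]; Buffer.BlockCopy(blob, 0, iv, 0, IvLen); aes.IV = iv;
            using (var dec = aes.CreateDecryptor()) return dec.TransformFinalBlock(blob, IvLen, bodyLen - IvLen);
        }
    }
}

// Stand-ins so the handler runs without external services (assumptions of this example):
// in a deployment the keys come from a protected key store and the blob from an S3 GetObject call.
static class ImageKeys
{
    public static readonly byte[] Enc = RandomBytes(32), Mac = RandomBytes(32);
    static byte[] RandomBytes(int n) { var b = new byte[n]; using (var r = RandomNumberGenerator.Create()) r.GetBytes(b); return b; }
}

static class CipherStore
{
    static readonly Dictionary<string, byte[]> Blobs = new Dictionary<string, byte[]>
    {
        // Constructed sample: a four-byte stand-in for an image, encrypted under the keys above.
        { "demo", ImageCrypto.Encrypt(new byte[] { 0x89, 0x50, 0x4E, 0x47 }, ImageKeys.Enc, ImageKeys.Mac) }
    };
    public static bool TryLoad(string id, out byte[] blob) { return Blobs.TryGetValue(id, out blob); }
}
```

Register the handler with a `<%@ WebHandler Language="C#" Class="ProtectedImageHandler" %>` directive in the .ashx file and reference it as `<img src="/image.ashx?id=demo">` from a page served over HTTPS. The tag is checked before decryption so a tampered or truncated object in S3 is rejected rather than rendered, and the plaintext never exists outside the request's memory.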


Solution

  • On the face of it, it seems unlikely that cloud computing could be HIPAA compliant. Surely it is impossible to satisfy the Security Rule when the instance is hosted on someone else's hardware, tended by someone else's sysadmins?

    However, Amazon have published a whitepaper on this very topic: Creating HIPAA-compliant Medical Data Applications with AWS. It is well worth reading, and seems to address the main concerns. It does end with a disclaimer:

    "This white paper is not intended to constitute legal advice. You are advised to seek the advice of counsel regarding compliance with HIPAA and other laws that may be applicable to you and your business."

    Naturally the same applies to any advice you get from some random bloke off Das Interwebs.