您可以创建符合 HIPAA 要求的 Amazon S3 Web 应用程序吗?

发布于 2024-08-28 21:06:39 字数 480 浏览 9 评论 0原文

在尝试使用 ASP.NET MVC 设计 S3 应用程序并尝试保持 HIPAA 合规性时,我遇到了一些问题。

我最初的计划是需要与我的 Web 服务器建立 SSL 连接,对我的服务器上的图像进行加密,然后使用我的私钥将它们发送到 s3。

这是我明显的担忧:

  1. 当客户端在浏览器中查看图像时,您无法将未加密的图像存储在任何临时文件缓存中。
  2. 即使我设置一个 ashx 来一般处理内存中的图像,它也不能存储在缓存中吗?

说图像将被加密,因为您将通过 https 连接到我的服务器,但这仍然不能保证所有浏览器不会缓存数据。

甚至不可能考虑带有过期选项的“查询字符串”,因为数据在存储在 s3 的磁盘上之前将被加密,并且将在我的服务器内存中再次解密。

我认为我唯一的选择是编写/购买某种 ActiveX 组件,该组件不会将图像公开为简单的 html 图像源,也不会将我的应用程序编写为客户端 WinForm 应用程序。

I am facing some questions when trying to design an S3 application using ASP.NET MVC and trying to stay HIPAA compliant.

My initial plan was to require an SSL connection to my web server, encrypt the images on my server, then send them to s3 using my private keys.

Here's my obvious concerns:

  1. You cannot store unencrypted images in any temporary file cache when client views images within the browser.
  2. Even if I setup an ashx to generically handle the image in memory, couldn't this get stored in cache?

Saying the images will be encrypted because you will be connecting to my server via https still does not guarantee all browsers will not cache data.

It's not possible to even consider the "Query String" with expiration option since data will be encrypted before being stored on disk at s3, and will again be decrypted at my server in memory.

I think my only option would be to write/purchase some sort of ActiveX component that will not expose the image as a simple html image source or write my app as a client side WinForm application.

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(5

生死何惧 2024-09-04 21:06:39

从表面上看,云计算似乎不太可能符合 HIPAA。当实例托管在其他人的硬件上时,当然不可能满足安全规则 ,由其他人的系统管理员管理?

但是,Amazon 已就该主题发布了一份白皮书:创建 HIPAA-符合 AWS 的医疗数据应用程序。这是非常值得一读的,并且似乎解决了主要问题。它确实以免责声明结束:

“本白皮书无意
构成法律建议。你是
建议寻求律师的意见
关于遵守 HIPAA 和
其他可能适用的法律
您和您的企业。”

自然,这同样适用于你从 Das Interwebs 上随机得到的任何建议。

On the face of it, it seems unlikely that cloud computing could be HIPAA compliant. Surely it is impossible to satisfy the Security Rule when the instance is hosted on someone else's hardware, tended by someone else's sysadmins?

However, Amazon have published a whitepaper on this very topic: Creating HIPAA-compliant Medical Data Applications with AWS. It is well-worth reading, and seems to address the main concerns. It does end with a disclaimer:

"This white paper is not intended to
constitute legal advice. You are
advised to seek the advice of counsel
regarding compliance with HIPAA and
other laws that may be applicable to
you and your business."

Naturally the same applies to any advice you get from some random bloke off Das Interwebs.

别在捏我脸啦 2024-09-04 21:06:39

与其他一些答案相反,云计算和云数据存储实际上可以符合 HIPAA(请注意,它们是在 2010 年编写的,当时这是一个更加艰难的决定)。

为此,您应该考虑两件主要事情:

  1. 您必须让云提供商签署 HIPAA 业务伙伴协议 (BAA)
  2. 您必须严格遵守 系统开发中的安全规则(加密、审计跟踪等)。

以下是一些将签署 BAA 的云提供商:

  1. 亚马逊网络服务
  2. Rackspace
  3. Windows Azure (截至 2012 年 7 月

(直到最近,亚马逊还不愿意签署 BAA,因此即使他们有 合规性白皮书,遵循他们的指导方针并没有解决问题 - 不过,一切都已经改变了)。

对于图像存储,AWS有S3,Azure有blob 存储

至于您对在浏览器中提供图像的担忧,我实际上不确定您必须有多严格,但似乎您可以将图像嵌入到:

  1. Java 虚拟机(JVM)
  2. Flash
  3. Flex
  4. HTML5

它看起来像PracticeFusion 开始使用 Flex 和Flash 正在逐步过渡到 HTML5

Contrary to some of the other answers, cloud computing and cloud data storage can in fact be HIPAA compliant (note that they were written in 2010, when this was a much tougher call).

There are two main things you should consider for this:

  1. you must get the cloud provider to sign a HIPAA Business Associate Agreement (BAA)
  2. you must adhere closely to the Security Rule in the development of your system (encryption, audit trails, etc.)

Here are some cloud providers that will sign BAA's:

  1. Amazon Web Services
  2. Rackspace
  3. Windows Azure (as of July 2012)

(Up until recently, Amazon wasn't willing to sign a BAA, so even though they had a whitepaper on compliance, following their guidelines just didn't cut it - all that has changed, though).

For image storage, AWS has S3 and Azure has blob storage.

As far as your concerns about serving the images in the browser, I'm actually not sure how strict you have to be, but it seems like you could embed your images within:

  1. a Java Virtual Machine (JVM)
  2. Flash
  3. Flex
  4. HTML5

It looks like PracticeFusion started off using Flex & Flash and is in the process of gradually transitioning to HTML5.

倾城°AllureLove 2024-09-04 21:06:39

HIPAA 和信用卡 PCI 合规性基本上不可能实现,或者微不足道 - 这完全取决于您聘请的顾问来告诉您“封闭”网络的含义是什么 - 是数学上的封闭(我认为这是最高形式),还是封闭在墙后,不与外界相连,但很容易用外面人行道上的一些基本设备窃听?

当您与顾问打交道时,事实上,许多计算机设备是租赁的,计算机有 USB 端口及其用户的拍照手机,在任何地方存储加密数据怎么会成为问题呢?如果您在 S3 上存储加密数据,那么 S3 除了随机的垃圾位之外不会存储任何内容。您拥有的某个密钥+垃圾=数据,而这只发生在您的系统中。

我见过“符合 HIPAA 要求”的软件,在装有 XP 的 PC 上运行时无需加密。考虑到有多少笔记本电脑被僵尸网络和击键记录器所拥有,整个事件基本上是一种否认行为。

HIPAA 规则明确规定,数据位于用户计算机上时不必加密:
“必须保护包含 PHI 的信息系统免受入侵。当信息通过开放网络流动时,必须使用某种形式的加密。如果使用封闭系统/网络,现有的访问控制被认为是足够的,并且加密是可选的。”

The HIPAA and the credit card PCI compliance are basically impossible to implement, or trivial - it all depends on what consultant you hire to tell you what the meaning of a 'closed' network is - is that mathematically closed (which I would argue is the highest form), or is that closed as in behind a wall and not connected to the outside world, but trivially easy to eavesdrop with some basic equipment on the sidewalk outside?

When you get done with consultants, the fact that much computer equipment is leased, the fact that computers have usb ports and their users camera phones, how could storing encrypted data anywhere be a problem? If you store encrypted data on S3, then S3 is not storing ANYTHING other than random bits of garbage. Some key owned by you + the garbage = data and that only happens in your system.

I have seen 'HIPAA compliant' software that runs with no encryption on a PC with XP on it. Considering how many laptops are owned by botnets and keystroke loggers, the whole thing is an basically an exercise in deniability.

The HIPAA rules explicitly state that data does not have to be encrypted when its sitting on your users computer:
"Information systems housing PHI must be protected from intrusion. When information flows over open networks, some form of encryption must be utilized. If closed systems/networks are utilized, existing access controls are considered sufficient and encryption is optional."

静水深流 2024-09-04 21:06:39

一些评论。通过 https 提供的图像并不总是存储在浏览器缓存中。即便如此,您可以使用 标头 来控制它。

当您上传图像时,您可以使用您最喜欢的加密技术将其流式传输到内存中并直接传输到数据库中。当用户请求带有加密图像 URL 的页面时,您只需调用控制器,从数据库中获取加密数据,在内存中解密并返回图像。

    [AcceptVerbs(HttpVerbs.Get)]
    public ActionResult ShowImage(string id)
    {
        ImageEntity image = Repository.For<ImageEntity>().Where(a => a.AssetIdd == id).First();

        var decryptedImage = Decrypt(image);

        ImageResult result = new ImageResult(decryptedImage.ImageData, decryptedImage.ContentType);

        return result;
    }

你像这样使用它:

<img src="/Assets/ShowImage/<%=Model.Id%>" alt="" />

A couple comments. Images served via https are not always stored in the browser cache. Even so, you can control this using headers.

When you upload an image you can stream it into memory and directly into a database using your favorite encryption technique. When the user requests a page with a url to an encrypted image, you simply call your controller, grab the encrypted data from the database, decrypt it in memory and return the image.

    [AcceptVerbs(HttpVerbs.Get)]
    public ActionResult ShowImage(string id)
    {
        ImageEntity image = Repository.For<ImageEntity>().Where(a => a.AssetIdd == id).First();

        var decryptedImage = Decrypt(image);

        ImageResult result = new ImageResult(decryptedImage.ImageData, decryptedImage.ContentType);

        return result;
    }

You use it like this:

<img src="/Assets/ShowImage/<%=Model.Id%>" alt="" />
可爱暴击 2024-09-04 21:06:39

不可以。由于网络加密要求和网络监控要求之间存在冲突,HIPAA 合规性是不可能的。

No. HIPAA compliance is impossible due to the conflict between the network encryption requirement and the network monitoring requirement.

~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文