
I'm going to implement a client/server application - 1 server - [0-N] clients.

In order to organize communication between clients and server I plan to use Amazon SQS or something like that.

Right now I have two questions:

Is Amazon SQS HIPAA compliant?

How to organise multi-tenancy support based on Amazon SQS queues?

The data between clients must not be shared. Each client can only deal with the data that was sent only for this client.

Is it possible to implement this on a single Amazon SQS queue, or do I need to create a separate queue for each client?

alexanoid

4 Answers

Since there is no cost to create separate queues, that is clearly the best option for you if you need to not commingle the data. Assuming that each 'client' is going to poll the queue, there would be no good way to segregate the access based on what's in the message, so using multiple queues is the best solution. It will also be more performant in that you won't have to request messages from the queue and then throw them away if they are not for the right client.

E.J. Brennan

You should read this page which covers Amazon's HIPAA compliance: https://aws.amazon.com/compliance/hipaa-compliance/

Note that (at this time) SQS isn't in the list of services that are covered under the AWS HIPAA agreement. You can use AWS services that aren't in the HIPAA compliance list, but you can't store PHI data in them. So you would either have to make sure you don't ever store any PHI in your SQS messages, or use a different queue system, such as RabbitMQ or ActiveMQ, that you can install on EC2.

Mark B
  • Thanks for your answer. Is it enough to install, for example, ActiveMQ on EC2 and configure it with HTTPS in order to make this architecture HIPAA compliant? – alexanoid Aug 25 '15 at 17:36
  • I'm not going to tell you exactly what you need to do in order to be HIPAA compliant. You need to read all the documentation and understand the requirements and then create an architecture that meets all those requirements. For example you need to be logging certain information and then storing it somewhere (S3/Glacier) for a certain number of years. You need to be storing all PHI data on encrypted disk volumes (encryption at rest). You need to be using dedicated EC2 instances instead of multi-tenancy. You need to sign the AWS HIPAA business agreement. – Mark B Aug 25 '15 at 18:25

Regarding HIPAA and SQS: While your BAA with AWS probably does not allow you to use SQS for PHI, it probably does allow you to use S3 (but don't take my word for it, look in your BAA to be sure).

If this is the case, then you can put your message payload (PHI) in an (encrypted) S3 file and send an SQS message that references the S3 key. When you handle the SQS message, you go grab the file from S3 and process it, deleting the message and/or the file as appropriate.

There is even an "extended" SQS client that you may be able to use that handles this magic for you.

Another option is to enable and configure Event Notifications on your S3 bucket such that a message is queued for each file uploaded to the bucket. In other words, the file is uploaded and the message is sent as a side-effect. Then, when you process the message you get a handle to the S3 file. By keeping your PHI in S3, you avoid the BAA restrictions on SQS.

Rob
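The claim-check flow Rob describes, as an added example that is not from the original answer or from AWS's extended SQS client: the producer stores the payload as an encrypted S3 object under a per-client key prefix and enqueues only a JSON pointer, and the consumer resolves the pointer, refuses pointers addressed to another tenant, then deletes both the object and the message. It assumes the caller passes in clients with boto3's put_object/get_object/delete_object and send_message/receive_message/delete_message call shapes; FakeS3 and FakeSQS are constructed in-memory stand-ins so it runs offline.

```python
import io
import json
import uuid

def send_claim_check(s3, sqs, bucket, queue_url, client_id, payload):
    """Store the PHI payload as an encrypted S3 object and enqueue only a pointer to it."""
    key = f"{client_id}/{uuid.uuid4()}"  # per-client key prefix keeps tenants' objects apart
    s3.put_object(Bucket=bucket, Key=key, Body=payload, ServerSideEncryption="aws:kms")
    ref = {"client_id": client_id, "bucket": bucket, "key": key}
    sqs.send_message(QueueUrl=queue_url, MessageBody=json.dumps(ref))  # queue never sees PHI
    return ref

def receive_claim_check(s3, sqs, queue_url, client_id):
    """Take one message, resolve its pointer, then delete the object and the message."""
    msgs = sqs.receive_message(QueueUrl=queue_url, MaxNumberOfMessages=1).get("Messages", [])
    if not msgs:
        return None
    msg = msgs[0]
    ref = json.loads(msg["Body"])
    # Defence in depth for a shared queue: refuse a pointer addressed to another tenant.
    if ref["client_id"] != client_id or not ref["key"].startswith(client_id + "/"):
        raise PermissionError("reference belongs to another client")
    body = s3.get_object(Bucket=ref["bucket"], Key=ref["key"])["Body"].read()
    s3.delete_object(Bucket=ref["bucket"], Key=ref["key"])
    sqs.delete_message(QueueUrl=queue_url, ReceiptHandle=msg["ReceiptHandle"])
    return body

# Constructed in-memory stand-ins exposing the boto3 call shapes used above; a real
# boto3.client("s3") and boto3.client("sqs") can be passed in their place (assumption).
class FakeS3:
    def __init__(self):
        self.objects = {}
    def put_object(self, Bucket, Key, Body, **kwargs):
        self.objects[(Bucket, Key)] = Body
    def get_object(self, Bucket, Key):
        return {"Body": io.BytesIO(self.objects[(Bucket, Key)])}
    def delete_object(self, Bucket, Key):
        self.objects.pop((Bucket, Key))

class FakeSQS:
    def __init__(self):
        self.messages = []
    def send_message(self, QueueUrl, MessageBody):
        self.messages.append(MessageBody)
    def receive_message(self, QueueUrl, MaxNumberOfMessages=1):
        batch = self.messages[:MaxNumberOfMessages]
        return {"Messages": [{"Body": m, "ReceiptHandle": m} for m in batch]}
    def delete_message(self, QueueUrl, ReceiptHandle):
        self.messages.remove(ReceiptHandle)
```

With a real SQS queue, a rejected cross-tenant pointer is left in place and becomes visible again after the visibility timeout, which is why one queue per client remains the simpler design.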

To be HIPAA compliant, don't forget to:

  • encrypt the 'at rest' data (database or S3 bucket).
  • encrypt the 'in transit' data during communication
  • make the data storage dedicated instances or hosts

The PHI data can rest in a relational db or an S3 bucket as mentioned above by Rob. Depending on your situation, an S3 bucket might be a better solution as far as multi-tenancy is concerned. Larger payloads are easily available as well. Historic messages can be easily surfaced to different clients on different S3 bucket paths.

Similarly, this approach can be applied to a Lambda serverless solution or any other non-HIPAA-compliant AWS services, which are not supposed to hold any PHI data even after encryption.

marc_s
Denis Wang