CDNs for HIPAA Compliance and Security

One of the most frustrating aspects of becoming HIPAA compliant is the ambiguous nature of the law itself. Not only have the HIPAA Security and Privacy rules changed many times since 1996, but the law is still very nebulous as to what “HIPAA compliance” means.

What Does a CDN Do?

CDN offerings vary greatly, as each company creates its own list of additional services. Here are some of the most common ways that having a CDN and related services can increase HIPAA security while speeding up your site.

Caching Static Content

In general, CDNs enable a global network to take static content—content that would otherwise be cached within your web application—and cache it in the most efficient place. This includes static files such as images, files, HTML code, CSS files, and JavaScript.

Caching static content means that each request doesn’t have to return to the origin server every time it wants to access common material. This can significantly speed up page load times.

Increase Page Speed Per Region

Content managed by a CDN will be stored on multiple servers, and site users (patients and customers) will be connected to the server that will deliver them the best performance. This prevents them from having to get the information from the origin server, which speeds up the content delivery time and alleviates excess strain on the origin server.

The CDN decides storage location based on machine learning/artificial intelligence. CDN will study the site’s visitors and traffic and figure out the best way to cache the content so that users have a better overall experience.

Having CDNs distribute the content to multiple servers can reduce latency significantly. Without a CDN, international users might have to wait additional seconds for each page to load. This time increases significantly on mobile devices.

Added Security Layer

While distributing data in multiple places might sound like a security concern, using a CDN actually increases security by getting in the way of many common hacking attempts. CDNs and their related features are constantly updating security as new attacks are discovered.

Having an additional layer between public portals and ePHI lets the CDN act like a human security guard outside a real-world bank vault. Increased security includes:

• DDoS Protection – This is protection from distributed denial-of-service attacks, where someone will try to deny access to legitimate users by flooding the server with too many requests.
• Scrape Protection – This offers protection from bots and crawlers that grab content in bulk from websites. You want to avoid scraping attempts because it can slow down access for real users. You also want to make it less easy for anyone to duplicate your public-facing information for nefarious purposes, I.e., spoofing your site.
• Geo-Blocking – Geo-blocking prevents suspicious requests coming from certain IP addresses or parts of the world. If all your customers are in your home state and you get a bevy of requests from Nigeria, those requests will be denied.
• “Attack of the Day” – Geo-blocking is also enabled if the CDN notices a new attack coming from a particular country or IP address. In other words, the AI prevents the “attacks of the day” that pops up to attack huge portions of the web.
• Robot Detection – What if one of your customers is visiting Nigeria and wants to access your site? While your site might not always need a CAPTCHA or “I am not a robot” clickable box, a CDN can insert that as needed so that your users can still get the information they need.
• Cached Versions During Site Updates – If you need to take your HIPAA website/portal/app offline to perform significant upgrades or maintenance, CDNs can offer a cached site while you do so. Customers won’t get the complete experience and will be informed of the slightly out-of-date content, but they will still be able to make use of basic features.

Are There Any Downsides to CDNs?

There is only one major problem with CDNs that could affect you: downtime. Since your CDN is providing your portal to the world, the world can’t get to your portal if the CDN is down. Fortunately, uptime has improved for CDNs over time, making them considerably more reliable. As you are comparing CDN options, make sure to investigate the uptime of each.

A minor problem with CDNs is the cost. Like all security, content delivery networks have an associated cost, and that cost can vary wildly between providers. The number of features you require will also add to the cost of CDN services.

Do I Really Need a CDN for HIPAA?

As we mentioned before, CDNs are currently part of industry best practices. CDNs are highly recommended, not only to stop attacks before they start, but also to show OCR that you have taken additional steps to protect the HIPAA EMR/EHR in your care. The logging provided by some CDNs shows the steps you have taken to protect ePHI, which can go a long way to alleviating fines that the OCR can levy.

Find a Developer with HIPAA Experience

If you do the slightest bit of research in HIPAA compliance, it becomes obvious very quickly: It’s incredibly complex, more so than most internet security needs.

Clarity’s primary piece of advice is to work with a developer that has HIPAA security experience. No matter which content delivery network you’re working with, CDNs won’t provide all the security you need for HIPAA-compliant portals, websites, and medical apps. There are many other aspects to HIPAA security, so it’s best to work with a developer that has solved many of the problems that arise. Much of that comes down to knowing what problems will be coming in the first place.

Clarity has been working on HIPAA-compliant websites, apps, and portals for more than a decade. We can help you choose which CDN is right for your business, primarily based on your business size and budget. Whether you work with us or not, we offer a complimentary discovery process to help you make these decisions, with no obligation. Here's hoping we hear from you soon!