Case Study

Building a HIPAA Compliant Application on AWS

17 April 2020

This article was written in collaboration with Ibexlabs. Ibexlabs is a Dash Partner that provides DevOps and managed services for organizations operating on AWS. Organizations seeking DevOps or AWS architecture expertise may consider looking at their services.


More and more companies operating in the healthcare vertical are opting to take advantage of the multiple benefits cloud computing has to offer. However, the unique laws and regulations that such companies must conform to bring with them a set of unparalleled software compliance and security challenges. The use case we’re studying in this article, as an example of how to build HIPAA-compliant architecture, is an insurtech company that unites all parties with a stake in healthcare payments. For this reason, the use case company engaged Ibexlabs to engineer a cost-effective, highly available, fault-tolerant cloud implementation which also addressed their primary concerns of security and data protection.

 

Challenge

As the company deals directly with the sensitive personal health information (PHI) of its patients, the cloud infrastructure the platform runs on must comply with the Health Insurance Portability and Accountability Act (HIPAA) of 1996 as well as with the revisions to HIPAA made in 2009’s Health Information Technology for the Economic and Clinical Health (HITECH) Act.

 

The Ibexlabs Solution 

Core Platform

Ibexlabs leveraged the AWS Enterprise Accelerator—Compliance with a Quick Start for NIST SP 800-53—to deploy a cloud architecture through a NIST-based assurance framework. The architecture comprises a multi-account VPC solution that provides a standard set of controls around information security compliance: access control, audit and accountability, configuration management, incident response, maintenance, etc.

[Figure: secure cloud architecture]

Security, Identity, and Compliance

Okta and AWS IAM

Alongside AWS Identity and Access Management (IAM), which was used to configure custom IAM policies with their associated groups, roles, and instance profiles, Okta was one of the SSO services from which Ibexlabs administrators centrally manage users, applications, and policies across the cloud architecture. Okta was configured as the Identity Provider (IdP) for the company’s AWS accounts and added as a trusted source in the AWS roles. SAML 2.0 was configured with parameter values customized for the company.

In each account, multiple AWS IAM roles and appropriate policies have been defined and are reviewed continually for IT (Security, DevOps, Development) as well as the company’s end users. Ibexlabs structured access using the principle of least privilege, in line with HIPAA standards.
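The following is an added example, not code from Ibexlabs or the case study, of the two IAM policies behind the setup described above: a role trust policy that accepts only SAML assertions from the Okta identity provider, and a scoped permission policy in the spirit of least privilege, plus a small review check of the kind that supports the continual policy review mentioned. The account ID, provider name and bucket name are placeholders; `https://signin.aws.amazon.com/saml` is the audience value AWS documents for SAML federation.

```python
"""Added example: SAML-federated IAM role trust policy, a least-privilege
permission policy, and a review check over both. Account ID, provider name
and bucket are placeholders, not values from the case study."""
import json

ACCOUNT_ID = "123456789012"  # placeholder
SAML_PROVIDER_ARN = f"arn:aws:iam::{ACCOUNT_ID}:saml-provider/Okta"  # placeholder name
AWS_SAML_AUDIENCE = "https://signin.aws.amazon.com/saml"  # audience AWS documents for SAML


def saml_trust_policy(provider_arn: str) -> dict:
    """Trust policy: only the named IdP may assume the role, and only via SAML."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": provider_arn},
            "Action": "sts:AssumeRoleWithSAML",
            # Pinning the audience stops an assertion minted for another
            # relying party from being replayed against AWS.
            "Condition": {"StringEquals": {"SAML:aud": AWS_SAML_AUDIENCE}},
        }],
    }


def scoped_permission_policy(bucket: str) -> dict:
    """Permission policy: read-only access to a single bucket, nothing else."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": ["s3:ListBucket"],
             "Resource": f"arn:aws:s3:::{bucket}"},
            {"Effect": "Allow", "Action": ["s3:GetObject"],
             "Resource": f"arn:aws:s3:::{bucket}/*"},
        ],
    }


def _as_list(value):
    """IAM allows a single string or a list in Action/Resource fields."""
    return value if isinstance(value, list) else [value]


def review_trust_policy(policy: dict) -> list:
    """Findings for a trust policy: SAML-only, audience pinned, specific principal."""
    findings = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        if any(a != "sts:AssumeRoleWithSAML" for a in _as_list(st.get("Action", []))):
            findings.append("trust policy allows actions other than sts:AssumeRoleWithSAML")
        aud = st.get("Condition", {}).get("StringEquals", {}).get("SAML:aud")
        if aud != AWS_SAML_AUDIENCE:
            findings.append("trust policy does not pin SAML:aud to the AWS sign-in audience")
        principal = st.get("Principal", {})
        if "Federated" not in principal or "*" in str(principal):
            findings.append("trust policy principal is not a specific federated provider")
    return findings


def review_permission_policy(policy: dict) -> list:
    """Findings for a permission policy: flag wildcard actions and resources."""
    findings = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        for action in _as_list(st.get("Action", [])):
            if action == "*" or action.endswith(":*"):
                findings.append(f"wildcard action {action!r}")
        for resource in _as_list(st.get("Resource", [])):
            if resource == "*":
                findings.append("wildcard resource '*'")
    return findings


if __name__ == "__main__":
    trust = saml_trust_policy(SAML_PROVIDER_ARN)
    perms = scoped_permission_policy("example-phi-reports")  # placeholder bucket
    print(json.dumps(trust, indent=2))
    print("trust findings:", review_trust_policy(trust))
    print("permission findings:", review_permission_policy(perms))
    overbroad = {"Version": "2012-10-17",
                 "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
    print("over-broad findings:", review_permission_policy(overbroad))
```

The review functions operate on plain policy documents, so the same checks can be run over `get_role` / `get_policy_version` output from boto3 during the periodic review of roles in each account.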

[Figure: cloud access control]

 

AlienVault, AWS CloudTrail, and AWS GuardDuty

AlienVault is a third-party AWS technology partner which can be leveraged for vulnerability and threat detection. The AlienVault USM Sensor provides a unified dashboard for all security events within the platform, including those from AWS CloudTrail, VPC Flow Logs, AWS GuardDuty, and Amazon Macie, which have been enabled across all regions and accounts. The USM agent, deployed across all of the company’s infrastructure (VMs), also reports any new vulnerabilities within the OS.

For OS-level patching, Ibexlabs uses AWS Systems Manager, which can deploy patches as part of a regular maintenance cycle.
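As an added example, not part of the case study or of the AlienVault product, here is a minimal set of detection rules a defender would expect the SIEM to run over the CloudTrail records mentioned above: root account activity, console logins without MFA, tampering with CloudTrail or GuardDuty, IAM policy changes, and denied API calls. The events are constructed samples; the field names follow the CloudTrail record format.

```python
"""Added example: detection rules over CloudTrail records. The events below are
constructed samples, not logs from the company's accounts."""

# Constructed sample records, abbreviated to the fields the rules use.
SAMPLE_EVENTS = [
    {"eventID": "e1", "eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "dev-alice"},
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventID": "e2", "eventName": "StopLogging", "eventSource": "cloudtrail.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "dev-bob"}},
    {"eventID": "e3", "eventName": "DescribeInstances", "eventSource": "ec2.amazonaws.com",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/OktaReadOnly/alice"}},
    {"eventID": "e4", "eventName": "CreateBucket", "eventSource": "s3.amazonaws.com",
     "userIdentity": {"type": "Root"}},
    {"eventID": "e5", "eventName": "DeleteDetector", "eventSource": "guardduty.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "dev-bob"}},
    {"eventID": "e6", "eventName": "PutUserPolicy", "eventSource": "iam.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "dev-bob"}, "errorCode": "AccessDenied"},
]

# API calls that weaken the audit trail or detection coverage. A HIPAA audit
# trail must not go dark, so these deserve an alert regardless of who made them.
LOGGING_TAMPER = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}
DETECTION_TAMPER = {"DeleteDetector", "UpdateDetector", "DisassociateFromMasterAccount"}
IAM_CHANGES = {"PutUserPolicy", "AttachUserPolicy", "AttachRolePolicy",
               "UpdateAssumeRolePolicy", "CreateAccessKey"}


def classify(event: dict) -> list:
    """Return the names of every rule this one CloudTrail record triggers."""
    hits = []
    name = event.get("eventName", "")
    identity = event.get("userIdentity", {})
    if identity.get("type") == "Root":
        hits.append("root_account_usage")
    # Federated (Okta) sign-ins appear as AssumedRole and have MFA enforced at
    # the IdP, so the MFA rule is scoped to IAM users signing in directly.
    if (name == "ConsoleLogin"
            and event.get("additionalEventData", {}).get("MFAUsed") == "No"
            and identity.get("type") != "AssumedRole"):
        hits.append("console_login_without_mfa")
    if name in LOGGING_TAMPER:
        hits.append("cloudtrail_tampering")
    if name in DETECTION_TAMPER:
        hits.append("guardduty_tampering")
    if name in IAM_CHANGES:
        hits.append("iam_policy_change")
    if event.get("errorCode") in ("AccessDenied", "UnauthorizedOperation"):
        hits.append("unauthorized_api_call")
    return hits


def evaluate(events) -> dict:
    """Map eventID -> triggered rules, dropping records that matched nothing."""
    results = {}
    for event in events:
        hits = classify(event)
        if hits:
            results[event["eventID"]] = hits
    return results


if __name__ == "__main__":
    for event_id, rules in evaluate(SAMPLE_EVENTS).items():
        print(event_id, ", ".join(rules))
```

The rule sets are deliberately small; in practice they would be extended per service, but the shape (stateless per-record classification keyed on `eventName`, `eventSource`, `userIdentity` and `errorCode`) is what the CloudTrail feed into the SIEM makes possible.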

 

Hosting Platform

To set up the company’s hosting platform for the backend in a quick, cost-effective and compliant way, Ibexlabs chose Elastic Beanstalk, which provides a Java-based runtime and also takes care of best practices such as auto-scaling, reliability, and availability. The backend infrastructure is made up of an API and workers; Elastic Beanstalk supports both use cases and helps to reduce the operational complexity of the platform. The front end was set up using Amazon S3 and CloudFront, which provide a cost-effective and reliable platform for hosting static content.

 

Continuous Integration and Continuous Delivery

CI and CD workflows were implemented using Jenkins. Jenkins gave Ibexlabs a simple way to set up a continuous integration and continuous delivery (CI/CD) environment for the company, as the tool can work with almost any combination of languages and source code repositories using pipelines, as well as automating other routine development tasks. The Ibexlabs team used Jenkins to enable manual and automated deployments to Non-Production, and direct or blue/green deployments to both Non-Production and Production. This solution provides the flexibility of fully automated builds for CI and staged deployments for CD.

[Figure: cloud continuous integration]

 

Content and Storage

In addition, Amazon Elasticsearch Service was set up as a central logging tool to meet the customer’s requirements of bulk indexing with Swagger, full-text search, analysis, and time-series data visualization capabilities that help the company get the most out of a growing data set. Centralized logging helps companies identify problems with servers or applications, as Elasticsearch allows users to search through all available logs in a single place. It also enables companies to identify issues that span multiple servers by correlating their logs over a specific time frame. Multiple Elasticsearch clusters were implemented to meet the demand, with AWS KMS encryption for all data in transit and at rest.

Adherence to HIPAA requirements calls for a multi-pronged approach to ensure that the business’s data can be recovered swiftly after a disaster. This is why the company’s instances are replicated across multiple Availability Zones, and the databases have a number of Read Replicas to provide enhanced performance and durability.

Amazon Aurora’s features are well-suited to meet the company requirements as it provides a fault-tolerant, self-healing storage system that auto-scales up to 64 TB.

Amazon Redshift was optimized for the company to provide data warehousing that supports online analytical processing (OLAP). Choosing this database service meant the company would be equipped to implement complex insurance claim queries against large datasets to provide insights into future decisions and changes that should be implemented.
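As an added example, not the company’s configuration, the checks below encode the storage-tier properties this section relies on: encryption at rest with a KMS key and encryption in transit for the Elasticsearch domain, Multi-AZ placement and read replicas for the Aurora cluster, and encryption for the Redshift cluster. The dictionaries are constructed to mirror the fields returned by the boto3 calls `describe_elasticsearch_domain`, `describe_db_clusters` and `describe_clusters`, so the same functions can be pointed at live output; the seven-day backup retention threshold is an assumed baseline, and the key ARNs and identifiers are placeholders.

```python
"""Added example: encryption and resilience checks over the storage tier.
All dictionaries are constructed samples shaped like boto3 describe output;
identifiers and key ARNs are placeholders."""

KMS_KEY = "arn:aws:kms:us-east-1:123456789012:key/EXAMPLE-KEY-ID"  # placeholder
MIN_BACKUP_DAYS = 7  # assumed baseline for this example

# A hardened Elasticsearch domain beside a weak one (DomainStatus shape).
ES_HARDENED = {
    "DomainName": "central-logs",
    "EncryptionAtRestOptions": {"Enabled": True, "KmsKeyId": KMS_KEY},
    "NodeToNodeEncryptionOptions": {"Enabled": True},
    "DomainEndpointOptions": {"EnforceHTTPS": True,
                              "TLSSecurityPolicy": "Policy-Min-TLS-1-2-2019-07"},
    "ElasticsearchClusterConfig": {"ZoneAwarenessEnabled": True, "InstanceCount": 3},
}
ES_WEAK = {
    "DomainName": "dev-logs",
    "EncryptionAtRestOptions": {"Enabled": False},
    "NodeToNodeEncryptionOptions": {"Enabled": False},
    "DomainEndpointOptions": {"EnforceHTTPS": False},
    "ElasticsearchClusterConfig": {"ZoneAwarenessEnabled": False, "InstanceCount": 1},
}


def check_es_domain(domain: dict) -> list:
    """At rest (KMS), node-to-node, client TLS, and multi-AZ spread."""
    findings = []
    if not domain.get("EncryptionAtRestOptions", {}).get("Enabled"):
        findings.append("encryption at rest disabled")
    if not domain.get("NodeToNodeEncryptionOptions", {}).get("Enabled"):
        findings.append("node-to-node encryption disabled")
    if not domain.get("DomainEndpointOptions", {}).get("EnforceHTTPS"):
        findings.append("HTTPS not enforced on the domain endpoint")
    cfg = domain.get("ElasticsearchClusterConfig", {})
    if not cfg.get("ZoneAwarenessEnabled") or cfg.get("InstanceCount", 0) < 2:
        findings.append("not spread across multiple Availability Zones")
    return findings


# Aurora cluster in the DBCluster shape: encrypted, Multi-AZ, one writer plus readers.
AURORA_CLUSTER = {
    "DBClusterIdentifier": "claims-db",
    "StorageEncrypted": True,
    "KmsKeyId": KMS_KEY,
    "MultiAZ": True,
    "BackupRetentionPeriod": 7,
    "DeletionProtection": True,
    "DBClusterMembers": [
        {"DBInstanceIdentifier": "claims-db-writer", "IsClusterWriter": True},
        {"DBInstanceIdentifier": "claims-db-reader-1", "IsClusterWriter": False},
    ],
}


def check_aurora_cluster(cluster: dict) -> list:
    """Encryption, Multi-AZ, at least one read replica, backups, delete protection."""
    findings = []
    if not cluster.get("StorageEncrypted"):
        findings.append("storage not encrypted")
    if not cluster.get("MultiAZ"):
        findings.append("not Multi-AZ")
    readers = [m for m in cluster.get("DBClusterMembers", []) if not m.get("IsClusterWriter")]
    if not readers:
        findings.append("no read replica")
    if cluster.get("BackupRetentionPeriod", 0) < MIN_BACKUP_DAYS:
        findings.append(f"backup retention shorter than {MIN_BACKUP_DAYS} days")
    if not cluster.get("DeletionProtection"):
        findings.append("deletion protection off")
    return findings


# Redshift cluster in the Cluster shape; the warehouse holds claim data too.
REDSHIFT_CLUSTER = {"ClusterIdentifier": "claims-warehouse", "Encrypted": True, "KmsKeyId": KMS_KEY}


def check_redshift_cluster(cluster: dict) -> list:
    return [] if cluster.get("Encrypted") else ["cluster not encrypted"]


if __name__ == "__main__":
    for name, findings in [("ES hardened", check_es_domain(ES_HARDENED)),
                           ("ES weak", check_es_domain(ES_WEAK)),
                           ("Aurora", check_aurora_cluster(AURORA_CLUSTER)),
                           ("Redshift", check_redshift_cluster(REDSHIFT_CLUSTER))]:
        print(f"{name}: {findings or 'OK'}")
```

Note that the KMS key encrypts the data at rest; in-transit protection for the Elasticsearch domain comes from the node-to-node encryption and enforced-HTTPS settings, which is why the check treats the three as separate findings.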

 

Results

The combination of these best-practice methods and AWS services allows the business’s PHI privacy and security to move in tandem. Ibexlabs’ innovative solution helps the company meet increasing HIPAA compliance demands proactively and cost-effectively based on the latest AWS technologies. With continuing weekly support and performance optimization from AWS Trusted Advisor, Ibexlabs is also able to address the company’s evolving, complex cost optimization, reliability, and scalability needs. Furthermore, our ongoing support team maintains the company’s software to streamline their processes in the management of policies, billing and rating, and claims through highly available and fault-tolerant performance. This process yielded a solution from Ibexlabs that is in full alignment with the company’s business objectives, as you can see from the Healthbridge testimonial.

“From navigating the complexities of AWS to dealing with the constantly shifting requirements of an early stage startup, Ibexlabs handled all this gracefully. Their deep experience in security and compliance has allowed our company to scale quickly and effortlessly while maintaining our rigid security posture. Ibexlabs really feels like a natural extension of our own team—we highly recommend them!” Kyle Alwyn, HEYDOCTOR CTO

If you’re interested in Ibexlabs realizing a tailor-made, HIPAA-compliant solution for your healthcare business with Dash Solutions, contact us today to find out more.


This post was originally published here on Ibexlabs.com.

Ibexlabs is an experienced DevOps and Managed Services provider and an AWS consulting partner. Our AWS Certified DevOps consultancy team evaluates your infrastructure and makes recommendations based on your individual business or personal requirements. Contact us today and set up a free consultation to discuss a custom-built solution tailored just for you.