Building a HIPAA Compliant Application on AWS
More and more companies operating in the healthcare vertical are opting to take advantage of the benefits cloud computing has to offer. However, the laws and regulations such companies must conform to bring a distinct set of software compliance and security challenges with them. The use case we’re studying in this article, as an example of how to build a HIPAA-compliant architecture, is an insurtech company that unites all parties with a stake in healthcare payments. The company engaged Ibexlabs to engineer a cost-effective, highly available, fault-tolerant cloud implementation that also addressed their primary concerns of security and data protection.
Challenge
Insurtechs are technology-led businesses that enter the insurance sector by taking advantage of new technologies to deliver coverage to a more digitally savvy customer base. The use case’s patient-centric business model is designed to help employees manage out-of-pocket medical expenses like deductibles and coinsurance. To achieve this goal, the company’s SaaS platform connects all parties with a stake in payment, from the health insurer and provider to the patient, by facilitating the design, underwriting, and servicing of credit solutions. As the company deals directly with the sensitive protected health information (PHI) of its patients, the cloud infrastructure the platform runs on must comply with the Health Insurance Portability and Accountability Act (HIPAA) of 1996 as well as with the revisions to HIPAA made in 2009’s Health Information Technology for Economic and Clinical Health (HITECH) Act.
The Ibexlabs Solution
Core Platform
Ibexlabs leveraged the AWS Enterprise Accelerator—Compliance, together with the Quick Start for NIST SP 800-53, to deploy a cloud architecture aligned with a NIST-based assurance framework. The architecture comprises a multi-account VPC solution that provides a standard set of controls around information security compliance: access control, audit and accountability, configuration management, incident response, maintenance, etc.
Security, Identity, and Compliance
Okta and AWS IAM
Along with AWS Identity and Access Management (IAM), used to define custom IAM policies with their associated groups, roles, and instance profiles, Okta was selected as the single sign-on (SSO) service from which Ibexlabs administrators centrally manage users, applications, and policies across the cloud architecture. Okta was configured as the SAML 2.0 Identity Provider (IdP) in each of the company’s AWS accounts and referenced as the trusted federated principal in the trust policies of the IAM roles users may assume; the SAML attributes were customized with the company-specific account and role values. In each account, multiple IAM roles with appropriate policies have been defined for IT (Security, DevOps, Development) as well as for the company’s end users, and they are reviewed regularly. Ibexlabs structured access on the principle of least privilege, in line with HIPAA’s access-control requirements.
(How to Configure SAML 2.0 for Amazon Web Service)
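As an added illustration (not Ibexlabs’ or the company’s actual configuration), the following Python script builds the kind of role trust policy that lets an Okta SAML IdP vouch for users, and lints a permissions policy for statements that break least privilege. The account ID, provider name, bucket and environment ARNs, and both sample policies are constructed placeholders; the `SAML:aud` value is the fixed AWS sign-in audience.

```python
"""Added example: SAML-federated role trust policy plus a least-privilege lint.
Not the page's or Ibexlabs' code; every identifier below is a placeholder."""
import json
from typing import Any, Dict, List

ACCOUNT_ID = "123456789012"   # assumed account ID
SAML_PROVIDER = "Okta"        # assumed name of the IAM SAML provider
AWS_SAML_AUDIENCE = "https://signin.aws.amazon.com/saml"  # fixed AWS sign-in audience


def saml_trust_policy(account_id: str, provider: str) -> Dict[str, Any]:
    """Trust policy allowing only assertions from the named IdP, addressed to
    the AWS sign-in endpoint, to assume the role via AssumeRoleWithSAML."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam::{account_id}:saml-provider/{provider}"},
            "Action": "sts:AssumeRoleWithSAML",
            "Condition": {"StringEquals": {"SAML:aud": AWS_SAML_AUDIENCE}},
        }],
    }


def _as_list(value: Any) -> List[Any]:
    """IAM lets Action/Resource be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def lint_trust_policy(policy: Dict[str, Any]) -> List[str]:
    """Flag SAML trust statements that do not pin the audience to AWS sign-in."""
    findings = []
    for i, st in enumerate(policy.get("Statement", [])):
        if "sts:AssumeRoleWithSAML" not in _as_list(st.get("Action")):
            continue
        aud = st.get("Condition", {}).get("StringEquals", {}).get("SAML:aud")
        if aud != AWS_SAML_AUDIENCE:
            findings.append(f"statement {i}: SAML:aud not pinned to {AWS_SAML_AUDIENCE}")
    return findings


def lint_permissions_policy(policy: Dict[str, Any]) -> List[str]:
    """Flag Allow statements that grant wildcard actions or unconditioned '*' resources."""
    findings = []
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        actions = _as_list(st.get("Action"))
        resources = _as_list(st.get("Resource"))
        wild_action = any(a == "*" or a.endswith(":*") for a in actions)
        wild_resource = any(r == "*" for r in resources)
        if wild_action:
            findings.append(f"statement {i}: wildcard action {actions}")
        if wild_resource and "Condition" not in st:
            findings.append(f"statement {i}: Resource '*' without a Condition")
        if "NotAction" in st or "NotResource" in st:
            findings.append(f"statement {i}: NotAction/NotResource in an Allow")
    return findings


# Constructed samples: an over-broad policy beside a scoped one for a deploy role.
OVER_BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}
SCOPED_DEPLOY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:PutObject", "s3:GetObject"],
         "Resource": "arn:aws:s3:::example-artifacts/*"},   # assumed bucket
        {"Effect": "Allow",
         "Action": "elasticbeanstalk:UpdateEnvironment",
         "Resource": f"arn:aws:elasticbeanstalk:us-east-1:{ACCOUNT_ID}:environment/app/prod"},
    ],
}

if __name__ == "__main__":
    trust = saml_trust_policy(ACCOUNT_ID, SAML_PROVIDER)
    print(json.dumps(trust, indent=2))
    print("trust policy findings:", lint_trust_policy(trust))
    print("over-broad findings:", lint_permissions_policy(OVER_BROAD_POLICY))
    print("scoped findings:", lint_permissions_policy(SCOPED_DEPLOY_POLICY))
```

The audience check matters because a trust policy that names the provider but omits `SAML:aud` will accept any assertion the IdP signs for any relying party; pinning it to the AWS sign-in URL is what ties the assertion to this use. The permissions lint is deliberately conservative: a `Resource: "*"` is allowed only when a `Condition` narrows it, and `NotAction`/`NotResource` allows are flagged because they silently widen as AWS adds services.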
AlienVault, AWS CloudTrail, and AWS GuardDuty
For threat and vulnerability detection, Ibexlabs leveraged AlienVault, a third-party AWS technology partner. The AlienVault USM sensor provides a unified dashboard for all security events within the platform, ingesting AWS CloudTrail, VPC Flow Logs, Amazon GuardDuty, and Amazon Macie, which have been enabled across all regions and accounts. The USM agent, deployed on all of the company’s instances (VMs), also reports any new vulnerabilities found in the OS.
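To make the detection side concrete, here is an added example (not AlienVault’s, Ibexlabs’ or the company’s rule set) in Python that runs a handful of rules over constructed CloudTrail records: console logins by IAM users or root that bypass the Okta SSO path, root activity of any kind, AssumeRoleWithSAML calls naming a SAML provider other than the expected one, and activity in regions the company does not use. The provider ARN, approved regions and the sample records are assumptions.

```python
"""Added example: simple CloudTrail detection rules over constructed records.
Not the page's, Ibexlabs' or AlienVault's code; values below are assumptions."""
from collections import Counter
from typing import Any, Dict, List

APPROVED_REGIONS = {"us-east-1", "us-west-2"}                              # assumed
EXPECTED_SAML_PROVIDER = "arn:aws:iam::123456789012:saml-provider/Okta"    # assumed


def evaluate(record: Dict[str, Any]) -> List[str]:
    """Return the names of every rule the record trips (empty list if clean)."""
    hits: List[str] = []
    identity = record.get("userIdentity", {})
    id_type = identity.get("type")
    event = record.get("eventName")

    # Root credentials should never be used in a federated, least-privilege setup.
    if id_type == "Root":
        hits.append("root_activity")

    # A ConsoleLogin by an IAM user or root (not an assumed role) bypasses Okta SSO;
    # SAML-federated console logins show userIdentity.type == "AssumedRole" and pass.
    if event == "ConsoleLogin" and id_type in ("IAMUser", "Root"):
        hits.append("sso_bypass_console_login")
        if record.get("additionalEventData", {}).get("MFAUsed") != "Yes":
            hits.append("console_login_without_mfa")

    # Federated sign-in should only come through the registered IdP.
    if event == "AssumeRoleWithSAML":
        principal = record.get("requestParameters", {}).get("principalArn")
        if principal != EXPECTED_SAML_PROVIDER:
            hits.append("unexpected_saml_provider")

    # Logging is enabled in every region, so activity outside the approved set stands out.
    if record.get("awsRegion") not in APPROVED_REGIONS:
        hits.append("unapproved_region")

    return hits


def summarize(records: List[Dict[str, Any]]) -> Dict[str, int]:
    """Count rule hits across a batch of records."""
    counts: Counter = Counter()
    for rec in records:
        counts.update(evaluate(rec))
    return dict(counts)


# Constructed CloudTrail records, trimmed to the fields the rules read.
SAMPLE_RECORDS = [
    {"eventName": "AssumeRoleWithSAML", "eventSource": "sts.amazonaws.com",
     "awsRegion": "us-east-1", "userIdentity": {"type": "SAMLUser", "userName": "alice"},
     "requestParameters": {"principalArn": EXPECTED_SAML_PROVIDER,
                           "roleArn": "arn:aws:iam::123456789012:role/DevOps"}},
    {"eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
     "awsRegion": "us-east-1", "userIdentity": {"type": "IAMUser", "userName": "legacy-admin"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventName": "DescribeInstances", "eventSource": "ec2.amazonaws.com",
     "awsRegion": "ap-south-1", "userIdentity": {"type": "Root"}},
    {"eventName": "AssumeRoleWithSAML", "eventSource": "sts.amazonaws.com",
     "awsRegion": "us-west-2", "userIdentity": {"type": "SAMLUser", "userName": "mallory"},
     "requestParameters": {"principalArn": "arn:aws:iam::123456789012:saml-provider/Other",
                           "roleArn": "arn:aws:iam::123456789012:role/DevOps"}},
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(rec["eventName"], "->", evaluate(rec) or "clean")
    print(summarize(SAMPLE_RECORDS))
```

The first record is the expected happy path (a federated user arriving through the registered provider) and produces no findings; the remaining three each trip at least one rule. In a real pipeline these rules would run over the CloudTrail JSON delivered to the central log bucket rather than over an inline list, but the record fields are the ones CloudTrail emits.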
For OS-level patching, Ibexlabs uses AWS Systems Manager Patch Manager to deploy patches as part of a regular maintenance cycle.
Hosting Platform
To set up the company’s hosting platform for the backend in a quick, cost-effective, and compliant way, Ibexlabs chose Elastic Beanstalk, which provides a Java runtime and also handles best practices such as auto scaling, reliability, and availability. The backend infrastructure is made up of an API and workers, and Elastic Beanstalk supports both use cases while helping to reduce the operational complexity of the platform. The front end was set up using Amazon S3 and CloudFront, which provide a cost-effective and reliable platform for hosting static content.
Continuous Integration and Continuous Delivery
CI/CD workflows were built with Jenkins. Jenkins provided a simple way for Ibexlabs to set up a continuous integration and continuous delivery (CI/CD) environment for the company, as the tool can work with almost any combination of languages and source code repositories using pipelines, while also automating other routine development tasks. The Ibexlabs team used Jenkins to enable manual and automated deployments to Non-Production, and direct or blue/green deployments to both Non-Production and Production. This gives the company fully automated builds for CI and staged deployments for CD.
Content and Storage
In addition, Amazon Elasticsearch Service was set up as a central logging tool to meet the customer’s requirements of bulk indexing with Swagger, with full-text search, analysis, and time-series data visualization capabilities that help the company get the most out of a growing data set. Centralized logging helps companies identify problems with servers or applications, as Elasticsearch lets users search through all available logs in a single place. It also enables companies to identify issues that span multiple servers by correlating their logs over a specific time frame. Multiple Elasticsearch clusters were implemented to meet demand, with data at rest encrypted using AWS KMS keys and data in transit protected by TLS (KMS manages the keys for at-rest encryption; it does not itself encrypt traffic in transit).

Adherence to HIPAA requires a multipronged approach that ensures the business’s disaster recovery is swift. That is why the company’s instances are replicated across multiple Availability Zones, and the databases have a number of read replicas to provide additional read capacity and a ready failover target. Amazon Aurora’s features are well suited to the company’s requirements, as it provides a fault-tolerant, self-healing storage system that automatically scales up to 64 TB.

Amazon Redshift was optimized for the company to provide data warehousing that supports online analytical processing (OLAP). Choosing this database service means the company is equipped to run complex insurance claim queries against large datasets to provide insights into future decisions and changes that should be implemented.
HIPAA Compliant Results
The combination of these best-practice methods and AWS services allows the business’s PHI privacy and security to move in tandem. Ibexlabs’ solution helps the company meet increasing HIPAA compliance demands proactively and cost-effectively, based on the latest AWS technologies. With continuing weekly support and performance optimization informed by AWS Trusted Advisor, Ibexlabs is also able to address the company’s evolving, complex cost optimization, reliability, and scalability needs. Furthermore, our ongoing support team maintains the company’s software, streamlining its processes for managing policies, billing and rating, and claims with high availability and fault-tolerant performance. This process yielded a solution from Ibexlabs that is in full alignment with the company’s business objectives.

“From navigating the complexities of AWS to dealing with the constantly shifting requirements of an early stage startup, Ibexlabs handled all this gracefully. Their deep experience in security and compliance has allowed our company to scale quickly and effortlessly while maintaining our rigid security posture. Ibexlabs really feels like a natural extension of our own team—we highly recommend them!”

If you’re interested in Ibexlabs realizing a tailor-made, HIPAA-compliant solution for your healthcare business, contact us today to find out more. For more on compliant architecture, read our article on Technical Safeguards for HIPAA Compliance.

Ibexlabs is an experienced DevOps and Managed Services provider and an AWS consulting partner. Our AWS Certified DevOps consultancy team evaluates your infrastructure and makes recommendations based on your individual business or personal requirements. Contact us today and set up a free consultation to discuss a custom-built solution tailored just for you.