Building & Maintaining HIPAA-Compliant Applications in AWS
July 11, 2012
BIOS
David Rocamora, VP of DevOps, Cloud Expert, Control Group
Lisa O’Neil, VP of Enterprise Consulting, Control Group
Tom Stickle, Sr. Manager, Solutions Architecture, Amazon Web Services




2                                                      CONTROL GROUP
CONTROL GROUP
    • Technology & design services company based in NYC
    • Full stack of expertise across strategy, engineering,
      software development, and design
    • AWS Consulting Partner that provides architecture,
      migration, development, and support services




AWS PARTNER ECOSYSTEM
Consulting Partners: Healthcare, Life Sciences, Financial Services, Manufacturing, Retail, Government
Technology Partners: Application, Middleware, Database, Operating System, Security, Management
Amazon Web Services:
    • Management & Administration: Administration Console, Identity & Access, Deployment, Monitoring
    • Application Platform Services: Content Distribution, Messaging, Parallel Processing, Libraries & SDKs
    • Foundation Services: Compute, Storage, Database, Networking
    • AWS Global Infrastructure: Availability Zones, Regions, Edge Locations
HIPAA SUMMARY

    Health Insurance Portability & Accountability Act
    Title II - Administrative Simplification
    This provision addresses the security and privacy of health data. The
    standards are meant to improve the efficiency and effectiveness of the
    nation's health care system by encouraging the widespread use of
    electronic data interchange in the U.S. health care system.




HIPAA TECH REQUIREMENTS
    •  Risk analysis
    •  Admin policies & procedures
    •  Facility & workstation access controls
    •  Software/data access controls
    •  Integrity controls
    •  Transmission security
    •  Audit controls
    •  Backup & DR
    •  Encryption




BUSINESS ASSOCIATE AGREEMENT & AMAZON
    •  Business Associate assumes responsibilities of
       covered entity
      -  Policies and procedures
      -  Access controls
      -  Reporting
    •  AWS is not a Business Associate



UNDERSTANDING EXISTING THREATS
    •  Data collected by HHS for breaches impacting 500
       or more individuals
    •  Data limitations - timeliness, completeness
    •  435 reported incidents to date (as of 7/10/12)
       impacting 20MM individuals




HIPAA BREACHES
    % OF INCIDENTS
    •  Theft 54%
    •  Unauthorized Access/Disclosure 19%
    •  Loss 13%
    •  Hacking/IT Incident 8%
    •  Improper Disposal 5%
    •  Other/Unknown 1%

    67% THEFT + LOSS
HIPAA BREACHES
    % OF AFFECTED INDIVIDUALS
    •  Loss 46%
    •  Theft 39%
    •  Hacking/IT Incident 9%
    •  Unauthorized Access/Disclosure 4%
    •  Improper Disposal 2%
    •  Other/Unknown 0%

    85% THEFT + LOSS
HIPAA BREACHES
    BY TYPE/ASSET; % OF AFFECTED INDIVIDUALS
    •  Theft and Loss: Computer/HW 54%
    •  Theft and Loss: Electronic Media 30%
    •  Hacking/IT Incident: Network Server 8%
    •  Improper Disposal 3%
    •  Unauthorized Access/Disclosure: Paper/Other 2%
    •  Unauthorized Access/Disclosure: Digital 2%
    •  Theft and Loss: Paper/Other 1%
    •  Hacking/IT Incident: Computer/Other 0%
    •  Other 0%

    92% RELATED TO PHYSICAL HARDWARE/DIGITAL MEDIA
HIPAA BREACHES
    BY YEAR; % OF AFFECTED INDIVIDUALS
    [Bar chart: affected individuals per year, y-axis 0 to 12,000,000, x-axis 2009*, 2010, 2011, 2012*; series: Loss, Theft, Unauthorized Access/Disclosure, Improper Disposal, Hacking/IT Incident, Other/Unknown. * INCOMPLETE DATA]

WHY AWS IS A GREAT OPTION FOR HEALTHCARE COMPANIES




AWS PLATFORM
    Your Applications
    •  Management & Administration: Administration Console, Identity & Access, Deployment, Monitoring
    •  Application Platform Services: Content Distribution, Messaging, Parallel Processing, Libraries & SDKs
    •  Foundation Services: Compute, Storage, Database, Networking
    •  AWS Global Infrastructure: Availability Zones, Regions, Edge Locations

CUSTOMERS HAVE COMPLETE CONTROL OVER APPLICATION INFRASTRUCTURE
    [Diagram: Customer 1, Customer 2, …, Customer n run on Virtual Interfaces, each with its own Security Groups (Customer 1 Security Groups, Customer 2 Security Groups, …, Customer n Security Groups); beneath them sit the Firewall, the Physical Interfaces, and the Hypervisor.]

CUSTOMERS HAVE COMPLETE CONTROL OVER VIRTUAL NETWORKING




AWS REGIONS & AVAILABILITY ZONES

    Customer Decides Where Applications and Data Reside


IDENTITY & ACCESS MANAGEMENT ROLES
 • Secure credential delivery
 • No need to embed secrets
 [Diagram: an EC2 Instance linked to the Account; within the Account, three groups: Admins (Bob, Susan), Developers (Brad, Jim, Mark, Kevin, DevApp1, DevApp2), Test (Cathy, Allen, TestApp1, TestApp2).]


HOW CONTROL GROUP USES AWS FOR HIPAA APPS
 INFRASTRUCTURE AS CODE
 •  Versionable
 •  Testable
 •  Auditable
 [Diagram: one Infrastructure Template & App Code bundle (App, <?php, Code) is used for the Dev, QA, and Production environments.]

APPROACH
 AUDIT
 •  Examine existing apps, infrastructure, and process
 •  Provide recommendations for changes
 •  Business Associate Agreement (BAA)
 UPDATE
 •  Provide dev and devops support to update existing apps and code base
 •  Create a testable AWS infrastructure template that is versioned with app code
 DEPLOY, TEST, UPDATE... REPEAT
 •  Deploy the application in AWS
 •  Test for functionality, security, and load
 •  Continue to improve the application and its infrastructure
 [Diagram: cycle Audit → Update → Deploy → Test → Update → …]

CASE STUDY: PRONIA
     Pronia Medical Systems provides the GlucoCare
     Intensive Glycemic Control System that helps
     hospitals and care facilities manage
     hyperglycemia in critically ill patients.
     •  The process of deploying and configuring trial
       infrastructure for each prospective client took
       anywhere from 1 to 3 months before migrating
       to AWS.

     •  With their GlucoCare trial infrastructure in
       AWS, Pronia cut their sales cycle down to 24
       hours.




THE APPROACH
     AUDIT
     •  Identified changes required to encrypt data stored in database
     •  Determined who required access to app
     •  Business Associate Agreement (BAA)
     UPDATE
     •  Updated application code to add encryption capabilities to model
     •  AWS infrastructure template created using Python, Puppet, and a custom AMI
     DEPLOY, TEST, UPDATE... REPEAT
     •  Pronia now uses template to create new environments for hospitals using AWS
     •  Testing environments are created whenever a bug needs to be isolated or new features need to be tested
     RESULTS
     •  Pronia cut their trial sales cycle down from 3 months to 24 hours

CONCLUSION
     •  AWS provides building blocks to create secure and
        HIPAA-compliant systems
     •  AWS enables customers to improve security via
        predictable deployments for HIPAA compliant apps
     •  Control Group can partner as a Business Associate
        under a BAA
     •  Control Group is an experienced partner that can
        help healthcare organizations build and maintain
        applications securely in AWS.

Q&A

     For more information on building & maintaining
     healthcare applications in AWS:

     Lisa O’Neil
     lisa.oneil@controlgroup.com
     212-343-2525 x 192


     CONTROLGROUP.COM


THANK YOU




David Rocamora, david.rocamora@controlgroup.com
Lisa O’Neil, lisa.oneil@controlgroup.com
Tom Stickle, tstickle@amazon.com

Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksSoftradix Technologies
 

Último (20)

Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & Application
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping Elbows
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
 

Building & Maintaining HIPAA-Compliant Applications in AWS

  • 1. Building & Maintaining HIPAA-Compliant Applications in AWS, July 11, 2012
  • 2. BIOS
    •  David Rocamora, VP of DevOps, Cloud Expert, Control Group
    •  Lisa O’Neil, VP of Enterprise Consulting, Control Group
    •  Tom Stickle, Sr. Manager, Solutions Architecture, Amazon Web Services
  • 3. CONTROL GROUP
    •  Technology & design services company based in NYC
    •  Full stack of expertise across strategy, engineering, software development, and design
    •  AWS Consulting Partner that provides architecture, migration, development, and support services
  • 4. AWS PARTNER ECOSYSTEM
    •  Consulting partners (by vertical): Healthcare, Life Sciences, Financial Services, Manufacturing, Retail, Government
    •  Technology partners (by layer): Application, Middleware, Database, Operating System, Security, Management
    •  Amazon Web Services:
      -  Management & Administration: Administration Console, Identity & Access, Deployment, Monitoring
      -  Application Platform Services: Content Distribution, Messaging, Parallel Processing, Libraries & SDKs
      -  Foundation Services: Compute, Storage, Database, Networking
      -  AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
  • 5. HIPAA SUMMARY: Health Insurance Portability & Accountability Act, Title II - Administrative Simplification. This provision addresses the security and privacy of health data. The standards are meant to improve the efficiency and effectiveness of the nation's health care system by encouraging the widespread use of electronic data interchange in the U.S. health care system.
  • 6. HIPAA TECH REQUIREMENTS
    •  Risk analysis
    •  Admin policies & procedures
    •  Audit controls
    •  Backup & DR
    •  Encryption
    •  Integrity controls
    •  Transmission security
    •  Facility & workstation access controls
    •  Software/data access controls
  • 7. BUSINESS ASSOCIATE AGREEMENT & AMAZON
    •  Business Associate assumes responsibilities of covered entity
      -  Policies and procedures
      -  Access controls
      -  Reporting
    •  AWS is not a Business Associate
  • 8. UNDERSTANDING EXISTING THREATS
    •  Data collected by HHS for breaches impacting 500 or more individuals
    •  Data limitations - timeliness, completeness
    •  435 reported incidents to date (as of 7/10/12) impacting 20MM individuals
  • 9. HIPAA BREACHES, % OF INCIDENTS (pie chart): Theft 54%, Loss 13% (theft + loss = 67%), Unauthorized Access/Disclosure 19%, Hacking/IT Incident 8%, Improper Disposal 5%, Other/Unknown 1%
  • 10. HIPAA BREACHES, % OF AFFECTED INDIVIDUALS (pie chart): Loss 46%, Theft 39% (theft + loss = 85%), Hacking/IT Incident 9%, Unauthorized Access/Disclosure 4%, Improper Disposal 2%, Other/Unknown 0%
  • 11. HIPAA BREACHES BY TYPE/ASSET, % OF AFFECTED INDIVIDUALS (pie chart): Theft and Loss: Computer/HW 54%; Theft and Loss: Electronic Media 30%; Hacking/IT Incident: Network Server 8%; Improper Disposal 3%; the remaining categories (Unauthorized Access/Disclosure of paper/other and of other records, Theft and Loss of paper/other, Hacking/IT Incident on computer/other digital assets) each at 2% or below. 92% related to physical hardware/digital media.
  • 12. HIPAA BREACHES BY YEAR, % OF AFFECTED INDIVIDUALS (bar chart: affected individuals per year for 2009*, 2010, 2011 and 2012* on a 0 to 12,000,000 scale, broken down by Loss, Theft, Unauthorized Access/Disclosure, Improper Disposal, Hacking/IT Incident and Other/Unknown; * incomplete data)
  • 13. WHY AWS IS A GREAT OPTION FOR HEALTHCARE COMPANIES
  • 14. AWS PLATFORM (layered diagram, top to bottom):
    •  Your Applications
    •  Management & Administration: Administration Console, Identity & Access, Deployment, Monitoring
    •  Application Platform Services: Content Distribution, Messaging, Parallel Processing, Libraries & SDKs
    •  Foundation Services: Compute, Storage, Database, Networking
    •  AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
  • 15. CUSTOMERS HAVE COMPLETE CONTROL OVER APPLICATION INFRASTRUCTURE (diagram: Customer 1, Customer 2 ... Customer n each have their own virtual interfaces and their own security groups; beneath them sit the firewall, the physical interfaces and the hypervisor)
  • 16. CUSTOMERS HAVE COMPLETE CONTROL OVER VIRTUAL NETWORKING
  • 17. AWS REGIONS & AVAILABILITY ZONES: Customer Decides Where Applications and Data Reside
  • 18. IDENTITY & ACCESS MANAGEMENT ROLES
    •  Secure credential delivery
    •  No need to embed secrets
    •  (diagram: one account containing the groups EC2 Admins, Developers and Test, the users Bob, Brad, Cathy, Susan, Jim, Allen, Mark and Kevin, and the instances TestApp1, TestApp2, DevApp1 and DevApp2)
  • 19. HOW CONTROL GROUP USES AWS FOR HIPAA APPS: INFRASTRUCTURE AS CODE. The infrastructure template and the app code are kept together (diagram: template plus PHP app code, deployed to Dev, QA and Production), which makes the infrastructure:
    •  Versionable
    •  Testable
    •  Auditable
  • 20. APPROACH (cycle: Audit, Update, Deploy, Test, Update ... repeat)
    •  AUDIT
      -  Examine existing apps, infrastructure, and process
      -  Provide recommendations for changes
      -  Business Associate Agreement (BAA)
    •  UPDATE
      -  Provide dev and devops support to update existing apps and code base
      -  Create a testable AWS infrastructure template that is versioned with app code
    •  DEPLOY, TEST, UPDATE... REPEAT
      -  Deploy the application in AWS
      -  Test for functionality, security, and load
      -  Continue to improve the application and its infrastructure
  • 21. CASE STUDY: PRONIA. Pronia Medical Systems provides the GlucoCare Intensive Glycemic Control System that helps hospitals and care facilities manage hyperglycemia in critically ill patients.
    •  The process of deploying and configuring trial infrastructure for each prospective client took anywhere from 1 to 3 months before migrating to AWS.
    •  With their GlucoCare trial infrastructure in AWS, Pronia cut their sales cycle down to 24 hours.
  • 22. THE APPROACH
    •  AUDIT
      -  Identified changes required to encrypt data stored in database
      -  Determined who required access to app
      -  Business Associate Agreement (BAA)
    •  UPDATE
      -  Updated application code to add encryption capabilities to model
      -  AWS infrastructure template created using Python, Puppet, and a custom AMI
    •  DEPLOY, TEST, UPDATE... REPEAT
      -  Pronia now uses template to create new environments for hospitals using AWS
      -  Testing environments are created whenever a bug needs to be isolated or new features need to be tested
    •  RESULTS
      -  Pronia cut their trial sales cycle down from 3 months to 24 hours
  • 23. CONCLUSION
    •  AWS provides building blocks to create secure and HIPAA-compliant systems
    •  AWS enables customers to improve security via predictable deployments for HIPAA compliant apps
    •  Control Group can partner as a Business Associate under a BAA
    •  Control Group is an experienced partner that can help healthcare organizations build and maintain applications securely in AWS.
  • 24. Q&A. For more information on building & maintaining healthcare applications in AWS: Lisa O’Neil, lisa.oneil@controlgroup.com, 212-343-2525 x 192, CONTROLGROUP.COM
  • 25. THANK YOU. David Rocamora, david.rocamora@controlgroup.com; Lisa O’Neil, lisa.oneil@controlgroup.com; Tom Stickle, tstickle@amazon.com
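The deck argues for IAM roles so that no secrets are embedded in the application (slide 18) and for an infrastructure template that is versioned and testable alongside the app code (slides 19 and 22). The following is an added example, not code from the deck or from Control Group, of the kind of check such a template test suite can run before deployment: it walks a small constructed template, flags embedded long-term AWS access keys, and flags IAM statements that allow every action on every resource. The template structure and key names are assumptions of this example; the credential values are AWS's documented placeholder example keys.

```python
import re

# Constructed sample "infrastructure template" (hypothetical structure, not
# Control Group's). The credential values are AWS's documented example keys.
SAMPLE_TEMPLATE = {
    "app_config": {
        "db_host": "db.internal",
        # Embedded long-term credentials: what instance IAM roles make unnecessary.
        "aws_access_key_id": "AKIAIOSFODNN7EXAMPLE",
        "aws_secret_access_key": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
    },
    "iam_policy": {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::phi-bucket/*"},
            {"Effect": "Allow", "Action": "*", "Resource": "*"},
        ],
    },
}

# Long-term AWS access key IDs: "AKIA" followed by 16 uppercase letters or digits.
ACCESS_KEY_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
SECRET_KEY_NAME_RE = re.compile(r"(?i)aws_secret_access_key")

def find_embedded_secrets(template):
    """Return dotted paths of values that look like embedded AWS credentials."""
    hits = []
    def walk(node, path):
        if isinstance(node, dict):
            for key, value in node.items():
                # A populated secret-key field is a finding by name alone.
                if SECRET_KEY_NAME_RE.search(key) and isinstance(value, str) and value:
                    hits.append(path + key)
                walk(value, path + key + ".")
        elif isinstance(node, list):
            for i, value in enumerate(node):
                walk(value, path + str(i) + ".")
        elif isinstance(node, str) and ACCESS_KEY_RE.search(node):
            hits.append(path.rstrip("."))
    walk(template, "")
    return hits

def find_overbroad_statements(policy):
    """Return indexes of Allow statements granting every action on every resource."""
    as_list = lambda v: [v] if isinstance(v, str) else list(v or [])
    return [i for i, st in enumerate(policy.get("Statement", []))
            if st.get("Effect") == "Allow"
            and "*" in as_list(st.get("Action"))
            and "*" in as_list(st.get("Resource"))]

def audit(template):
    """Run both checks; empty lists on both keys mean the template passes review."""
    return {"embedded_secrets": find_embedded_secrets(template),
            "overbroad_statements": find_overbroad_statements(template["iam_policy"])}
```

Wired into the template's test stage, a non-empty result fails the build, so the versioned template cannot reach Dev, QA or Production with an embedded key or an unrestricted policy.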