Building & Maintaining HIPAA-Compliant Applications in AWS
1. Building & Maintaining HIPAA-Compliant Applications in AWS
July 11, 2012
2. BIOS
• David Rocamora, VP of DevOps, Cloud Expert, Control Group
• Lisa O’Neil, VP of Enterprise Consulting, Control Group
• Tom Stickle, Sr. Manager, Solutions Architecture, Amazon Web Services
2 CONTROL GROUP
3. CONTROL GROUP
• Technology & design services company based in NYC
• Full stack of expertise across strategy, engineering, software development, and design
• AWS Consulting Partner that provides architecture, migration, development, and support services
4. AWS PARTNER ECOSYSTEM
[Diagram: partner categories layered on top of the AWS platform]
• Consulting partners: Healthcare, Life Sciences, Financial Services, Manufacturing, Retail, Government
• Technology partners: Operating System, Application, Middleware, Security, Database, Management
• Amazon Web Services:
- Management & Administration: Administration Console, Identity & Access, Deployment, Monitoring
- Application Platform Services: Content Distribution, Messaging, Parallel Processing, Libraries & SDKs
- Foundation Services: Compute, Storage, Database, Networking
- AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
5. HIPAA SUMMARY
Health Insurance Portability & Accountability Act
Title II - Administrative Simplification
This provision addresses the security and privacy of health data. The standards are meant to improve the efficiency and effectiveness of the nation's health care system by encouraging the widespread use of electronic data interchange in the U.S. health care system.
7. BUSINESS ASSOCIATE AGREEMENT & AMAZON
• Business Associate assumes responsibilities of covered entity
- Policies and procedures
- Access controls
- Reporting
• AWS is not a Business Associate
8. UNDERSTANDING EXISTING THREATS
• Data collected by HHS for breaches impacting 500 or more individuals
• Data limitations - timeliness, completeness
• 435 reported incidents to date (as of 7/10/12) impacting 20MM individuals
9. HIPAA BREACHES
% OF INCIDENTS
[Pie chart]
• Theft 54%
• Unauthorized Access/Disclosure 19%
• Loss 13%
• Hacking/IT Incident 8%
• Improper Disposal 5%
• Other/Unknown 1%
67% THEFT + LOSS
10. HIPAA BREACHES
% OF AFFECTED INDIVIDUALS
[Pie chart]
• Loss 46%
• Theft 39%
• Hacking/IT Incident 9%
• Unauthorized Access/Disclosure 4%
• Improper Disposal 2%
• Other/Unknown 0%
85% THEFT + LOSS
11. HIPAA BREACHES
BY TYPE/ASSET; % OF AFFECTED INDIVIDUALS
[Pie chart]
• Theft and Loss: Computer/HW 54%
• Theft and Loss: Electronic Media 30%
• Hacking/IT Incident: Network Server 8%
• Improper Disposal 3%
• Remaining slices (Unauthorized Access/Disclosure: Digital, Unauthorized Access/Disclosure: Paper/Other, Theft and Loss: Paper/Other, Hacking/IT Incident: Computer/Other, Other) 0-2% each
92% RELATED TO PHYSICAL HARDWARE/DIGITAL MEDIA
12. HIPAA BREACHES
BY YEAR; % OF AFFECTED INDIVIDUALS
[Bar chart: affected individuals per year, 2009* to 2012*, y-axis 0 to 12,000,000, broken down by Loss, Theft, Unauthorized Access/Disclosure, Improper Disposal, Hacking/IT Incident, Other/Unknown]
* INCOMPLETE DATA
13. WHY AWS IS A GREAT OPTION FOR HEALTHCARE COMPANIES
14. AWS PLATFORM
[Diagram: layered AWS platform]
• Your Applications
• Management & Administration: Administration Console, Identity & Access, Deployment, Monitoring
• Application Platform Services: Content Distribution, Messaging, Parallel Processing, Libraries & SDKs
• Foundation Services: Compute, Storage, Database, Networking
• AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
15. CUSTOMERS HAVE COMPLETE CONTROL OVER APPLICATION INFRASTRUCTURE
[Diagram: isolation on the hypervisor: each customer (Customer 1, Customer 2, … Customer n) has its own virtual interfaces and its own security groups; traffic passes through the hypervisor firewall before reaching the physical interfaces]
17. AWS REGIONS & AVAILABILITY ZONES
Customer Decides Where Applications and Data Reside
18. IDENTITY & ACCESS MANAGEMENT ROLES
• Secure credential delivery
• No need to embed secrets
[Diagram: one AWS account containing an EC2 instance and three groups: Admins (Bob, Susan, Mark, Kevin), Developers (Brad, Jim, DevApp1, DevApp2), Test (Cathy, Allen, TestApp1, TestApp2)]
19. HOW CONTROL GROUP USES AWS FOR HIPAA APPS
INFRASTRUCTURE AS CODE
• Versionable
• Testable
• Auditable
[Diagram: one infrastructure template plus app code (<?php) is promoted unchanged through Dev, QA, and Production environments]
20. APPROACH
AUDIT
• Examine existing apps, infrastructure, and process
• Provide recommendations for changes
• Business Associate Agreement (BAA)
UPDATE
• Provide dev and devops support to update existing apps and code base
• Create a testable AWS infrastructure template that is versioned with app code
DEPLOY, TEST, UPDATE... REPEAT
• Deploy the application in AWS
• Test for functionality, security, and load
• Continue to improve the application and its infrastructure
[Diagram: cycle Audit → Update → Test → Deploy → Update …]
21. CASE STUDY: PRONIA
Pronia Medical Systems provides the GlucoCare Intensive Glycemic Control System that helps hospitals and care facilities manage hyperglycemia in critically ill patients.
• The process of deploying and configuring trial infrastructure for each prospective client took anywhere from 1 to 3 months before migrating to AWS.
• With their GlucoCare trial infrastructure in AWS, Pronia cut their sales cycle down to 24 hours.
22. THE APPROACH
AUDIT
• Identified changes required to encrypt data stored in database
• Determined who required access to app
• Business Associate Agreement (BAA)
UPDATE
• Updated application code to add encryption capabilities to model
• AWS infrastructure template created using Python, Puppet, and a custom AMI
DEPLOY, TEST, UPDATE... REPEAT
• Pronia now uses template to create new environments for hospitals using AWS
• Testing environments are created whenever a bug needs to be isolated or new features need to be tested
RESULTS
• Pronia cut their trial sales cycle down from 3 months to 24 hours
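An added example (not Control Group's or AWS code) of the kind of check a versioned, testable infrastructure template invites: it encodes three controls the deck calls for, encrypted database storage (slide 22), credentials delivered through an IAM instance role rather than keys embedded in the instance (slide 18), and security-group ingress that is not open to the whole internet, as assertions run against a constructed CloudFormation-style template dict. The resource names, the placeholder AMI id, the example access key id and the admin CIDR are all constructed for the example.

```python
import json
import re

# An AWS access key id looks like "AKIA" followed by 16 upper-case alphanumerics.
ACCESS_KEY_RE = re.compile(r"AKIA[0-9A-Z]{16}")

def check_template(template):
    """Return findings for a CloudFormation-style template dict; an empty list means it passes."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        rtype, props = res.get("Type", ""), res.get("Properties", {})
        if rtype == "AWS::RDS::DBInstance" and not props.get("StorageEncrypted", False):
            findings.append(f"{name}: database storage is not encrypted")
        if rtype == "AWS::EC2::Instance":
            # Credentials should come from an attached IAM role, never from keys in UserData.
            if not props.get("IamInstanceProfile"):
                findings.append(f"{name}: no IAM instance profile attached")
            if ACCESS_KEY_RE.search(json.dumps(props.get("UserData", ""))):
                findings.append(f"{name}: AWS access key embedded in UserData")
        if rtype == "AWS::EC2::SecurityGroup":
            for rule in props.get("SecurityGroupIngress", []):
                if rule.get("CidrIp") == "0.0.0.0/0":
                    findings.append(f"{name}: port {rule.get('FromPort')} open to 0.0.0.0/0")
    return findings

# Constructed "before" template: every resource violates one of the controls above.
WEAK_TEMPLATE = {"Resources": {
    "PhiDatabase": {"Type": "AWS::RDS::DBInstance",
                    "Properties": {"Engine": "mysql", "StorageEncrypted": False}},
    "AppServer": {"Type": "AWS::EC2::Instance",
                  "Properties": {"ImageId": "ami-PLACEHOLDER",  # custom AMI id goes here
                                 "UserData": "export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE"}},
    "AppSecurityGroup": {"Type": "AWS::EC2::SecurityGroup",
                         "Properties": {"SecurityGroupIngress": [
                             {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"}]}},
}}

def hardened(template):
    """Return a corrected copy: encryption on, role attached, key removed, SSH limited to an admin CIDR."""
    fixed = json.loads(json.dumps(template))  # deep copy; the weak template is left untouched
    res = fixed["Resources"]
    res["PhiDatabase"]["Properties"]["StorageEncrypted"] = True
    res["AppServer"]["Properties"]["IamInstanceProfile"] = "AppInstanceProfile"  # constructed name
    res["AppServer"]["Properties"]["UserData"] = "#!/bin/bash\n/opt/app/start"
    res["AppSecurityGroup"]["Properties"]["SecurityGroupIngress"][0]["CidrIp"] = "10.0.0.0/8"
    return fixed
```

Running `check_template` as a test step in the same pipeline that versions the template makes the audit result part of the deployment record rather than a one-off review.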
23. CONCLUSION
• AWS provides building blocks to create secure and HIPAA-compliant systems
• AWS enables customers to improve security via predictable deployments for HIPAA compliant apps
• Control Group can partner as a Business Associate under a BAA
• Control Group is an experienced partner that can help healthcare organizations build and maintain applications securely in AWS.
24. Q&A
For more information on building & maintaining healthcare applications in AWS:
Lisa O’Neil
lisa.oneil@controlgroup.com
212-343-2525 x 192
CONTROLGROUP.COM
25. THANK YOU
David Rocamora, david.rocamora@controlgroup.com
Lisa O’Neil, lisa.oneil@controlgroup.com
Tom Stickle, tstickle@amazon.com