22 Reasons AWS Can Help You Build HIPAA Compliant Applications
Healthcare is a rapidly changing field with new technologies arising every day. However, one thing that has remained steadfast through the years is HIPAA compliance and its necessary requirements for data security. This blog will examine how AWS can be used to set up your own secure cloud for healthcare applications without having any special knowledge of encryption or networking!
What is HIPAA?
HIPAA is the Health Insurance Portability and Accountability Act of 1996, which regulates how patient data is transmitted electronically. For a more in-depth look at HIPAA’s requirements and specifics, check out the US Department of Health and Human Services’ website detailing what it entails.
Why you should be concerned
It only takes one employee to click the wrong thing in Gmail or send an unprotected email for a privacy violation to happen. If you have a lot of data, it can cost thousands of dollars just to be able to sift through your emails looking for that patient’s records. And if you don’t do it yourself, you will probably have employees who aren’t trained to be HIPAA compliant do it. This creates an avenue for your patients’ sensitive data to go missing, not to mention the liability that comes with losing their information.
What Amazon can do
Amazon Web Services (AWS) offers a whole host of storage and computing services that are specifically designed for use by cloud-based applications. These services encompass everything from databases to content delivery and everything in between. With AWS, you can build HIPAA-compliant applications with relative ease by following a few best practices, which we’ll go into in more detail below.
How Amazon’s services can be combined
AWS services can be easily combined, tying two or more of them together. For instance, you can build an S3 bucket, which is a storage solution for objects (in the case of HIPAA, files containing patient information), and then use a Lambda function to encrypt those files before they are stored. The encryption key could be passed in as a parameter, and you can ensure that each file gets encrypted with its own unique key!
How to use this blog
This post is not meant to be an exhaustive guide on all the things you can do with AWS. However, it will give you enough information so you can get started and begin building your own applications! To that end, the rest of this article will cover some of AWS’s core features, services and how they work with each other, and how to implement them without having to be a networking wizard.
1. Secure Third-Party Data Storage
First, it is a best practice to store sensitive data such as PHI in encrypted form both at rest and while in transit. AWS CloudHSM helps organizations add cryptographic keys and certificates to their applications that they can use for encrypting or decrypting data on the fly. This makes sure that all sensitive data is encrypted before it leaves the organization’s perimeter.
Enterprise customers can use Amazon Elastic Block Store (Amazon EBS) to encrypt customer data on the fly without any additional load on application servers. Since all applications and databases reside in one common AWS Virtual Private Cloud, there are no security concerns with regard to network segregation.
2. Data Processing through AWS Glue and AWS Lambda
AWS Glue is a data extraction, transformation, and loading (ETL) service for non-relational data stores such as Hadoop and Amazon DynamoDB. Since it is compatible with AWS Lambda, you can execute your Lambda function on the data that has just been extracted out of the source database using Glue ETL jobs.
AWS Lambda lets you run code without provisioning or managing servers. AWS handles all of the required infrastructure for you so that you can focus on your application code.
AWS Lambda functions are stateless, which means they cannot access any data stored within the application’s environment. To read and write to a database server, you can use either Amazon DynamoDB or Amazon Relational Database Service (Amazon RDS).
3. Securing APIs through AWS API Gateway
This layer acts as a common entry point to securely exchange data between the server application and its consumers. Here, you can use various authorizers like Amazon Cognito Identity, IAM roles or AWS Security Token Service (STS) to create fine-grained API security policies.
AWS API Gateway lets you create APIs that are secure and highly available, and it integrates with AWS Lambda.
4. Serverless Applications
Serverless application architecture involves deploying applications that do not require OS-level deployment, virtual machines or any other external hosting environment. This lets you deploy an application without worrying about its underlying infrastructure dependencies.
Enterprise customers have the option of using Lambda@Edge to develop and deploy serverless applications that are available for all users, without the need to set up any servers, load balancers or other infrastructure.
AWS Lambda is compatible with both Amazon EC2 Container Service and Amazon Elastic Container Service for Kubernetes. This enables you to run your Lambda function on-premises in a secure environment with no extra effort.
5. Secure Serverless Applications
Lambda functions are stateless, which means they do not store any data inside the server application’s environment. To read or write persistent data from/to AWS DynamoDB or any other database, you will need to use either Amazon DynamoDB or Amazon Relational Database Service (Amazon RDS).
AWS Cognito can be used to add additional security layers on top of your Lambda functions. You can use AWS IAM or STS to generate temporary credentials for users and allow them to call the Lambda function directly from a browser.
6. Secure Data in Transit using TLS 1.2
Enterprise customers can use Amazon Certificate Manager (ACM) with a custom domain name to provision and manage SSL/TLS certificates that come standard with the highest validation levels of 256-bit encryption. ACM provides you with a secure and highly available private CA infrastructure, giving you complete control over your certificate lifecycle while reducing operational complexity and cost.
AWS CloudHSM can be used to manage and administer Hardware Security Modules (HSMs) that encrypt and protect sensitive data.
Enterprise customers can use Amazon S3’s Server-Side Encryption with AWS Key Management Service (KMS) or Amazon EBS encryption in order to keep their customers’ data secure at rest as well.
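The two controls above (TLS in transit, SSE-KMS at rest) are usually enforced on the bucket itself rather than left to each client. The following is an added example, not code from the original post or from AWS: it builds an S3 bucket policy whose explicit Deny statements reject any request that is not made over TLS and any PutObject that does not ask for SSE-KMS, and then checks a few constructed request contexts against that policy. The bucket name is a placeholder, and the checker handles only the two IAM condition operators this policy uses; it is a teaching aid, not a full policy evaluator.

```python
"""Added example (not from the original post): an S3 bucket policy that denies
non-TLS access and unencrypted uploads, plus a small offline checker.
Assumptions: the bucket name is a placeholder; the checker implements only
the Bool and StringNotEquals operators and the wildcard action matching this
policy needs, not the complete IAM evaluation logic."""
import fnmatch
import json

BUCKET = "example-phi-bucket"  # placeholder bucket name


def phi_bucket_policy(bucket: str) -> dict:
    """Bucket policy with two explicit Deny statements. An explicit Deny wins
    over any Allow a principal may carry in its own IAM policy, so these hold
    even for administrators."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    objects = f"{bucket_arn}/*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # 1. no plaintext HTTP: aws:SecureTransport is false when TLS is not used
                "Sid": "DenyInsecureTransport",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": [bucket_arn, objects],
                "Condition": {"Bool": {"aws:SecureTransport": "false"}},
            },
            {   # 2. uploads must request SSE-KMS; a missing header also fails StringNotEquals
                "Sid": "DenyUnencryptedPut",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": objects,
                "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}},
            },
        ],
    }


def _condition_matches(condition: dict, ctx: dict) -> bool:
    """Evaluate the subset of condition operators used above. In IAM a missing
    key makes a negated operator (StringNotEquals) evaluate to true, while Bool
    on a missing key evaluates to false."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if operator == "Bool":
                if actual is None or str(actual).lower() != str(expected).lower():
                    return False
            elif operator == "StringNotEquals":
                if actual is not None and actual == expected:
                    return False
            else:
                raise ValueError(f"operator {operator} not supported by this checker")
    return True


def is_denied(policy: dict, action: str, ctx: dict) -> bool:
    """True if any explicit Deny statement matches the action and request context."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if not any(fnmatch.fnmatchcase(action, pattern) for pattern in actions):
            continue
        if _condition_matches(stmt.get("Condition", {}), ctx):
            return True
    return False


# Constructed request contexts, as IAM would see them for a PutObject call.
REQUESTS = {
    "plaintext_http_put": {"aws:SecureTransport": "false"},
    "tls_put_no_sse": {"aws:SecureTransport": "true"},
    "tls_put_sse_s3": {"aws:SecureTransport": "true", "s3:x-amz-server-side-encryption": "AES256"},
    "tls_put_sse_kms": {"aws:SecureTransport": "true", "s3:x-amz-server-side-encryption": "aws:kms"},
}


def check_requests(policy: dict = None) -> dict:
    """Map each sample request name to whether the policy denies it."""
    policy = policy or phi_bucket_policy(BUCKET)
    return {name: is_denied(policy, "s3:PutObject", ctx) for name, ctx in REQUESTS.items()}


if __name__ == "__main__":
    print(json.dumps(phi_bucket_policy(BUCKET), indent=2))
    for name, denied in check_requests().items():
        print(f"{name:20s} -> {'DENIED' if denied else 'allowed by bucket policy'}")
```

Note the trade-off in the second statement: clients that rely on the bucket’s default encryption setting and send no `x-amz-server-side-encryption` header are denied too, so either configure them to send the header explicitly or drop that statement and rely on default encryption plus the AWS Config check for it.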
7. Limit Data Exposure and Compliance
AWS data-loss prevention (DLP) policies are used to help prevent accidental or intentional exposure of sensitive information to any unauthorized person, either within the enterprise or during a transfer outside the enterprise. They apply encryption to on-premise data that is stored in S3 buckets and configured for Amazon S3 server-side encryption.
AWS can be used to help maintain compliance with industry regulations such as HIPAA, PCI DSS and SOX. AWS offers a set of services for this: AWS CloudTrail and AWS Config for log management, AWS Identity and Access Management (IAM) for managing security credentials and activity logs, AWS Certificate Manager (ACM) for secure communication and AWS Web Application Firewall (WAF), which can be used to filter out malicious traffic.
8. Manage Third-Party Applications and Services
AWS provides a centralized dashboard for tracking the costs of all AWS services that are consumed by your enterprise, including various products like Amazon S3, EC2, RDS etc.
Enterprise customers can use AWS Service Catalog to create and manage a private catalog of approved services in their enterprise. This enables them to request and deploy applications through a self-service portal, reducing the need for custom code development and infrastructure management.
9. Governance, Risk & Compliance (GRC)
AWS is used by several enterprises to set up and enforce security, privacy and compliance policies for their applications. AWS Config is a service that enables customers to collect information about the resources they are using in order to audit them against certain criteria like cost-efficiency, adherence to industry regulations etc.
This gives enterprises complete control over user access. They can block users if their account doesn’t have a valid credit card or deny access based on the user’s employee type.
AWS IAM is used to create fine-grained security policies for services like Amazon S3 and Amazon EC2. Users can access AWS resources through roles that have permissions, which are assigned by administrators based on user needs (e.g. read-only access or full access).
Using AWS Config Rules, you can create rules for your resources in order to monitor their usage and enforce certain policies that are meaningful to your enterprise.
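A custom Config rule is a Lambda function that receives a configuration item and reports COMPLIANT or NON_COMPLIANT back through PutEvaluations. The block below is an added example, not code from the original post or from AWS: it implements such a rule for the encryption-at-rest policy discussed earlier, covering both EBS volumes and S3 buckets (the text names the rules mechanism; the resource types and the trimmed sample configuration items are my choice and are constructed). The evaluation logic is kept separate from the Lambda entry point so it can be run and tested without AWS credentials.

```python
"""Added example (not from the original post): evaluation logic for an AWS
Config custom rule that flags EBS volumes and S3 buckets not encrypted with
KMS. Assumptions: the sample configuration items are constructed and trimmed
to the fields used; boto3 is imported only inside the Lambda handler so the
evaluation function runs offline."""
import json
from typing import Optional, Tuple

COMPLIANT, NON_COMPLIANT, NOT_APPLICABLE = "COMPLIANT", "NON_COMPLIANT", "NOT_APPLICABLE"


def _s3_default_encryption(item: dict) -> Optional[dict]:
    """Config records a bucket's default encryption under
    supplementaryConfiguration, sometimes serialised as a JSON string;
    normalise it to a dict, or None when no default encryption is set."""
    raw = item.get("supplementaryConfiguration", {}).get("ServerSideEncryptionConfiguration")
    if raw is None:
        return None
    return json.loads(raw) if isinstance(raw, str) else raw


def evaluate_compliance(item: dict) -> Tuple[str, str]:
    """Return (compliance type, annotation) for one configuration item."""
    if item.get("configurationItemStatus") in ("ResourceDeleted", "ResourceDeletedNotRecorded"):
        return NOT_APPLICABLE, "resource deleted"
    rtype = item.get("resourceType")
    if rtype == "AWS::EC2::Volume":
        cfg = item.get("configuration", {})
        if cfg.get("encrypted") and cfg.get("kmsKeyId"):
            return COMPLIANT, f"encrypted with {cfg['kmsKeyId']}"
        return NON_COMPLIANT, "volume is not encrypted with a KMS key"
    if rtype == "AWS::S3::Bucket":
        rules = (_s3_default_encryption(item) or {}).get("rules", [])
        for rule in rules:
            default = rule.get("applyServerSideEncryptionByDefault", {})
            if default.get("sseAlgorithm") == "aws:kms":
                return COMPLIANT, "default encryption is SSE-KMS"
        return NON_COMPLIANT, "no SSE-KMS default encryption rule on bucket"
    return NOT_APPLICABLE, f"rule does not cover {rtype}"


def lambda_handler(event, context):
    """Entry point AWS Config invokes: invokingEvent is a JSON string carrying
    the configuration item; the verdict is reported with PutEvaluations."""
    import boto3  # present in the Lambda runtime; lazy import keeps the logic above offline-testable
    item = json.loads(event["invokingEvent"])["configurationItem"]
    compliance, note = evaluate_compliance(item)
    boto3.client("config").put_evaluations(
        Evaluations=[{
            "ComplianceResourceType": item["resourceType"],
            "ComplianceResourceId": item["resourceId"],
            "ComplianceType": compliance,
            "Annotation": note[:256],  # annotation is limited to 256 characters
            "OrderingTimestamp": item["configurationItemCaptureTime"],
        }],
        ResultToken=event["resultToken"],
    )
    return compliance


# Constructed configuration items (not real account data), trimmed to the fields used.
SAMPLE_ITEMS = [
    {"resourceType": "AWS::EC2::Volume", "resourceId": "vol-0encrypted", "configurationItemStatus": "OK",
     "configuration": {"encrypted": True, "kmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY"}},
    {"resourceType": "AWS::EC2::Volume", "resourceId": "vol-0plaintext", "configurationItemStatus": "OK",
     "configuration": {"encrypted": False}},
    {"resourceType": "AWS::S3::Bucket", "resourceId": "phi-bucket", "configurationItemStatus": "OK",
     "supplementaryConfiguration": {"ServerSideEncryptionConfiguration": json.dumps(
         {"rules": [{"applyServerSideEncryptionByDefault": {"sseAlgorithm": "aws:kms",
                                                            "kmsMasterKeyID": "EXAMPLE-KEY"}}]})}},
    {"resourceType": "AWS::S3::Bucket", "resourceId": "logs-bucket", "configurationItemStatus": "OK",
     "supplementaryConfiguration": {}},
]


def evaluate_samples() -> dict:
    """Compliance type per sample resource id."""
    return {item["resourceId"]: evaluate_compliance(item)[0] for item in SAMPLE_ITEMS}


if __name__ == "__main__":
    for rid, verdict in evaluate_samples().items():
        print(f"{rid:15s} {verdict}")
```

Because the rule reads the recorded configuration item rather than calling the S3 or EC2 APIs, it needs only `config:PutEvaluations` in its execution role; keep that role as narrow as the rule itself.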
10. User Provisioning & Delegated Access
AWS provides a single console for managing all of your users and user permissions. This enables you to create a single point of access for your users and services. Using AWS IAM, you can create policies that allow specific groups or individuals to perform privileged actions on your resources.
Enterprise customers use IAM to control user access to their data in S3 buckets and Amazon EBS volumes as well as other AWS services such as CloudTrail, CloudWatch Logs, etc.
Access to data in an S3 bucket can be controlled through policies like Case Sensitivity and Bucket Versioning. For Amazon EBS volumes, you can control user access by defining IAM users and attaching Amazon EC2 instances to them.
11. Testing & Development
Testing your applications is crucial for identifying any potential security issues or bugs. AWS offers various services that you can use for testing your applications, including Amazon EC2 and Amazon ECS.
Enterprises provision EC2 instances to run their testing frameworks on them. Amazon ECS is used by enterprises for running and orchestrating containers across multiple EC2 instances.
The AWS CloudFormation service helps you create a stack of related AWS resources, such as security groups, IAM roles/policies or VPCs. This enables software architects to construct complex environments for testing.
EC2 Systems Manager is used to automate EC2 instance management tasks like startup/shutdown, configuration management and software updates.
AWS Trusted Advisor is an AWS service that evaluates your environment on a regular basis and reports potential issues as well as performance best practices. This helps enterprises in identifying the areas where they can improve their performance.
12. Data Processing & Management
AWS is used by enterprises to run batch jobs using services like Amazon EMR. AWS Lambda and Amazon Kinesis streams are also used for data transformation or real-time analytics tasks. Enterprises can use these services to build their own applications without relying on a separate database.
AWS Lambda is a service that allows you to run code and trigger functions without provisioning or managing any servers. You can use it to build applications using your existing data instead of having to manage your own infrastructure. This makes it easier for enterprises, as they do not have to invest in setting up large-scale computing environments for running batch jobs etc.
13. Fault Tolerance and Monitoring
AWS offers various services for setting up fault-tolerant frameworks for your applications. Using Amazon EBS, you can set up multi-AZ replicated storage to provide data redundancy in the case of hardware failures. Similarly, you can deploy multiple copies of your application and its related resources across AWS Availability Zones. This minimizes the downtime of your application in the case of any hardware failure.
AWS provides many options for you to monitor and track network traffic coming into or going out of your resources. This is important as healthcare organizations have to comply with HIPAA regulations related to data privacy & security. AWS CloudTrail and Amazon VPC Flow Logs are used for tracking all the network activities on AWS resources. These services provide records of who accessed your resource, when and from where. You can also track network data transfer between Amazon EC2 instances using Amazon CloudWatch.
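Flow logs are only useful for HIPAA monitoring if someone actually reads them, so the following is an added example (not code from the original post or from AWS) of the kind of detection logic that runs over VPC Flow Log lines in the default version 2 format. It flags accepted inbound connections from outside the VPC to a port that is not meant to be exposed, and external sources that collect rejects across several ports. The VPC range, the allowed-port list and the sample lines are all constructed.

```python
"""Added example (not from the original post): parse VPC Flow Log records
(default v2 format) and apply two detection rules. Assumptions: VPC_CIDR,
ALLOWED_INBOUND_PORTS, the threshold and SAMPLE_LINES are constructed."""
from collections import defaultdict
import ipaddress

VPC_CIDR = ipaddress.ip_network("10.0.0.0/16")  # assumed VPC address range
ALLOWED_INBOUND_PORTS = {443}                    # assumed: only HTTPS is meant to be reachable
REJECT_PORT_THRESHOLD = 3                        # distinct rejected ports per source before alerting

# Field order of the default flow log format (version 2).
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Constructed sample records (documentation address ranges, dummy account id).
SAMPLE_LINES = """\
2 111122223333 eni-0a1b2c3d 203.0.113.5 10.0.1.10 51234 443 6 10 8400 1700000000 1700000060 ACCEPT OK
2 111122223333 eni-0a1b2c3d 198.51.100.7 10.0.1.10 40001 22 6 1 60 1700000000 1700000060 REJECT OK
2 111122223333 eni-0a1b2c3d 198.51.100.7 10.0.1.10 40002 3389 6 1 60 1700000000 1700000060 REJECT OK
2 111122223333 eni-0a1b2c3d 198.51.100.7 10.0.1.10 40003 5432 6 1 60 1700000000 1700000060 REJECT OK
2 111122223333 eni-0a1b2c3d 203.0.113.9 10.0.1.10 45000 5432 6 12 9000 1700000000 1700000060 ACCEPT OK
2 111122223333 eni-0a1b2c3d 10.0.2.5 10.0.1.10 33000 5432 6 12 9000 1700000000 1700000060 ACCEPT OK
2 111122223333 eni-0a1b2c3d - - - - - - - 1700000000 1700000060 - NODATA
"""


def parse_flow(line: str):
    """Turn one record into a dict with typed fields; None for rows that
    carry no data (NODATA/SKIPDATA use '-' placeholders) or malformed rows."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK":
        return None
    rec["srcaddr"] = ipaddress.ip_address(rec["srcaddr"])
    rec["dstaddr"] = ipaddress.ip_address(rec["dstaddr"])
    for field in ("srcport", "dstport", "protocol", "packets", "bytes"):
        rec[field] = int(rec[field])
    return rec


def analyze(lines: str) -> list:
    """Return findings as tuples: (rule, source, destination, port or ports)."""
    findings = []
    rejected_ports = defaultdict(set)
    for line in lines.splitlines():
        rec = parse_flow(line)
        if rec is None:
            continue
        external_src = rec["srcaddr"] not in VPC_CIDR
        internal_dst = rec["dstaddr"] in VPC_CIDR
        # Rule 1: something outside the VPC reached an internal port that should not be exposed.
        if (rec["action"] == "ACCEPT" and external_src and internal_dst
                and rec["dstport"] not in ALLOWED_INBOUND_PORTS):
            findings.append(("exposed_port", str(rec["srcaddr"]), str(rec["dstaddr"]), rec["dstport"]))
        # Rule 2: collect rejected destination ports per external source.
        if rec["action"] == "REJECT" and external_src:
            rejected_ports[rec["srcaddr"]].add(rec["dstport"])
    for src, ports in rejected_ports.items():
        if len(ports) >= REJECT_PORT_THRESHOLD:
            findings.append(("reject_burst", str(src), None, sorted(ports)))
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LINES):
        print(finding)
```

The internal-to-internal connection on port 5432 is deliberately not flagged: the rule is about the VPC boundary, and database traffic inside the VPC is governed by security groups. In production the same logic would read from the CloudWatch Logs group or S3 prefix the flow log is delivered to.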
Many healthcare organizations use the AWS Config service to collect metadata about their resources in an AWS account and periodically store this information in a centralized location for auditing and compliance purposes. AWS Config helps healthcare consumers understand what software and tools are used in healthcare applications hosted on AWS. It helps healthcare organizations identify and track the healthcare applications they own on the AWS cloud computing platform.
AWS CloudTrail service logs every change made to your resources in an account; from creating a new instance to changing a DNS record. It captures configuration management commands such as change in IAM user passwords and all the API requests made. AWS Config service helps healthcare organizations to audit, monitor, and protect their resources on Amazon cloud computing platform using this information.
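CloudTrail records are JSON, so the changes the paragraph names (IAM credential changes, trail tampering, API calls in general) can be picked out mechanically. The following is an added example, not code from the original post or from AWS: it scans a constructed CloudTrail document for a watch-list of sensitive event names, for root-account activity, and for denied attempts at the same calls, which are often the earlier sign. The watch-list entries are real CloudTrail event names; the records themselves are constructed and trimmed to the fields used.

```python
"""Added example (not from the original post): scan CloudTrail records for
sensitive IAM, CloudTrail and S3 changes and for root-account use.
Assumptions: SAMPLE_TRAIL is constructed; real trail files carry the same
{"Records": [...]} shape with many more fields per record."""
import json

# eventSource -> eventNames worth an alert (real CloudTrail event names).
WATCHED = {
    "iam.amazonaws.com": {"UpdateLoginProfile", "CreateLoginProfile", "CreateAccessKey", "AttachUserPolicy"},
    "cloudtrail.amazonaws.com": {"StopLogging", "DeleteTrail", "UpdateTrail"},
    "s3.amazonaws.com": {"DeleteBucketEncryption", "PutBucketAcl"},
}

# Constructed records: documentation IP ranges, dummy account id, trimmed fields.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2024-01-01T10:00:00Z", "eventSource": "iam.amazonaws.com", "eventName": "UpdateLoginProfile",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}, "sourceIPAddress": "203.0.113.4",
     "requestParameters": {"userName": "bob"}},
    {"eventTime": "2024-01-01T10:05:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}, "sourceIPAddress": "203.0.113.4"},
    {"eventTime": "2024-01-01T10:07:00Z", "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::111122223333:assumed-role/Admin/ci"},
     "sourceIPAddress": "198.51.100.9", "requestParameters": {"name": "phi-trail"}},
    {"eventTime": "2024-01-01T11:00:00Z", "eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"}, "sourceIPAddress": "203.0.113.4"},
    {"eventTime": "2024-01-01T11:02:00Z", "eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}, "sourceIPAddress": "203.0.113.4",
     "errorCode": "AccessDenied", "requestParameters": {"userName": "carol"}},
]})


def actor(record: dict) -> str:
    """Best available name for who made the call."""
    ident = record.get("userIdentity", {})
    return ident.get("userName") or ident.get("arn") or ident.get("type", "unknown")


def scan_trail(document: str) -> list:
    """Return findings as (kind, eventName, actor, eventTime) in record order."""
    findings = []
    for rec in json.loads(document)["Records"]:
        name, source = rec.get("eventName"), rec.get("eventSource")
        # Root should not be used for day-to-day work; any call is worth a look.
        if rec.get("userIdentity", {}).get("type") == "Root":
            findings.append(("root_activity", name, actor(rec), rec["eventTime"]))
        if name in WATCHED.get(source, set()):
            # A denied attempt is recorded with errorCode; it is still worth an alert.
            kind = "denied_sensitive_call" if rec.get("errorCode") else "sensitive_change"
            findings.append((kind, name, actor(rec), rec["eventTime"]))
    return findings


def by_actor(findings: list) -> dict:
    """Group finding kinds per actor, the view an analyst usually wants first."""
    grouped = {}
    for kind, _name, who, _when in findings:
        grouped.setdefault(who, []).append(kind)
    return grouped


if __name__ == "__main__":
    results = scan_trail(SAMPLE_TRAIL)
    for finding in results:
        print(finding)
    print(by_actor(results))
```

Because CloudTrail itself can be stopped or deleted by a sufficiently privileged caller, the `cloudtrail.amazonaws.com` entries in the watch-list are the ones to route to a channel that does not depend on the trail continuing to deliver.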
14. Scale up/Scale out
Enterprises need to add or remove compute capacity very often during the healthcare app development life cycle to meet end-user demand. In healthcare applications, you may need to scale up instances based on the number of users or load, and scale out when you need to process more data due to an explosion in business.
AWS allows healthcare enterprises to scale their resources between any two instance sizes (e.g., t2.small to m4.large) without any downtime, thereby minimizing the risk of downtime caused by load spikes. Enterprises can also use Amazon Auto Scaling to automatically scale their applications between two distinct AWS instance sizes based on a defined threshold.
15. Low cost and low maintenance healthcare apps development & hosting environment
AWS provides a very cost-effective solution for healthcare application development and deployment. You pay only for the services you use by setting up your own instance in EC2, creating storage with Amazon EBS and/or Amazon S3 and taking advantage of the Auto Scaling service if needed. Since you are not constrained by hardware and software choices, you can build cost-effective applications that will run faster on AWS. You can also reduce on-premise hardware and software maintenance costs while using AWS compute, storage and database services, which eliminates any capital expenditure or long-term contracts.
16. Integration of healthcare applications running in private data centers
Healthcare organizations can build a hybrid architecture with workloads running on-premises and in the AWS cloud. Many healthcare organizations already have private data centers, such as hospitals or pharmacies, where they host their applications and patient records. In case an organization wants to migrate to the cloud or use AWS for new healthcare app development work, it is fairly easy to integrate existing on-premises infrastructure through an API into the AWS Cloud.
Healthcare enterprises can also access enterprise health record systems deployed on premises from Amazon EC2 instances via Open Connect (Direct Connect). When you need a secure connection between your enterprise’s network and Amazon Web Services’ Virtual Private Cloud (VPC), you can set up your VPN using the VPC Endpoints service offered by AWS.
17. Disaster Recovery
If there is a disaster, such as fire or water leakage in the data center where healthcare applications are hosted, you can lose all of your data, and your IT team will need to reconstruct it from scratch to restore business continuity.
With AWS Backup service, it takes no more than 15 minutes for Amazon S3 to back up an object into Amazon Glacier ensuring that your data is safe from any disaster.
You can gain access through APIs to Amazon S3 backups even when the application services are offline due to failures or unplanned maintenance; they may also be restored using AWS Import/Restore service without affecting customers’ applications.
18. Scalable infrastructure management
AWS provides seamless integration between DevOps teams and resources (infrastructure management) so that application development and IT operations teams can work together continuously for the production environment. They also need to focus on how to improve business processes, flexibility, supportability, deliver new features and enhance existing functionality of healthcare apps without worrying about underlying infrastructure.
For instance, you can stop or start servers with an AWS command line interface or through a web-based management console instead of logging into individual physical machines to do those tasks.
19. Platform as a Service
Platform as a service (PaaS) is another AWS service for building scalable healthcare applications very easily. With AWS, developers don’t have to worry about issues such as hardware provisioning, operating systems upgrades, patches or backups because all these things are taken care of by AWS.
To build a healthcare application, you need to create and configure your instance in Amazon EC2 and focus on developing the business logic layer of the apps. You can take advantage of AWS Mobile Hub for creating, deploying and monitoring Android or iOS mobile applications using Continuous Integration (CI) and Delivery process for your healthcare enterprise.
20. Healthcare big data analytics
In today’s world, where large volumes of patient records are being created in various healthcare organizations, cloud computing makes it easy to manage this bulk of data effectively with cost-effective tools such as Hadoop running on AWS.
For instance, running NoSQL databases such as MongoDB in the cloud helps you gain more organizational agility with high performance at lower cost by running multiple copies of your databases to achieve high availability and scalability. With AWS, healthcare enterprises can leverage Amazon Elastic MapReduce (EMR) for big data analytics in the cloud to support analytics applications such as reporting, querying and processing large datasets using Java/Python or command line tools.
21. Healthcare industry specific technologies
Amazon has developed several services that are tailored for specific industries such as healthcare:
– Amazon Lex allows businesses to build sophisticated chatbots with natural language processing in customer service apps; e.g., a speech recognition bot can help patients communicate with doctors easily via voice commands instead of typing long messages on their smartphones or tablets.
– AWS RoboMaker enables organizations building robotics apps to use off-the-shelf robotic components and cloud computing services, allowing them to focus on creating the business logic layer. Organizations such as healthcare institutions working on prosthetic limbs or surgical tools may need to develop these complex systems in-house, but AWS RoboMaker makes it possible without writing any code.
– Amazon SageMaker is a suite of machine learning (ML) services available on AWS that developers can use to build and deploy ML models with very minimal coding; it supports feature engineering, hyperparameter optimization, code generation, model deployment and management with less effort. All ML models and training data can be stored in Amazon S3 buckets.
22. CloudFront – Content Delivery Network (CDN)
With the AWS CDN, healthcare enterprises can deliver a high volume of traffic from their applications without any loss of bandwidth, as all content is served at the edge of the AWS global network infrastructure to reduce latency for users by routing web requests directly to the closest nodes or data centers around the world.
Are you looking for a new cloud provider?
AWS has been the go-to cloud computing platform for healthcare organizations to host their healthcare applications. With its zero upfront fee, pay as you go model, AWS allows these enterprises to focus more on app development work and improve their agility. As compared to other public clouds, AWS provides enterprise class services such as Amazon S3 for object storage, Glacier and Amazon EBS volumes to store unstructured data in healthcare apps. For hosting of sensitive health data, enterprises may prefer hosted private cloud solutions with high levels of security as offered by AWS managed services such as CloudHSM & Virtual Private Cloud (VPC).
With a tap of a finger you can quickly spin instances up and down across multiple AWS Regions. You can also use your smartphone to identify the optimal Availability Zone for your application, according to latency or other metrics. This ensures low latency and high availability of your applications at all times.
If you are looking for a managed solution, AWS offers various cloud services such as Amazon Kinesis, Amazon EMR, Elastic Load Balancing, Auto Scaling and other pre-built solutions for the healthcare sector. You can start small and scale these up when your application becomes more popular.
At Mpire Solutions, we have some of the very best developers from across the world who are ready and able to help you develop, implement, and maintain the software solution that you desire – be it on AWS or any other cloud platform. Reach out to us to start your journey to better business!