Building & Maintaining HIPAA-Compliant Applications in AWS



  • 1. Building & Maintaining HIPAA-Compliant Applications in AWS (July 11, 2012)
  • 2. BIOS
    • David Rocamora, VP of DevOps Expert, Control Group
    • Lisa O’Neil, VP of Enterprise Consulting, Control Group
    • Tom Stickle, Sr. Manager Cloud Solutions Architecture, Amazon Web Services
  • 3. CONTROL GROUP
    • Technology & design services company based in NYC
    • Full stack of expertise across strategy, engineering, software development, and design
    • AWS Consulting Partner that provides architecture, migration, development, and support services
  • 4. AWS PARTNER ECOSYSTEM (diagram)
    • Consulting Partners: Healthcare, Life Sciences, Financial, Manufacturing, Retail, Government
    • Technology Partners: Operating System, Application, Middleware, Database, Security, Management Services
    • Amazon Web Services stack: Management & Administration (Administration Console, Identity & Access, Deployment, Monitoring); Application Platform Services (Content Distribution, Parallel Processing, Messaging, Libraries & SDKs); Foundation Services (Compute, Storage, Database, Networking); AWS Global Infrastructure (Regions, Availability Zones, Edge Locations)
  • 5. HIPAA SUMMARY: Health Insurance Portability & Accountability Act, Title II - Administrative Simplification. This provision addresses the security and privacy of health data. The standards are meant to improve the efficiency and effectiveness of the nation's health care system by encouraging the widespread use of electronic data interchange in the U.S. health care system.
  • 6. HIPAA TECH REQUIREMENTS
    • Risk analysis
    • Admin policies & procedures
    • Audit controls
    • Backup & DR
    • Encryption
    • Integrity controls
    • Transmission security
    • Facility & workstation access controls
    • Software/data access controls
  • 7. BUSINESS ASSOCIATE AGREEMENT & AMAZON
    • Business Associate assumes responsibilities of covered entity
      - Policies and procedures
      - Access controls
      - Reporting
    • AWS is not a Business Associate
  • 8. UNDERSTANDING EXISTING THREATS
    • Data collected by HHS for breaches impacting 500 or more individuals
    • Data limitations: timeliness, completeness
    • 435 reported incidents to date (as of 7/10/12) impacting 20MM individuals
  • 9. HIPAA BREACHES, % OF INCIDENTS (pie chart): Theft 54%; Unauthorized Access/Disclosure 19%; Loss 13%; Hacking/IT Incident 8%; Improper Disposal 5%; Other/Unknown 1%. Theft + Loss = 67%.
  • 10. HIPAA BREACHES, % OF AFFECTED INDIVIDUALS (pie chart): Loss 46%; Theft 39%; Hacking/IT Incident 9%; Unauthorized Access/Disclosure 4%; Improper Disposal 2%; Other/Unknown 0%. Theft + Loss = 85%.
  • 11. HIPAA BREACHES BY TYPE/ASSET, % OF AFFECTED INDIVIDUALS (pie chart): Theft and Loss: Computer/HW 54%; Theft and Loss: Electronic Media 30%; Hacking/IT Incident: Network Server 8%; Improper Disposal 3%; the remaining segments (Unauthorized Access/Disclosure: Paper/Other; Unauthorized Access/Disclosure: Computer/Other Digital; Hacking/IT Incident: Computer/Other Digital; Theft and Loss: Paper/Other; Other) are 0-2% each. 92% related to physical hardware/digital media.
  • 12. HIPAA BREACHES BY YEAR, % OF AFFECTED INDIVIDUALS (stacked bar chart; y-axis 0 to 12,000,000 individuals; years 2009*, 2010, 2011, 2012*; categories Loss, Theft, Unauthorized Access/Disclosure, Improper Disposal, Hacking/IT Incident, Other/Unknown). * Incomplete data.
  • 14. AWS PLATFORM (diagram): Your Applications sit on top of Management & Administration (Administration Console, Identity & Access, Deployment, Monitoring); Application Platform Services (Content Distribution, Messaging, Parallel Processing, Libraries & SDKs); Foundation Services (Compute, Storage, Database, Networking); AWS Global Infrastructure (Regions, Availability Zones, Edge Locations)
  • 15. CUSTOMERS HAVE COMPLETE CONTROL OVER APPLICATION INFRASTRUCTURE (diagram): each customer (Customer 1, Customer 2, ... Customer n) has its own virtual interfaces and its own security groups; beneath them sit the firewall, the physical interfaces, and the hypervisor.
  • 17. AWS REGIONS & AVAILABILITY ZONES: Customer decides where applications and data reside
  • 18. IDENTITY & ACCESS MANAGEMENT ROLES
    • Secure credential delivery
    • No need to embed secrets
    • Diagram: an AWS account with the groups EC2 Admins, Developers, and Test Instance; the users Bob, Brad, Cathy, Susan, Jim, Allen, Mark, and Kevin; and the instances TestApp1, TestApp2, DevApp1, and DevApp2
  • 19. HOW CONTROL GROUP USES AWS FOR HIPAA APPS: INFRASTRUCTURE AS CODE. Infrastructure template & app code are:
    • Versionable
    • Testable
    • Auditable
    Diagram: the same infrastructure template and app code are deployed to Dev, QA, and Production.
  • 20. APPROACH
    AUDIT
    • Examine existing apps, infrastructure, and process
    • Provide recommendations for recommended changes
    • Business Associate Agreement (BAA)
    UPDATE
    • Provide dev and devops support to update existing apps and code base
    • Create a testable AWS infrastructure template that is versioned with app code
    DEPLOY, TEST, UPDATE... REPEAT
    • Deploy the application in AWS
    • Test for functionality, security, and load
    • Continue to improve the application and its infrastructure
    Diagram: Audit -> Update -> Deploy -> Test -> Update (cycle)
  • 21. CASE STUDY: PRONIA. Pronia Medical Systems provides the GlucoCare Intensive Glycemic Control System that helps hospitals and care facilities manage hyperglycemia in critically ill patients.
    • The process of deploying and configuring trial infrastructure for each prospective client took anywhere from 1 to 3 months before migrating to AWS.
    • With their GlucoCare trial infrastructure in AWS, Pronia cut their sales cycle down to 24 hours.
  • 22. THE APPROACH
    AUDIT
    • Identified changes required to encrypt data stored in database
    • Determined who required access to app
    • Business Associate Agreement (BAA)
    UPDATE
    • Updated application code to add encryption capabilities to model
    • AWS infrastructure template created using Python, Puppet, and a custom AMI
    DEPLOY, TEST, UPDATE... REPEAT
    • Pronia now uses template to create new environments for hospitals using AWS
    • Testing environments are created whenever a bug needs to be isolated or new features need to be tested
    RESULTS
    • Pronia cut their trial sales cycle down from 3 months to 24 hours
  • 23. CONCLUSION
    • AWS provides building blocks to create secure and HIPAA-compliant systems
    • AWS enables customers to improve security via predictable deployments for HIPAA-compliant apps
    • Control Group can partner as a Business Associate under a BAA
    • Control Group is an experienced partner that can help healthcare organizations build and maintain applications securely in AWS.
  • 24. Q&A. For more information on building & maintaining healthcare applications in AWS: Lisa O’Neil, 212-343-2525 x 192, CONTROLGROUP.COM
  • 25. THANK YOU. David Rocamora, david.rocamora@controlgroup.com; Lisa O’Neil, lisa.oneil@controlgroup.com; Tom Stickle,