Building & Maintaining HIPAA-Compliant Applications in AWS
Presentation Transcript

  • Building & Maintaining HIPAA-Compliant Applications in AWS, July 11, 2012
  • BIOS
    • David Rocamora, VP of DevOps, Control Group
    • Lisa O'Neil, VP of Enterprise Consulting, Control Group
    • Tom Stickle, Sr. Manager, Cloud Solutions Architecture, Amazon Web Services
    CONTROL GROUP
  • CONTROL GROUP
    • Technology & design services company based in NYC
    • Full stack of expertise across strategy, engineering, software development, and design
    • AWS Consulting Partner that provides architecture, migration, development, and support services
  • AWS PARTNER ECOSYSTEM (diagram) Consulting partners by vertical (healthcare, life sciences, financial, government, manufacturing, retail) and technology partners by layer (operating system, application, middleware, security, database, management services) sit around the AWS platform: management & administration (console, identity & access, deployment, monitoring), application platform services (content distribution, parallel processing, messaging, libraries & SDKs), foundation services (compute, storage, database, networking) and the global infrastructure (regions, availability zones, edge locations).
  • HIPAA SUMMARY Health Insurance Portability & Accountability Act, Title II - Administrative Simplification. This provision addresses the security and privacy of health data. The standards are meant to improve the efficiency and effectiveness of the nation's health care system by encouraging the widespread use of electronic data interchange in the U.S. health care system.
  • HIPAA TECH REQUIREMENTS
    • Risk analysis
    • Admin policies & procedures
    • Audit controls
    • Backup & DR
    • Software/data access controls
    • Integrity controls
    • Transmission security
    • Facility & workstation access controls
    • Encryption
  • BUSINESS ASSOCIATE AGREEMENT & AMAZON
    • The Business Associate assumes responsibilities of the covered entity:
      - Policies and procedures
      - Access controls
      - Reporting
    • AWS is not a Business Associate (position as of this July 2012 presentation)
  • UNDERSTANDING EXISTING THREATS
    • Data collected by HHS for breaches impacting 500 or more individuals
    • Data limitations: timeliness, completeness
    • 435 reported incidents to date (as of 7/10/12) impacting 20 million individuals
  • HIPAA BREACHES, % OF INCIDENTS (chart) Theft 54%, Unauthorized Access/Disclosure 19%, Loss 13%, Hacking/IT Incident 8%, Improper Disposal 5%, Other/Unknown 1%. Theft + Loss: 67% of incidents.
  • HIPAA BREACHES, % OF AFFECTED INDIVIDUALS (chart) Loss 46%, Theft 39%, Hacking/IT Incident 9%, Unauthorized Access/Disclosure 4%, Improper Disposal 2%, Other/Unknown 0%. Theft + Loss: 85% of affected individuals.
  • HIPAA BREACHES BY TYPE/ASSET, % OF AFFECTED INDIVIDUALS (chart) Theft and loss of computers/hardware and electronic media account for 54% and 30%; hacking/IT incidents against network servers 8%; improper disposal 3%; the remaining categories (unauthorized access/disclosure of computer/other digital or paper/other records, theft and loss of paper/other, other hacking/IT incidents) are each 2% or less. 92% related to physical hardware/digital media.
  • HIPAA BREACHES BY YEAR, AFFECTED INDIVIDUALS (chart) 2009* through 2012*, stacked by cause: Loss, Theft, Unauthorized Access/Disclosure, Improper Disposal, Hacking/IT Incident, Other/Unknown; y-axis 0 to 12,000,000. * Incomplete data.
  • WHY AWS IS A GREAT OPTION FOR HEALTHCARE COMPANIES
  • AWS PLATFORM (diagram) Your applications run on top of management & administration (console, identity & access, deployment, monitoring), application platform services (content distribution, messaging, parallel processing, libraries & SDKs), foundation services (compute, storage, database, networking) and the AWS global infrastructure (regions, availability zones, edge locations).
  • CUSTOMERS HAVE COMPLETE CONTROL OVER APPLICATION INFRASTRUCTURE (diagram) Each customer's virtual interfaces (Customer 1 ... Customer n) sit behind that customer's own security groups; the hypervisor's firewall separates them from the physical interfaces.
  • CUSTOMERS HAVE COMPLETE CONTROL OVER VIRTUAL NETWORKING
  • AWS REGIONS & AVAILABILITY ZONES Customer decides where applications and data reside.
  • IDENTITY & ACCESS MANAGEMENT ROLES
    • Secure credential delivery
    • No need to embed secrets
    (diagram) An account contains groups (EC2 Admins: Bob, Brad; Developers: Cathy, Susan, Jim, Allen, Mark; Test: Kevin) and instances (TestApp1, TestApp2, DevApp1, DevApp2) that receive credentials through roles.
  • HOW CONTROL GROUP USES AWS FOR HIPAA APPS: INFRASTRUCTURE AS CODE The infrastructure template and app code are kept together and are:
    • Versionable
    • Testable
    • Auditable
    The same template and code are promoted through Dev, QA and Production.
  • APPROACH (cycle: Audit, Update, Deploy, Test, Update ... repeat)
    AUDIT
    • Examine existing apps, infrastructure, and process
    • Provide recommendations for recommended changes
    • Business Associate Agreement (BAA)
    UPDATE
    • Provide dev and devops support to update existing apps and code base
    • Create a testable AWS infrastructure template that is versioned with app code
    DEPLOY, TEST, UPDATE... REPEAT
    • Deploy the application in AWS
    • Test for functionality, security, and load
    • Continue to improve the application and its infrastructure
  • CASE STUDY: PRONIA Pronia Medical Systems provides the GlucoCare Intensive Glycemic Control System that helps hospitals and care facilities manage hyperglycemia in critically ill patients.
    • The process of deploying and configuring trial infrastructure for each prospective client took anywhere from 1 to 3 months before migrating to AWS.
    • With their GlucoCare trial infrastructure in AWS, Pronia cut their sales cycle down to 24 hours.
  • THE APPROACH
    AUDIT
    • Identified changes required to encrypt data stored in database
    • Determined who required access to app
    • Business Associate Agreement (BAA)
    UPDATE
    • Updated application code to add encryption capabilities to model
    • AWS infrastructure template created using Python, Puppet, and a custom AMI
    DEPLOY, TEST, UPDATE... REPEAT
    • Pronia now uses template to create new environments for hospitals using AWS
    • Testing environments are created whenever a bug needs to be isolated or new features need to be tested
    RESULTS
    • Pronia cut their trial sales cycle down from 3 months to 24 hours
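The slides above make three concrete security points: customers own their security groups (slides 15-16), IAM roles mean no secrets have to be embedded in instances (slide 18), and the infrastructure template should be versioned, testable and auditable alongside the app code (slide 19, and the Pronia template built in Python). The following is an added example, not code from Control Group, Pronia or AWS, of what "auditable" can mean in practice: a small pre-deployment check run over a CloudFormation-style JSON template that flags a security group open to the world on anything but the web ports, an RDS instance without encryption at rest, an EC2 instance with no instance profile, and an access key pasted into user data. The two templates are constructed for the example, the allowed-port policy is an assumption, and the sample key is AWS's documented example id.

```python
"""Audit a JSON CloudFormation-style template for a few HIPAA-relevant
misconfigurations before it is deployed (policy choices are assumptions)."""
import json
import re

# Policy assumed for this example: only the web ports may be open to the world;
# SSH, database ports and all-traffic rules from 0.0.0.0/0 are findings.
PUBLIC_PORTS_ALLOWED = {80, 443}
WORLD_CIDRS = {"0.0.0.0/0", "::/0"}
# Long-lived IAM access key ids start with AKIA; a template should never carry one.
ACCESS_KEY_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")

# Constructed sample (not from the presentation): a world-open SSH rule, an
# unencrypted RDS instance, and an access key pasted into EC2 user data.
WEAK_TEMPLATE = json.dumps({"Resources": {
    "WebSG": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
        "GroupDescription": "web tier",
        "SecurityGroupIngress": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"},
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"}]}},
    "AppDB": {"Type": "AWS::RDS::DBInstance", "Properties": {
        "Engine": "postgres", "StorageEncrypted": False}},
    "AppServer": {"Type": "AWS::EC2::Instance", "Properties": {
        "UserData": {"Fn::Base64": "export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"}}},
}})

# The same stack with the findings corrected: SSH only from the admin network,
# encryption at rest on, credentials delivered through an instance profile.
FIXED_TEMPLATE = json.dumps({"Resources": {
    "WebSG": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
        "GroupDescription": "web tier",
        "SecurityGroupIngress": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"},
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "10.0.0.0/8"}]}},
    "AppDB": {"Type": "AWS::RDS::DBInstance", "Properties": {
        "Engine": "postgres", "StorageEncrypted": True}},
    "AppServer": {"Type": "AWS::EC2::Instance", "Properties": {
        "IamInstanceProfile": {"Ref": "AppInstanceProfile"},
        "UserData": {"Fn::Base64": "#!/bin/bash\n/opt/app/bootstrap.sh\n"}}},
}})


def audit_security_group(name, props):
    """Flag world-open ingress on anything but the allowed public ports."""
    findings = []
    for rule in props.get("SecurityGroupIngress", []):
        cidr = rule.get("CidrIp") or rule.get("CidrIpv6")
        if cidr not in WORLD_CIDRS:
            continue
        lo = int(rule.get("FromPort", -1))  # -1 means all ports / all traffic
        hi = int(rule.get("ToPort", lo))
        if not PUBLIC_PORTS_ALLOWED.issuperset(range(lo, hi + 1)):
            findings.append(f"{name}: ingress {rule.get('IpProtocol')} {lo}-{hi} open to {cidr}")
    return findings


def audit_db_instance(name, props):
    """PHI at rest must be encrypted; anything but an explicit True is a finding."""
    if props.get("StorageEncrypted") is not True:
        return [f"{name}: StorageEncrypted is not true"]
    return []


def audit_instance(name, props):
    """Instances should get credentials from a role, never from baked-in keys."""
    findings = []
    if "IamInstanceProfile" not in props:
        findings.append(f"{name}: no IamInstanceProfile, so the app will need embedded keys")
    # Serialise UserData so Fn::Base64 / Fn::Join wrappers are scanned too.
    if ACCESS_KEY_RE.search(json.dumps(props.get("UserData", ""))):
        findings.append(f"{name}: AWS access key id embedded in UserData")
    return findings


AUDITORS = {
    "AWS::EC2::SecurityGroup": audit_security_group,
    "AWS::RDS::DBInstance": audit_db_instance,
    "AWS::EC2::Instance": audit_instance,
}


def audit_template(template_text):
    """Return sorted findings for a JSON template; an empty list means it passes."""
    template = json.loads(template_text)
    findings = []
    for name, resource in template.get("Resources", {}).items():
        auditor = AUDITORS.get(resource.get("Type"))
        if auditor is not None:
            findings.extend(auditor(name, resource.get("Properties", {})))
    return sorted(findings)


if __name__ == "__main__":
    for label, text in (("weak", WEAK_TEMPLATE), ("fixed", FIXED_TEMPLATE)):
        print(label, audit_template(text) or "clean")
```

Because the check reads the template file rather than the live account, it can run in the same CI job that tests the app code, so a template change that opens a port or drops encryption fails the build before it reaches Dev, let alone Production; the policy constants are where a real deployment would encode its own risk analysis.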
  • CONCLUSION
    • AWS provides building blocks to create secure and HIPAA-compliant systems
    • AWS enables customers to improve security via predictable deployments for HIPAA-compliant apps
    • Control Group can partner as a Business Associate under a BAA
    • Control Group is an experienced partner that can help healthcare organizations build and maintain applications securely in AWS
  • Q&A For more information on building & maintaining healthcare applications in AWS: Lisa O'Neil, lisa.oneil@controlgroup.com, 212-343-2525 x 192, CONTROLGROUP.COM
  • THANK YOU David Rocamora, david.rocamora@controlgroup.com; Lisa O'Neil, lisa.oneil@controlgroup.com; Tom Stickle, tstickle@amazon.com