Building & Maintaining HIPAA-Compliant Applications in AWS

  1. Building & Maintaining HIPAA-Compliant Applications in AWS, July 11, 2012
  2. BIOS
     • David Rocamora, VP of DevOps, Control Group
     • Lisa O’Neil, VP of Enterprise Consulting, Control Group
     • Tom Stickle, Sr. Manager, Cloud Expert Solutions Architecture, Amazon Web Services
  3. CONTROL GROUP
     • Technology & design services company based in NYC
     • Full stack of expertise across strategy, engineering, software development, and design
     • AWS Consulting Partner that provides architecture, migration, development, and support services
  4. AWS PARTNER ECOSYSTEM (diagram)
     • Consulting partners: Healthcare, Manufacturing, Life Sciences, Retail, Financial, Government
     • Technology partners: Operating System, Application, Middleware, Security, Database, Management Services
     • Amazon Web Services layers: Management & Administration (Administration Console, Identity & Access, Deployment, Monitoring); Application Platform Services (Content Distribution, Parallel Processing, Messaging, Libraries & SDKs); Foundation Services (Compute, Storage, Database, Networking); AWS Global Infrastructure (Availability Zones, Edge Locations, Regions)
  5. HIPAA SUMMARY
     Health Insurance Portability & Accountability Act, Title II - Administrative Simplification. This provision addresses the security and privacy of health data. The standards are meant to improve the efficiency and effectiveness of the nation’s health care system by encouraging the widespread use of electronic data interchange in the U.S. health care system.
  6. HIPAA TECH REQUIREMENTS
     • Risk analysis
     • Admin policies & procedures
     • Audit controls
     • Backup & DR
     • Software/data access controls
     • Integrity controls
     • Transmission security
     • Facility & workstation access controls
     • Encryption
  7. BUSINESS ASSOCIATE AGREEMENT & AMAZON
     • Business Associate assumes responsibilities of covered entity: policies and procedures, access controls, reporting
     • AWS is not a Business Associate
  8. UNDERSTANDING EXISTING THREATS
     • Data collected by HHS for breaches impacting 500 or more individuals
     • Data limitations: timeliness, completeness
     • 435 reported incidents to date (as of 7/10/12) impacting 20MM individuals
  9. HIPAA BREACHES, % OF INCIDENTS (chart)
     Theft 54%, Unauthorized Access/Disclosure 19%, Loss 13%, Hacking/IT Incident 8%, Improper Disposal 5%, Other/Unknown 1%. Theft + Loss: 67%.
  10. HIPAA BREACHES, % OF AFFECTED INDIVIDUALS (chart)
     Loss 46%, Theft 39%, Hacking/IT Incident 9%, Unauthorized Access/Disclosure 4%, Improper Disposal 2%, Other/Unknown 0%. Theft + Loss: 85%.
  11. HIPAA BREACHES BY TYPE/ASSET, % OF AFFECTED INDIVIDUALS (chart)
     Theft and Loss: Computer/HW 54%; Theft and Loss: Electronic Media 30%; Hacking/IT Incident: Network Server 8%; Improper Disposal 3%; the remaining categories (Theft and Loss: Paper/Other; Hacking/IT Incident: Computer/Other Digital; Unauthorized Access/Disclosure: Paper/Other; Unauthorized Access/Disclosure: Other) are 2% or less each. 92% related to physical hardware/digital media.
  12. HIPAA BREACHES BY YEAR, % OF AFFECTED INDIVIDUALS (chart)
     Affected individuals per year (0 to 12,000,000) for 2009*, 2010, 2011, 2012*, broken down by Loss, Theft, Unauthorized Access/Disclosure, Improper Disposal, Hacking/IT Incident, Other/Unknown. * Incomplete data.
  13. WHY AWS IS A GREAT OPTION FOR HEALTHCARE COMPANIES
  14. AWS PLATFORM (diagram)
     Your Applications on top of Management & Administration (Administration Console, Identity & Access, Deployment, Monitoring); Application Platform Services (Content Distribution, Messaging, Parallel Processing, Libraries & SDKs); Foundation Services (Compute, Storage, Database, Networking); AWS Global Infrastructure (Availability Zones, Edge Locations, Regions).
  15. CUSTOMERS HAVE COMPLETE CONTROL OVER APPLICATION INFRASTRUCTURE (diagram)
     Customer 1, Customer 2, …, Customer n virtual interfaces, each behind its own security groups, then the firewall, the physical interfaces, and the hypervisor.
  16. CUSTOMERS HAVE COMPLETE CONTROL OVER VIRTUAL NETWORKING
  17. AWS REGIONS & AVAILABILITY ZONES
     Customer decides where applications and data reside.
  18. IDENTITY & ACCESS MANAGEMENT ROLES
     • Secure credential delivery
     • No need to embed secrets
     (diagram) An account with groups EC2 Admins, Developers, and Test Instance holding users (Bob, Brad, Cathy, Susan, Jim, Allen, Mark, Kevin) and application identities (TestApp1, TestApp2, DevApp1, DevApp2).
  19. HOW CONTROL GROUP USES AWS FOR HIPAA APPS: INFRASTRUCTURE AS CODE
     Infrastructure template & app code, promoted through Dev, QA, and Production:
     • Versionable
     • Testable
     • Auditable
  20. APPROACH
     Audit:
     • Examine existing apps, infrastructure, and process
     • Provide recommendations for recommended changes
     • Business Associate Agreement (BAA)
     Update:
     • Provide dev and devops support to update existing apps and code base
     • Create a testable AWS infrastructure template that is versioned with app code
     Deploy, test, update... repeat:
     • Deploy the application in AWS
     • Test for functionality, security, and load
     • Continue to improve the application and its infrastructure
  21. CASE STUDY: PRONIA
     Pronia Medical Systems provides the GlucoCare Intensive Glycemic Control System that helps hospitals and care facilities manage hyperglycemia in critically ill patients.
     • The process of deploying and configuring trial infrastructure for each prospective client took anywhere from 1 to 3 months before migrating to AWS.
     • With their GlucoCare trial infrastructure in AWS, Pronia cut their sales cycle down to 24 hours.
  22. THE APPROACH
     Audit:
     • Identified changes required to encrypt data stored in database
     • Determined who required access to app
     • Business Associate Agreement (BAA)
     Update:
     • Updated application code to add encryption capabilities to model
     • AWS infrastructure template created using Python, Puppet, and a custom AMI
     Deploy, test, update... repeat:
     • Pronia now uses template to create new environments for hospitals using AWS
     • Testing environments are created whenever a bug needs to be isolated or new features need to be tested
     Results:
     • Pronia cut their trial sales cycle down from 3 months to 24 hours
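The testable infrastructure template described on slides 19 and 22 can carry the HIPAA checks as part of its own test suite. The following is an added example, not Control Group's or Pronia's code: it audits a constructed CloudFormation-style template (resource and property names follow the AWS CloudFormation schema) for the controls the case study names, encrypted database storage, restricted access, and role-delivered credentials, and assumes that only HTTPS (port 443) may be exposed to the internet; the admin CIDR and instance-profile name are placeholders.

```python
"""Audit a CloudFormation-style template for HIPAA-relevant settings.

Added example, not Control Group's or Pronia's code. The template is a
constructed sample; property names follow the AWS CloudFormation schema.
Assumption: only HTTPS (443) may be open to the internet.
"""
import copy

ANY_IPV4 = "0.0.0.0/0"
ALLOWED_PUBLIC_PORTS = {443}


def audit_template(template):
    """Return a list of findings; an empty list means the template passes."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        rtype, props = res.get("Type"), res.get("Properties", {})
        if rtype == "AWS::EC2::SecurityGroup":
            for rule in props.get("SecurityGroupIngress", []):
                lo = int(rule.get("FromPort", 0))
                hi = int(rule.get("ToPort", 65535))
                if rule.get("CidrIp") == ANY_IPV4 and not set(range(lo, hi + 1)) <= ALLOWED_PUBLIC_PORTS:
                    findings.append(f"{name}: ports {lo}-{hi} open to {ANY_IPV4} (transmission security)")
        elif rtype == "AWS::RDS::DBInstance" and props.get("StorageEncrypted") is not True:
            findings.append(f"{name}: StorageEncrypted is not true (encryption at rest)")
        elif rtype == "AWS::EC2::Instance" and "IamInstanceProfile" not in props:
            findings.append(f"{name}: no IamInstanceProfile, so credentials would have to be embedded")
    return findings


# Constructed "before" template: SSH open to the world, unencrypted DB, no instance role.
WEAK_TEMPLATE = {"Resources": {
    "WebSg": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
        "GroupDescription": "web tier",
        "SecurityGroupIngress": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": ANY_IPV4},
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": ANY_IPV4}]}},
    "PatientDb": {"Type": "AWS::RDS::DBInstance", "Properties": {
        "Engine": "postgres", "DBInstanceClass": "db.t3.small", "AllocatedStorage": "20"}},
    "AppServer": {"Type": "AWS::EC2::Instance", "Properties": {
        "ImageId": "ami-PLACEHOLDER", "InstanceType": "t3.small"}},
}}

# Hardened copy: SSH only from the admin network, encrypted storage, role-based credentials.
HARDENED_TEMPLATE = copy.deepcopy(WEAK_TEMPLATE)
_res = HARDENED_TEMPLATE["Resources"]
_res["WebSg"]["Properties"]["SecurityGroupIngress"][0]["CidrIp"] = "10.0.0.0/16"  # placeholder admin CIDR
_res["PatientDb"]["Properties"]["StorageEncrypted"] = True
_res["AppServer"]["Properties"]["IamInstanceProfile"] = "AppServerProfile"  # placeholder profile name
```

Running `audit_template` over the template in CI before each deploy turns the "testable, auditable" slide into a gate: the weak template yields three findings, the hardened copy none.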
  23. CONCLUSION
     • AWS provides building blocks to create secure and HIPAA-compliant systems
     • AWS enables customers to improve security via predictable deployments for HIPAA-compliant apps
     • Control Group can partner as a Business Associate under a BAA
     • Control Group is an experienced partner that can help healthcare organizations build and maintain applications securely in AWS.
  24. Q&A
     For more information on building & maintaining healthcare applications in AWS: Lisa O’Neil, lisa.oneil@controlgroup.com, 212-343-2525 x 192, CONTROLGROUP.COM
  25. THANK YOU
     David Rocamora, david.rocamora@controlgroup.com; Lisa O’Neil, lisa.oneil@controlgroup.com; Tom Stickle, tstickle@amazon.com