
Building & Maintaining HIPAA-Compliant Applications in AWS



  1. Building & Maintaining HIPAA-Compliant Applications in AWS, July 11, 2012
  2. BIOS
     • David Rocamora, VP of DevOps, Control Group
     • Lisa O'Neil, VP of Enterprise Consulting, Control Group
     • Tom Stickle, Sr. Manager, Cloud Solutions Architecture, Amazon Web Services
     CONTROL GROUP
  3. CONTROL GROUP
     • Technology & design services company based in NYC
     • Full stack of expertise across strategy, engineering, software development, and design
     • AWS Consulting Partner that provides architecture, migration, development, and support services
  4. AWS PARTNER ECOSYSTEM (diagram)
     • Consulting partners by industry: Healthcare, Life Sciences, Financial, Government, Manufacturing, Retail
     • Technology partners by layer: Operating System, Application, Middleware, Security, Database, Management Services
     • Amazon Web Services stack: Management & Administration (Administration Console, Identity & Access, Deployment, Monitoring); Application Platform Services (Content Distribution, Parallel Processing, Messaging, Libraries & SDKs); Foundation Services (Compute, Storage, Database, Networking); AWS Global Infrastructure (Regions, Availability Zones, Edge Locations)
  5. HIPAA SUMMARY
     Health Insurance Portability & Accountability Act, Title II - Administrative Simplification. This provision addresses the security and privacy of health data. The standards are meant to improve the efficiency and effectiveness of the nation's health care system by encouraging the widespread use of electronic data interchange in the U.S. health care system.
  6. HIPAA TECH REQUIREMENTS
     • Risk analysis
     • Admin policies & procedures
     • Facility & workstation access controls
     • Software/data access controls
     • Integrity controls
     • Transmission security
     • Audit controls
     • Backup & DR
     • Encryption
  7. BUSINESS ASSOCIATE AGREEMENT & AMAZON
     • Business Associate assumes responsibilities of covered entity:
       - Policies and procedures
       - Access controls
       - Reporting
     • AWS is not a Business Associate
  8. UNDERSTANDING EXISTING THREATS
     • Data collected by HHS for breaches impacting 500 or more individuals
     • Data limitations: timeliness, completeness
     • 435 reported incidents to date (as of 7/10/12) impacting 20MM individuals
  9. HIPAA BREACHES, % OF INCIDENTS (chart)
     • Theft 54%
     • Unauthorized Access/Disclosure 19%
     • Loss 13%
     • Hacking/IT Incident 8%
     • Improper Disposal 5%
     • Other/Unknown 1%
     Theft + Loss = 67% of incidents
  10. HIPAA BREACHES, % OF AFFECTED INDIVIDUALS (chart)
     • Loss 46%
     • Theft 39%
     • Hacking/IT Incident 9%
     • Unauthorized Access/Disclosure 4%
     • Improper Disposal 2%
     • Other/Unknown 0%
     Theft + Loss = 85% of affected individuals
  11. HIPAA BREACHES BY TYPE/ASSET, % OF AFFECTED INDIVIDUALS (chart)
     • Theft and Loss: Computer/HW 54%
     • Theft and Loss: Electronic Media 30%
     • Hacking/IT Incident: Network Server 8%
     • Improper Disposal 3%
     • The remaining slices (Theft and Loss: Paper/Other; Hacking/IT Incident: Computer/Other Digital; Unauthorized Access/Disclosure: Paper/Other; Unauthorized Access/Disclosure: Other) are each 2% or less; individual values are not recoverable from the chart
     92% related to physical hardware / digital media
  12. HIPAA BREACHES BY YEAR, NUMBER OF AFFECTED INDIVIDUALS (chart: 0 to 12,000,000; years 2009* to 2012*; series: Loss, Theft, Unauthorized Access/Disclosure, Improper Disposal, Hacking/IT Incident, Other/Unknown; * incomplete data)
  14. AWS PLATFORM (diagram)
     Your Applications on top of: Management & Administration (Administration Console, Identity & Access, Deployment, Monitoring); Application Platform Services (Content Distribution, Messaging, Parallel Processing, Libraries & SDKs); Foundation Services (Compute, Storage, Database, Networking); AWS Global Infrastructure (Regions, Availability Zones, Edge Locations)
  15. CUSTOMERS HAVE COMPLETE CONTROL OVER APPLICATION INFRASTRUCTURE (diagram)
     Customer 1, Customer 2, ... Customer n each attach to their own virtual interfaces; the firewall enforces each customer's own security groups (Customer 1 Security Groups, Customer 2 Security Groups, ... Customer n Security Groups) above the physical interfaces and the hypervisor.
  17. AWS REGIONS & AVAILABILITY ZONES
     Customer decides where applications and data reside.
  18. IDENTITY & ACCESS MANAGEMENT ROLES
     • Secure credential delivery
     • No need to embed secrets
     (diagram) Account → Groups: EC2 Admins (Bob, Brad, Cathy), Developers (Susan, Jim, Allen, Mark), Test (Kevin); instances TestApp1, TestApp2, DevApp1, DevApp2 receive credentials through roles.
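Slide 18's point is that IAM roles hand temporary credentials to EC2 instances, so nothing has to be hard-coded in application code, config files or AMIs. Before a migration to roles, the existing code base should be audited for the static keys that roles make unnecessary. The scanner below is an added example and is not Control Group's tooling; the repository contents are constructed inline, and the key values are the placeholder examples AWS publishes in its documentation, not real credentials.

```python
"""Find AWS access keys embedded in source or config files (added example).

The sample repository is constructed inline. Two files embed credentials the
way slide 18 warns against; the third relies on the instance role and has
nothing to find. Key values are AWS's documented placeholder examples.
"""
import re

# Access key IDs: "AKIA" followed by 16 upper-case letters or digits.
ACCESS_KEY_RE = re.compile(r"\b(AKIA[0-9A-Z]{16})\b")

# Secret access keys are 40 base64-ish characters. On their own they look like
# any other hash, so only flag them when assigned to a name that says "secret".
SECRET_KEY_RE = re.compile(
    r"(aws_?secret(?:_?access)?_?key|secret_?key)['\"]?\s*[=:,]\s*['\"]?"
    r"([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])",
    re.IGNORECASE,
)


def scan_text(path, text):
    """Return (path, line_no, kind, value) findings for one file's contents."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in ACCESS_KEY_RE.finditer(line):
            findings.append((path, line_no, "access_key_id", match.group(1)))
        for match in SECRET_KEY_RE.finditer(line):
            findings.append((path, line_no, "secret_access_key", match.group(2)))
    return findings


def scan_tree(files):
    """files maps path -> contents; returns findings across the whole tree."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


# Constructed sample repository (not from the deck).
SAMPLE_REPO = {
    "config/production.php": (
        "<?php\n"
        "define('AWS_ACCESS_KEY_ID', 'AKIAIOSFODNN7EXAMPLE');\n"
        "define('AWS_SECRET_ACCESS_KEY', 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY');\n"
    ),
    "deploy/settings.ini": (
        "[s3]\n"
        "aws_access_key_id = AKIAI44QH8DHBEXAMPLE\n"
        "aws_secret_access_key = je7MtGbClwBF/2Zp9Utk/h3yCo8nvbEXAMPLEKEY\n"
    ),
    "app/storage.py": (
        "# No static keys: the SDK's default credential chain picks up the\n"
        "# instance role's temporary credentials from instance metadata.\n"
        "import boto\n"
        "conn = boto.connect_s3()\n"
    ),
}

if __name__ == "__main__":
    for path, line_no, kind, value in scan_tree(SAMPLE_REPO):
        # Print only a prefix so the scanner's own output does not leak the secret.
        print(f"{path}:{line_no}: embedded {kind} {value[:4]}...")
```

Run it over a checkout before cutting over to roles; every hit is a key that must be rotated after it is removed, since it is already in version history.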
  19. HOW CONTROL GROUP USES AWS FOR HIPAA APPS: INFRASTRUCTURE AS CODE
     The infrastructure template and the application code (<?php ...) are kept together and promoted through Dev, QA, and Production.
     • Versionable
     • Testable
     • Auditable
  20. APPROACH (cycle: Audit → Update → Deploy → Test → Update ...)
     AUDIT
     • Examine existing apps, infrastructure, and process
     • Provide recommendations for recommended changes
     • Business Associate Agreement (BAA)
     UPDATE
     • Provide dev and devops support to update existing apps and code base
     • Create a testable AWS infrastructure template that is versioned with app code
     DEPLOY, TEST, UPDATE... REPEAT
     • Deploy the application in AWS
     • Test for functionality, security, and load
     • Continue to improve the application and its infrastructure
  21. CASE STUDY: PRONIA
     Pronia Medical Systems provides the GlucoCare Intensive Glycemic Control System that helps hospitals and care facilities manage hyperglycemia in critically ill patients.
     • The process of deploying and configuring trial infrastructure for each prospective client took anywhere from 1 to 3 months before migrating to AWS.
     • With their GlucoCare trial infrastructure in AWS, Pronia cut their sales cycle down to 24 hours.
  22. THE APPROACH
     AUDIT
     • Identified changes required to encrypt data stored in database
     • Determined who required access to app
     • Business Associate Agreement (BAA)
     UPDATE
     • Updated application code to add encryption capabilities to model
     • AWS infrastructure template created using Python, Puppet, and a custom AMI
     DEPLOY, TEST, UPDATE... REPEAT
     • Pronia now uses template to create new environments for hospitals using AWS
     • Testing environments are created whenever a bug needs to be isolated or new features need to be tested
     RESULTS
     • Pronia cut their trial sales cycle down from 3 months to 24 hours
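Slides 19, 20 and 22 describe a "testable, auditable" infrastructure template versioned alongside the application, but the deck does not show the template or its tests. The check below is an added example, not Control Group's or Pronia's code. It assumes the template is an AWS CloudFormation JSON document and encodes two of the slide 6 requirements at the network edge: transmission security (the Internet may reach only TLS on 443) and access control (admin ports are reachable only from a management network, whose CIDR is assumed here). The template is constructed inline with one deliberate violation and a corrected copy alongside it.

```python
"""Policy checks over a versioned infrastructure template (added example).

Assumes an AWS CloudFormation JSON template. Run in the same test step as
the application code: a change that loosens a security group fails the build
and is visible in version history. MGMT_CIDR is an assumed value.
"""
import json

WORLD = "0.0.0.0/0"
PUBLIC_PORTS = {443}            # the only ports the Internet may reach
ADMIN_PORTS = {22, 3389}        # SSH and RDP
MGMT_CIDR = "10.10.0.0/16"      # assumed management network (not from the deck)


def ingress_rules(template_text):
    """Yield (resource_name, rule) for every security-group ingress rule."""
    template = json.loads(template_text)
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::EC2::SecurityGroup":
            continue
        for rule in res.get("Properties", {}).get("SecurityGroupIngress", []):
            yield name, rule


def port_range(rule):
    """Return (from, to). CloudFormation JSON carries ports as strings, and an
    all-protocols rule ("-1") has no ports at all, so treat it as every port."""
    if str(rule.get("IpProtocol")) == "-1" or "FromPort" not in rule:
        return 0, 65535
    return int(rule["FromPort"]), int(rule["ToPort"])


def check_template(template_text):
    """Return human-readable violations; an empty list means the template passes."""
    violations = []
    for name, rule in ingress_rules(template_text):
        cidr = rule.get("CidrIp")
        if cidr is None:
            continue    # source is another security group, not an address range
        lo, hi = port_range(rule)
        if cidr == WORLD and not all(p in PUBLIC_PORTS for p in range(lo, hi + 1)):
            violations.append(f"{name}: ports {lo}-{hi} open to the Internet")
        elif cidr != MGMT_CIDR and any(lo <= p <= hi for p in ADMIN_PORTS):
            violations.append(f"{name}: admin port in {lo}-{hi} reachable from {cidr}")
    return violations


def restrict_ssh(template_text, cidr):
    """Return a copy of the template with every SSH rule's source set to cidr."""
    template = json.loads(template_text)
    for res in template.get("Resources", {}).values():
        if res.get("Type") != "AWS::EC2::SecurityGroup":
            continue
        for rule in res.get("Properties", {}).get("SecurityGroupIngress", []):
            if "CidrIp" in rule and port_range(rule) == (22, 22):
                rule["CidrIp"] = cidr
    return json.dumps(template)


# Constructed template: the web tier wrongly exposes SSH to the whole Internet;
# the database tier is reachable only from the web tier's security group.
SAMPLE_TEMPLATE = json.dumps({
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "WebSecurityGroup": {
            "Type": "AWS::EC2::SecurityGroup",
            "Properties": {
                "GroupDescription": "Web tier",
                "SecurityGroupIngress": [
                    {"IpProtocol": "tcp", "FromPort": "443", "ToPort": "443", "CidrIp": WORLD},
                    {"IpProtocol": "tcp", "FromPort": "22", "ToPort": "22", "CidrIp": WORLD},
                ],
            },
        },
        "DbSecurityGroup": {
            "Type": "AWS::EC2::SecurityGroup",
            "Properties": {
                "GroupDescription": "Database tier",
                "SecurityGroupIngress": [
                    {"IpProtocol": "tcp", "FromPort": "3306", "ToPort": "3306",
                     "SourceSecurityGroupName": {"Ref": "WebSecurityGroup"}},
                ],
            },
        },
    },
})

# The corrected setting beside the weak one: SSH only from the management network.
FIXED_TEMPLATE = restrict_ssh(SAMPLE_TEMPLATE, MGMT_CIDR)

if __name__ == "__main__":
    print("sample:", check_template(SAMPLE_TEMPLATE))
    print("fixed: ", check_template(FIXED_TEMPLATE))
```

The checks deliberately ignore rules whose source is another security group, since those never admit Internet traffic; an all-protocols rule with a CIDR source is treated as every port, which is what makes a blanket "-1" rule fail.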
  23. CONCLUSION
     • AWS provides building blocks to create secure and HIPAA-compliant systems
     • AWS enables customers to improve security via predictable deployments for HIPAA-compliant apps
     • Control Group can partner as a Business Associate under a BAA
     • Control Group is an experienced partner that can help healthcare organizations build and maintain applications securely in AWS
  24. Q&A
     For more information on building & maintaining healthcare applications in AWS: Lisa O'Neil, 212-343-2525 x 192, CONTROLGROUP.COM
  25. THANK YOU
     David Rocamora, david.rocamora@controlgroup.com
     Lisa O'Neil, lisa.oneil@controlgroup.com
     Tom Stickle,