In the AWS Healthcare Days presentation you’ll learn best practices for architecting cloud-based applications for the healthcare industry with a deep technical overview and demos. Topics to be covered in this presentation include building a healthcare analytics pipeline in the cloud, leveraging the cloud for mobile, connected devices, and IoT, and using infrastructure-as-code to automate your security and HIPAA compliance policies. You will also see how cloud technology partner, Cognizant, is helping healthcare providers manage cloud infrastructure at scale, as well as leveraging tooling to maintain the security and compliance of applications and environments through automation.
2016 AWS Healthcare Day | Chicago, IL – June 28th, 2016
1. Healthcare and Life Sciences Days
Chicago, IL
Mark Johnston, Director of Global Business Development,
Healthcare and Life Sciences
June 28, 2016
2. Agenda
01:00 PM – 01:30 PM  1. Introduction and Opening Remarks
01:30 PM – 02:30 PM  2. Embracing DevOps with Improving Compliance and Security Agility and Posture
02:30 PM – 02:45 PM  Break
02:45 PM – 03:30 PM  3. Healthcare Analytics and Prediction using Amazon Machine Learning
03:30 PM – 04:15 PM  4. Cognizant: Managing Cloud Infrastructure at Scale
04:15 PM – 05:00 PM  5. Leveraging Amazon Echo and AWS to build IoT Applications
05:00 PM – 06:30 PM  6. Closing Remarks, Q&A and Networking
3. 12 Regions
33 Availability Zones
54 Edge Locations
Coming Soon:
5 Regions
11 Availability Zones
AWS global infrastructure
4. AWS Rapid Pace of Innovation
[chart: new features and services launched per year, 2009, 2011, 2013 and 2015; bars labelled 48, 82, 280 and 722; * as of 1 Feb 2016]
AWS has been continually expanding its services to support virtually any cloud workload and it now has more than 50 services that range from compute, storage, networking, database, analytics, application services, deployment, management and mobile. Since inception AWS has launched 776 new features and/or services for a total of 1,950 new features and/or services since inception in 2006.
5. AWS platform overview (diagram)
Enterprise apps: virtual desktops, sharing & collaboration, corporate email, backup
Development & operations: one-click app deployment, DevOps resource management, application lifecycle management, containers, triggers, resource templates
Mobile services: identity, sync, single integrated console, push notifications
App services: queuing & notifications, workflow, search, email, transcoding
Analytics: data warehousing, Hadoop/Spark, streaming data collection, machine learning, Elastic Search
Technical & business support: account management, support, professional services, training & certification, security & pricing reports, partner ecosystem, solutions architects
Marketplace: business apps, business intelligence, databases, DevOps tools, networking, security, storage
Infrastructure: regions, availability zones, points of presence
Core services: compute (VMs, auto-scaling & load balancing); storage (object, blocks, archival, import/export); databases (relational, NoSQL, caching, migration); networking (VPC, DX, DNS, CDN)
Security & compliance: access control, identity management, key management & storage, monitoring & logs, assessment and reporting, resource & usage auditing, configuration compliance, web application firewall
Hybrid architecture: data backups, integrated app deployments, Direct Connect, identity federation, integrated resource management, integrated networking
Also shown: API gateway; IoT (rules engine, device shadows, device SDKs, registry, device gateway); streaming data analysis; business intelligence; mobile analytics
7. Alex Dickinson
SVP, Strategic Initiatives
Working with AWS lets us focus
on what we’re good at, which is
doing sequencing
8. William H. Morris
Associate CIO
The cloud can lower the operating
cost, and actually allow us to
focus on what we do well, which
is taking care of patients.
9. David Bennett
EVP of Healthier Populations
The market acceptance of healthcare
running on AWS is pretty exciting to us
10. New technologies are emerging throughout
the industry
Data exchange
throughout your
healthcare network
New innovations in
care delivery
Consumer
applications and
personalized
medicine
11. Use Case: AWS for Precision Medicine
All the compute you need to deal with large,
complex data sets
Easily deploy to physicians throughout your
network
Cost-effective short-term and long-term
storage
12. Jason Gillman
Director of Precision Genomics
we wanted to provide information
to the oncologist as quickly as we
can. These new services ….
powered by AWS, helps provide
that.
13. Innovation in medication adherence
• Medication adherence for depression
and schizophrenia
• Therapeutic has an ingestible sensor
linked to a wearable patch
• Patch talks to the application
• Patient data (or lack of) is
communicated to care managers and
or physicians
14. Innovation in chronic care management
• Sensor attaches to existing inhaler
• Tracks therapeutic utilization
• Application allows environmental
condition capture
• Patient gets feedback regarding
their condition – Asthma and COPD
15. Jeroen Tas
CEO, Healthcare Informatics Solutions and Services
We combine data to make it
actionable….We’re doing that together with
Amazon, because there is only one company
that we can do this with which gives us the
reliability, scale, and performance we need.
Healthcare IoT – Philips HSDP
16. Torsten Kablitz
Vice President, IT Business Services
[Just one] of our customers…..500,000
transactions a day….AWS allows us to
bring up and bring down servers just as we
need them.
17. Security is foundational at AWS
Architected to be one of the most flexible and secure cloud
computing environments available today
19. Security: A Shared Responsibility – AWS secures the infrastructure....
• Environment built for the most security sensitive organizations
• AWS manages 1800+ security controls so you don’t have to
• Certified and regularly audited
20. Security: A Shared Responsibility – ....so you, the customer, can secure your patient data
• You retain ownership of your IP and content – AWS does not have access
• You control where your data is stored
• Enabling end-to-end compliance
21. In the Cloud, Infrastructure Security is Code
Templates determine what
infrastructure is deployed
and how it is deployed
Built-in tools to monitor
your environment
Automatic logging for audit
support
22. The AWS Cloud Improves your Compliance Posture
Controllable Infrastructure Repeatable Testing Automatic Traceability
23. AWS and Validated Systems
Major companies run GxP on AWS today
We have GxP resources available to help you
migrate GxP systems to the AWS Cloud
Developed with input from Lachman
Consultants
Multiple partners with solutions available: Sparta,
TraceLink, Waters, Medidata, etc.
24. Enabling Compliance
Build HIPAA-compliant applications that store, process and transmit PHI
Business Associate Agreement (BAA) addendum available
HIPAA-eligible services for a broad range of applications: Compute, Storage, Database, Managed Big Data, Archiving, Data Warehousing, Networking
25. Lee Kim
Director, Privacy and Security
HIMSS North America
Most healthcare institutions don’t have
the time and resources
to devote to cybersecurity that an
established cloud provider
might have
26. Embracing DevSecOps while improving your
compliance and security agility and posture
Scott Paddock
Security Solutions Architect
Gerry Miller
Founder & CTO, Cloudticity
27. Agenda
• DevOps to DevSecOps Primer
• Observed industry cloud techniques with AWS
• Tools, processes and frameworks to assist
• Example Compliance Workflows
28. DevOps Toolchain
Plan: Define and plan; business value, application requirements and metrics
Create: Building, coding and configuration
Verify: Ensuring quality; acceptance, regression testing
Configure: Infrastructure and application
Preprod: Approval/certification, triggered releases, release staging and holding
Monitor: Process, application and infrastructure
Release: Release coordination, promotion, scheduling, rollback and recovery
29. DevOps Principles
• Collaborate with all stakeholders
• Codify everything
• Test everything
• Automate everything
• Measure and monitor everything
• Deliver business value with continual feedback
Manual Hacking
30. Drivers for DevSecOps
Embedding Security into DevOps was not successful
because…
• Compliance checklists didn’t take us far before we
stopped scaling…
• We couldn’t keep up with deployments without
automation…
• Standard Security Operations did not work…
• And we needed far more data than we expected to help
the business make decisions…
31. DevSecOps: Security as Code
Establishing these principles…
• Customer focused mindset
• Scale, scale, scale
• Objective criteria
• Proactive hunting
• Continuous detection and response
32. DevOps Toolchain (with security and compliance embedded)
Plan: Define and plan; business value, application requirements, security, compliance and metrics
Create: Build, code and configuration
Verify: Ensuring quality; acceptance, regression, security and compliance testing
Configure: Infrastructure and application
Preprod: Approval/certification, triggered releases, release staging and holding
Monitor: Process, application, infrastructure, security and compliance
Release: Release coordination, promotion, scheduling, rollback and recovery
52. Actual workflow (diagram)
Post-commit hook:
• Build & test
• Notify if failure - or
• Package manifest on success: executables, required resources, any other necessary metadata
53. Actual workflow (diagram)
Post-commit hook → Put to S3 bucket → Triggers Lambda → CloudFormation → Dynamic cf-init
cf-init:
• Install and configure any packages or roles
• OS configuration and updates
• Download any required static files
54. Actual workflow (diagram)
Post-commit hook → Put to S3 bucket → Triggers Lambda → CloudFormation → Dynamic cf-init
• CloudFormation wait conditions
• CloudWatch events (uses tags)
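The package manifest that the post-commit hook emits on success is what the downstream Lambda trusts when it launches CloudFormation, so it is worth making the manifest verifiable. The following is an added example (not the presenters' pipeline code): it builds a manifest with a SHA-256 digest per executable and resource plus free-form metadata, and a verifier that a consumer would run before deploying. The directory layout, file names and the commit placeholder are constructed for the demo.

```python
import hashlib
import json
import os
import tempfile


def sha256_file(path):
    """Stream the file through SHA-256 so large executables need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(build_dir, executables, resources, metadata):
    """Manifest the hook would upload next to the package: one entry per file
    (kind + digest) plus whatever metadata the deploy step needs."""
    files = {}
    for rel_path in executables:
        files[rel_path] = {"kind": "executable",
                           "sha256": sha256_file(os.path.join(build_dir, rel_path))}
    for rel_path in resources:
        files[rel_path] = {"kind": "resource",
                           "sha256": sha256_file(os.path.join(build_dir, rel_path))}
    return {"version": 1, "metadata": dict(metadata), "files": files}


def verify_manifest(build_dir, manifest_json):
    """Return the paths that are missing or whose digest differs from the manifest.
    An empty list means the package matches what the hook produced."""
    manifest = json.loads(manifest_json)
    mismatched = []
    for rel_path, entry in sorted(manifest["files"].items()):
        full = os.path.join(build_dir, rel_path)
        if not os.path.isfile(full) or sha256_file(full) != entry["sha256"]:
            mismatched.append(rel_path)
    return mismatched


def demo():
    """Constructed package: build the manifest, verify, modify one file, verify again.
    Returns (mismatches before the modification, mismatches after)."""
    with tempfile.TemporaryDirectory() as build_dir:
        os.makedirs(os.path.join(build_dir, "bin"))
        os.makedirs(os.path.join(build_dir, "conf"))
        with open(os.path.join(build_dir, "bin/medication_status"), "wb") as fh:
            fh.write(b"#!/bin/sh\necho constructed executable\n")
        with open(os.path.join(build_dir, "conf/app.json"), "wb") as fh:
            fh.write(b'{"table": "MedicationStatusTable"}\n')
        manifest = build_manifest(
            build_dir, ["bin/medication_status"], ["conf/app.json"],
            {"commit": "0000000-placeholder", "built_by": "post-commit-hook"})
        manifest_json = json.dumps(manifest, indent=2, sort_keys=True)  # what goes to S3
        before = verify_manifest(build_dir, manifest_json)
        with open(os.path.join(build_dir, "bin/medication_status"), "ab") as fh:
            fh.write(b"echo changed after packaging\n")
        after = verify_manifest(build_dir, manifest_json)
    return before, after


if __name__ == "__main__":
    print(demo())
```

Because the verifier works from the manifest alone, the Lambda that reacts to the S3 put can refuse to start a CloudFormation deployment when any listed file is missing or altered, which turns the manifest from a packing list into an integrity check.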
64. Consult internally before implementing
These slides have been practices we have
used in industry – but security and compliance
is determined by YOU, the customer. So
please, please:
• Consult with your internal best practices
• Consult with your Cloud Center of Excellence
• Consult with your Information Security
group
• Consult with your Compliance organization
• Do your due diligence
66. Advanced Analytics & Machine
Learning on AWS
Ujjwal Ratan
Healthcare and Life Sciences Solutions Architect
Amazon Web Services
67. This Talk Will Cover
Analytics on AWS overview
Reference architectures
Amazon Machine Learning (AML) Overview
Application of AML to a real world problem - patient readmission
A look at the end user application
Q&A
68. A growing gap…
[chart: generated data vs. data available for analysis, 1990–2020; the difference is the "data volume gap"]
Sources: Gartner: User Survey Analysis: Key Trends Shaping the Future of Data Center Infrastructure Through 2011; IDC: Worldwide Business Analytics Software 2012–2016 Forecast and 2011 Vendor Shares
69. Analytical pipeline on AWS (diagram)
Stages: Collect (data collection and storage) → Process (data processing, event processing) → Analyze (data analysis) → Answers; Store underpins every stage
Services shown: Amazon S3, Amazon Kinesis, Amazon DynamoDB, Amazon RDS (Aurora), AWS Lambda, KCL Apps, Amazon EMR, Amazon Redshift, Amazon Machine Learning
70. Let's rewind to the 90s…. Familiar with this?
https://en.wikipedia.org/wiki/Data_warehouse#/media/File:Data_warehouse_overview.JPG
71. Fast-forward to the present day – Data Lakes (diagram)
Sources: application data, server logs, Internet APIs, custom apps → Amazon S3 (data lake) → Amazon EMR, Amazon RDS (data mart), Amazon Redshift → dashboards, Amazon Machine Learning
72. A reference architecture to build smart applications on AWS (diagram)
Inputs: DB schemas, CSV files, unstructured files, arriving from the corporate data center and the Internet
• S3 acts as a scalable object store for all forms of data. It is used as a data lake.
• Use EMR to process unstructured/semi-structured data and store it back as objects on S3.
• Redshift is used to enrich/transform the data set to make it suitable for acting as an ML data source.
• An ML model is created with Redshift as the data source.
• EC2 is used as a web server to host a website that acts as a frontend for the AML endpoint.
• A batch prediction can be generated using AML and the result file stored back in S3. An RDS schema acts as a source for Amazon QuickSight, which generates BI reports on prediction data.
Services shown: Amazon S3, Amazon Redshift, Amazon Machine Learning, Amazon EC2, Amazon EMR, Amazon QuickSight, Amazon RDS
73. Real world problem – Hospital Readmissions
• Hospital Readmission Reduction
Program (HRRP) part of the Affordable
Care Act.
• CMS is required to reduce payments to
hospitals with excess readmissions.
• Not all readmissions can be prevented
as some of them are a part of an
overall care plan for the patient.
• Facilities with high readmission rates
had their Medicare payment cut by 1%
in 2013 which rose to 2% in 2014.
74. Machine Learning
Wouldn’t it be great to proactively predict a patient’s risk of readmission based on some generic features?
Input features: patient demographics, patient history, admission attributes, other features
Output: Patient → High Risk Patient / Moderate Risk Patient / Low Risk Patient
76. The data set
The accuracy of ML models improves when more data is used to train them. This is a very limited dataset for building a comprehensive ML model, but the methodology can be replicated with larger data sets as well.
https://archive.ics.uci.edu/ml/datasets/Diabetes+130-US+hospitals+for+years+1999-2008
Public Data Set from UCI
• consists of 101,766 rows and represents 10 years of clinical care records
• 130 US hospitals and integrated delivery networks
• includes over 50 features (attributes) representing Diabetes patient and hospital outcomes.
77. Ingesting Data Into S3 - Staging
Table Name                  Table Type
admission_source.csv        Master
admission_type.csv          Master
discharge_disposition.csv   Master
Diabetic_data.csv           Transaction
$ aws s3 cp /tmp/foo/ s3://bucket/ --recursive
79. Data Load and Standardization
Data Load
COPY <Redshift_Table_Name> FROM 's3://<file_path.csv>' CREDENTIALS 'aws_access_key_id=<>;aws_secret_access_key=<>' DELIMITER ',' IGNOREHEADER 1;
IGNOREHEADER 1 skips the CSV header row. The CREDENTIALS clause shown embeds access keys in the SQL text; Redshift COPY also accepts an IAM role through the IAM_ROLE clause, which avoids placing long-lived keys in scripts and query logs.
Data Standardization
• Update NULL values
• Change attribute values which do not comply with standard patterns. Ex: SSN = XXX-XX-XXXX
• Complete geographical data where possible
• Add timeline values if possible
• Group granular attributes in sets. Ex: Ages 0 to 20 as young, 20 to 40 as Adult and so on.
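The five standardization rules above are usually applied before the data reaches the ML data source. Here they are as an added example in Python (not the presenters' code, which is not shown); it runs over constructed rows. The column names (age, ssn, state, zip), the missing-value markers, the age bands beyond the two the slide gives, and the ZIP-prefix lookup are all assumptions made for the demo.

```python
import re

SSN_PATTERN = re.compile(r"^\d{3}-\d{2}-\d{4}$")        # the slide's example pattern XXX-XX-XXXX
MISSING_MARKERS = {"", "?", "NULL", "null", None}        # assumption: how missing values appear in the CSV
AGE_GROUPS = [(0, 20, "Young"), (20, 40, "Adult"),       # first two bands from the slide,
              (40, 65, "Middle-aged"), (65, 200, "Senior")]  # the rest are assumed
ZIP_PREFIX_TO_STATE = {"606": "IL", "100": "NY"}         # constructed lookup for completing geography


def age_group(age):
    """Map a numeric age onto the coarse bands (rule 5)."""
    for low, high, label in AGE_GROUPS:
        if low <= age < high:
            return label
    return None


def standardize(row, load_date):
    """Apply the slide's rules to one row and record which checks it failed."""
    # rule 1: every missing marker becomes a real NULL
    out = {key: (None if value in MISSING_MARKERS else value) for key, value in row.items()}
    issues = []
    # rule 2: values that do not follow the standard pattern are dropped rather than loaded as-is
    ssn = out.get("ssn")
    if ssn is not None and not SSN_PATTERN.match(ssn):
        out["ssn"] = None
        issues.append("ssn_format")
    # rule 3: complete geographical data from what is present
    if out.get("state") is None and out.get("zip"):
        out["state"] = ZIP_PREFIX_TO_STATE.get(out["zip"][:3])
    # rule 4: add a timeline value (here the load date)
    out["load_date"] = load_date
    # rule 5: group granular ages into sets
    try:
        out["age_group"] = age_group(int(out["age"])) if out.get("age") is not None else None
    except ValueError:
        out["age_group"] = None
        issues.append("age_format")
    out["issues"] = issues
    return out


def standardize_batch(rows, load_date):
    """Return (standardized rows, number of rows with at least one issue)."""
    result = [standardize(row, load_date) for row in rows]
    return result, sum(1 for row in result if row["issues"])


# constructed sample rows; the SSNs are placeholders, not real identifiers
SAMPLE_ROWS = [
    {"encounter_id": "1", "age": "35", "ssn": "123-45-6789", "state": "?", "zip": "60611"},
    {"encounter_id": "2", "age": "12", "ssn": "12345", "state": "", "zip": ""},
    {"encounter_id": "3", "age": "forty", "ssn": None, "state": "NY", "zip": "10001"},
]

if __name__ == "__main__":
    rows, flagged = standardize_batch(SAMPLE_ROWS, "2016-06-28")
    for row in rows:
        print(row)
    print("rows with issues:", flagged)
```

Keeping the per-row `issues` list makes the standardization auditable: the count of rejected SSNs or unparseable ages per load is itself a data-quality metric that can be monitored alongside the pipeline.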
80. Introducing Amazon ML
Easy to use, managed machine learning
service built for developers
Robust, powerful machine learning
technology based on Amazon’s internal
systems
Create models using your data already
stored in the AWS cloud
Deploy models to production in seconds
81. Create AML Model with Redshift as the source
CreateDataSourceFromRedshift API
Console
82. Real-time predictions
Synchronous, low-latency, high-throughput prediction generation
Request through service API or server or mobile SDKs
Best for interaction applications that deal with individual data records
>>> import boto
>>> ml = boto.connect_machinelearning()
>>> ml.predict(
...     ml_model_id='my_model',
...     predict_endpoint='example_endpoint',
...     record={'key1': 'value1', 'key2': 'value2'})
{
    'Prediction': {
        'predictedValue': 13.284348,
        'details': {
            'Algorithm': 'SGD',
            'PredictiveModelType': 'REGRESSION'
        }
    }
}
83. Real-time Predictions Using AML
Create a real-time endpoint using the console or the CreateRealtimeEndpoint API. Once enabled, the model can be queried in real time using the endpoint.
Target Attribute for the Binary Classification Model: Readmission_Result
84. Application website hosted on S3
var machinelearning = new AWS.MachineLearning({apiVersion: '2014-12-12'});
var params = {
    MLModelId: '<AML Model ID>',
    PredictEndpoint: '<AML Model Real Time End Point>',
    Record: <Selected Attributes record set>
};
var request = machinelearning.predict(params);
The application calls the Predict() API with the necessary parameters.
The website hosting feature of S3 allows us to host websites without any web servers and takes away the complexity of scaling hardware based on the traffic routed to your application.
85. Thank You.. Any Questions?
Before we end, here’s a look at the application
http://predictreadmission.s3-website-us-west-2.amazonaws.com
107. What is IoT?
The internet of things (IoT) is the network of physical objects—devices,
vehicles, buildings and other items—embedded with electronics, software,
sensors, and network connectivity that enables these objects to collect and
exchange data.
https://en.wikipedia.org/wiki/Internet_of_things
Why AWS IoT?
AWS IoT can support billions of devices and trillions of messages, and can
process and route those messages to AWS endpoints and to other devices
reliably and securely. With AWS IoT, your applications can keep track of and
communicate with all your devices, all the time, even when they aren’t
connected.
108. Grove IoT Kit from Seeed Studio
http://www.seeedstudio.com/wiki/images/d/d0/Aws_kit_edison.JPG
109. Use-Case: Medication Status
Scenario:
Button is pressed by a technician to dispense medication
Requirements:
• Simple example (one of many ways)
• Data stored in a queryable repository
• Notification via SMS if medication is not dispensed for a day
• Accessible from Amazon Echo/Alexa
111. Elephant in the room
http://nos.twnsnd.co/post/104252656546/elephants-tea-party-robur-tea-room-24-march
[diagram: the services used in the design, Amazon Kinesis, AWS Lambda, Amazon DynamoDB, Amazon SNS, Alexa and AWS IoT, sorted into "HIPAA Eligible" and "Not HIPAA Eligible"]
112. What does AWS IoT Consist of?
Device Gateway
The managed backbone of communication between
connected devices and the cloud which supports
the pub/sub messaging pattern, enabling scalable, low-
latency, and low-overhead communication.
IoT Rule Engine
The AWS IoT Rules Engine enables continuous processing
of inbound data from devices connected to the AWS IoT
service in a SQL-like syntax.
113. What does AWS IoT Consist of? (Part 2)
Device Registry
Allows you to organize and track devices using a logical
handle.
Device Shadow
Used to store and retrieve current state information for a
thing whether it is connected to the internet or not.
114. HTTPS, WebSockets and MQTTS
Supported Protocols
HTTPS, Websockets, Secure MQTT
What is MQTT?
A lightweight pub/sub protocol, designed to minimize network bandwidth and device
resource requirements. MQTT supports TLS for encryption.
MQTTS vs HTTPS:
• 93x faster throughput
• 11.89x less battery to send
• 170.9x less battery to receive
• 50% less power to keep connected
• 8x less network overhead
Source: http://stephendnicholas.com/archives/1217
115. Installing the SDKs
Install jsupm_grove and AWS IoT SDK
$ npm install jsupm_grove@0.4.0
$ npm install aws-iot-device-sdk
118. Certificate Signing Request
Dear Certificate Authority,
I’d really like a certificate for %NAME%, as identified by
the key pair with public key %PUB_KEY%. If you could sign
a certificate for me with those parameters, it’d be super
spiffy.
Signed (Cryptographically),
- The holder of the private key
127. Creating Kinesis Role and Stream
$ aws kinesis create-stream --stream-name medication_status_stream --shard-count 2
Amazon Kinesis
• Streams are made of Shards
• Each Shard ingests data up to 1MB/sec, and up to 1000 TPS
• Each Shard emits up to 2 MB/sec
• All data is stored for 24 hours – 7 days
• Scale Kinesis streams by splitting or merging Shards
• Replay data inside the 24-hour to 7-day window
128. Define IoT Kinesis Policy and Role
[diagram: IoT rule → Amazon Kinesis, governed by the IoT Kinesis Policy (permissions) and the IoT Kinesis Trust Policy (who may assume the role)]
129. Add IoT Kinesis Policy and Role
$ aws iam create-policy --policy-name lambda_medication_status_kinesis_policy --policy-document file://kinesis.policy.js
{
    "Policy": {
        …
        "Arn": "arn:aws:iam::789539825478:policy/lambda_medication_status_kinesis_policy"
    }
}
$ aws iam create-role --role-name medication_status_kinesis_role --assume-role-policy-document file://lambda_medication_iot_trust.policy.js
{
    "Role": {
        ...
        "Arn": "arn:aws:iam::789539825478:role/medication_status_kinesis_role"
    }
}
$ aws iam attach-role-policy --role-name medication_status_kinesis_role --policy-arn arn:aws:iam::789539825478:policy/lambda_medication_status_kinesis_policy
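Slides 128 and 129 name the two documents (the permissions policy in kinesis.policy.js and the trust policy in lambda_medication_iot_trust.policy.js) but do not show their contents. The following is an added example, not the deck's files: it generates a least-privilege pair for the IoT rule → Kinesis hop and includes a small checker that flags the wildcards that tend to creep into such documents. The stream ARN, account id and Sid are placeholders; `kinesis:PutRecord` is the action the Kinesis rule action needs.

```python
import json

PLACEHOLDER_STREAM_ARN = "arn:aws:kinesis:us-east-1:123456789012:stream/medication_status_stream"


def kinesis_put_policy(stream_arn):
    """Permissions policy: the role may write to exactly one stream and nothing else."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "IoTRuleWritesToOneStream",
            "Effect": "Allow",
            "Action": ["kinesis:PutRecord"],
            "Resource": [stream_arn],
        }],
    }


def iot_trust_policy():
    """Trust policy: only the AWS IoT service principal may assume the role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "iot.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }],
    }


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def policy_findings(document):
    """Return human-readable least-privilege findings for Allow statements (empty == clean)."""
    findings = []
    for index, statement in enumerate(document.get("Statement", [])):
        if statement.get("Effect") != "Allow":
            continue
        actions = _as_list(statement.get("Action"))
        resources = _as_list(statement.get("Resource"))
        principal = statement.get("Principal")
        if any(action == "*" or action.endswith(":*") for action in actions):
            findings.append("statement %d: wildcard action" % index)
        if any(resource == "*" for resource in resources):
            findings.append("statement %d: wildcard resource" % index)
        if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
            findings.append("statement %d: any principal may assume the role" % index)
    return findings


def render(document):
    """Serialize for the CLI's --policy-document / --assume-role-policy-document file:// arguments."""
    return json.dumps(document, indent=4)


# constructed counter-example: what the checker is meant to catch
OVERBROAD_EXAMPLE = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "kinesis:*", "Resource": "*"}],
}

if __name__ == "__main__":
    print(render(kinesis_put_policy(PLACEHOLDER_STREAM_ARN)))
    print(render(iot_trust_policy()))
    print("findings for over-broad policy:", policy_findings(OVERBROAD_EXAMPLE))
```

Running the checker against both documents before `aws iam create-policy` is a cheap gate to wire into the same post-commit pipeline the DevSecOps section describes, so that a policy widened to `kinesis:*` on `*` fails the build instead of reaching the account.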
132. Creating DynamoDB table
$ aws dynamodb create-table --table-name MedicationStatusTable --attribute-definitions AttributeName=ClientID,AttributeType=S AttributeName=LastSubmittedDate,AttributeType=N --key-schema AttributeName=ClientID,KeyType=HASH AttributeName=LastSubmittedDate,KeyType=RANGE --provisioned-throughput ReadCapacityUnits=1,WriteCapacityUnits=5
{
    "TableDescription": {
        "TableArn": "arn:aws:dynamodb:us-east-1:789539825478:table/MedicationStatusTable",
        ...
    }
}
Amazon DynamoDB
Throughput
• Provisioned at the table level
• Write capacity units (WCUs) are measured in 1KB per second
• Read capacity units (RCUs) are measured in 4KB per second
• RCUs measure strictly consistent reads
• Eventually consistent reads cost ½ of strongly consistent reads
• Read and write throughput limits are independent
• Increase as necessary, decrease at most 4 times per UTC day
133. Creating Lambda to Load Dynamo
[diagram: Amazon Kinesis → AWS Lambda → Amazon DynamoDB]
136. Deploying the Medication Status Lambda
$ aws lambda create-function --function-name MedicationStatus --runtime python2.7 --role arn:aws:iam::789539825478:role/medication_status_role --handler medication_kinesis.lambda_handler --timeout 3 --memory-size 128 --zip-file fileb://medication_kensis_lambda.zip
{
    "FunctionArn": "arn:aws:lambda:us-east-1:789539825478:function:MedicationStatus",
    ...
}
[diagram: Amazon Kinesis → AWS Lambda → Amazon DynamoDB]
Resource Sizing
• AWS Lambda offers 23 "power levels"
• Higher levels offer more memory and more CPU power
• 128MB, lowest CPU power
• 1.5GB, highest CPU power
• Compute price scales with the power level
• Duration ranging from 100ms to 5 minutes
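The deck shows the `create-function` call for the Kinesis → Lambda → DynamoDB step but not the handler in medication_kinesis.lambda_handler. Below is an added example, not the presenters' function, of what that handler has to do: decode the base64 Kinesis payloads, map them onto the table's key schema from slide 132 (ClientID as the S hash key, LastSubmittedDate as the N range key), and skip malformed records rather than fail the whole batch, since a Kinesis-triggered Lambda that raises will be retried on the same records and stall the shard. It also includes the check behind the "SMS if medication is not dispensed for a day" requirement. The JSON payload shape, the in-memory table stand-in and the timestamps are constructed assumptions; a real deployment would use a boto3 Table object.

```python
import base64
import json


class InMemoryTable:
    """Stand-in for a boto3 DynamoDB Table (assumption: only put_item and scan are needed)."""
    def __init__(self):
        self.items = []

    def put_item(self, Item):
        self.items.append(dict(Item))

    def scan(self):
        return {"Items": [dict(item) for item in self.items]}


TABLE = InMemoryTable()  # in production: boto3.resource("dynamodb").Table("MedicationStatusTable")


def parse_records(event):
    """Turn each Kinesis record into a DynamoDB item; count and skip records that
    are not valid base64, not JSON, or lack the fields the key schema needs."""
    items, rejected = [], 0
    for record in event.get("Records", []):
        try:
            payload = json.loads(base64.b64decode(record["kinesis"]["data"]))
            item = {
                "ClientID": str(payload["client_id"]),            # hash key (S)
                "LastSubmittedDate": int(payload["timestamp"]),   # range key (N), epoch seconds
                "Status": str(payload.get("status", "unknown")),
            }
        except (KeyError, ValueError, TypeError):
            rejected += 1
            continue
        items.append(item)
    return items, rejected


def lambda_handler(event, context, table=None):
    """Entry point named in --handler; writes one item per well-formed record."""
    table = table if table is not None else TABLE
    items, rejected = parse_records(event)
    for item in items:
        table.put_item(Item=item)
    return {"written": len(items), "rejected": rejected}


def clients_missing_dose(table, now, max_age_seconds=86400):
    """ClientIDs whose newest record is older than max_age_seconds: the SMS candidates
    for the 'not dispensed for a day' requirement."""
    latest = {}
    for item in table.scan()["Items"]:
        client_id = item["ClientID"]
        latest[client_id] = max(latest.get(client_id, 0), int(item["LastSubmittedDate"]))
    return sorted(cid for cid, ts in latest.items() if now - ts > max_age_seconds)


def make_event(payloads):
    """Build a Kinesis-shaped Lambda event from constructed payloads (dicts become JSON, bytes stay raw)."""
    records = []
    for payload in payloads:
        raw = payload if isinstance(payload, bytes) else json.dumps(payload).encode()
        records.append({"eventSource": "aws:kinesis",
                        "kinesis": {"data": base64.b64encode(raw).decode()}})
    return {"Records": records}


NOW = 1467072000  # constructed "current time": 2016-06-28T00:00:00Z as epoch seconds

if __name__ == "__main__":
    demo_table = InMemoryTable()
    demo_event = make_event([
        {"client_id": "dispenser-01", "timestamp": NOW - 3600, "status": "dispensed"},
        {"client_id": "dispenser-02", "timestamp": NOW - 2 * 86400, "status": "dispensed"},
        b"not json at all",
        {"client_id": "dispenser-03"},  # missing timestamp
    ])
    print(lambda_handler(demo_event, None, demo_table))
    print("no dose in the last day:", clients_missing_dose(demo_table, NOW))
```

The `rejected` count in the handler's return value is the thing to alarm on from CloudWatch: a sudden rise means devices or an upstream IoT rule started emitting a payload shape the table cannot represent.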