Page 1: Building & Maintaining HIPAA-Compliant Applications in AWS

July 11, 2012

Page 2: BIOS

Lisa O’Neil, VP of Enterprise Consulting, Control Group

David Rocamora, VP of DevOps and Cloud Expert, Control Group

Tom Stickle, Sr. Manager, Solutions Architecture, Amazon Web Services

Page 3: CONTROL GROUP

•  Technology & design services company based in NYC

•  Full stack of expertise across strategy, engineering, software development, and design

•  AWS Consulting Partner that provides architecture, migration, development, and support services

Page 4: AWS PARTNER ECOSYSTEM

Diagram: the AWS platform stack (Global Infrastructure: Regions, Availability Zones, Edge Locations; Foundation Services: Compute, Storage, Database, Networking; Application Platform Services: Content Distribution, Messaging, Parallel Processing, Libraries & SDKs; Management & Administration: Administration Console, Identity & Access, Deployment, Monitoring), with Technology Partners layered above it (Application, Database, Middleware, Operating System, Security, Management) and Consulting Partners serving Healthcare, Financial Services, Life Sciences, Manufacturing, Retail, and Government.

Page 5: HIPAA SUMMARY

Health Insurance Portability & Accountability Act

Title II - Administrative Simplification

This provision addresses the security and privacy of health data. The standards are meant to improve the efficiency and effectiveness of the nation's health care system by encouraging the widespread use of electronic data interchange in the U.S. health care system.

Page 6: HIPAA TECH REQUIREMENTS

•  Risk analysis

•  Admin policies & procedures

•  Facility & workstation access controls

•  Software/data access controls

•  Integrity controls

•  Transmission security

•  Audit controls

•  Backup & DR

•  Encryption


Page 7: BUSINESS ASSOCIATE AGREEMENT & AMAZON

•  Business Associate assumes responsibilities of covered entity

-  Policies and procedures

-  Access controls

-  Reporting

•  AWS is not a Business Associate

Page 8: UNDERSTANDING EXISTING THREATS

•  Data collected by HHS for breaches impacting 500 or more individuals

•  Data limitations - timeliness, completeness

•  435 reported incidents to date (as of 7/10/12) impacting 20MM individuals

Page 9: HIPAA BREACHES, % OF INCIDENTS

Chart: share of reported incidents by breach type (theft + loss together account for 67%)

Theft 54%

Loss 13%

Unauthorized Access/Disclosure 19%

Hacking/IT Incident 8%

Improper Disposal 5%

Other/Unknown 1%

Page 10: HIPAA BREACHES, % OF AFFECTED INDIVIDUALS

Chart: share of affected individuals by breach type (theft + loss together account for 85%)

Loss 46%

Theft 39%

Hacking/IT Incident 9%

Unauthorized Access/Disclosure 4%

Improper Disposal 2%

Other/Unknown 0%

Page 11: HIPAA BREACHES BY TYPE/ASSET; % OF AFFECTED INDIVIDUALS

Chart: share of affected individuals by breach type and asset (92% related to physical hardware/digital media)

Theft and Loss: Computer/HW 54%

Theft and Loss: Electronic Media 30%

Hacking/IT Incident: Network Server 8%

Improper Disposal 3%

Unauthorized Access/Disclosure: Paper/Other 2%

Unauthorized Access/Disclosure: Digital 2%

Theft and Loss: Paper/Other 1%

Hacking/IT Incident: Computer/Other 0%

Other 0%

Page 12: HIPAA BREACHES BY YEAR; % OF AFFECTED INDIVIDUALS

Chart: affected individuals per year (2009*, 2010, 2011, 2012*; y-axis 0 to 12,000,000), broken down by Loss, Theft, Unauthorized Access/Disclosure, Improper Disposal, Hacking/IT Incident, and Other/Unknown. * Incomplete data.

Page 13: WHY AWS IS A GREAT OPTION FOR HEALTHCARE COMPANIES

Page 14: AWS PLATFORM

Diagram: Your Applications sit on top of the AWS platform stack: Global Infrastructure (Regions, Availability Zones, Edge Locations); Foundation Services (Compute, Storage, Database, Networking); Application Platform Services (Content Distribution, Messaging, Parallel Processing, Libraries & SDKs); Management & Administration (Administration Console, Identity & Access, Deployment, Monitoring).

Page 15: CUSTOMERS HAVE COMPLETE CONTROL OVER APPLICATION INFRASTRUCTURE

Diagram: the host's Physical Interfaces are mapped through the Hypervisor to Virtual Interfaces for Customer 1, Customer 2 ... Customer n, with a Firewall enforcing each customer's own Security Groups (Customer 1 Security Groups, Customer 2 Security Groups, Customer n Security Groups).

Page 16: CUSTOMERS HAVE COMPLETE CONTROL OVER VIRTUAL NETWORKING

Page 17: AWS REGIONS & AVAILABILITY ZONES

Customer Decides Where Applications and Data Reside

Page 18: IDENTITY & ACCESS MANAGEMENT ROLES

•  Secure credential delivery

•  No need to embed secrets

Diagram: one AWS Account containing the groups Admins, Developers and Test; the users Bob, Susan, Brad, Jim, Mark, Kevin, Cathy and Allen; the application identities DevApp1, DevApp2, TestApp1 and TestApp2; and an EC2 Instance.

Page 19: HOW CONTROL GROUP USES AWS FOR HIPAA APPS

INFRASTRUCTURE AS CODE

•  Versionable

•  Testable

•  Auditable

Diagram: the Infrastructure Template & App Code (the app code shown as a PHP file) are promoted together through Dev, QA and Production.

Page 20: APPROACH

AUDIT

•  Examine existing apps, infrastructure, and process

•  Provide recommendations for changes

•  Business Associate Agreement (BAA)

UPDATE

•  Provide dev and devops support to update existing apps and code base

•  Create a testable AWS infrastructure template that is versioned with app code

DEPLOY, TEST, UPDATE... REPEAT

•  Deploy the application in AWS

•  Test for functionality, security, and load

•  Continue to improve the application and its infrastructure

Diagram: the cycle Audit, Update, Deploy, Test, Update.

Page 21: CASE STUDY: PRONIA

Pronia Medical Systems provides the GlucoCare Intensive Glycemic Control System that helps hospitals and care facilities manage hyperglycemia in critically ill patients.

•  The process of deploying and configuring trial infrastructure for each prospective client took anywhere from 1 to 3 months before migrating to AWS.

•  With their GlucoCare trial infrastructure in AWS, Pronia cut their sales cycle down to 24 hours.


Page 22: THE APPROACH

AUDIT

•  Identified changes required to encrypt data stored in database

•  Determined who required access to app

•  Business Associate Agreement (BAA)

UPDATE

•  Updated application code to add encryption capabilities to model

•  AWS infrastructure template created using Python, Puppet, and a custom AMI

DEPLOY, TEST, UPDATE... REPEAT

•  Pronia now uses template to create new environments for hospitals using AWS

•  Testing environments are created whenever a bug needs to be isolated or new features need to be tested

RESULTS

•  Pronia cut their trial sales cycle down from 3 months to 24 hours
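The IAM-roles slide (page 18: credentials delivered to the instance, no embedded secrets) and the testable, versioned infrastructure template (pages 19 and 22) meet in a check like the one below. It is an added example, not Control Group's or Pronia's template: it audits a constructed CloudFormation-style template so that every EC2 instance receives credentials through an instance profile rather than a pasted access key, and no role policy grants wildcard actions. The resource names, bucket ARN and key ID are constructed.

```python
import json
import re

# Constructed, minimal CloudFormation-style template (not Control Group's or
# Pronia's real one). GoodInstance gets credentials through an IAM role;
# BadInstance has an access key pasted into its UserData script.
TEMPLATE = {"Resources": {
    "AppRole": {"Type": "AWS::IAM::Role", "Properties": {"Policies": [{
        "PolicyName": "read-phi-bucket",
        "PolicyDocument": {"Statement": [{
            "Effect": "Allow", "Action": ["s3:GetObject"],
            "Resource": "arn:aws:s3:::example-phi-bucket/*"}]}}]}},
    "AppProfile": {"Type": "AWS::IAM::InstanceProfile",
                   "Properties": {"Roles": [{"Ref": "AppRole"}]}},
    "GoodInstance": {"Type": "AWS::EC2::Instance", "Properties": {
        "IamInstanceProfile": {"Ref": "AppProfile"},
        "UserData": "#!/bin/sh\npuppet agent -t\n"}},
    "BadInstance": {"Type": "AWS::EC2::Instance", "Properties": {
        "UserData": "#!/bin/sh\nexport AWS_ACCESS_KEY_ID=AKIAEXAMPLEEXAMPLE01\n"}},
}}

# AWS access key IDs are 20 characters and begin with "AKIA".
ACCESS_KEY_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")


def audit_template(template):
    """Return (resource name, finding) pairs that violate the slide's controls."""
    findings = []
    for name, res in template["Resources"].items():
        props = res.get("Properties", {})
        if res["Type"] == "AWS::EC2::Instance":
            if "IamInstanceProfile" not in props:
                findings.append((name, "no instance profile: credentials would be embedded"))
            # json.dumps also reaches UserData wrapped in Fn::Base64 / Fn::Join
            if ACCESS_KEY_RE.search(json.dumps(props.get("UserData", ""))):
                findings.append((name, "AWS access key embedded in UserData"))
        elif res["Type"] == "AWS::IAM::Role":
            for policy in props.get("Policies", []):
                for stmt in policy["PolicyDocument"]["Statement"]:
                    actions = stmt["Action"]
                    if isinstance(actions, str):
                        actions = [actions]
                    if stmt.get("Effect") == "Allow" and any(
                            a == "*" or a.endswith(":*") for a in actions):
                        findings.append((name, "wildcard action in " + policy["PolicyName"]))
    return findings
```

Run as a unit test beside the template so a pull request that pastes a key into UserData or widens a role fails before it reaches QA.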

Page 23: CONCLUSION

•  AWS provides building blocks to create secure and HIPAA-compliant systems

•  AWS enables customers to improve security via predictable deployments for HIPAA-compliant apps

•  Control Group can partner as a Business Associate under a BAA

•  Control Group is an experienced partner that can help healthcare organizations build and maintain applications securely in AWS.

Page 24: Q & A

For more information on building & maintaining healthcare applications in AWS: Lisa O’Neil [email protected] 212-343-2525 x 192

CONTROLGROUP.COM

Page 25: THANK YOU

David Rocamora, [email protected]

Lisa O’Neil, [email protected]

Tom Stickle, [email protected]