Building & Maintaining HIPAA-Compliant Applications in AWS
July 11, 2012
BIOS
LISA O’NEIL, VP of Enterprise Consulting, Control Group
DAVID ROCAMORA, VP of DevOps, Cloud Expert, Control Group
TOM STICKLE, Sr. Manager, Solutions Architecture, Amazon Web Services
CONTROL GROUP
• Technology & design services company based in NYC
• Full stack of expertise across strategy, engineering, software development, and design
• AWS Consulting Partner that provides architecture, migration, development, and support services
AWS PARTNER ECOSYSTEM
[Diagram: the AWS stack (global infrastructure: Regions, Availability Zones, Edge Locations; foundation services: Compute, Storage, Database, Networking; application platform services: Content Distribution, Messaging, Parallel Processing, Libraries & SDKs; management & administration: Administration Console, Identity & Access, Deployment, Monitoring). Technology partners cover the Application, Database, Middleware, Operating System, Security and Management layers; consulting partners serve Healthcare, Financial Services, Life Sciences, Manufacturing, Retail and Government.]
HIPAA SUMMARY
Health Insurance Portability & Accountability Act
Title II - Administrative Simplification
This provision addresses the security and privacy of health data. The standards are meant to improve the efficiency and effectiveness of the nation's health care system by encouraging the widespread use of electronic data interchange in the U.S. health care system.
HIPAA TECH REQUIREMENTS
• Risk analysis
• Admin policies & procedures
• Facility & workstation access controls
• Software/data access controls
• Integrity controls
• Transmission security
• Audit controls
• Backup & DR
• Encryption
BUSINESS ASSOCIATE AGREEMENT & AMAZON
• A Business Associate assumes responsibilities of the covered entity:
- Policies and procedures
- Access controls
- Reporting
• AWS is not a Business Associate (as of this talk, July 2012)
UNDERSTANDING EXISTING THREATS
• Data collected by HHS for breaches impacting 500 or more individuals
• Data limitations: timeliness, completeness
• 435 reported incidents to date (as of 7/10/12) impacting 20MM individuals
HIPAA BREACHES, % OF INCIDENTS
67% THEFT + LOSS
Theft 54%
Loss 13%
Unauthorized Access/Disclosure 19%
Hacking/IT Incident 8%
Improper Disposal 5%
Other/Unknown 1%
HIPAA BREACHES, % OF AFFECTED INDIVIDUALS
85% THEFT + LOSS
Loss 46%
Theft 39%
Hacking/IT Incident 9%
Unauthorized Access/Disclosure 4%
Improper Disposal 2%
Other/Unknown 0%
HIPAA BREACHES BY TYPE/ASSET, % OF AFFECTED INDIVIDUALS
92% RELATED TO PHYSICAL HARDWARE/DIGITAL MEDIA
Theft and Loss: Computer/HW 54%
Theft and Loss: Electronic Media 30%
Hacking/IT Incident: Network Server 8%
Improper Disposal 3%
Unauthorized Access/Disclosure: Paper/Other 2%
Unauthorized Access/Disclosure: Digital 2%
Theft and Loss: Paper/Other 1%
Hacking/IT Incident: Computer/Other 0%
Other 0%
HIPAA BREACHES BY YEAR, % OF AFFECTED INDIVIDUALS
[Chart: affected individuals per year for 2009*, 2010, 2011 and 2012*, broken down by Loss, Theft, Unauthorized Access/Disclosure, Improper Disposal, Hacking/IT Incident and Other/Unknown; vertical axis 0 to 12,000,000. * Incomplete data for 2009 and 2012.]
WHY AWS IS A GREAT OPTION FOR HEALTHCARE COMPANIES
AWS PLATFORM
[Diagram: your applications on top of the AWS stack: global infrastructure (Regions, Availability Zones, Edge Locations); foundation services (Compute, Storage, Database, Networking); application platform services (Content Distribution, Messaging, Parallel Processing, Libraries & SDKs); management & administration (Administration Console, Identity & Access, Deployment, Monitoring).]
CUSTOMERS HAVE COMPLETE CONTROL OVER APPLICATION INFRASTRUCTURE
[Diagram: physical interfaces feed the hypervisor; a firewall enforces each customer's own security groups (Customer 1 Security Groups, Customer 2 Security Groups, … Customer n Security Groups) in front of that customer's virtual interfaces.]
CUSTOMERS HAVE COMPLETE CONTROL OVER VIRTUAL NETWORKING
AWS REGIONS & AVAILABILITY ZONES
Customer Decides Where Applications and Data Reside
IDENTITY & ACCESS MANAGEMENT ROLES
• Secure credential delivery
• No need to embed secrets
[Diagram: one AWS account with IAM groups Admins, Developers and Test; users Bob, Susan, Brad, Jim, Mark, Kevin, Cathy and Allen and applications DevApp1, DevApp2, TestApp1 and TestApp2 assigned to the groups; an EC2 instance obtains its credentials through a role.]
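The credential-delivery point above, as an added example (not code from the talk or from Control Group): an application on an EC2 instance fetches its role's temporary credentials from the instance metadata service and refreshes them before they expire, so no access key is ever written into code, config or an AMI. The metadata endpoint path and the JSON fields are the documented ones; the fake metadata responder, the role name app-role, the key values and the timestamps are constructed so the block runs offline. On current instances the token-based IMDSv2 should be used rather than the plain GET shown here.

```python
"""Obtain AWS credentials from an EC2 instance role instead of embedding keys.

Added example, not code from the talk. Assumes the instance metadata service
(IMDS) endpoints below; the fetcher is injectable so the refresh logic can be
exercised offline with the constructed fake at the end.
"""
import json
import re
import urllib.request
from datetime import datetime, timedelta, timezone

# Link-local endpoint, reachable only from inside the instance.
IMDS_BASE = "http://169.254.169.254/latest/meta-data/iam/security-credentials/"
KEY_ID_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")  # format of a long-lived access key ID


def http_get(url: str, timeout: float = 1.0) -> str:
    """Default fetcher: plain GET against the metadata service."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode()


def parse_expiration(stamp: str) -> datetime:
    """IMDS reports Expiration as an ISO-8601 UTC timestamp, e.g. 2012-07-11T20:00:00Z."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


class InstanceRoleCredentials:
    """Caches the role's temporary credentials and refreshes them before expiry.

    The application never holds a long-lived secret: the keys are short-lived,
    rotated by AWS, and delivered only inside the instance. The session token
    must accompany every request signed with these keys.
    """

    def __init__(self, fetch=http_get, refresh_margin=timedelta(minutes=5), clock=None):
        self._fetch = fetch
        self._margin = refresh_margin
        self._clock = clock or (lambda: datetime.now(timezone.utc))
        self._creds = None
        self._expires = None

    def _load(self) -> None:
        roles = self._fetch(IMDS_BASE).split()   # listing of role names, one per line
        if not roles:
            raise RuntimeError("no IAM role attached to this instance")
        doc = json.loads(self._fetch(IMDS_BASE + roles[0]))
        if doc.get("Code") != "Success":
            raise RuntimeError("role credentials unavailable: %r" % doc.get("Code"))
        self._creds = {
            "access_key": doc["AccessKeyId"],
            "secret_key": doc["SecretAccessKey"],
            "session_token": doc["Token"],
        }
        self._expires = parse_expiration(doc["Expiration"])

    def get(self) -> dict:
        """Return current credentials, refreshing once inside the expiry margin."""
        if self._creds is None or self._clock() >= self._expires - self._margin:
            self._load()
        return dict(self._creds)


def find_embedded_keys(text: str) -> list:
    """Flag long-lived access key IDs pasted into code or config, which roles make unnecessary."""
    return KEY_ID_RE.findall(text)


def fake_imds(role: str = "app-role", expiration: str = "2012-07-11T20:00:00Z"):
    """Constructed stand-in for IMDS so the example runs offline; records every call."""
    calls = []

    def fetch(url: str) -> str:
        calls.append(url)
        if url == IMDS_BASE:
            return role + "\n"
        if url == IMDS_BASE + role:
            return json.dumps({"Code": "Success", "Type": "AWS-HMAC",
                               "AccessKeyId": "ASIAEXAMPLEKEYID0001",
                               "SecretAccessKey": "constructed-secret",
                               "Token": "constructed-session-token",
                               "Expiration": expiration})
        raise RuntimeError("unexpected metadata path " + url)

    return fetch, calls


if __name__ == "__main__":
    fetch, calls = fake_imds()
    now = [parse_expiration("2012-07-11T19:00:00Z")]
    creds = InstanceRoleCredentials(fetch=fetch, clock=lambda: now[0])
    print(creds.get()["access_key"], len(calls), "IMDS calls")   # first use loads
    creds.get()                                                 # cached, no new call
    now[0] = parse_expiration("2012-07-11T19:56:00Z")           # inside the 5-minute margin
    creds.get()                                                 # refreshed
    print(len(calls), "IMDS calls after refresh")
    print(find_embedded_keys('aws_access_key_id = "AKIAIOSFODNN7EXAMPLE"'))
```

The session token is the part teams most often drop: role credentials are STS credentials, and a request signed with the key pair but without the token is rejected. The `find_embedded_keys` check is the complementary control, run over the repository and configuration so that a long-lived key cannot quietly creep back in.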
HOW CONTROL GROUP USES AWS FOR HIPAA APPS
INFRASTRUCTURE AS CODE
• Versionable
• Testable
• Auditable
[Diagram: the infrastructure template and the app code (<?php …) are versioned together and promoted through Dev, QA and Production.]
APPROACH
AUDIT
• Examine existing apps, infrastructure, and process
• Recommend changes
• Business Associate Agreement (BAA)
UPDATE
• Provide dev and devops support to update existing apps and the code base
• Create a testable AWS infrastructure template that is versioned with the app code
DEPLOY, TEST, UPDATE... REPEAT
• Deploy the application in AWS
• Test for functionality, security, and load
• Continue to improve the application and its infrastructure
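One way to make the template "testable" in the security sense the approach calls for, as an added example that is not Control Group's template or test code: a policy check over the network boundaries in the template, run in the same pipeline as the application's unit tests because the two are versioned together. The template shape is a simplified dict invented for this example (not CloudFormation or any AWS API format), the admin range 203.0.113.0/24 is an RFC 5737 documentation address, and the "before" and "after" templates are constructed.

```python
"""Policy test for the network boundaries in an infrastructure template.

Added example, not Control Group's code. The template format is a simplified
dict of this example's own; the rules encode the least-privilege boundaries an
audit asks to see evidenced, so a widened rule fails the build instead of
surfacing in the next audit.
"""
ANY = "0.0.0.0/0"
PUBLIC_OK = {("tcp", 443)}         # the only service the internet may reach
ADMIN_CIDRS = {"203.0.113.0/24"}   # constructed admin range (RFC 5737 documentation block)
DB_PORTS = {3306, 5432}


def check_template(template: dict) -> list:
    """Return a list of findings; an empty list means the template passes."""
    findings = []
    for name, sg in template["security_groups"].items():
        for rule in sg.get("ingress", []):
            ports = range(rule["from_port"], rule["to_port"] + 1)
            cidr, src_group = rule.get("cidr"), rule.get("source_group")
            if cidr == ANY:
                for port in ports:
                    if (rule["protocol"], port) not in PUBLIC_OK:
                        findings.append(f"{name}: {rule['protocol']}/{port} open to the internet")
            if 22 in ports and src_group is None and cidr not in ADMIN_CIDRS:
                findings.append(f"{name}: ssh allowed from {cidr}, not an admin CIDR")
            for port in ports:
                if port in DB_PORTS and src_group is None:
                    findings.append(f"{name}: database port {port} reachable by CIDR {cidr}; "
                                    "require a source security group")
    return findings


def rule(protocol: str, port: int, **source) -> dict:
    """Single-port ingress rule; source is cidr=... or source_group=..."""
    return {"protocol": protocol, "from_port": port, "to_port": port, **source}


# Constructed "before" template: the shape a manual build often ends up with.
WEAK = {"security_groups": {
    "web": {"ingress": [rule("tcp", 80, cidr=ANY), rule("tcp", 443, cidr=ANY),
                        rule("tcp", 22, cidr=ANY)]},
    "db":  {"ingress": [rule("tcp", 5432, cidr="10.0.0.0/16")]},
}}

# Constructed "after" template: the internet reaches only TLS on the web tier, SSH
# comes from the admin range, and the database accepts only the app tier's group.
HARDENED = {"security_groups": {
    "web": {"ingress": [rule("tcp", 443, cidr=ANY), rule("tcp", 22, cidr="203.0.113.0/24")]},
    "app": {"ingress": [rule("tcp", 8080, source_group="web")]},
    "db":  {"ingress": [rule("tcp", 5432, source_group="app")]},
}}

if __name__ == "__main__":
    for finding in check_template(WEAK):
        print("FAIL", finding)
    print("hardened findings:", check_template(HARDENED))
```

Referencing a source security group rather than a CIDR for the database tier is the point of the third rule: an address range says nothing about which workload is on the other end, while a group reference admits only instances actually launched into the app tier.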
CASE STUDY: PRONIA
Pronia Medical Systems provides the GlucoCare Intensive Glycemic Control System that helps hospitals and care facilities manage hyperglycemia in critically ill patients.
• The process of deploying and configuring trial infrastructure for each prospective client took anywhere from 1 to 3 months before migrating to AWS.
• With their GlucoCare trial infrastructure in AWS, Pronia cut their sales cycle down to 24 hours.
THE APPROACH: PRONIA
AUDIT
• Identified changes required to encrypt data stored in the database
• Determined who required access to the app
• Business Associate Agreement (BAA)
UPDATE
• Updated application code to add encryption capabilities to the model
• AWS infrastructure template created using Python, Puppet, and a custom AMI
DEPLOY, TEST, UPDATE... REPEAT
• Pronia now uses the template to create new environments for hospitals using AWS
• Testing environments are created whenever a bug needs to be isolated or new features need to be tested
RESULTS
• Pronia cut their trial sales cycle down from 3 months to 24 hours
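The shape of the "add encryption capabilities to the model" change, as an added example that is not Pronia's or Control Group's code: the model encrypts a PHI field before it reaches the database and decrypts it on read, so a stored row never holds plaintext PHI, and a ciphertext copied into another patient's row or modified in place is rejected. The cipher is a stdlib-only encrypt-then-MAC construction (HMAC-SHA256 as a PRF in counter mode, plus an HMAC tag) chosen only so the block runs with no dependencies; in production use AES-GCM from a vetted library. The PatientRecord model, its columns and the demo key are hypothetical.

```python
"""Field-level encryption of PHI in the model layer.

Added example, not Pronia's or Control Group's code. The key comes from the
application's key source (a key-management service or protected config),
never from the repository or the database row.
"""
import hashlib
import hmac
import os
import struct

NONCE_LEN, TAG_LEN = 16, 32


def _subkey(master_key: bytes, purpose: bytes) -> bytes:
    """Separate encryption and MAC keys derived from one master key."""
    return hmac.new(master_key, purpose, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    for counter in range(0, length, 32):
        out += hmac.new(key, nonce + struct.pack(">Q", counter // 32), hashlib.sha256).digest()
    return bytes(out[:length])


def encrypt(master_key: bytes, plaintext: bytes, aad: bytes = b"") -> bytes:
    """Returns nonce || ciphertext || tag; aad is authenticated but not stored."""
    nonce = os.urandom(NONCE_LEN)
    stream = _keystream(_subkey(master_key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(_subkey(master_key, b"mac"), aad + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(master_key: bytes, blob: bytes, aad: bytes = b"") -> bytes:
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("ciphertext too short")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(master_key, b"mac"), aad + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # verify before touching the ciphertext
        raise ValueError("ciphertext failed authentication")
    stream = _keystream(_subkey(master_key, b"enc"), nonce, len(ct))
    return bytes(c ^ s for c, s in zip(ct, stream))


class EncryptedField:
    """Descriptor: plaintext on the object, ciphertext in the row that is persisted."""

    def __init__(self, column: str):
        self.column = column

    def __get__(self, obj, objtype=None):
        if obj is None:
            return self
        blob = obj.row.get(self.column)
        return None if blob is None else decrypt(obj.key, blob, obj.aad()).decode()

    def __set__(self, obj, value: str):
        obj.row[self.column] = encrypt(obj.key, value.encode(), obj.aad())


class PatientRecord:
    """Hypothetical model; `row` is the dict that goes to the database."""
    mrn = EncryptedField("mrn_enc")
    notes = EncryptedField("notes_enc")

    def __init__(self, key: bytes, patient_id: int, row: dict = None):
        self.key = key                    # from the key source, never written to the row
        self.patient_id = patient_id
        self.row = row if row is not None else {"patient_id": patient_id}

    def aad(self) -> bytes:
        """Binds each ciphertext to its row: a blob moved to another patient fails to decrypt."""
        return str(self.patient_id).encode()


def demo(key: bytes = b"constructed-32-byte-demo-key-xxx") -> dict:
    """Round trip plus the two failure modes; returns what each produced."""
    rec = PatientRecord(key, 42)
    rec.mrn = "MRN-000123"
    stored = rec.row["mrn_enc"]
    reloaded = PatientRecord(key, 42, dict(rec.row)).mrn
    swapped = PatientRecord(key, 43, {"patient_id": 43, "mrn_enc": stored})
    tampered_blob = bytearray(stored)
    tampered_blob[NONCE_LEN] ^= 0x01    # flip one bit of the ciphertext
    tampered = PatientRecord(key, 42, {"patient_id": 42, "mrn_enc": bytes(tampered_blob)})
    result = {"plaintext_in_row": b"MRN-000123" in stored, "reloaded": reloaded}
    for label, r in (("swap_rejected", swapped), ("tamper_rejected", tampered)):
        try:
            r.mrn
            result[label] = False
        except ValueError:
            result[label] = True
    return result


if __name__ == "__main__":
    print(demo())
```

Two consequences follow for the rest of the system: encrypted columns can no longer be searched or indexed by the database, so lookups on them need a separate keyed hash or a design that avoids them, and backups and DR copies now carry ciphertext that is only as recoverable as the key material, which must be backed up and rotated under its own controls.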
CONCLUSION
• AWS provides building blocks to create secure and HIPAA-compliant systems
• AWS enables customers to improve security via predictable deployments for HIPAA-compliant apps
• Control Group can partner as a Business Associate under a BAA
• Control Group is an experienced partner that can help healthcare organizations build and maintain applications securely in AWS
Q & A
For more information on building & maintaining healthcare applications in AWS: Lisa O’Neil [email protected] 212-343-2525 x 192
CONTROLGROUP.COM
THANK YOU
David Rocamora, [email protected]
Lisa O’Neil, [email protected]
Tom Stickle, [email protected]