Coronavirus has upended life as we know it. Fortunately, healthcare providers are plowing through it all and bringing to us what we need the most. Their unimaginable personal sacrifices are saving us day and night from some unimaginable individual consequences. This blog post must begin with a big thanks to all healthcare providers. You Rock!
About 3 months ago, I had the good luck of starting work with Strategic Government Solutions of Ohio. Strategic Government Solutions offers a Software as a Service Solution to US State and local Government agencies as well as to healthcare providers such as hospitals. I was blown away when they showed me how they plan to help citizens as well as government agencies. Digital Health is a massive up and coming business opportunity that truly serves the public in an impactful way. Strategic Government Solutions had the client and they had the solution. The only thing they needed was an architecture and operations team that can design a secure solution and operate it day to day. It being a healthcare solution, HIPAA Compliance was at the center of it all. This, to me, sounded like a win-win relation in the offing. That is how FastUp got started in a fruitful partnership with Strategic Government Solutions. In the following few paragraphs, I want to share what we did and how it works.
Requirements and Constraints
The scope of engagement was architecture and operations. This means, the Requirements and Constraints were mainly non-functional in nature. We began discussions with a deep review of HIPAA requirements and laid down the fundamental requirements around security and business processes. Amazon Web Services has already published a “HIPAA Quickstart” that can assist with this discussion. One of the key assets that drives architecture is the “Security Controls Matrix”. This security controls matrix drives AWS Product selection for each security requirement from the HIPAA regulation.
Next, we discussed how to secure DevOps processes so that configuration changes were controlled and audited.
Finally, we discussed the AWS Products that we would use to provide the most cost-effective, secure, reliable and performant application.
The key concern with networking in HIPAA is to protect all data and API from direct access. FastUp already provides Secure Networks as a template. This secure network template creates 3 regions within the AWS VPC. One for Load Balancers and other AWS Managed Resources that must be exposed to the Public Internet. Another for Application Servers that must not be exposed to the Internet but must need access to the Internet for application requirements. Third for Databases that must not be exposed to public Internet and must not have access to Internet. FastUp Network templates additionally provide for Secured VPN access if needed.
For client side application delivery, we chose Cloudfront CDN that brokered all traffic and cached some traffic from client to Load Balancer and back.
We chose AWS Elasticbeanstalk for the application platform. The primary reason for choosing this product is the “managed updates” feature. When configured correctly, Amazon manages the underlying EC2 instances for you. This means that every quarter or sooner, AWS updates the AMI of the EC2 instances with latest security patches and application servers. This is great because this takes care of one of the responsibilities under HIPAA.
FastUp designed a highly available AWS RDS Postgres Database with the PostGIS extension enabled. The key design consideration was to allow for a multi-master and multi-region architecture in future. To do this we must be able to utilize native Postgres tooling or use a combination of DMS and Kinesis to be able to replicate multi-region.
We chose AWS Web Application Firewall with AWS Managed rules for the application firewall region. AWS WAF allows us to monitor traffic and take live remedial action when unintended traffic is detected.
The AWS Organization was split between a “Dev” AWS Account and a “Prod” AWS Account. Using AWS CodePipelines and CodeBuild, we designed a process by which developers published their code in the Dev Account and upon testing that code was promoted to the Prod environment for automatic deployment. This pipeline additionally deployed all SQL DDL, DML changes, AWS Cognito user creation, Lambda function updates (for batch functions).
For user store, we chose AWS Cognito User Pools with self-sign up disabled. New users are created as and when required using the Cognito Import funtionality.
The final piece of the puzzle was to design an Operations Process that allowed FastUp Staff to monitor and remedy incidents as they came up. For this, we use Cloudwatch alarms that notify the FastUp System. The FastUp system is capable of automatically triaging an incoming incident, detecting its severity and assigning it to a specific individual within FastUp. All remedial action on EC2 instances is conducted using Automated AWS SSM (System Service Manager) Documents and other actions are completed using a custom built solution that allows FastUp staff to propose a change, have it reviewed and then schedule it for action during a client specified Maintenance Window.
As I wrote above, Healthcare service providers are making unimaginable sacrifices to protect us from unimaginable consequences. The world is not in a great place today due to COVID19. FastUp prides itself on being an advanced user of the AWS Platform and this is the least we can do to make the world a better place.