In this AWS Healthcare Days presentation you will learn best practices for architecting cloud-based applications for the healthcare industry, with a deep technical overview and demos. Topics covered include building a healthcare analytics pipeline in the cloud, HIPAA-compliant storage and archiving, and using infrastructure-as-code to automate your security and compliance policies. You will also see how cloud security partner ClearDATA is helping healthcare providers leverage services like AWS Config and AWS CloudTrail, as well as system-level tooling, to maintain the security and compliance of applications and environments through automation.
6. What I Hear…Often
“I think in 5 years, all providers will want to get out of the data center business” - National Provider CIO
“I want my team to focus on innovation, not plumbing” – SaaS CTO
“We need competitive advantage - really fast” – Payer CTO
“We want to help providers take on risk – they need HIE and analytics.” – Chief Analytics Officer, Payer
9. Agility
After moving to the cloud, Forbes found 60 per cent of business leaders say they have reduced their IT maintenance requirements, allowing them to focus more on strategy and innovation, with 59 per cent seeing increased business agility.
8. Community
Physicians
Participating Practices and Physicians
Quality Measures
Population management
Increased care coordination
Business model becomes more focused on wellness
Financial Alignment
Shared risk/shared rewards
Cost reduction incentives
Shift from encounter-focus to patient-focus
Clinical Integration Shared Services
Data Acquisition
Clinical Data Repository
Extract clinical data
Extract claims data
Data Integration
Patient EMPI
Provider EMPI
Data Standardization
Quality Metrics
Analytics and Reports
Health Team Communications
Physician communication
Provider-patient
Provider-provider
Technology aspects are critical underpinnings to success
Clinician Knowledge
Find actionable activities (gaps)
Decision support
Enhance communications with patients and other providers
Clinical Integration Solutions Overview
Hospitals
Inpatient clinical quality metrics
Payers
Physician-Led Entities
Governing body (Participating Practices and Physicians)
Payer negotiations
Distribute shared savings
Clinical quality Reports
Participating Community
Physician clinical data
Coordinated Care
Collaboration
11. Embracing DevSecOps while improving your
compliance and security agility and posture
Chris McCurdy
Healthcare and Life Sciences Specialist AWS
12. Agenda
• DevOps to DevSecOps Primer
• Observed industry cloud techniques with AWS
• Tools, processes and frameworks to assist
• Example Compliance Workflows
13. Big Company, Big Challenges
Thousands of Systems
Complex IT Ops
Limited Financial Impact
Cloud Patterns and Acceleration
Automated IT Cost Transparency
Current State of Enterprise IT
Cloud Strategy Offers Agility
15. DevOps Toolchain
Plan
Configure
Verify
Preprod
Monitor
Create
Release
Define and plan; business value, application requirements and metrics
Building, coding and configuration
Ensuring quality; acceptance, regression testing
Infrastructure and application
Approval/certification, triggered releases, release staging and holding
Process, application and infrastructure
Release coordination, promotion, scheduling, rollback and recovery
16. DevOps Principles
• Collaborate with all stakeholders
• Codify everything
• Test everything
• Automate everything
• Measure and monitor everything
• Deliver business value with continual feedback
Manual Hacking
17. Drivers for DevSecOps
Embedding Security into DevOps was not successful because…
• Compliance checklists didn’t take us far before we stopped scaling…
• We couldn’t keep up with deployments without automation…
• Standard Security Operations did not work…
• And we needed far more data than we expected to help the business make decisions…
18. DevSecOps: Security as Code
Establishing these principles…
• Customer focused mindset
• Scale, scale, scale
• Objective criteria
• Proactive hunting
• Continuous detection and response
19. DevOps Toolchain
Plan
Configure
Verify
Preprod
Monitor
Create
Release
Define and plan; business value, application requirements, security, compliance and metrics
Build, code and configuration
Ensuring quality; acceptance, regression, security and compliance testing
Infrastructure and application
Approval/certification, triggered releases, release staging and holding
Process, application, infrastructure, security and compliance
Release coordination, promotion, scheduling, rollback and recovery
21. Consult internally before implementing
The following slides are practices we have seen used in industry. As security and industry compliance is determined by the customer, before implementing please:
• Consult with your internal best practices
• Consult with your Cloud Center of Excellence
• Consult with your Information Security group
• Consult with your Compliance organization
• Do your due diligence
22. AWS Foundation Services
Compute, Storage, Database, Networking
AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
Customers
Platform, Applications, Identity & Access Management
Operating System, Network & Firewall
Customer content
Client-side encryption implementation, Server-side encryption, Network Traffic Protection
A Word on Security
Security in the cloud
Security of the cloud
23. Example: Simplified Claims Workflow
Components (numbered steps 1–7 in the diagram):
Validation / Edit System (EC2)
Insight System (EMR)
Inbound Claim Archive (Glacier)
Inbound Claim Store (S3)
Claim History (Redshift)
Claims Adjudication System (EC2)
Data Lake (S3)
Insights
HIPAA Eligible Architecture
Consult with compliance and security organizations before implementing
25. General Strategies
AWS CodeCommit, AWS CodeDeploy, AWS CodePipeline
Consult with compliance and security organizations before implementing
• Decouple PHI data from the processing or orchestration
• Do not check PHI data into your source or artifact repositories
• Use indirection when orchestrating PHI flow
• Separate PHI and non-PHI containing logical boundaries
• Monitor the flow of PHI
26. Separate Virtual Private Cloud (VPC) Strategy
PHI Eligible VPC: Amazon EC2, Amazon EMR, Amazon S3
Non-PHI VPC: Amazon EC2
Also shown: AWS Directory Service, AWS Device Farm, PHI
Consult with compliance and security organizations before implementing
28. Example: Simplified Claims Workflow
Validation / Edit System (EC2)
Insight System (EMR)
Inbound Claim Archive (Glacier)
Inbound Claim Store (S3)
Claim History (Redshift)
Claims Adjudication System (EC2)
Data Lake (S3)
Insights
Consult with compliance and security organizations before implementing
Non-PHI Insights: AWS Lambda, Amazon SES, Email to Business Users
SQS, SQS
AWS CodeCommit, AWS CodeDeploy, AWS CodePipeline
PHI Insights
Non-PHI Insights
29. Compliance Example Workflow (using DevSecOps)
Actors and components: Security / Compliance Admin, CloudFormation template, AWS Service Catalog, CloudFormation stack, Healthcare Developers, AWS CodeCommit, AWS Config (Track changes), AWS CloudTrail (Logs all API calls), Amazon S3, AWS CloudWatch alarm
Labeled steps as numbered in the diagram: 1 Define; 2 Publish; 3 Git push; 4 Browse and Launch; 5 Provisions; 8 Monitors; 10 Initiates; 11 Monitors; 12 Notifies (steps 6, 7 and 9 have no surviving label)
Consult with compliance and security organizations before implementing
31. The Vision
• Self Service
• Rapid Provisioning
• Capacity Management
• Full Stack Availability
Enable Agility
• AD Integration
• Golden AMIs
• Enterprise Logging
• Backup and Retention
• Firewall and Security Rule
Ensure Policy
• Monitoring and Alerts
• VM Scheduling
• Encryption
• Software Configuration Management
Accelerate Best Practices
32. What they did…
Assurance Monitors
Compliance Database
Console
Billing Roll up
Administrative Services
Access Control with AD Integration
User Help
HPC
Workspaces
Big Data
33. Consult internally before implementing
The following slides are practices we have seen used in industry. As security and industry compliance is determined by the customer, before implementing please:
• Consult with your internal best practices
• Consult with your Cloud Center of Excellence
• Consult with your Information Security group
• Consult with your Compliance organization
• Do your due diligence
36. Data Warehousing
Databases
Object and File Storage
Managed Big Data Platform
AWS Data Pipeline
Data management ecosystem
Analytical tooling ecosystem
Machine Learning
Analysis
Data Ingestion
Storage
Archiving
Structured, Unstructured, Streaming
Data Visualization
Typical Analytics Workflow
37. Retrospective Analysis & Reporting
Ingest, Store, Process, Visualize
Amazon S3, Amazon DynamoDB, Amazon RDS, Amazon Mobile Analytics, Amazon EC2, AWS Import/Export, Amazon EMR, Amazon Redshift, AWS Lambda, Amazon QuickSight
38. Three Essential Services for Analytics on AWS
Amazon S3, Amazon Redshift, Amazon Elastic MapReduce (EMR)
All three are HIPAA eligible services
40. Transferring data into Amazon S3
Paths from the Institutional Data Center into the AWS Region: AWS Import/Export, AWS Direct Connect, Internet
Inside the AWS Region (Availability Zone): Amazon S3 Data Lake, Amazon Analytics Services
41. Aggregate all of your data in Amazon S3 Data Lake
EMR, Kinesis, Redshift, DynamoDB, RDS, Data Pipeline, Spark Streaming, Cassandra, Storm
Amazon S3
43. When is Amazon Redshift the Right Choice for Healthcare Analytics?
Institutional metrics
Utilize massive datasets with existing SQL skill sets
Queries that involve heavy aggregation such as financial reporting
Clinically actionable gene mutation research
Combine gene variant data with phenotypes and run GWAS/PWAS
analysis using SQL queries
Large population public health studies
Find trends over millions of CMS claims in seconds
44. Amazon Redshift Architecture
Leader Node
SQL endpoint
Stores metadata
Coordinates query execution
Compute Nodes
Local, columnar storage
Execute queries in parallel
Load, backup, restore via S3
Parallel load from DynamoDB or SSH
HW optimized for data processing
DW1: HDD; scale from 2TB to 1.6PB
DW2: SSD; scale from 160GB to 256TB
10 GigE (HPC)
Ingestion
Backup
Restore
JDBC/ODBC
45. Copy Data Into Redshift From S3
COPY <table_name> FROM 's3://<bucket_name>/<file_name>'
CREDENTIALS 'aws_access_key_id=<access_key_id>;aws_secret_access_key=<secret_access_key>'
DELIMITER ','
IGNOREHEADER 1;
table_name: Redshift table name
bucket_name: S3 bucket name
file_name: CSV file name in S3 bucket
access_key_id, secret_access_key: AWS security credentials
46. Hadoop 1.x & 2.x / HDFS clusters
Easy to use; fully managed
Support for EC2 Spot Instances
S3, DynamoDB, Redshift & Kinesis Integration
Amazon Elastic MapReduce (EMR)
47. Process – Amazon EMR
• Hadoop - An open-source framework for parallel processing of huge amounts of data on a cluster of machines
• Amazon EMR - Fully managed Hadoop cluster with direct integration into Amazon S3 and burstable capacity
48. Process – Amazon EMR Use Case
Large amount of click logs of user actions in Amazon S3 bucket (e.g. TBs)
Amazon EMR cluster splitting logs into small pieces working in parallel
Aggregate the results from all nodes and know what each user did
49. Process – Amazon EMR
• Amazon EMR supports all common Hadoop frameworks such as Spark, Pig, Presto, Hive, etc.
• Decouples storage from compute
• Allows independent scaling
• Direct integration with DynamoDB and S3
Amazon S3, Amazon DynamoDB, Amazon EMR
51. S3, Redshift & EMR form the backbone of most analytical workflows on AWS.
When used with other AWS services, this is how the final architecture would look …
59. Traditional Platforms
• Platforms normally sit between your application and tools to translate API calls into AWS functions.
• This creates vendor lock-in, but obscures AWS value and reduces agility
• Vendors must integrate new services quickly to give customers access to AWS features
Customer Applications & Tools
Vendor Platform & Custom APIs
DB on instance
Instance with AMI
72. Security & Compliance Dashboard
• First of its kind in the industry – service-based real-time HIPAA compliance dashboard
• At-a-glance system status plus trending over time
• Detailed history available for attestation during audits
Continuous security and compliance monitoring mapped directly to HIPAA guidelines delivered across cloud and private environments via interactive dashboard and individual asset scorecards.
73. Cloud Platform BAA Coverage
Amazon Web Services Infrastructure:
AWS Global Infrastructure: Availability Zones, Regions, Edge Locations
AWS Foundation Services: Compute, Storage, Database, Networking
Network Traffic Protection; Server-Side Encryption; Client-Side Data Encryption
Operating Systems, Network & Firewall Configurations
Platform
Customer Data
Applications; Identity & Access Management
ClearDATA Cloud Platform:
AWS Global Infrastructure: Availability Zones, Regions, Edge Locations
AWS Foundation Services: Compute, Storage, Database, Networking
Network Traffic Protection; Server-Side Encryption; Client-Side Data Encryption
Operating Systems, Network & Firewall Configurations
Customer Data
ClearDATA Platform
Applications; Identity & Access Management
75. Data Storage for the Long Haul
Compliance and Archive
Erik Durand
Amazon Web Services
76. Storage is a platform
File: Amazon EFS
Block: Amazon EBS, Amazon EC2 Instance Store
Object: Amazon S3, Amazon Glacier
Data Transfer: AWS Direct Connect, AWS Snowball, ISV Connectors, Amazon Kinesis Firehose, S3 Transfer Acceleration, Storage Gateway
77. Patient data – Philips Healthcare
• HealthSuite digital platform powered by AWS
• 15 petabytes of patient data
• Archived for decades (beyond the lifetime of patients)
• Uses AWS HIPAA eligible services in the BAA
78. Public sector – King County
• Most populous county in Washington state
• Replace tape solution for backup from 17 agencies
• Meet compliance requirement
• Saved $1MM in first year, no more tape refresh or management churn
79. Archive: Data retained for the long term, for compliance or potential future reference
Data archiving needs are growing everywhere
• Media assets, 4K, 8K
• Health care / life sciences
• Financial services
• Regulated industries
• Oil and gas / geospatial
• Digital preservation
• Long-term backups
• Logs
80. Traditional archiving approaches
• Storage arrays / disk arrays
• Tape silos / tape libraries
• Tape drives (LTO-X / DLT / etc.)
• Virtual tape libraries (VTLs)
• Tape out / vaulting
• Specialized software and personnel
81. How can AWS help with your archival?
Metered usage: pay as you go, no capital investment, no commitment, no risky capacity planning
Avoid risks of physical media handling
Control your geographic locality for performance and compliance
83. Object Storage Options
S3 Standard: active data; millisecond access; $0.03/GB/mo
S3 Standard - Infrequent Access: infrequently accessed data; millisecond access; $0.0125/GB/mo
Amazon Glacier: archive data; 3-5 hour access; $0.007/GB/mo
84. A Closer Look: S3-IA and Amazon Glacier
S3 Standard - Infrequent Access (S3-IA)
• Same durability and throughput as S3 Standard
• Instant access
• $0.01/GB on each data retrieval
Amazon Glacier
• Same 11 9s durability as S3 Standard
• 3-5 hour data retrieval latency
• Suitable for cold archive such as offsite tapes
85. Data lifecycle management
- Transition Standard to Standard-IA
- Transition Standard-IA to Amazon Glacier
- Expiration lifecycle policy
- Versioning support
Chart: data access frequency over time, from T through T+3, +5, +15, +25, +30, +60, +90, +150, +250 and +365 days
93. Compliance storage with Vault Lock
Amazon Glacier Vault Lock allows you to easily set compliance controls on individual vaults and enforce them via a lockable policy
Time-based retention
MFA authentication
Controls govern all records in a Vault
Immutable policy
Two-step locking
94. Vault Lock for compliance storage
• Non-overwrite, non-erasable records
• Time-based retention with “ArchiveAgeInDays” control
• Policy lockdown (strong governance)
• Legal hold with vault-level tags
• Configure optional designated third-party access and grant
temporary access
95. Amazon Glacier received a third-party assessment
from Cohasset Associates on how Amazon Glacier
with Vault Lock can be used to meet the requirements
of SEC Rule 17a-4(f) and CFTC 1.31(b)-(c).
96. Example control: 1 year record retention
• Deny delete archive operation
• From anybody (root, administrators, users, business partners)
• When ArchiveAgeInDays is <= 365 days
Archive age computed from the time an archive lands in a vault
98. Vault Lock: Two-step locking
• InitiateVaultLock
– Effectuates a retention policy for testing (in-progress state)
– Returns a unique lock ID (expires after 24 hours)
• AbortVaultLock
– Deletes an in-progress policy
– Ability to modify a policy before locking it down
• CompleteVaultLock
– Locks down the vault with the appropriate lock ID
– Vault Lock cannot be aborted afterwards
99. Legal hold with vault-level tags
• Set up a legal hold tag
– Configure a vault-level tag “LegalHold”
– Set initial value to “False”
• Add compliance control for legal hold in a Vault Lock policy
– Deny delete archive operation
– From anybody (root, administrators, users, business partners)
– When LegalHold tag = “True”
• Place/lift legal hold by updating the tag value
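The two compliance controls from slides 96 and 99 (deny DeleteArchive while ArchiveAgeInDays <= 365, deny it while the vault tag LegalHold is "True") and the two-step locking flow from slide 98, written out as an added example that is not part of the deck. The vault ARN is a constructed placeholder; the evaluator understands only the two condition operators the policy uses and models the lock policy alone, not the caller's IAM permissions; the state machine is an offline model, not an AWS SDK call.

```python
import json

# Placeholder vault ARN (constructed; not a real account or vault).
VAULT_ARN = "arn:aws:glacier:us-east-1:111122223333:vaults/example-vault"


def build_vault_lock_policy(retention_days=365, vault_arn=VAULT_ARN):
    """Vault Lock policy with the two controls from the slides: deny
    DeleteArchive while the archive is within the retention period,
    and deny it while the vault-level LegalHold tag is "True"."""
    deny = {"Principal": "*", "Effect": "Deny",   # "*" covers root and admins
            "Action": "glacier:DeleteArchive", "Resource": vault_arn}
    return {"Version": "2012-10-17", "Statement": [
        dict(deny, Sid="deny-delete-before-retention", Condition={
            "NumericLessThanEquals": {"glacier:ArchiveAgeInDays": str(retention_days)}}),
        dict(deny, Sid="deny-delete-under-legal-hold", Condition={
            "StringEquals": {"glacier:ResourceTag/LegalHold": "True"}}),
    ]}


def _condition_matches(condition, context):
    """Minimal evaluator for the two operators used above."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if operator == "NumericLessThanEquals":
                if actual is None or float(actual) > float(expected):
                    return False
            elif operator == "StringEquals":
                if actual != expected:
                    return False
            else:
                raise ValueError("unsupported operator: " + operator)
    return True


def delete_archive_allowed(policy, archive_age_days, legal_hold_tag):
    """True only if no Deny statement matches. This models the lock policy
    alone; a real caller still needs an IAM Allow for DeleteArchive."""
    context = {"glacier:ArchiveAgeInDays": archive_age_days,
               "glacier:ResourceTag/LegalHold": legal_hold_tag}
    for stmt in policy["Statement"]:
        if (stmt["Effect"] == "Deny" and stmt["Action"] == "glacier:DeleteArchive"
                and _condition_matches(stmt["Condition"], context)):
            return False
    return True


def vault_lock_transition(state, action):
    """Two-step locking from the slides as a state machine (offline model)."""
    if state == "Unlocked" and action == "InitiateVaultLock":
        return "InProgress"   # policy attached for testing; lock ID valid 24 h
    if state == "InProgress" and action == "AbortVaultLock":
        return "Unlocked"     # in-progress policy deleted; edit and re-initiate
    if state == "InProgress" and action == "CompleteVaultLock":
        return "Locked"       # immutable from here on; cannot be aborted
    raise ValueError(action + " is not valid in state " + state)


if __name__ == "__main__":
    policy = build_vault_lock_policy()
    print(json.dumps(policy, indent=2))
    print(delete_archive_allowed(policy, 100, "False"))   # False: under retention
    print(delete_archive_allowed(policy, 400, "True"))    # False: legal hold
    print(delete_archive_allowed(policy, 400, "False"))   # True
```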
119. Audit logging with AWS CloudTrail
• Amazon S3 and Amazon Glacier can log API calls for audit via CloudTrail
• Enable CloudTrail in the AWS console and designate your log bucket
• S3 logs bucket-level activities; object activities supported via event notification
• Amazon Glacier logs all API calls for vaults and archives
120. Access policy for a storage container
• Control access to a storage container in a single location
– S3 bucket or Amazon Glacier vault access policy
– Grant/revoke access to internal business units/teams
– “Marketing_Vault” has a distinct access policy from “DevOps_Vault”
• Easily manage cross-account access for your business partner
– Simply add a section for your business partner in the same policy
– Cross-account activities (API calls) also show up in CloudTrail logs
121. Amazon S3 event notifications
Events delivered to: SNS topic, SQS queue, Lambda function
• Notification when objects are created via PUT, POST, Copy, or Multipart Upload, or DELETE
• Filtering on prefixes and suffixes for all types of notifications
122. Request specific notifications
Request notifications on specific PUT APIs:
s3:ObjectCreated:*
s3:ObjectCreated:Put
s3:ObjectCreated:Post
s3:ObjectCreated:Copy
s3:ObjectCreated:CompleteMultipartUpload
Request notifications on specific DELETE APIs:
s3:ObjectRemoved:*
s3:ObjectRemoved:Delete
s3:ObjectRemoved:DeleteMarkerCreated
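An offline model of how the event names and prefix/suffix filters on slides 121 and 122 select which notification fires, added here as an example that is not from the deck. The notification configuration, its topic ARNs and the object keys are constructed; the matching logic (wildcard on the event sub-type, prefix and suffix on the key) is what the slides describe, written so it can be run against sample events without an AWS account.

```python
from fnmatch import fnmatchcase

# Constructed notification configuration in the shape S3 uses (event list
# plus prefix/suffix key filter). The topic ARNs are placeholders.
NOTIFICATION_CONFIG = {
    "TopicConfigurations": [
        {   # any delete-type event under the PHI prefix goes to an alert topic
            "Id": "alert-on-phi-deletes",
            "TopicArn": "arn:aws:sns:us-east-1:111122223333:phi-delete-alerts",
            "Events": ["s3:ObjectRemoved:*"],
            "Filter": {"Key": {"FilterRules": [{"Name": "prefix", "Value": "phi/"}]}},
        },
        {   # only finished uploads of inbound CSV claims trigger processing
            "Id": "process-new-claim-csvs",
            "TopicArn": "arn:aws:sns:us-east-1:111122223333:claim-ingest",
            "Events": ["s3:ObjectCreated:Put", "s3:ObjectCreated:CompleteMultipartUpload"],
            "Filter": {"Key": {"FilterRules": [{"Name": "prefix", "Value": "inbound/"},
                                               {"Name": "suffix", "Value": ".csv"}]}},
        },
    ]
}


def event_matches(pattern, event_name):
    """'s3:ObjectRemoved:*' matches every ObjectRemoved sub-type; a specific
    name such as 's3:ObjectCreated:Put' matches only itself."""
    return fnmatchcase(event_name, pattern)


def key_matches(filter_block, key):
    """Apply the prefix/suffix rules; a configuration without a filter matches all keys."""
    for rule in filter_block.get("Key", {}).get("FilterRules", []):
        name, value = rule["Name"].lower(), rule["Value"]
        if name == "prefix" and not key.startswith(value):
            return False
        if name == "suffix" and not key.endswith(value):
            return False
    return True


def matching_configurations(config, event_name, key):
    """Ids of the configurations that would fire for this event on this key."""
    return [c["Id"] for c in config["TopicConfigurations"]
            if any(event_matches(p, event_name) for p in c["Events"])
            and key_matches(c.get("Filter", {}), key)]


if __name__ == "__main__":
    # A delete marker on a PHI key fires the alert; a Copy into inbound/ does not
    # trigger processing because only Put and CompleteMultipartUpload are subscribed.
    print(matching_configurations(NOTIFICATION_CONFIG, "s3:ObjectRemoved:DeleteMarkerCreated", "phi/claims/2016.csv"))
    print(matching_configurations(NOTIFICATION_CONFIG, "s3:ObjectCreated:Copy", "inbound/batch.csv"))
```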
124. Amazon S3 cross-region replication
Automated, fast, and reliable asynchronous replication of data across AWS regions
Secure: remote replicas managed by separate AWS accounts
Lower Latency: distribute data to regional customers
Compliance: store hundreds of miles apart
125. Cross-region replication: Details
Cost
• Usual charges for storage, requests, and inter-region data transfer for the replicated copy of data
• Replicate into Standard-IA or Amazon Glacier
Replication status
• HEAD operation on a source object to determine replication status
• Replicated objects will not be re-replicated
• Use Amazon S3 COPY to replicate existing objects
Delete operation
• DELETE without object version ID: marker replicated
• DELETE specific object version ID: marker NOT replicated
Access control
• Object ACL updates are replicated
• Objects with Amazon-managed encryption key replicated
• AWS KMS encryption not replicated
126. Versioning with cross-region replication
Diagram: object versions Vid1-v1 through Vid1-v4 of key A/vid1 in bucket A and the replicated key B/vid1 in bucket B
128. Data ingestion into AWS storage services
AWS Import/Export Snowball
• Accelerate PBs with AWS-provided appliances
• 80 TB model, global availability
AWS Storage Gateway
• Instant hybrid cloud
• Up to 120 MB/s cloud upload rate (4x improvement), and
Amazon Kinesis Firehose
• Ingest data streams directly into AWS data stores
AWS Direct Connect
• COLO to AWS
ISV Connectors
• CommVault
• VERITAS
• etcetera
Amazon S3 Transfer Acceleration
• Move data up to 300% faster using AWS’s private network
129. What is AWS Snowball? Petabyte scale data transport
E-ink shipping label
Ruggedized case (“8.5G Impact”)
All data encrypted end-to-end
50 TB or 80 TB
10G network
Rain & dust resistant
Tamper-resistant case & electronics
131. Introducing Amazon S3 transfer acceleration
Uploader to AWS Edge Location to S3 Bucket: Optimized Throughput!
Typically 50%–400% faster
Change your endpoint, not your code
54 global edge locations
No firewall exceptions
No client software required
133. AWS Snowball vs. S3 transfer acceleration: When do I use what?
AWS Snowball: large, infrequent uploads; tens of TBs of upload from a centralized location; 7–10 day tolerance
S3 transfer acceleration: recurring, frequent uploads; GBs or TBs of upload from distributed locations; long geographic distances
134. Q&A
Learn more at: http://aws.amazon.com/s3/
http://aws.amazon.com/glacier/
http://aws.amazon.com/importexport/
eddurand@amazon.com