Maintaining a HIPAA Compliant Architecture in AWS

Business Context:

The patient data on the platform is collected from medical institutes around North America. As the company deals directly with the sensitive personal health information (PHI) of patients, their cloud infrastructure must comply with the Health Insurance Portability and Accountability Act (HIPAA) and all the latest security guidelines defined under it.

‍

The customer was looking for a technology partner that could help them set up a continuous delivery pipeline that fully complies with HIPAA security guidelines. Velotio’s proven expertise in DevOps services as well as building HIPAA-compliant architectures made it easier to choose them over other vendors.

How Velotio Helped?

Velotio’s team of experienced Solution Architects designed and implemented a fault-tolerant architecture that fully complied with all HIPAA requirements and ensured safe processing of patient data on the analytics platform.

‍

The DevOps experts helped build an automated delivery pipeline with clear segregation of duty policies. The discovery mechanism was built to configure the overall stack, automate DNS management, relevant secrets management, et al. The pipeline also enabled integration with the customer’s release process, making it faster for the development team to iterate and push frequent releases, while the operations team took responsibility for the final validation and updation to the production environment.

The team isolated all the services inside the network, but ensured a secure connection with the customer's production data center. This facilitated the data loading and ingestion and enabled single sign-on with other web application services used by the customer.  

The platform can now easily handle high volumes of data and scale to meet the demands of a Hadoop-based ingestive service, such as higher processing speed and low latency data replication.

The team combined multiple solutions to achieve this:

-  I/O and compute intensive instances running on dedicated hardware were put closer in placement groups

‍

- Enhanced networking and provisioned IOPS were used to handle the high query load on the PostgreSQL data warehouse

‍

- Instance types were optimized to manage bandwidth needs required by Tableau and the application’s servers to perform analytics operations and data modeling  

Improving the infrastructure had a snowball effect in other aspects of technology as well. The customer could now take advantage of several tools and managed services (like IAM, VPC, S3, CloudFormation, AutoScaling, ELB and Route53) that improved their deployment automation and reduced operational costs.

‍

The team combined Chef with AWS tools to implement complete automation and utilized the DevOps expertise to build a powerful continuous delivery pipeline, which is now used by both Development and Operations teams.  

‍

After building the continuous delivery pipeline, Velotio’s team worked with the customer’s in-house team to automate bootstrapping and resource provisioning by combining Chef-based provisioning with AWS CloudFormation. This helped us build a fully-automated infrastructure that is managed as a code and can be used to build additional sandbox, staging or pre-production environments, or to rebuild the main production environment in the event of a disaster or in the event that moving to another AWS region is needed.

Result

• Implemented self-healing, fault-tolerant services like site-to-site and host-to-host VPN or NAT gateways across multiple Availability Zones.  

• Implemented an exclusive, fully-managed DNS that supports reverse host lookup using Route 53. This is shared across VPN to ensure easy access to integrated services. 

• Implemented one-way connectivity to shared resources outside the network to deploy packages and cookbooks easily from the production network. 

• Configured the software safely by managing the secrets and other credentials required by the Chef cookbooks without exposing them to any external production environment. 

• Ensured that the discovery mechanism can classify parameters to handle application configuration across multiple environments.   

• Ensured appropriate in-transit encryption across all devices to provide a reliable and secure delivery of SSL key stores and keys etc. to all nodes. 
  

‍