Having overseen the building of a healthcare technology company in AWS from scratch, I am pleased to share a few best practices for architects and cloud practitioners. They should help you adopt the cloud for building healthcare systems.
Best Practice 1: Understand the Vertical
Healthcare is one of the most heavily regulated verticals in the United States. Your choice of technologies and architecture is driven by security and compliance requirements, not only by engineering preference.
All the major cloud providers in the United States, including Amazon Web Services (AWS), Google Cloud Platform (GCP) and Microsoft Azure, have support for building healthcare systems.
AWS provides support for the following areas of healthcare:
Providers and Insurers
Google Cloud has support for Genomics as part of their Big Data offerings.
Google also has support for healthcare via G Suite.
Microsoft Azure has support for healthcare via Office 365 and Health Analytics.
All three major cloud providers have prominent healthcare establishments as customers.
Best Practice 2: Understand the Difference Between PHI and PII
In financial, e-commerce or cybersecurity companies the acronym PII (Personally Identifiable Information) is used a lot. In the healthcare landscape the term that matters is PHI, Protected Health Information: under HIPAA, individually identifiable health information that a covered entity or its business associates create, receive, store or transmit.
Examples of the HIPAA identifiers that, when associated with health information, make it PHI include:
Social Security Number
Driver's License Number
Medical Record Numbers
If you are building a healthcare technology company in the cloud, it is critical to understand exactly which of your patients' data elements constitute PHI, because that determines which systems, vendors and cloud services fall under HIPAA.
Best Practice 3: Know the Compliance Laws of the Land
When you operate in the United States and healthcare is your domain, you may have to comply with one or more of the following laws, depending on the type of health data and the processes you use:
FDA 21 CFR (Title 21 of the Code of Federal Regulations; Part 11 covers electronic records and signatures)
If you deal with PHI of any kind, you must ensure that you stay compliant with these laws.
Best Practice 4: Choose an Appropriate Cloud Provider for Your Health Tech Company
All the three major cloud providers in the United States namely Amazon Web Services (AWS), Microsoft Azure and Google Cloud Platform (GCP) have a HIPAA compliance program.
Your cloud provider's HIPAA compliance page lists the services covered by its BAA, an FAQ, contact details and so on. Read it before you design, not after.
Best Practice 5: Sign the HIPAA BAA With Your Cloud Provider
Before you start handling PHI in the cloud, you should sign a Business Associate Agreement (BAA) with the cloud provider and with every other vendor who touches the PHI.
AWS, GCP, and Microsoft Azure sign a HIPAA BAA with their customers.
If a vendor cannot sign a HIPAA BAA with you, that vendor cannot touch PHI on your behalf. This is one of the main constraints on the technologies at your disposal: a monitoring, logging or analytics SaaS that will not sign a BAA has to stay on the non-PHI side of your architecture.
Best Practice 6: Understand the HIPAA Compliant Services Provided by Your Cloud Provider
Every cloud provider's HIPAA BAA stipulates a subset of its services that are covered (AWS calls them HIPAA Eligible Services). Any system that touches PHI has to be built on those services only.
You are free to use any of the other services in the cloud for non-PHI interactions.
Because only a subset of cloud services is covered by your HIPAA BAA, it becomes critical to design and architect your system around separate PHI and non-PHI workflows. In practice that means a hard boundary, for example separate AWS accounts or VPCs, with data allowed to cross from the PHI side to the non-PHI side only after de-identification, so that the boundary is enforced by configuration rather than merely documented in a policy.
For AWS, the following services were covered by the BAA at the time of writing. The list has grown considerably since, so check AWS's current HIPAA Eligible Services list rather than relying on this one.
Amazon Elastic Block Store (EBS)
Amazon Elastic Compute Cloud (EC2)
Amazon Elastic MapReduce (EMR)
Amazon Relational Database Service (RDS), MySQL and Oracle engines only
Amazon Simple Storage Service (S3) excluding use of Amazon S3 Transfer Acceleration
Amazon Elastic Load Balancing (ELB)
The Google Cloud Platform BAA will cover the use of the following services:
Microsoft has the following services (Azure and other Microsoft cloud offerings) covered under the HIPAA BAA that it signs:
- Azure: API Management, App Service (API Apps, Mobile Apps, and Web Apps), Automation, Azure Active Directory, Backup, Batch, BizTalk Services, Cloud Services, DocumentDB, Event Hubs, Express Route, HDInsight, Key Vault, Load Balancer, Log Analytics, Machine Learning, Media Services, Multi-Factor Authentication, Notification Hub, Operational Insights, Portal, Redis Cache, RemoteApp, Rights Management Service, Scheduler, Service Bus, Site Recovery, SQL Database, Storage, Storage Premium, StorSimple, Stream Analytics, Traffic Manager, Virtual Machines, and Virtual Network.
- Azure Government: Azure Active Directory, Cloud Services, SQL Database, Storage, Traffic Manager, Virtual Machines, and Virtual Network.
- Microsoft Commercial Support: Premier and On Premises for Azure, Dynamics CRM Online, Intune, and for Medium Business and Enterprise customers of Office 365.
- Microsoft Dynamics CRM Online and Dynamics CRM Online Government.
- Microsoft Intune.
- Microsoft Office 365 and Office 365 U.S. Government.
- Microsoft Power BI: The cloud service portion of Power BI offered as a standalone service or as included in an Office 365 branded plan or suite, but excluding data catalog functionality.
- Visual Studio Team Services.
Best Practice 7: Understand Key Management and Encryption Services Provided in the Cloud
HIPAA's Security Rule lists encryption as an "addressable" specification rather than a hard requirement, but in practice every PHI workload should encrypt data at rest and in transit: under the HHS breach notification guidance, lost or stolen PHI that was properly encrypted is not "unsecured PHI" and does not trigger notification, while unencrypted PHI does. Toward this, it is critical to understand the key management and encryption services provided by your cloud provider.
In this best practice, we will take a look at AWS Encryption capabilities.
AWS has a robust Key Management Service (KMS). It is a separate service rather than part of IAM, but access to every key is governed by IAM policies together with the key's own key policy, so who may call Decrypt on a PHI key is something you control explicitly.
When you encrypt data, protecting the data key is what matters. The data key encrypts and decrypts the data; the master key (the key encryption key, KEK) in turn encrypts the data key, so the master key never has to be handed out. In AWS the master key lives inside AWS KMS (optionally backed by AWS CloudHSM) and never leaves it. KMS hands back a fresh data key in plaintext together with the same key wrapped under the master key; the plaintext data key is used and then discarded, and the wrapped data key is stored alongside the encrypted data. Decryption starts by asking KMS to unwrap that stored data key.
The AWS SDKs expose the KMS API (GenerateDataKey, Encrypt, Decrypt), and the AWS Encryption SDK implements this envelope pattern for client-side encryption so that you do not have to write it yourself. The AWS CLI can request server-side encryption with a KMS key for the objects it uploads (for example, aws s3 cp --sse aws:kms). Master keys are never retrieved from KMS; only data keys move.
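The envelope scheme described above, as an added example that is not code from the original article or from AWS. The key service in it is a local stand-in for KMS (an assumption of the example): it holds one master key that is never exposed and offers the same two operations as kms:GenerateDataKey and kms:Decrypt. The ctx string plays the role of the KMS EncryptionContext, which is authenticated but not encrypted, so a wrapped key cannot be unwrapped under a different context. The sample record is constructed and is not real patient data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// KeyService simulates one KMS customer master key (assumption of this
// example; in AWS the key material stays inside KMS or CloudHSM).
type KeyService struct{ master cipher.AEAD }

// NewKeyService generates a random 256-bit master key.
func NewKeyService() (*KeyService, error) {
	mk := make([]byte, 32)
	if _, err := rand.Read(mk); err != nil {
		return nil, err
	}
	aead, err := newGCM(mk)
	if err != nil {
		return nil, err
	}
	return &KeyService{master: aead}, nil
}

// GenerateDataKey returns a fresh plaintext data key plus the same key
// wrapped under the master key. ctx is bound as AEAD additional data, like
// the KMS EncryptionContext: unwrapping needs the identical context.
func (k *KeyService) GenerateDataKey(ctx string) (plain, wrapped []byte, err error) {
	plain = make([]byte, 32)
	if _, err = rand.Read(plain); err != nil {
		return nil, nil, err
	}
	wrapped, err = seal(k.master, plain, []byte(ctx))
	return plain, wrapped, err
}

// Decrypt unwraps a data key; it fails on a wrong master key or wrong context.
func (k *KeyService) Decrypt(wrapped []byte, ctx string) ([]byte, error) {
	return open(k.master, wrapped, []byte(ctx))
}

// Envelope is what gets stored: the wrapped data key beside the ciphertext.
type Envelope struct {
	Context    string // encryption context, stored in the clear
	WrappedKey []byte // data key encrypted under the master key
	Ciphertext []byte // nonce || AES-256-GCM ciphertext+tag of the record
}

// Seal encrypts one record under its own data key and wraps that key.
func Seal(k *KeyService, ctx string, record []byte) (*Envelope, error) {
	plainKey, wrappedKey, err := k.GenerateDataKey(ctx)
	if err != nil {
		return nil, err
	}
	dk, err := newGCM(plainKey)
	for i := range plainKey { // plaintext data key is discarded after use
		plainKey[i] = 0
	}
	if err != nil {
		return nil, err
	}
	ct, err := seal(dk, record, []byte(ctx))
	if err != nil {
		return nil, err
	}
	return &Envelope{Context: ctx, WrappedKey: wrappedKey, Ciphertext: ct}, nil
}

// Open asks the key service to unwrap the data key, then decrypts the record.
func Open(k *KeyService, env *Envelope) ([]byte, error) {
	plainKey, err := k.Decrypt(env.WrappedKey, env.Context)
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	dk, err := newGCM(plainKey)
	if err != nil {
		return nil, err
	}
	return open(dk, env.Ciphertext, []byte(env.Context))
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal prefixes a random nonce to the AEAD output; open strips it again.
func seal(aead cipher.AEAD, msg, aad []byte) ([]byte, error) {
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, msg, aad), nil
}

func open(aead cipher.AEAD, data, aad []byte) ([]byte, error) {
	ns := aead.NonceSize()
	if len(data) < ns {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, data[:ns], data[ns:], aad)
}

func main() {
	ks, _ := NewKeyService()
	// Constructed sample record, not real PHI.
	env, _ := Seal(ks, "patient-id=demo-0001", []byte("MRN demo-0001: sample note"))
	out, err := Open(ks, env)
	fmt.Printf("round trip: %q err=%v\n", out, err)
	other, _ := NewKeyService() // a different master key, e.g. another account
	_, err = Open(other, env)
	fmt.Println("wrong master key:", err)
}
```

Two properties worth noticing: a copy of the envelope in another account (a different master key) is useless without the key service that wrapped it, which is why KMS key policies, not object ACLs, are the real access control on encrypted PHI; and because the context is authenticated, storage-side tampering with either the context or the ciphertext is detected at open time rather than producing garbage.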
Amazon Relational Database Service (RDS) lets you run a relational database at scale in the cloud. For HIPAA, only the MySQL and Oracle engines were covered when this was written. RDS storage, including its snapshots and automated backups, can be encrypted with a master key held in AWS KMS; encryption has to be chosen when the instance is created, because an existing unencrypted instance cannot be encrypted in place (you take a snapshot, copy it as an encrypted snapshot and restore from that). Connections should use TLS, and for PHI you should enforce it rather than merely support it: for MySQL set require_secure_transport=1 in the DB parameter group, and for Oracle enable the SSL option in the option group.
Amazon Simple Storage Service (S3) provides secure, scalable and highly available object storage in the cloud. S3 supports TLS in transit and server-side encryption at rest (since early 2023 new objects get SSE-S3 by default; objects written before that may not be encrypted), but the service will also accept plain HTTP requests unless you forbid them. For PHI buckets, add a bucket policy that denies any request with aws:SecureTransport false and any PutObject that does not set s3:x-amz-server-side-encryption to aws:kms, so both controls are enforced rather than assumed.
Amazon Elastic Block Store (EBS) provides block storage volumes that attach to EC2 instances, which format them with a filesystem. Volumes can be encrypted at rest with the AWS-managed key or a customer-managed key in AWS KMS; encryption covers the volume, its snapshots and the data moving between the instance and the volume. Turn on EBS encryption by default for the region so that an unencrypted volume cannot be created by mistake.
Best Practice 8: Understand Identity and Access Management System in the cloud
As part of your cloud-based technology system, you will need to manage identities and roles for your people, applications and services. Look at the IAM services provided by your cloud provider.
AWS and GCP each provide a robust identity and access management system (IAM). Microsoft Azure extends its Active Directory functionality into the cloud via Azure Active Directory (now Microsoft Entra ID).
IAM is where you create users, groups and roles for your cloud infrastructure. Prefer roles with short-lived credentials for applications and services over long-lived access keys, and scope each policy to the specific actions and resources a workload needs (least privilege); for PHI that includes restricting who may call kms:Decrypt on the keys that protect it.
Rather than creating a separate long-lived cloud user for every person, all three major providers (AWS, GCP and Azure) support federation with your existing enterprise identity provider over SAML 2.0 or OIDC, so that people sign in with their corporate identity (on-premises or hosted) and receive short-lived cloud credentials mapped to roles. This keeps joiner and leaver handling in one place, which auditors will ask about.