Customer Success Story

HIPAA Compliant DevSecOps Implementation in Software Services

Taashee assisted an Insurance IT firm in migrating to a customized HIPAA compliant AWS infrastructure using cost-effective tools and AWS native services

Overview

Taashee Linux Services recently helped one of its overseas clients, one of the largest insurance-focused IT services firms in North America, implement a customized HIPAA compliant AWS infrastructure. The client was previously using an enterprise-grade solution to ensure HIPAA compliance in their AWS environment, but they wanted to migrate to a more customized solution based on AWS’ in-built resources and other open source solutions without affecting their day-to-day cloud activities.


About the Client

Our client is a software and solutions firm focusing on the Insurance, Banking and Healthcare industries. Headquartered in New Jersey, our client is amongst the top 10 insurance-focused IT services firms in North America in terms of number of customers.

Client: Optime Logistics
Industry: IT Consulting Services
Services: Design, Development, Implementation of Tech based Solutions

Client Environment and Challenges

The client had their applications hosted on AWS EKS which was integrated with Jenkins and GitHub for CI/CD processes. The tools which were being used in the existing environment have been listed below:

DATICA: DATICA was used to deploy AWS resources in the cloud infrastructure while continually adhering to the HIPAA Compliance Framework.

Jenkins: An open source automation server, Jenkins helped the client automate the parts of software development related to building, testing, and deploying, facilitating continuous integration and continuous delivery.

GitHub: GitHub was used for distributed version control and source code management.

EKS: Amazon Elastic Kubernetes Service (Amazon EKS), which is a managed container service, was used to run and scale Kubernetes applications in the cloud or on-premises.

ECR: Amazon ECR, which is a fully managed container registry offering high-performance hosting, was being used to reliably deploy application images and artifacts within the environment.

RDS: Amazon Relational Database Service (RDS) was being used to set up, operate, and scale databases in the cloud.

The client’s existing architecture was as shown below.

[Figure: Client's existing architecture]

The major challenge being faced by the client was that DATICA is an enterprise tool and their paid DATICA support was about to lapse. The client wanted to design and deploy a HIPAA compliant environment using AWS native services and tools to replace DATICA, without affecting their day-to-day cloud activities or compliance.

This is where Taashee’s expertise at creating customized alternative solutions to expensive enterprise-grade products came in handy.

Our Solution

Taashee’s AWS experts and open source technology SMEs approached the challenge at hand with a holistic view, so that an appropriate solution could be accomplished with minimal changes to the existing workflow. This meant harnessing existing tools within already deployed technologies and keeping the number of new tools introduced within the environment at a bare minimum.

Architecture and Tools Used
Working towards that objective, Taashee came up with the following solution architecture.

[Figure: Solution architecture and tools used]

Besides retaining Jenkins, GitHub, Amazon EKS, ECR and RDS from the previous architecture, we introduced the following new tools into the environment:

  • CloudFormation for provisioning the infrastructure in AWS
  • Velero for Kubernetes backup
  • DMS for RDS migration

Our Approach to keep the environment HIPAA compliant

A. Provisioning HIPAA Compliant environment in AWS

We worked with AWS to zero in on the configuration below to keep the client environment HIPAA compliant:

i. VPC Configurations: Three virtual private clouds (VPCs), management, production, and development were configured with subnets, according to AWS best practices, to provide the client with their own virtual network on AWS.

VPC Name: Management VPC
VPC Type: Public and Private
Components:
  • An internet gateway, which serves as a highly available centralized point of egress for internet traffic.
  • Public subnets that include managed network address translation (NAT) gateways to allow outbound internet access for resources in the private subnets.
  • Private subnets for deploying your security and infrastructure controls.
  • Flow logs for auditing.

VPC Name: Production VPC
VPC Type: Private
Components:
  • Private subnets for deploying your production workloads.
  • Flow logs for auditing.

VPC Name: Development VPC
VPC Type: Private
Components:
  • Private subnets for deploying your development workloads.
  • Flow logs for auditing.

ii. AWS Transit Gateway: AWS Transit Gateway was configured for VPC-to-VPC communication and customer connectivity.

iii. Logging and Audit Controls:

  • Amazon CloudWatch was configured for metric monitoring and threshold alarms
  • AWS Config was configured with the conformance pack for HIPAA, in order to map HIPAA controls to AWS configuration items
  • AWS CloudTrail was configured for AWS access logging

All of these services, together with the VPC flow logs, deliver their logs to an Amazon S3 bucket
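The private production VPC from the table above, with its flow logs delivered to the shared S3 bucket, as an added CloudFormation example (not a template from Taashee or the client). The resource names, the 10.20.0.0/16 address range and the FlowLogBucketName parameter are assumptions; the bucket is assumed to exist already with a bucket policy that allows the flow log delivery service to write to it.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Production VPC with private subnets only and VPC Flow Logs delivered to S3

Parameters:
  FlowLogBucketName:
    Type: String
    Description: Existing S3 bucket that receives the flow logs (assumed to exist)

Resources:
  ProductionVpc:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: 10.20.0.0/16        # constructed address range, not from the case study
      EnableDnsSupport: true
      EnableDnsHostnames: true
      Tags:
        - Key: Name
          Value: production-vpc

  # Private subnets only: no internet gateway or NAT gateway is attached, so
  # workloads can only reach other VPCs and the customer via the Transit Gateway.
  PrivateSubnetA:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref ProductionVpc
      CidrBlock: 10.20.1.0/24
      AvailabilityZone: !Select [0, !GetAZs ""]
      MapPublicIpOnLaunch: false

  PrivateSubnetB:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref ProductionVpc
      CidrBlock: 10.20.2.0/24
      AvailabilityZone: !Select [1, !GetAZs ""]
      MapPublicIpOnLaunch: false

  # Flow logs for auditing: record accepted and rejected traffic for the whole
  # VPC and deliver it to the S3 bucket shared with CloudTrail and AWS Config.
  ProductionVpcFlowLog:
    Type: AWS::EC2::FlowLog
    Properties:
      ResourceType: VPC
      ResourceId: !Ref ProductionVpc
      TrafficType: ALL
      LogDestinationType: s3
      LogDestination: !Sub "arn:aws:s3:::${FlowLogBucketName}/vpc-flow-logs/"
      MaxAggregationInterval: 60
```

The development VPC follows the same pattern with its own address range, while the management VPC additionally needs an internet gateway, public subnets and NAT gateways.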

iv. Customer Connectivity: AWS Site-to-Site VPN was configured to connect directly with the AWS Transit Gateway

v. Access Control and Alerting:

  • Amazon Simple Notification Service (Amazon SNS) was configured for sending email alerts from alarms
  • AWS Identity and Access Management (IAM) was configured for access control and authorization

vi. Amazon Elastic Kubernetes Service (EKS): EKS was configured to manage and host client applications

vii. Amazon Elastic Container Registry (ECR): ECR was used for storing application container images

viii. Amazon Relational Database Service (RDS): RDS was used as the application database

ix. EC2:

Instance Name: Bastion
Usage: Bastion was used for administration

Instance Name: Jenkins
Usage: Jenkins was used to manage CI/CD operations

B. HIPAA Compliant Migration Approach

  • RDS, EC2, S3 and other identified resources were migrated using snapshots
  • Velero was used to migrate the EKS cluster configuration
  • Migrating existing Jenkins instances from the old environment to the new environment was done using snapshots and changing the CI/CD pipeline to point to the new repo and registry

C. HIPAA Compliant Testing Approach

A HIPAA-compliant approach was set up for all testing purposes which followed the method depicted below:

[Figure: HIPAA compliant testing approach]

D. HIPAA Compliant Policy Checklist

i. Authentication and Authorization Policy

  • IAM service to provide access to specific services
  • Enabling MFA to access AWS accounts
  • Granting least privileges
  • Rotating credentials regularly

ii. Encryption and Protection Policy

  • KMS was configured to enable control of the encryption keys, which can be integrated with several services like S3, SQS, EBS, RDS, ElastiCache, Lambda, EC2 Image Builder, SNS, SES, etc. to protect data at rest and in transit
  • CloudHSM hardware was configured to provide the use of custom encryption keys on a FIPS 140-2 Level 3 validated HSM
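How the encryption and protection policy above maps onto AWS native services, as an added CloudFormation example (not a template from Taashee or the client): a customer-managed KMS key with rotation enabled, an S3 bucket that encrypts every object under that key by default, and a bucket policy that denies any request not made over TLS. The resource names EphiKey, EphiBucket and EphiBucketPolicy are assumptions; the same KMS key can be referenced from RDS, EBS and the other services listed above.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Customer-managed KMS key and an S3 bucket that enforces it at rest and TLS in transit

Resources:
  EphiKey:
    Type: AWS::KMS::Key
    Properties:
      Description: Customer-managed key for ePHI at rest
      EnableKeyRotation: true          # automatic rotation of the key material
      KeyPolicy:
        Version: "2012-10-17"
        Statement:
          # Key administration stays with the account; workloads get kms:Encrypt/Decrypt
          # on this key only through least-privilege IAM policies.
          - Sid: EnableAccountAdministration
            Effect: Allow
            Principal:
              AWS: !Sub "arn:aws:iam::${AWS::AccountId}:root"
            Action: "kms:*"
            Resource: "*"

  EphiBucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: aws:kms
              KMSMasterKeyID: !Ref EphiKey    # every object is encrypted under the key above
            BucketKeyEnabled: true

  EphiBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref EphiBucket
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          # Data in transit: reject any request that is not made over TLS.
          - Sid: DenyInsecureTransport
            Effect: Deny
            Principal: "*"
            Action: "s3:*"
            Resource:
              - !GetAtt EphiBucket.Arn
              - !Sub "${EphiBucket.Arn}/*"
            Condition:
              Bool:
                aws:SecureTransport: "false"
```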

iii. Auditing

  • Auditing and monitoring were addressed in the cloud architecture as technical safeguards. Any storage, processing or transmission of ePHI information was logged in the system to track the usage of data.

Results & Benefits

The client benefits stemmed majorly from having complete control over the HIPAA compliance scenario of their AWS cloud without the need to rely on expensive third-party tools like DATICA.

Some other benefits brought forth by this project were:

  • Application teams in the VPCs could now keep their services isolated inside their VPC until the VPC was attached to the Transit Gateway and access was granted to external parties.
  • With the centrally managed internet VPCs, it became simpler to perform security audits on inbound internet access.
  • Network access between all VPCs could be controlled by a single networking approach using the Transit Gateway.
  • Moreover, implementing AWS Secrets Manager in the environment meant that fine-grained resource access could be configured down to the individual secret, and secret access could be monitored using CloudWatch.

Our Unique Features

Taashee's technical team helps organizations that require increased developer productivity, higher quality applications, and lower maintenance costs. Taashee programmers specialize in multiple technologies with add-on features and advanced support. The biggest advantage for customers approaching Taashee is that they do not need to approach multiple vendors to implement different technologies.


Client Testimonial

We are impressed with the solution Taashee's engineers came up with to replace DATICA in our HIPAA compliance scenario. Their implementation speeds were also laudable considering we were on a tight schedule since our DATICA support was about to expire.
IT Project Manager
Datica
