Customer Success Story

HIPAA Compliant DevSecOps Implementation in Software Services

Taashee assisted an Insurance IT firm in migrating to a customized HIPAA compliant AWS infrastructure using cost-effective tools and AWS native services

Download

Overview

Taashee Linux Services recently helped one of its overseas clients, one of the largest insurance-focused IT services firms in North America, implement a customized HIPAA compliant AWS infrastructure. The client was previously using an enterprise-grade solution to ensure HIPAA compliance in their AWS environment, but they wanted to migrate to a more customized solution based on AWS’ in-built resources and other open source solutions without affecting their day-to-day cloud activities.

About the Client

Our client, is a software & solutions firm focusing on the Insurance, Banking and Healthcare industries. Headquartered in New Jersey, our client is amongst the top 10 insurance-focused IT services firms in North America in terms of number of customers.

Client

Optime Logistics

Industry

IT Consulting Services

Services

Design, Development, Implementation of Tech based Solutions

Explore

Visit Website

Client Environment and Challenges

The client had their applications hosted on AWS EKS which was integrated with Jenkins and GitHub for CI/CD processes. The tools which were being used in the existing environment have been listed below:

DATICA: DATICA was used to deploy AWS resources in the cloud infrastructure while continually adhering to the HIPAA Compliance Framework.

Jenkins: An open source automation server, Jenkins helped the client automate the parts of software development related to building, testing, and deploying, facilitating continuous integration and continuous delivery.

GitHub: GitHub was used for distributed version control and source code management.

EKS: Amazon Elastic Kubernetes Service (Amazon EKS), which is a managed container service, was used to run and scale Kubernetes applications in the cloud or on-premises.

CR: Amazon ECR, which is a fully managed container registry offering high-performance hosting, was being used to reliably deploy application images and artifacts within the environment.

RDS: Amazon Relational Database Service (RDS) was being used to set up, operate, and scale databases in the cloud.

The client’s existing architecture was as shown below.

The major challenge being faced by the client, was that DATICA is an enterprise tool and their paid DATICA support was about to lapse. The client wanted to design and deploy a HIPAA Compliant environment using AWS native services and tools to replace DATICA, without affecting their day-to-day cloud activities or compliance.

This is where Taashee’s expertise at creating customized alternative solutions to expensive enterprise-grade products came in handy.

Our Solution

Taashee’s AWS experts and open source technology SMEs approached the challenge at hand with a holistic view, so that an appropriate solution could be accomplished with minimal changes to the existing workflow. This meant harnessing existing tools within already deployed technologies and keeping the number of new tools introduced within the environment at a bare minimum.

Architecture and Tools Used
Working towards that objective, Taashee came up with the following solution architecture.

Besides retaining Jenkins, GitHub, Amazon EKS, ECR and RDS from the previous architecture, we introduced the following new tools into the environment:

CloudFormation for provisioning the infrastructure in AWS
Velero for Kubernetes backup
DMS for RDS migration

Our Approach to keep the environment HIPAA compliant

A. Provisioning HIPAA Compliant environment in AWS

We worked with AWS to zero in on the configuration below to keep the client
environment HIPAA compliant:

i. VPC Configurations: Three virtual private clouds (VPCs), management, production, and development were configured with subnets, according to AWS best practices, to provide the client with their own virtual network on AWS.

VPC Name	VPC Type	Components
Management VPC	Public and Private	An internet gateway, which serves as a highly available centralized point of egress for internet traffic. Public subnets that include managed network address translation (NAT) gateways to allow outbound internet access for resources in the private subnets. Private subnets for deploying your security and infrastructure controls. Flow logs for auditing.
Production VPC	Private	Private subnets for deploying your production workloads. Flow logs for auditing.
Development VPC	Private	Private subnets for deploying your development workloads. Flow logs for auditing.

ii. AWS Transit Gateway: AWS Transit Gateway was configured for VPC-to-VPC communication and customer connectivity.

iii. Logging and Audit Controls:

Amazon CloudWatch was configured for metric monitoring, threshold alarms
AWS Config was configured with the conformance pack for HIPAA, in order to map HIPAA controls to AWS configuration items. This service delivers flow logs to an S3 bucket
AWS CloudTrail was configured for AWS access logging

All these services deliver flow logs to an Amazon S3 bucket

iv. Customer Connectivity: AWS Site-to-Site VPN was configured to connect directly with the AWS Transit Gateway

v. Access Control and Alerting:

Amazon Simple Notification Service (Amazon SNS) was configured for sending email alerts from alarms
AWS Identity and Access Management (IAM) was configured for access control and authorization

vi. AWS Elastic Kubernetes Services (EKS): EKS was configured to manage and host client applications

vii. AWS Elastic Container Registry (ECR): ECR was used for storing application container images

viii. AWS Relational Database Services (RDS): RDS was used as an application database

ix. EC2:

Instance Name	Usage
Bastion	Bastion was used for administration
Jenkins	Jenkins was used to manage CI/CD operations

B. HIPAA Compliant Migration Approach

RDS, EC2, S3 and other identified resources were migrated using snapshots
Velero was used to migrate the EKS cluster configuration
Migrating existing Jenkins instances from the old environment to the new environment was done using snapshots and changing the CI/CD pipeline to point to the new repo and registry

C. HIPAA Compliant Testing Approach

A HIPAA-compliant approach was set up for all testing purposes which followed the method depicted below:

D. HIPAA Compliant Policy Checklist

i. Authentication and Authorization Policy

IAM service to provide access to specific services
Enabling MFA to access AWS accounts
Granting least privileges
Rotating credentials regularly

ii. Encryption and Protection Policy

KMS was configured to enables control of the encryption key which can be integrated with several services like S3, SQS, EBS, RDS, Elastic Cache, Lamba, EC2 image builder, SNS, SES, etc. to protect data at rest and transit
CloudHSM hardware was configured to provide the use of custom encryption keys using FIPS 140 -2 level 3 validated HSM

iii. Auditing

Auditing and monitoring were addressed in the cloud architecture as technical safeguards. Any storage, processing or transmission of ePHI information was logged in the system to track the usage of data.

Services Provided

This is the heading

Technology Stack

This is the heading

Results & Benefits

The client benefits stemmed majorly from having complete control over the HIPAA compliance scenario of their AWS cloud without the need to rely on expensive third-party tools like DATICA.

Some other benefits brought forth by this project were:

Application teams in the VPCs could now keep their services isolated inside their VPC until they were configured by the Transit Gateway service and access was given to external parties.
With the centrally managed internet VPCs, it became simpler to perform security audits on inbound internet access.
Network access between all VPCs could be controlled by a single networking approach using the Transit Gateway
Moreover, implementing AWS secrets manager in the environment meant that fine-grained resource access could be configured to the secret level and secret access could be monitored using CloudWatch

Download Case Study (PDF)

Our Unique Features

Taashee’s technical team helps organizations that require increased developer productivity, higher quality applications, and lower maintenance costs. Taashee programmers specialize in multiple technologies with add-on features and advanced support. The biggest advantage for customers approaching Taashee is that they do not need to approach multiple vendors to implement different technologies.

Client Testimonial

We are impressed with the solution Taashee’s engineers came up with to replace DATICA in our HIPAA compliance scenario. Their implementation speeds were also laudable considering we were on a tight schedule since our DATICA support was about to expire.

IT Project Manager

Datica

Related Case Studies

Implementing a DevSecOps Pipeline in the Healthcare Sector

Taashee helps a multinational healthcare giant create an end-to-end AWS DevSecOps CI/CD pipeline with open-source SCA, SAST and DAST tools.

Learn More

VMware-based Security and Access Control for the Entertainment Sector

Taashee's VMware technical team delivers comprehensive VMware Solutions including VMware ESXi, vCenter and vSAN for reputed Media and Entertainment firms.

Learn More

Red Hat Satellite Implementation in The Petroleum Sector

Taashee's Red Hat technical team resolved virtualization, auditing, interoperability, and subscription management issues for an Indian energy sector client.

Learn More

Head Quarters

101, Workafella, Western Aqua, Whitefields, HITEC City, Kondapur, Hyderabad, Telangana 500081

Get directions 🡥

Quick Contact

+91-915-4910-504
info@taashee.com

Opening Hours

Mon – Fri: 9.30 am – 6.30 pm
Sat – Sun: Closed

Subscribe to our Monthly Newsletter

Taashee Linux Services Private Limited is a leading open-source technology company with a global footprint specializing in technology integration, application transformation, custom IT solutions that are woven intricately around path-breaking concepts.

HIPAA Compliant DevSecOps Implementation in Software Services

Overview

About the Client

Client Environment and Challenges

Our Solution

Services Provided

Technology Stack

Results & Benefits

Download Case Study (PDF)

Our Unique Features

Client Testimonial

Related Case Studies

Implementing a DevSecOps Pipeline in the Healthcare Sector

VMware-based Security and Access Control for the Entertainment Sector

Red Hat Satellite Implementation in The Petroleum Sector

Head Quarters

Quick Contact

Opening Hours

Subscribe to our Monthly Newsletter

Company

Solutions

Resources

We're Hiring