Taashee Linux Services recently helped one of its overseas clients, one of the largest insurance-focused IT services firms in North America, implement a customized HIPAA compliant AWS infrastructure. The client was previously using an enterprise-grade solution to ensure HIPAA compliance in their AWS environment, but they wanted to migrate to a more customized solution based on AWS’ in-built resources and other open source solutions without affecting their day-to-day cloud activities.
Our client is a software and solutions firm focusing on the Insurance, Banking and Healthcare industries. Headquartered in New Jersey, the client is among the top 10 insurance-focused IT services firms in North America by number of customers.
The client had their applications hosted on AWS EKS, integrated with Jenkins and GitHub for CI/CD. The tools in use in the existing environment are listed below:
DATICA: DATICA was used to deploy AWS resources in the cloud infrastructure while continually adhering to the HIPAA Compliance Framework.
Jenkins: An open source automation server, Jenkins helped the client automate the parts of software development related to building, testing, and deploying, facilitating continuous integration and continuous delivery.
GitHub: GitHub was used for distributed version control and source code management.
EKS: Amazon Elastic Kubernetes Service (Amazon EKS), which is a managed container service, was used to run and scale Kubernetes applications in the cloud or on-premises.
ECR: Amazon ECR, which is a fully managed container registry offering high-performance hosting, was being used to reliably deploy application images and artifacts within the environment.
RDS: Amazon Relational Database Service (RDS) was being used to set up, operate, and scale databases in the cloud.
The client’s existing architecture was as shown below.
The major challenge faced by the client was that DATICA is an enterprise tool and their paid DATICA support was about to lapse. The client wanted to design and deploy a HIPAA compliant environment using AWS native services and tools to replace DATICA, without affecting their day-to-day cloud activities or compliance.
This is where Taashee’s expertise at creating customized alternative solutions to expensive enterprise-grade products came in handy.
Taashee’s AWS experts and open source technology SMEs approached the challenge at hand with a holistic view, so that an appropriate solution could be accomplished with minimal changes to the existing workflow. This meant harnessing existing tools within already deployed technologies and keeping the number of new tools introduced within the environment at a bare minimum.
Architecture and Tools Used
Working towards that objective, Taashee came up with the following solution architecture.
Besides retaining Jenkins, GitHub, Amazon EKS, ECR and RDS from the previous architecture, we introduced the following new tools into the environment:
Our Approach to keep the environment HIPAA compliant
A. Provisioning HIPAA Compliant environment in AWS
We worked with AWS to zero in on the configuration below to keep the client environment HIPAA compliant:
i. VPC Configurations: Three virtual private clouds (VPCs), management, production, and development were configured with subnets, according to AWS best practices, to provide the client with their own virtual network on AWS.
|VPC Name||VPC Type||Components|
Public and Private
ii. AWS Transit Gateway: AWS Transit Gateway was configured for VPC-to-VPC communication and customer connectivity.
iii. Logging and Audit Controls:
All these services deliver flow logs to an Amazon S3 bucket.
iv. Customer Connectivity: AWS Site-to-Site VPN was configured to connect directly with the AWS Transit Gateway.
v. Access Control and Alerting:
vi. AWS Elastic Kubernetes Services (EKS): EKS was configured to manage and host client applications.
vii. AWS Elastic Container Registry (ECR): ECR was used for storing application container images.
viii. AWS Relational Database Services (RDS): RDS was used as an application database.
Bastion was used for administration.
Jenkins was used to manage CI/CD operations.
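An added example (not part of the original case study or the client's tooling) of the kind of audit check that keeps point iii honest: it verifies that each VPC has an active flow log covering all traffic and delivering to the audit S3 bucket. The VPC and flow-log records are constructed to mimic the shape of EC2 DescribeVpcs / DescribeFlowLogs responses; in practice they would come from boto3 calls, and the bucket ARN is a placeholder.

```python
"""Audit check: every VPC must ship flow logs to the audit S3 bucket.

Constructed sample data below; shape follows EC2 DescribeVpcs/DescribeFlowLogs.
"""

# Constructed sample: the management/production/development VPC split from section A.
VPCS = [
    {"VpcId": "vpc-0aaa", "Tags": [{"Key": "Name", "Value": "management"}]},
    {"VpcId": "vpc-0bbb", "Tags": [{"Key": "Name", "Value": "production"}]},
    {"VpcId": "vpc-0ccc", "Tags": [{"Key": "Name", "Value": "development"}]},
]

# Constructed sample: management logs to CloudWatch only, development has no flow log.
FLOW_LOGS = [
    {"ResourceId": "vpc-0aaa", "LogDestinationType": "cloud-watch-logs",
     "FlowLogStatus": "ACTIVE", "TrafficType": "ALL"},
    {"ResourceId": "vpc-0bbb", "LogDestinationType": "s3",
     "LogDestination": "arn:aws:s3:::example-flow-logs",  # placeholder bucket ARN
     "FlowLogStatus": "ACTIVE", "TrafficType": "ALL"},
]


def vpc_name(vpc):
    """Resolve the Name tag, falling back to the VPC id."""
    return next((t["Value"] for t in vpc.get("Tags", []) if t["Key"] == "Name"), vpc["VpcId"])


def compliant_log(fl, bucket_arn):
    """A flow log counts only if it is ACTIVE, captures ALL traffic and lands in the audit bucket."""
    return (fl["LogDestinationType"] == "s3"
            and fl.get("LogDestination", "").startswith(bucket_arn)
            and fl["FlowLogStatus"] == "ACTIVE"
            and fl["TrafficType"] == "ALL")


def audit_flow_logs(vpcs, flow_logs, bucket_arn):
    """Return {vpc_name: finding} for every VPC without a compliant flow log."""
    findings = {}
    for vpc in vpcs:
        logs = [fl for fl in flow_logs if fl["ResourceId"] == vpc["VpcId"]]
        if not logs:
            findings[vpc_name(vpc)] = "no flow log configured"
        elif not any(compliant_log(fl, bucket_arn) for fl in logs):
            findings[vpc_name(vpc)] = "flow log present but not ALL traffic to the audit S3 bucket"
    return findings


if __name__ == "__main__":
    for name, issue in audit_flow_logs(VPCS, FLOW_LOGS, "arn:aws:s3:::example-flow-logs").items():
        print(f"{name}: {issue}")
```

An empty result means every VPC is covered; anything else is a finding to fix before the next audit.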
B. HIPAA Compliant Migration Approach
C. HIPAA Compliant Testing Approach
A HIPAA-compliant approach was set up for all testing purposes which followed the method depicted below:
D. HIPAA Compliant Policy Checklist
i. Authentication and Authorization Policy
ii. Encryption and Protection Policy
The client's benefits stemmed mainly from having complete control over HIPAA compliance in their AWS cloud without needing to rely on expensive third-party tools like DATICA.
Some other benefits brought forth by this project were:
Taashee’s technical team helps organizations that require increased developer productivity, higher quality applications, and lower maintenance costs. Taashee programmers specialize in multiple technologies with add-on features and advanced support. The biggest advantage for customers approaching Taashee is that they do not need to approach multiple vendors to implement different technologies.