Implementing a HIPAA solution presents challenges from day one. Not only are you saddled with seemingly insurmountable regulatory challenges, you also take on the stewardship of people's most deeply personal information. The AWS platform simplifies deployment of HIPAA applications by offering a rich set of dynamic scalability, developer services, high availability options, and strong security. Hosting a HIPAA application on the public cloud may seem pretty scary, but Ideomed solved some of this architecture's most vexing challenges by building a major health portal and deploying it on AWS. Come hear Ideomed CEO Keith Brophy and solution architect Gerry Miller talk first-hand about the challenges and solutions, including CloudHSM encryption, multi-AZ failover, dynamic scaling, and more!

1. Implementing Bulletproof HIPAA Solutions on AWS
Gerry Miller, CTO - Cloudticity
Keith Brophy, CEO – Ideomed
Mark Welscott, Director – Spectrum Health
November 15, 2013
© 2013 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified, or distributed in whole or in part without the express consent of Amazon.com, Inc.

5. Convergence of technology, storage,
connectivity, medical advances

7. Mark Welscott, Director – Spectrum Health

9. Keith Brophy, CEO - Ideomed

15. Gerry Miller, CTO - Cloudticity

16. The Three Big Problems We Solved

17. The Three Big Problems We Solved

18. The Three Big Problems We Solved

19. Architecture Overview

22. VPC Security Layers
Internet
Corporate
VPN
Firewall
Amazon
Routing
Rules
Corporate
Internal
Firewall
Windows
Firewall
Corp server auth and ACLs across all internal datacenters

23. Solution Specifics

24. CloudHSM Configuration

25. Encryption of Data at Rest

26. Securing Database via TDE
Amazon CloudHSM

27. SQL
...
sp_configure ‘show advanced options’, 1 ;
GO
RECONFIGURE ;
GO
sp_configure ‘EKM provider enabled’, 1 ;
GO
RECONFIGURE ;
GO
CREATE CRYPTOGRAPHIC PROVIDER EKM_Prov
FROM FILE = “C:PROGRAM FILESLunaSAEKMLunaEKM.DLL” ;
GO
...

28. Securing Sensitive Info from Devs

29. Custom Protected Config Provider
...
public override XmlNode Encrypt(XmlNode node)
{
var encryptedData = "";
var stringToEncrypt = node.OuterXml;
for (var i = 1; stringToEncrypt.Length > 0; i++)
{
var encryptTheseBytes = stringToEncrypt.Substring(0,
Math.Min(MaxBlockSize, stringToEncrypt.Length));
var encryptedBytes = EncryptString(encryptTheseBytes);
encryptedData += "<Block" + i + ">"
+ encryptedBytes + "</Block" + i + ">";
stringToEncrypt = (stringToEncrypt.Length > MaxBlockSize) ?
...

30. Unencrypted Configuration
<secureAppSettings xmlns:xdt="http://schemas.microsoft.com/XML-DocumentTransform" xdt:Transform="Replace">
<add key=”ClientSecret" value=”xgR2%%f" />
<add key="MessageAttachmentsKey"
value=”D7sdlj0GGjhadjkj77sd8jlaj9aihaf0993j=" />
<add key="MessageAttachmentsIV" value=”hhGJfl87JJhhsl+8sj==" />
</secureAppSettings>

31. Encrypted Configuration
<secureAppSettings xmlns:xdt="http://schemas.microsoft.com/XML-Document”
configProtectionProvider="LunaSAProtectedConfigurationProvider"
xdt:Transform="Replace">
<EncryptedData>
<Block1>Gsk2WVr8b9R6gN49c11RTzlHtOSL2QsGX3vGXVIqGYCuBKQh=</Block1>
<Block2>Hhhj9Ljjd90jJjhf99shjoljjlJUIUYRJjj87fHHgdkri77a=</Block2>
<Block3>HHDG99jsjJJDLKL99LKJhoijsdfiOIH847jJHYETQKmfkgiU=</Block3>
<Block4>88HHJjfhk9773HhfyUirKIOPjustUhf886djNNjfoe9Hjdfk=</Block4>
</EncryptedData>
</secureAppSettings>

32. Process Automation & Governance

33. Automated Build & Deployments

34. AWS CloudFormation Manages Environments

36. Things We Learned

38. Please give us your feedback on this
presentation
SEC306
As a thank you, we will select prize
winners daily for completed surveys!