Achieving Compliance Through DevOps with REAN Cloud
Aaron Friedman is a Healthcare & Life Sciences Partner Solutions Architect with Amazon Web Services
When I survey our Healthcare and Life Sciences Partners, one of the common competencies I see is a great foundation in DevOps best practices. By building software in an automated and traceable manner, you are able to more easily determine the “Who, What, Where, and When” of any activity performed in the environment. This determination is a cornerstone for any compliant (HIPAA, GxP, etc.) environment.
REAN Cloud (“REAN”) is an AWS Partner Network (APN) Premier Consulting Partner and AWS MSP Partner, and is also an AWS Public Sector Partner. The company holds a number of AWS Competencies, including DevOps, Healthcare, Financial Services, Migration, and Government. REAN is a cloud-native firm with deep experience in supporting enterprise IT infrastructures and implementing continuous integration and continuous delivery (CI/CD) pipelines. The team routinely implements complex and highly scalable architectures for workloads in highly regulated industries such as Healthcare and Life Sciences, Financial Services, and Government. DevOps principles are core to REAN’s philosophy, and the solutions they develop are bundled with advanced security features to help address clients’ compliance needs ranging from HIPAA and HITRUST through FedRAMP and PCI.
Every solution that REAN builds on top of the AWS Cloud has security and compliance as its top priority. Healthcare and Life Sciences are highly regulated industries and many of its workloads are subject to regulatory requirements such as HIPAA and GxP. There are several common themes that must be addressed in every regulated workload including:
- Logging, Monitoring, and Continuous Compliance
- Documentation and Non-Technical Controls
- Administrative Environment Access and Separation of Duties
In this blog post, I’ll discuss these concepts and how REAN approaches each of these focus areas on the AWS Cloud. Let’s dive a little deeper.
Logging, Monitoring and Continuous Compliance
Tracking how your environment changes over time, and who accesses it, is central to meeting many different regulatory requirements. In order to paint the full picture of what is occurring in your environment, you store application logs, operating system logs, and other environment-specific logs and performance data. AWS services such as AWS CloudTrail, Amazon CloudWatch, and AWS Config produce and store critical information about your environment that should be organized and retained for potential use during troubleshooting activities or compliance audits. With the AWS Cloud, you can use these services to capture, organize, and verify the logs and information that describe the cloud environment itself.
REAN Cloud addresses the challenge of managing all of this log information by leveraging a DevOps Accelerator that they have created called REAN Radar.
Radar ingests logs from many different sources, configures meaningful dashboards of information relevant to the environment being managed, and evaluates that information in the context of well-respected security and compliance frameworks such as Center for Internet Security (CIS) benchmarks. REAN Managed Services uses Radar dashboards to monitor for configuration drift, changes to sensitive data access, misconfigured infrastructure, broken ingest pipes, and numerous other environment specific metrics and measures.
Radar adapts as the environment grows and shrinks – new systems are automatically added to scope as the pipelines are grown, and old components are removed when no longer needed. Radar dashboards can be configured to suit a wide variety of customer requests and are well suited for providing “at-a-glance” visibility for management or governance committees. For example, a dashboard can be created to monitor in real time who has access to a particular set of data – this is very useful for HIPAA environments where monitoring access to protected health information (PHI) is critical.
Documentation and Non-Technical Controls
Documentation and Non-Technical Controls are an important part of the overall compliance story for a system. AWS provides a variety of compliance resources that our HCLS partners can use while addressing regulated workloads. With our Shared Responsibility Model, AWS manages the security of the cloud while customers and APN Partners, such as REAN, manage security in the cloud. For example, REAN, as an APN Partner, and REAN customers might decide to refer to AWS controls (such as for hardware management and physical environment security) and other audits and attestations that AWS has achieved for different services (such as SOC 2 (Type 2) or FedRAMP). AWS Artifact provides on-demand access to many of these audit artifacts, which APN Partners can use in their own system documentation.
REAN Cloud helps customers achieve system compliance by supporting a wide range of activities, from the creation of a Cloud Security and Compliance strategy for an entire organization to manual document creation to meet specific compliance needs. In addition, REAN has helped their customers navigate HITRUST audits.
One of REAN’s goals is to apply the same automation principles to the (often manual) documentation creation process by applying a Pipeline-based approach to system and data center deployments. REAN leadership believes that system documentation packages can be automated alongside the environment itself. REAN accelerators are being used to improve speed of delivery and consistency for these important artifacts that demonstrate control of an environment.
As an example, REAN Managed Services uses REAN AssessIT and document accelerators every month to produce security assessment reports for every managed environment. These reports examine over 40 important security best practices and are generated automatically and tailored for each customer to focus on areas that are relevant to their business.
For customers requiring extensive environment documentation packages (such as for GxP compliance), REAN is developing a pipeline that ties fully automated documentation generation to the automated creation of the environments. Again, REAN continues to develop new technology to maximize the value of documentation and applies a consistent, disciplined approach to environment management while striving to minimize the human cycles required to produce such outcomes.
Administrative Environment Access and Separation of Duties
A major piece of any compliance story is the ability to demonstrate control of an environment. Authentication and authorization are central to this process, allowing a user to access the specific data they need. An area of concern for auditors is administrative access in an environment due to the broad permissions generally associated with this role. By using AWS native services such as Amazon VPC, AWS Identity and Access Management (IAM), and Amazon WorkSpaces, REAN helps customers build segregated and secure application environments of any size and scale required while still allowing REAN Managed Services or other Application Support Personnel to keep the environment running and provide support for any incidents that may occur.
REAN embraces the concept of “Control Accounts” when designing healthcare and life sciences application environments. A Control Account is used as a common area for hosting shared services and administrative tools that run against the “Managed Accounts”. Here is a simple example:
In this diagram, the Control Account is used to manage:
- Jenkins and all pipeline deployments into the Dev and Prod accounts
- Nessus vulnerability scans into the other accounts
- REAN Radar
- WorkSpaces for administrative access into the other environments. As REAN manages environments with PHI, WorkSpaces (which is not listed as HIPAA-eligible) is not used to remediate specific situations that involve PHI.
AWS features such as VPC Peering and IAM Cross-Account Roles make this approach possible and allow REAN to focus on hardening the application hosting environments (such as Dev and Prod) to allow only the absolute minimum required permissions and network communication. Governance and oversight can then focus on the Control Account to ensure that the applications and services hosted there to support the other environments are locked down and granted only to the required team members.
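As an added example of the governance check this Control Account pattern calls for (my own illustration, not REAN’s tooling), the following Python validates a cross-account IAM role defined in a Managed Account: it should be assumable only from the Control Account, should require MFA via the `aws:MultiFactorAuthPresent` condition key, and its permissions should carry no wildcard actions or resources. The account IDs, role names and policy documents are constructed for this example; the policy structure follows the IAM JSON policy format.

```python
"""Added example: static checks on a Managed Account cross-account role
against the Control Account pattern. Not REAN's code; IDs are constructed."""
from typing import List

CONTROL_ACCOUNT = "111111111111"       # constructed Control Account ID
MANAGED_PROD_ACCOUNT = "222222222222"  # constructed Prod (Managed) Account ID

# A least-privilege deployment role for the pipeline running in the Control Account.
GOOD_ROLE = {
    "name": "PipelineDeployRole",
    "trust_policy": {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{CONTROL_ACCOUNT}:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}}]},
    "permissions_policy": {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Action": ["cloudformation:CreateStack", "cloudformation:UpdateStack",
                   "cloudformation:DescribeStacks"],
        "Resource": f"arn:aws:cloudformation:us-east-1:{MANAGED_PROD_ACCOUNT}:stack/app-*/*"}]},
}

# The same role with the weaknesses an auditor would flag: a second trusted
# account, no MFA condition, and administrator-equivalent permissions.
BAD_ROLE = {
    "name": "PipelineDeployRole",
    "trust_policy": {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": [f"arn:aws:iam::{CONTROL_ACCOUNT}:root",
                              "arn:aws:iam::333333333333:root"]},
        "Action": "sts:AssumeRole"}]},
    "permissions_policy": {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": "*", "Resource": "*"}]},
}


def _as_list(value) -> list:
    """IAM allows a string or a list in Action/Resource/Principal fields."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _assume_role_statements(trust_policy: dict):
    for st in trust_policy.get("Statement", []):
        if st.get("Effect") == "Allow" and "sts:AssumeRole" in _as_list(st.get("Action")):
            yield st


def trusted_accounts(trust_policy: dict) -> List[str]:
    """Account IDs (or '*') whose principals may call sts:AssumeRole on the role."""
    accounts = []
    for st in _assume_role_statements(trust_policy):
        principal = st.get("Principal", {})
        entries = ["*"] if principal == "*" else _as_list(principal.get("AWS"))
        for p in entries:
            # ARN layout: arn:partition:service:region:account-id:resource
            accounts.append(p.split(":")[4] if p.startswith("arn:") else p)
    return accounts


def requires_mfa(trust_policy: dict) -> bool:
    """True only if every AssumeRole grant carries the MFA condition."""
    statements = list(_assume_role_statements(trust_policy))
    return bool(statements) and all(
        str(st.get("Condition", {}).get("Bool", {})
            .get("aws:MultiFactorAuthPresent", "")).lower() == "true"
        for st in statements)


def validate_managed_account_role(role: dict, control_account: str = CONTROL_ACCOUNT) -> List[str]:
    """Return human-readable issues; an empty list means the role passes."""
    issues = []
    trust = role["trust_policy"]
    for acct in trusted_accounts(trust):
        if acct != control_account:
            issues.append(f"trusts a principal outside the Control Account: {acct}")
    if not requires_mfa(trust):
        issues.append("trust policy does not require MFA")
    for i, st in enumerate(role["permissions_policy"].get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        if any(a == "*" or a.endswith(":*") for a in _as_list(st.get("Action"))):
            issues.append(f"statement {i} allows wildcard actions")
        if "*" in _as_list(st.get("Resource")):
            issues.append(f"statement {i} allows all resources")
    return issues


if __name__ == "__main__":
    for role in (GOOD_ROLE, BAD_ROLE):
        print(role["name"], validate_managed_account_role(role) or "OK")
```

This is a check on policy documents, so it belongs in the pipeline that deploys the Managed Accounts (fail the deployment when the list is non-empty) rather than in an after-the-fact review; whether MFA was actually used on a given session is a question for the CloudTrail `AssumeRole` records, not for the policy text.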
Benefit to Customers
Ultimately, the benefits that REAN provides with their DevOps principles only apply if there is tangible benefit to their customers. REAN has helped customers across a wide range of regulated industries including Financial Services, Healthcare & Life Sciences, and Government & Education achieve their desired regulatory and technology transformation outcomes on the AWS Cloud.
One such example is how REAN helped Aledade meet their HIPAA goals for their platform. In addition to architecting a solution on the AWS Cloud in accordance with best practices, REAN served as Aledade’s compliance guide. According to Chris Cope, previously the DevOps Lead at Aledade, “REAN Cloud’s staff was a huge help navigating HIPAA/HITECH compliance best practices on approved cloud services. They also had extraordinary attention to detail on security matters and are leaders at defining best practices on AWS.”
In November of 2016, The American Heart Association and AWS announced the launch of the “AHA Precision Medicine Platform”, “a global, secure cloud-based data marketplace that will help revolutionize how researchers and clinicians come together as one community to access and analyze rich and diverse data to accelerate solutions for cardiovascular diseases — the No. 1 cause of death worldwide.”
REAN Cloud, in partnership with AWS Professional Services, worked with AHA leadership to develop and implement the platform on AWS. REAN Engineers have implemented pipeline-driven automated deployments of the entire AHA Precision Medicine Platform and continue to show how security and compliance can move as fast as the development team.
The AHA Precision Medicine Platform leverages REAN Radar dashboards to monitor the environment, the Control Account approach to shared services and administrative access, and the team has established an effective weekly communication plan with AHA leadership to drive priorities. AHA and REAN work jointly to establish proofs of concept, minimal viable solutions, and test these solutions with a series of beta-testers. REAN recently published a case study on AHA that you can read here.
Data sensitivity is central to regulated workloads, and we often focus on how we process, store, and transmit that data. Yet the surrounding components, such as logging and access control, are just as important when building a compliant solution. REAN Cloud and their healthcare and life sciences customers achieve an end-to-end solution with REAN Cloud’s top-of-the-line in-cloud security and management tools combined with the power of the multi-dimensional strengths of AWS.
If you are interested in learning about how REAN Cloud can support your healthcare and life sciences related workloads to meet your security and compliance requirements, please email them at firstname.lastname@example.org.
If you’re interested in learning more about how AWS can add agility and innovation to your healthcare and life sciences solutions be sure to check out our Cloud Computing in Healthcare page. Also, don’t forget to learn more about both our Healthcare and Life Sciences Competency Partners and how they can help differentiate your business.
Will you be at HIMSS? Be sure to stop by our booth #6969! We’d love to meet with you.