AWS Partner Network (APN) Blog
Bringing Business Intelligence to Healthcare Organizations with Tableau on AWS
By Aaron Friedman, Healthcare & Life Sciences Partner Solutions Architect at AWS
By Vaidy Krishnan, Senior Product Manager at Tableau
No matter what industry you’re in, data is transforming the way you do business. Healthcare organizations across the globe are using advanced analytics to harness the value of their data assets, whether to improve internal operations, enable precision medicine, or unlock the full value within electronic health records.
Core to this endeavor is simplifying how healthcare organizations see and understand their data, and many of them are using Tableau Software to gain new insights into their treasure trove of data. Tableau, an AWS Partner Network (APN) Advanced Technology Partner with AWS Competencies in both Data & Analytics and Mobile, is focused on giving customers the ability to analyze data in a way that’s fast, easy, and useful.
Healthcare customers, such as the Inova Translational Medicine Institute, are using Tableau on Amazon Web Services (AWS) to transform how they get value from their data sets. Given the sensitivity of health data, security is paramount to many of Tableau’s customers. In addition to implementing technical controls, such as encryption in-transit, healthcare organizations needing to align to regulatory frameworks like HIPAA would have to manually incorporate how Tableau Server fits into their compliance protocols.
AWS Quick Start: Tableau Server on AWS for Healthcare
At Tableau Conference 2018, we announced a new AWS Quick Start: Tableau Server on AWS for Healthcare. This lets customers quickly deploy Tableau Server on AWS, preconfigured with common security and compliance controls such as encryption at-rest and in-transit, to support their compliance objectives out of the box.
The Quick Start comes with a jointly authored security controls reference describing how different parts of the HIPAA Security and Privacy Rules apply to AWS and Tableau, as well as the specific implementation in this Quick Start, in accordance with the AWS Shared Responsibility Model.
In this post, we will highlight several key security features of this Quick Start and how healthcare organizations can quickly and easily set up Tableau Server on AWS.
Please note: This Quick Start will not, by itself, make you HIPAA-compliant. The information contained in this Quick Start package is not exhaustive, and must be reviewed, evaluated, assessed, and approved by you in connection with your organization’s particular security features, tools, and configurations.
Building Security into the Deployment
This Quick Start gives you the ability to launch Tableau Server in either a new Amazon Virtual Private Cloud (VPC) or an existing VPC.
Figure 1 – This Quick Start helps you deploy a Tableau Server standalone environment on the AWS Cloud.
Several security measures within the Quick Start help Tableau customers deploy single-node Tableau Server in their AWS environment and align with their responsibilities to the AWS Business Associates Addendum and HIPAA in general.
Encryption At-Rest
Tableau Server is deployed on Amazon Elastic Compute Cloud (Amazon EC2) instances backed by Amazon Elastic Block Store (Amazon EBS) volumes. Each Amazon EBS volume is encrypted at-rest using envelope encryption with AWS Key Management Service (KMS). We accomplish this encryption with an AWS Step Functions state machine.
Each Tableau Server deployment, which can be either Linux- or Windows-based, is built from a base Amazon Machine Image (AMI). These AMIs have unencrypted root volumes, so we need to create base AMIs whose Amazon EBS root volumes are encrypted.
The simple way to do this is Amazon EC2 CopyImage, which takes an unencrypted AMI and creates an encrypted copy. CopyImage requires you to own the AMI, so for AMIs that are either Windows-based or from AWS Marketplace (e.g. CentOS), you must first create a copy of the base AMI that your account owns.
The steps for the state machine are as follows:
1. Determine the AMI source. If the source is from Windows or AWS Marketplace, go to step 2. If not (Amazon Linux and Ubuntu), go to step 6.
2. Spin up a t2.nano instance with the desired OS.
3. Once the Amazon EC2 instance is running, stop the instance.
4. Create an AMI from the stopped instance.
5. Terminate the Amazon EC2 instance.
6. From either the base AMI or the one created in step 4, create a new AMI with an encrypted root volume. This volume is then used for configuring Tableau Server.
Many of these steps use the Job Status Poller framework to submit the job and then use Describe API calls to check the status of the job.
Figure 2 – Job Status Poller state machine.
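As an added example (not the Quick Start's own state machine code), here are the six steps as straight-line Python against a boto3-style EC2 client, with boto3 waiters doing the Describe polling that the Job Status Poller does in the state machine. The function names, the use of the Platform and ImageOwnerAlias fields to detect Windows and Marketplace sources, the final encryption check, and the in-memory FakeEC2 stand-in are assumptions of this example.

```python
def needs_owned_copy(image):
    # Step 1: Windows and AWS Marketplace AMIs must be re-created in this account first.
    return (image.get("Platform") == "windows"
            or image.get("ImageOwnerAlias") == "aws-marketplace")

def unencrypted_devices(image):
    # Device names of EBS mappings that are not flagged Encrypted.
    return [m["DeviceName"] for m in image.get("BlockDeviceMappings", [])
            if "Ebs" in m and not m["Ebs"].get("Encrypted", False)]

def build_encrypted_ami(ec2, source_ami, region, kms_key_id):
    def wait(name, **ids):  # a waiter polls the matching Describe call until done
        ec2.get_waiter(name).wait(**ids)
    base = source_ami
    if needs_owned_copy(ec2.describe_images(ImageIds=[source_ami])["Images"][0]):
        iid = ec2.run_instances(ImageId=source_ami, InstanceType="t2.nano",  # step 2
                                MinCount=1, MaxCount=1)["Instances"][0]["InstanceId"]
        wait("instance_running", InstanceIds=[iid])
        ec2.stop_instances(InstanceIds=[iid])  # step 3
        wait("instance_stopped", InstanceIds=[iid])
        base = ec2.create_image(InstanceId=iid, Name="owned-" + source_ami)["ImageId"]  # step 4
        wait("image_available", ImageIds=[base])
        ec2.terminate_instances(InstanceIds=[iid])  # step 5
    enc = ec2.copy_image(Name="encrypted-" + base, SourceImageId=base,  # step 6
                         SourceRegion=region, Encrypted=True, KmsKeyId=kms_key_id)["ImageId"]
    wait("image_available", ImageIds=[enc])
    bad = unencrypted_devices(ec2.describe_images(ImageIds=[enc])["Images"][0])
    if bad:  # fail closed: never hand an unencrypted image to the next stage
        raise RuntimeError(f"{enc} has unencrypted volumes: {bad}")
    return enc

class FakeEC2:
    """Constructed in-memory stand-in for boto3.client("ec2"); records call order."""
    def __init__(self, images):
        self.images, self.calls = dict(images), []
    def describe_images(self, ImageIds):
        return {"Images": [self.images[i] for i in ImageIds]}
    def get_waiter(self, name):
        return self  # the fake finishes every job at once, so wait() is a no-op
    def wait(self, **ids): pass
    def __getattr__(self, op):  # any other API call: record it, return canned data
        def call(**kw):
            self.calls.append(op)
            if op not in ("create_image", "copy_image"):
                return {"Instances": [{"InstanceId": "i-constructed"}]}
            ami = f"ami-constructed{len(self.images)}"
            self.images[ami] = {"BlockDeviceMappings": [
                {"DeviceName": "/dev/sda1", "Ebs": {"Encrypted": kw.get("Encrypted", False)}}]}
            return {"ImageId": ami}
        return call
```

Against a real account, pass `boto3.client("ec2")` in place of `FakeEC2`; the call names and parameters are the same.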
Encryption In-Transit
Covered entities under HIPAA are required to have a Business Associates Addendum (BAA) with AWS for the analysis of Protected Health Information (PHI). The AWS BAA mandates that all PHI on AWS be encrypted at-rest and also in-transit.
To remain consistent with the AWS BAA, PHI is first encrypted from the internet to the Application Load Balancer with an SSL certificate stored in AWS Certificate Manager, and then from the Load Balancer to Tableau Server using a self-signed certificate generated by OpenSSL.
To learn more about encryption in-transit with Tableau, please see their documentation for Windows and Linux.
Logging and Configuration Management
AWS Config is often a key component to how healthcare organizations visualize their AWS environment. You can take your policies, translate them into technical controls, and then build AWS Config Rules that map to those policies.
In this Quick Start, we create several AWS Config Rules to demonstrate how you can monitor a Tableau Server environment. These rules are scoped to a specific tag so that you can monitor Tableau resources separately from your other resources.
Here’s what it looks like after the Quick Start deployment has finished. All AWS Config Rules should show as compliant.
Figure 3 – AWS Config Rules deployed by this Quick Start
While outside the scope of this Quick Start, you could build additional AWS Config Rules, such as checking configuration files on Tableau Server using a combination of AWS Lambda and AWS Systems Manager. You can also use additional tagging policies to group additional resources if you wish to broaden the scope of your checks with AWS Config.
Enabling Self-Service Visual Analytics with Tableau
With the current shift from volume-based care to value-based, healthcare organizations have additional financial imperatives to optimize their operations and ensure patients get the right treatment earlier on in their regimen.
Below are two of the many ways HCOs can leverage Tableau to gain new insights into their data sets. Both of these examples have been provided by the team at Tableau.
Example 1: Diving into the Opioid Crisis
Opioid addiction is one of the biggest public health crises today. The National Institute of Drug Abuse estimates that over 115 people die every day from opioid addiction, and this epidemic costs over $78.5 billion USD. One of the key causes of this epidemic is the over-prescription of opioid medications, often due to pain management.
As shown in Figure 4, with Tableau you can quickly dive into the details of the epidemic by rapidly interacting with your data sets to understand the severity of opioid overdose compared to other drugs (top right), what specialties are most responsible for prescribing opioids (bottom middle), and dive into the specific physicians prescribing opioids at both high volume and high percentage (bottom left).
For more information about the opioid use case, please see this Tableau blog post.
Figure 4 – Tableau visualization of the opioid crisis.
Example 2: Understanding Reimbursement
Reimbursement rates are an important metric for healthcare providers. Ensuring that physicians and procedures are driving the desired health outcomes is important for the financial solvency of a healthcare organization.
The dashboard in Figure 5 gives provider organizations the ability to do just that. With Tableau, you’re able to visualize the average charge per patient and analyze the reimbursement rate based on attending physician and medical procedure, and adjust how your organization operates to improve outcome-based reimbursement rates.
Figure 5 – Tableau visualization of reimbursement.
Getting Started
Like with any AWS Quick Start, getting started is easy. Just navigate to the Tableau Server on AWS for Healthcare Quick Start page and follow the directions to deploy Tableau Server.
Be sure to review the deployment guide and security controls reference to understand how this deployment can support your healthcare compliance objectives.
We look forward to seeing how healthcare organizations use this Quick Start to analyze their health data sets.
Additional Resources
- View the architecture and details
- See the deployment guide for step-by-step instructions
- View the security controls reference
- Download the AWS CloudFormation templates that automate the deployment
Tableau Software – APN Partner Spotlight
Tableau is an AWS Competency Partner. They make it fast and easy to create beautiful analytics from virtually any source of data. Tableau is a natural fit for organizations that are looking to deploy with lightning speed.