How the AWS Cloud Cuts HITRUST Cost, Complexity, and Timelines
By Gerry Miller, Founder and CEO at Cloudticity
As more healthcare information is managed and stored in the cloud, organizations are discovering the critical importance of HITRUST certification. Though it isn’t mandatory, many providers and payers won’t work with vendors that aren’t certified, giving a competitive advantage to organizations that attain it.
Though conforming to HITRUST guidelines provides benefits, the certification process is anything but easy.
Long and costly, the journey to HITRUST certification can distract teams from other responsibilities and goals. But choosing the right partner can accelerate the process by up to 50 percent, reducing your overall investments of money and internal resources.
This post will:
- Define HITRUST certification and explain how it helps healthcare providers, payers, and technology companies stay on top of HIPAA regulations.
- Outline how using Amazon Web Services (AWS) simplifies and streamlines the HITRUST certification process.
- Present a use case of how leveraging AWS enabled a smooth timeline to HITRUST certification and continued innovation.
Cloudticity is an AWS Partner Network (APN) Advanced Consulting Partner and Managed Services Provider (MSP). We are HITRUST certified and have AWS Competencies in DevOps and Healthcare, and several AWS Service Delivery designations.
The Challenges of HITRUST
The HITRUST certification process is complex and requires deep expertise and experience.
The path to certification is especially difficult for organizations that attempt to handle it in-house. The process often incurs steep costs, including:
- Time: The certification process, if not guided by experienced HITRUST experts, can take up to two years.
- Resources: Substantial internal resources must be devoted to the process, distracting your team and diverting energy from innovation and growth.
- Price and budget: While becoming HITRUST certified is certainly an investment, it can provide a valuable ROI. However, that investment can balloon when inexperienced teams are charged with leading the process.
How AWS Accelerates HITRUST Certification
To be clear, there are no shortcuts to HITRUST certification. The high bar set by its rigorous requirements is what makes the certification valuable to organizations and to the industry at large. However, the cloud provides ways to accelerate the certification process while reducing complexity and cost.
Moving to AWS allows you to use code to automate infrastructure management and immediately satisfy specific controls tied to HITRUST certification. Automation isn’t an option in a physical data center environment, where issues have to be addressed manually.
The move to AWS requires a knowledgeable guide who knows the platform. The right partner can drastically reduce the cost, complexity, and timelines associated with HITRUST certification. Working with an expert partner both accelerates the certification process and enables you to continue to focus on innovation and growth while tackling it.
AWS and Automation
One of the biggest challenges to achieving HITRUST certification is that a company can’t just prove it has satisfied controls at a certain point in time. Rather, you need to demonstrate that your organization has put the tools in place for maintaining continued compliance.
This ongoing requirement makes automated solutions crucial to today’s digital healthcare environments. And the benefits of automating compliance on AWS go beyond compliance. Cloudticity helps companies reduce their costs, allocate resources better, and recover more quickly from problems.
Traditional MSPs tend to view their business as a headcount challenge, maintaining a large staff to answer helpdesk tickets, monitor dashboards on screens, and manually execute customer requests and remediate problems. From the beginning, our team at Cloudticity approached managed services as a software problem, and we made the decision early on to automate every aspect of the business.
This level of automation is impossible in a traditional data center. Servers are physical devices that have to be requisitioned, unloaded from trucks, unboxed, burned in, and racked. AWS, however, provides the ability to perform tasks via API, presenting the opportunity for companies like Cloudticity to replace large teams of technicians with software.
As a result, security and compliance—including HIPAA compliance—are drastically improved: humans make mistakes when executing tasks, while automated runbooks are executed the same way, with precision, every single time.
Cloudticity and the Future of Healthcare
Cloudticity was one of the first companies to demonstrate it was possible to manage protected health information (PHI) in the cloud, and we continue to innovate within the digital healthcare space.
Cloudticity not only has deep ties to the AWS community, we’re also in direct contact with HITRUST itself. Cloudticity is among a select group of companies that participate in HITRUST committees, making it uniquely positioned to influence the future of digital healthcare compliance.
Cloudticity leverages the full range of AWS’ HITRUST-certified services to move customers beyond the certification process and towards the next steps in their development.
Customer Use Case: MiHIN
The Michigan Health Information Network Shared Services (MiHIN) is a state-designated entity working to improve healthcare quality, efficiency, and patient safety. By sharing electronic health information statewide, MiHIN helps reduce costs for patients, providers, and payers.
With more than 12 million patient health information messages passing through MiHIN’s network each week, the company’s co-located data centers couldn’t scale to keep pace with the growing amounts of data.
MiHIN also sought to reduce costs. Its data centers required considerable expenditures and continued maintenance, and an expanding stakeholder base demanded new levels of flexibility. The rigidity of the hardware also meant the organization couldn’t respond to customer requests to launch new services and features, hampering MiHIN’s capacity for innovation and responsiveness.
By moving its exchange from physical data centers to the AWS Cloud, MiHIN addressed its need for scalability, cost savings, and flexibility while also adopting tools that enabled more security and agility in managing patient information.
While MiHIN had the healthcare experience and expertise to manage governance, risk, and compliance, it didn’t know where to start in choosing a partner to assist with its migration to the cloud. Without the right cloud provider, managing and deploying compliant infrastructure would involve a long and costly process.
Cloudticity quickly set itself apart thanks to its expertise in coding, migrating, and managing HIPAA-compliant solutions on AWS. With Cloudticity, MiHIN was able to achieve both HITRUST and EHNAC certification on AWS.
One of the ways Cloudticity helps MiHIN stay secure on AWS is through the use of predefined assets and templates deployed through AWS Service Catalog. This allows MiHIN, for example, to use Cloudticity-hardened Amazon Machine Images (AMIs) that have been vetted against CIS profiles I and II.
Of course, building and deploying AMIs is a fully automated process, using Amazon Simple Notification Service (SNS), Amazon Elastic Compute Cloud (Amazon EC2), and AWS Lambda to execute remediations suggested in CSVs, and AWS Service Catalog to access the updated AMIs.
Figure 1 – Automatically building hardened AMIs.
Cloudticity Oxygen provides more than 1,000 compliance checks, mapped to HITRUST controls and specific HIPAA regulations, using several AWS technologies such as AWS CloudTrail, Amazon GuardDuty, Amazon CloudWatch, VPC Flow Logs, and custom AWS Config Rules implemented with AWS Lambda.
One of the key differentiators that Cloudticity introduced, based on the philosophy of “automate everything,” is that most compliance issues can be remediated via automation.
For example, unencrypted objects in Amazon Simple Storage Service (Amazon S3) buckets are automatically encrypted, stale encryption keys can be automatically rotated, and unencrypted Amazon Elastic Block Store (Amazon EBS) volumes can be automatically encrypted during predefined maintenance windows.
Compliance issues can also be surfaced to dashboards for customer visibility, but the goal is to achieve as close to 100 percent auto-remediation as possible.
As of our last count, Cloudticity has achieved 94 percent remediation by automation. Most tickets are opened automatically by Oxygen when it detects a compliance problem, auto-remediated, and then closed automatically.
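To make the detect-then-remediate loop described above concrete, here is an added example of a Lambda-backed custom AWS Config rule in Python. It is not Cloudticity's Oxygen code; it assumes the documented Config custom-rule event shape (an `invokingEvent` JSON string carrying a `configurationItem`) and the documented configuration fields for `AWS::EC2::Volume` and `AWS::S3::Bucket` resources. The sample configuration items and events are constructed for this example, the `plan_remediation` mapping is this example's own, and the `boto3` call is only reached when the handler runs inside Lambda.

```python
"""Custom AWS Config rule: flag unencrypted EBS volumes and S3 buckets without
default server-side encryption, then map findings to a remediation plan.
Added example, not Cloudticity Oxygen code; event/field shapes are assumptions
based on the AWS Config custom-rule documentation."""
import json

COMPLIANT = "COMPLIANT"
NON_COMPLIANT = "NON_COMPLIANT"
NOT_APPLICABLE = "NOT_APPLICABLE"


def evaluate_item(item):
    """Return (compliance_type, annotation) for one Config configuration item."""
    if item.get("configurationItemStatus") in ("ResourceDeleted", "ResourceDeletedNotRecorded"):
        return NOT_APPLICABLE, "Resource deleted"
    rtype = item.get("resourceType")
    cfg = item.get("configuration") or {}
    if rtype == "AWS::EC2::Volume":
        # EBS volumes expose an 'encrypted' boolean in their configuration
        if cfg.get("encrypted") is True:
            return COMPLIANT, "EBS volume is encrypted"
        return NON_COMPLIANT, "EBS volume is not encrypted"
    if rtype == "AWS::S3::Bucket":
        # Bucket default encryption lives in supplementaryConfiguration; Config may
        # deliver it as a dict or as a JSON string (assumption), so accept both
        sse = (item.get("supplementaryConfiguration") or {}).get(
            "ServerSideEncryptionConfiguration") or {}
        if isinstance(sse, str):
            sse = json.loads(sse)
        algorithms = {
            (rule.get("applyServerSideEncryptionByDefault") or {}).get("sseAlgorithm")
            for rule in sse.get("rules") or []
        }
        if algorithms & {"AES256", "aws:kms"}:
            return COMPLIANT, "Bucket has default server-side encryption"
        return NON_COMPLIANT, "Bucket has no default server-side encryption"
    return NOT_APPLICABLE, "Resource type not covered by this rule"


def build_evaluation(event):
    """Turn a Config invocation into one put_evaluations entry, or None when the
    invocation carries no configuration item (e.g. a ScheduledNotification)."""
    invoking = json.loads(event["invokingEvent"])
    item = invoking.get("configurationItem")
    if item is None:
        return None
    ctype, note = evaluate_item(item)
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": ctype,
        "Annotation": note[:256],  # Config caps annotations at 256 characters
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }


def plan_remediation(evaluation):
    """This example's own mapping from a finding to a remediation plan. S3 default
    encryption can be switched on immediately; re-encrypting an EBS volume means
    replacing the volume, so it is deferred to a maintenance window, as the post describes."""
    if evaluation is None or evaluation["ComplianceType"] != NON_COMPLIANT:
        return None
    if evaluation["ComplianceResourceType"] == "AWS::EC2::Volume":
        return {"action": "encrypt-ebs-volume", "when": "maintenance-window"}
    if evaluation["ComplianceResourceType"] == "AWS::S3::Bucket":
        return {"action": "enable-s3-default-encryption", "when": "immediate"}
    return None


def lambda_handler(event, context):
    """Lambda entry point (assumed deployment as a Config custom rule)."""
    evaluation = build_evaluation(event)
    if evaluation is None:
        return []
    import boto3  # imported lazily so the module loads and tests offline
    boto3.client("config").put_evaluations(
        Evaluations=[evaluation], ResultToken=event["resultToken"])
    return [evaluation]


def make_event(item):
    """Wrap a configuration item in the event shape Config sends to a custom rule (constructed)."""
    return {
        "invokingEvent": json.dumps({"configurationItem": item,
                                     "messageType": "ConfigurationItemChangeNotification"}),
        "ruleParameters": "{}",
        "resultToken": "constructed-result-token",
        "eventLeftScope": False,
    }


# Constructed sample configuration items (IDs are placeholders, not real resources)
_BASE = {"configurationItemStatus": "OK",
         "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z"}
SAMPLE_VOLUME_UNENCRYPTED = dict(_BASE, resourceType="AWS::EC2::Volume",
                                 resourceId="vol-0constructed0001",
                                 configuration={"encrypted": False})
SAMPLE_VOLUME_ENCRYPTED = dict(_BASE, resourceType="AWS::EC2::Volume",
                               resourceId="vol-0constructed0002",
                               configuration={"encrypted": True})
SAMPLE_BUCKET_NO_SSE = dict(_BASE, resourceType="AWS::S3::Bucket",
                            resourceId="constructed-phi-bucket", configuration={},
                            supplementaryConfiguration={})
SAMPLE_BUCKET_SSE = dict(_BASE, resourceType="AWS::S3::Bucket",
                         resourceId="constructed-phi-bucket-kms", configuration={},
                         supplementaryConfiguration={"ServerSideEncryptionConfiguration": json.dumps(
                             {"rules": [{"applyServerSideEncryptionByDefault": {"sseAlgorithm": "aws:kms"}}]})})
SCHEDULED_EVENT = {"invokingEvent": json.dumps({"messageType": "ScheduledNotification"}),
                   "resultToken": "constructed-result-token"}

if __name__ == "__main__":
    for item in (SAMPLE_VOLUME_UNENCRYPTED, SAMPLE_VOLUME_ENCRYPTED,
                 SAMPLE_BUCKET_NO_SSE, SAMPLE_BUCKET_SSE):
        ev = build_evaluation(make_event(item))
        print(ev["ComplianceResourceId"], ev["ComplianceType"], plan_remediation(ev))
```

The point of separating `evaluate_item` and `plan_remediation` from `lambda_handler` is that the compliance logic can be unit-tested against captured configuration items without any AWS credentials, which is how a rule like this is kept trustworthy across the hundreds of checks the post mentions; a dashboard can then be fed from the same evaluation records that drive the auto-remediation.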
Figure 2 – The Cloudticity compliance dashboard.
For the most part, this happens almost instantaneously: 84 percent of Cloudticity’s helpdesk tickets are resolved within eight hours, even though our helpdesk system receives more than 10 times as many tickets as the average company of Cloudticity’s size. This is primarily due to the number of issues that are detected and resolved via automation.
Figure 3 – Cloudticity’s helpdesk statistics.
Cloudticity has also built the Oxygen Unified Logging Platform, which gives customers like MiHIN similar functionality to commercial log management solutions they may have used previously.
Figure 4 – Cloudticity’s unified logging solution.
The first step of MiHIN’s partnership with Cloudticity involved the construction of compliant infrastructure configurations. Cloudticity Oxygen provided a rich catalog of fully automated and preconfigured resources that matched the patterns of requests that MiHIN experienced before migration.
By making the switch, MiHIN’s resources are now preconfigured to be secure and HIPAA compliant, ensuring consistency and predictability. Moreover, by leveraging Cloudticity’s suite of tools to address a wide range of compliance controls, MiHIN has taken greater control of its data and gained a substantial head start on its journey to HITRUST certification.
By partnering with Cloudticity in its migration to the cloud, MiHIN gained a wealth of solutions and support, all of which operate with compliance and security in mind. Automating the principles of DevSecOps on AWS, we brought traceability and auditability to every step of the customer’s new system.
MiHIN shut down its co-located data centers after moving to AWS, immediately cutting costs by eliminating the expense of maintaining them. This move also freed up money that had previously been trapped in software licenses and management tools. With an updated business model, MiHIN found itself with more control over its costs.
The move also released MiHIN’s infrastructure team from the responsibilities of traditional data center management, giving back close to 30 FTE hours per week. Because the organization’s IT staff no longer spends time managing and maintaining all that hardware, it can fully concentrate on business growth.
AWS services play directly into this growth by offering secure testing environments for building and deploying unique use cases. By scaling controls across use cases, MiHIN’s security and deployment teams have upped their productivity by more than 10 percent.
From an operations standpoint, MiHIN can more easily recover from potential outages. What used to take three hours now takes just five minutes, thanks to the ability to access data from multiple AWS Availability Zones. Since the AWS cost model is primarily pay-per-use, overhead costs are more predictable and more affordable.
With new functions in place and its HITRUST certification secured, MiHIN created a new division in its organization—Advanced Cloud Services—and two entirely new sister companies.
One of these companies, The Interoperability Institute, is dedicated to increasing interoperability across different spaces and systems by creating technical communities through mentorships and internships. The Interoperability Land (IOL) testing universe that makes this possible is deployed directly on AWS.
Moving forward, MiHIN is better prepared to scale its services to the growing healthcare space. Its Active Care Relationship Service (ACRS), which enables care coordination and improved patient matching, will use Amazon Neptune to model and query up to 40 times more relationships than is possible with the current solution based on relational database technology.
By partnering with AWS and Cloudticity, MiHIN achieved both EHNAC and HITRUST compliance, lowered costs, improved reliability, and expanded its business into areas previously unimaginable without the agility and automatability of AWS.
We have established that achieving HITRUST certification brings significant benefits, including improved security posture, reduced risk of cyberattacks, and competitive advantages in a sea of managed services providers.
However, these benefits come at a cost—the journey toward HITRUST certification can be arduous, expensive, and may require you to divert customer-facing resources toward internal processes.
HITRUST requires ongoing processes, policies, and procedures that establish strong security and keep it continuous, even in the face of evolving cyber risks and regulatory requirements. AWS helps in this endeavor by providing a fully automatable platform that can be managed using code, with full repeatability, auditability, and traceability.
The Cloudticity Oxygen platform adds more than 200 HITRUST- and HIPAA-specific controls to accelerate the HITRUST journey, reduce complexity, and stay current as the security landscape continues to change.
With AWS and the right partner, the HITRUST certification process doesn’t need to be a drain on time and resources. In fact, it’s an opportunity to develop a more secure, compliant, and efficient platform, setting your business apart and putting your mind at ease.
To accelerate your journey to HITRUST certification, schedule a consultation with a HITRUST CSF expert today. You can also check out Cloudticity’s on-demand webinar to learn more about the risks and rewards involved for your business.
The content and opinions in this blog are those of the third party author and AWS is not responsible for the content or accuracy of this post.
Cloudticity – APN Partner Spotlight
Cloudticity is an AWS Competency Partner and manages HITRUST-compliant environments for customers on AWS. Cloudticity Oxygen is a custom managed services, compliance, and security platform that employs virtually every available AWS service.