AWS for Industries

Introducing Landing Zone Accelerator for Healthcare

Today, Amazon Web Services (AWS) announced the availability of Landing Zone Accelerator (LZA) for Healthcare.

The LZA for Healthcare is an industry-specific deployment of the Landing Zone Accelerator on AWS solution architected to align with AWS best practices and in conformance with multiple, global compliance frameworks. When used in coordination with services such as AWS Control Tower, the Landing Zone Accelerator provides a comprehensive no-code solution across more than 35 AWS services and features to manage and govern a multi-account environment. The LZA is built to support customers with highly-regulated workloads and complex compliance requirements.

Supporting security standards alignment with global compliance frameworks

The AWS Compliance Program helps customers to understand the robust controls in place at AWS to maintain security and compliance in the cloud. Healthcare customers can benefit from the LZA for Healthcare as the security controls implemented are aligned with several prominent international frameworks, including:

  • Health Insurance Portability and Accountability Act (HIPAA)
  • Cloud Computing Compliance Controls Catalog (C5)
  • National Cyber Security Centre (NCSC)
  • Esquema Nacional de Seguridad (ENS) High
  • International Organization for Standardization (ISO) 27001 and ISO 27002

The LZA for Healthcare can help reduce the effort and complexity in supporting your healthcare compliance efforts. In the rapidly evolving healthcare industry, organizations are increasingly realizing the benefits of cloud-based solutions, like those offered by AWS, to help them operate more efficiently and drive innovation. However, a key question that may arise is, “How do we run sensitive workloads in AWS?”

The answer to this question requires consideration of multiple factors, such as geographic location, regulatory requirements, or organization goals. Leveraging a multi-account strategy sets the stage for improved security posture and growth. This is referred to as an AWS landing zone. Individual AWS accounts enable resource independence and isolation through natural security, access, and billing boundaries for AWS resources.

For example, users outside of your account do not have access to your resources by default. By using a landing zone as a foundation, you can deploy your mission-critical application workloads and solutions across a centrally-governed multi-account environment. Further detail can be found in the Organizing your AWS Environment Using Multiple Accounts whitepaper.

The LZA for Healthcare builds upon this guidance to quickly deploy a solution foundation in AWS designed to be secure, resilient, scalable, and automated. This foundation can accelerate your readiness for a cloud compliance program, including:

  • Default accounts
  • Account structure
  • Core networking infrastructure
  • Security configurations for logging, monitoring, and notification
  • Encryption

The LZA helps establish platform readiness with security, compliance, and operational capabilities. It is important to note that the LZA solution will not, by itself, make you compliant. It provides the foundational infrastructure from which additional complementary solutions can be integrated.

You must review, evaluate, assess, and approve the solution in compliance with your organization’s particular security features, tools, and configurations. It is the sole responsibility of you and your organization to determine which regulatory requirements are applicable and to make sure that you comply with all requirements. This solution does not help you comply with the non-technical administrative requirements.

For additional information, please reference the Landing Zone Accelerator on AWS – Implementation Guide.

The Landing Zone Accelerator for Healthcare architecture

The following architecture offers an overview of the AWS landing zone deployed using the LZA for Healthcare.

Figure 1 - The LZA for Healthcare architectureFigure 1 – The LZA for Healthcare architecture

The LZA for Healthcare is a set of configuration files focused on further meeting the needs of healthcare affiliated organizations. The LZA for Healthcare leverages AWS best practices established through the experience of customers from regulated industries.

It then incorporates healthcare specific configurations, such as the detective guardrails defined in the Operational Best Practices for HIPAA Security conformance pack. These are implemented using the AWS Config service which records configuration changes to AWS resources and provides notification when those resources are not in compliance with your baseline.

AWS Security Hub is a cloud security posture management service that performs security best practice checks, aggregates alerts, and enables automated remediation. AWS Security Hub standards, specifically the AWS Foundational Security Best Practices and the CIS AWS Foundations Benchmark, are configured and deployed as part of the LZA for Healthcare. AWS Security Hub and AWS Config have been enabled for healthcare customers leveraging centralized account delegation and providing a single set of optimized guardrails.

The LZA for Healthcare uses AWS CloudTrail for centralized logging and configurable log retention to help you meet security and compliance needs related to accessing and auditing sensitive data and resources. Centralized networking with inspection, AWS Organizations service control policies, and backup policies are provided as examples of how to establish controls when deploying workloads in your cloud environment.

For the protection of sensitive data, AWS Key Management Service (AWS KMS) is used to encrypt data at rest. Additionally, the LZA solution is covered by Developer through Enterprise AWS Support Plans should you need assistance.

Get started with the AWS Landing Zone Accelerator for Healthcare

To get started, follow the procedures outlined in the Landing Zone Accelerator on AWS – Implementation Guide. It is recommended to begin with a new AWS payer account without existing resources deployed.

For customers that are subject to HIPAA, a Business Associate Addendum with AWS is required before placing protected health information (PHI) in your AWS environment. The LZA for Healthcare configuration files are available in the public GitHub repo.

The LZA for Healthcare leverages AWS expertise enabling regulated customers to set up their AWS environments in days instead of weeks in an optimized and secure configuration. By reducing the undifferentiated heavy lifting of establishing a regulated cloud environment, organizations have the opportunity to focus on innovative solutions that provide the greatest value to the customers they serve.

To learn more about how AWS works with healthcare organizations globally visit If you have questions, reach out to your AWS account team or send an inquiry to the AWS Public Sector Sales Team.

Donny Wilson

Donny Wilson

Donny Wilson is the Global Security and Compliance Senior Solutions Architect for World Wide Public Sector at Amazon Web Service (AWS). He leads the Security and Compliance Community of Practice and advises healthcare customers in the areas of security and compliance, threat detection and response, and building resilient architectures. Donny has over 25 years of experience in healthcare and enterprise IT. Donny holds a Bachelor’s degree in Computer Science from East Tennessee State University. In addition, he is an AWS Certified Solutions Architect Professional and a Certified Information Systems Security Professional (CISSP).

Cate Ciccolone

Cate Ciccolone

Cate Ciccolone is a seasoned healthcare executive with a passion for and expertise in cybersecurity & compliance with practical experience across the education, finance, healthcare and manufacturing industries. Cate serves as a Security Consultant for Amazon Web Services (AWS) where she provides technical and advisory consulting services to global healthcare organizations to help them secure their regulated workloads, minimize risk and meet compliance goals. Cate is a member of the Security and Compliance Community of Practice. Cate’s education and practical experience spans cybersecurity engineering, electronic health record architecture and clinical application security. Furthermore, Cate is an AWS Certified Solutions Architect and holds several certifications including EC-Council Certified Incident Handler (E|CIH).

Parthiban Dhayalan

Parthiban Dhayalan

Parthiban Dhayalan is a Senior Solutions Architect for World Wide Public Sector at Amazon Web Service (AWS). He is an active member of the Healthcare and Life Sciences Technical Field Community and the Security & Compliance Community of Practice. Parthiban advises healthcare customers with deploying critical workloads establishing best practices for security and compliance. He has over 15 years of IT experience and graduated with a Master's degree in Software Engineering. Parthiban is passionate about developing solutions on behalf of customer and helping public sector customers in their cloud journey with the technical and business impact cloud computing.