AWS for Industries

Network considerations for healthcare workloads on AWS

Healthcare organizations are shifting more of their workloads to the cloud. These workloads, including medical imaging, present unique challenges due to their complexity, size, and requirements. Learn how to architect for success by addressing network considerations that exist when designing connectivity between the provider network and Amazon Web Services (AWS).

Architecture

Healthcare solutions create unique network challenges. These challenges include, but are not limited to:

  • Sizing the network connectivity appropriately for throughput, latency, and performance
  • Ensuring network connectivity remains highly available and fault tolerant in the event of component failures
  • Securely protecting data in transit with encryption to remain HIPAA compliant
  • Deploying additional AWS Software Partner solutions, and connecting with them

Considerations for Performance

The primary consideration for designing performant network connectivity is to understand the throughput and latency requirements, and then size your connectivity appropriately. This can be surveyed in a number of ways, but many software vendors will often provide guidelines on these requirements for their solution. Take time to evaluate all of the workflows that will be needed, and consider any near-term growth needs.

For certain solutions, connectivity over the internet may suffice. If choosing this option, be sure to evaluate the size of your internet connection. You can connect to AWS either directly to public endpoints or through a virtual private network (VPN) tunnel using AWS Site-to-Site VPN. Each AWS VPN connection can support up to 1.25 Gbps directly to a single Virtual Private Gateway. If more bandwidth is required to a single Amazon Virtual Private Cloud (Amazon VPC), you can take advantage of Transit Gateway to combine multiple tunnels in parallel.

Figure 1 – Virtual Private Gateway with Multiple VPCs and VPN connection


Sometimes internet connections do not provide sufficient bandwidth, latency, or consistency for your workloads. To achieve reduced latency and the most consistent throughput, consider using AWS Direct Connect (Direct Connect) instead. The data traversing a Direct Connect never flows over the public internet. Direct Connect creates connections across the shortest path between you and your Amazon VPC, which results in the lowest latency and most consistent bandwidth. Dedicated connections come in 1 Gbps, 10 Gbps, and 100 Gbps sizes. For these reasons, Direct Connect dedicated connections are the best option for mission-critical patient-facing workloads.

Figure 2 – AWS Direct Connect with Private Network Connections Between Your Office and an AWS Region


Why does this matter?

Healthcare applications send large amounts of data across the network regarding patient health records, interfaces, and even high-resolution images. A network topology must be able to support the high bandwidth and sensitive latency requirements of these solutions.

If a pipeline were to become congested or start to show high latency, it could impact clinical care.

Considerations for High Availability

Remove any single points of failure when designing your solution. In your network design, there should always be at least two independent routes of connectivity.

If using the public internet, ensure that your internet connections are sufficiently sized and redundant to accommodate the loss of a single pipeline, hardware device, site, or datacenter. When adding an AWS Site-to-Site VPN solution, create two tunnels which terminate in different Availability Zones within the destination region. You can read more in the resilience section of the AWS Site-to-Site VPN documentation.

With AWS Direct Connect, we have guidance surrounding our Direct Connect Resiliency Recommendations. Depending on your requirements, the configuration and number of Direct Connect connections will vary. The highest reliability is achieved by separate connections terminating on separate devices in more than one location. This configuration offers customers maximum resilience to failure. As shown in Figure 3, such a topology provides resilience to device failure, connectivity failure, and complete location failure.

Figure 3 – AWS Direct Connect in a Maximum Resilience Configuration


As an alternative to running redundant Direct Connect connections, some organizations choose to build a single AWS Direct Connect and then utilize an AWS Site-to-Site VPN as a backup to that Direct Connect connection. This means that during normal use, you will achieve your required performance. However, during an outage you will fall back to an AWS VPN/internet connection and will be limited to the performance of that connection.

Considerations need to be made to understand the user experience during a failure event. To ensure sufficient capacity for the most critical use-cases (like emergency care) you may choose to restrict other workflows until the outage is resolved.
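The failure analysis described in this section can be run as a small model before a design is approved. The following is an added example, not code from the original post: the link names, locations, devices, and workflow figures are constructed, and treating surviving links as usable together is an assumption that gives an upper bound on capacity.

```python
# Added example; link and workflow values are constructed, not from the post.
VPN_GBPS = 1.25  # Site-to-Site VPN ceiling quoted in this post

LINKS = [  # single Direct Connect with a Site-to-Site VPN as backup
    {"name": "dx-primary", "location": "colo-a", "device": "rtr-1", "gbps": 10.0},
    {"name": "vpn-backup", "location": "hq", "device": "fw-1", "gbps": VPN_GBPS},
]
WORKFLOWS = [  # (name, priority where 1 is most critical, peak Gbps)
    ("imaging-archive-sync", 3, 2.0),
    ("emergency-care-ehr", 1, 0.3),
    ("radiology-reads", 2, 0.8),
    ("analytics-export", 4, 0.5),
]

def plan_failover(workflows, capacity_gbps):
    """Admit workflows in priority order while they fit; restrict the rest."""
    admitted, restricted, used = [], [], 0.0
    for name, _prio, gbps in sorted(workflows, key=lambda w: w[1]):
        if used + gbps <= capacity_gbps:
            admitted.append(name)
            used += gbps
        else:
            restricted.append(name)
    return admitted, restricted

def failure_report(links, workflows):
    """Simulate the loss of each device and each location, one at a time."""
    report = {}
    for domain in ("device", "location"):
        for failed in sorted({link[domain] for link in links}):
            # Assumption: surviving links can be used together (upper bound).
            cap = sum(l["gbps"] for l in links if l[domain] != failed)
            _, restricted = plan_failover(workflows, cap)
            report[(domain, failed)] = {"gbps": cap, "restricted": restricted}
    return report

def single_points_of_failure(report):
    """Failure domains whose loss leaves no connectivity at all."""
    return sorted(k for k, v in report.items() if v["gbps"] == 0)

if __name__ == "__main__":
    for domain, result in failure_report(LINKS, WORKFLOWS).items():
        print(domain, result)
```

Losing the Direct Connect router in this sample leaves only the VPN, so the two lowest-priority workflows are restricted while emergency care and radiology reads continue.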

Why does this matter?

There is usually an SLA that is supplied by a provider organization’s IT service team to the broader organization. This includes defining the Recovery Time Objective (RTO) and Recovery Point Objective (RPO) for various services and solutions. Longer RTOs result in clinicians having to retreat to alternate business continuity systems if they exist, or even paper charting. Longer RPOs result in lost data that needs to be recreated or re-entered (or is just lost).

Patients also suffer as staff struggle to follow downtime procedures and validate the status of systems while in an impaired state. To measure the true impact, this study measured the total cost of datacenter outages (including healthcare industries), which averages almost $9,000 per minute.

Considerations for Security

At AWS, security is the top priority. We have a number of solutions to securely connect you to AWS, no matter which solution or service you use to do so.

Securing connections to AWS is accomplished by using encryption to protect the data in transit. For internet routed traffic, this is often in the form of transport layer security (TLS) encryption using certificates to securely send data to public endpoints on a per connection basis. Another common method is to use an Internet Protocol Security (IPSec) VPN tunnel. This is the technology used to secure an AWS Site-to-Site VPN and provides the added benefit of encrypting all traffic between the VPN devices persistently and providing access to private networks.

If you need the low latency and consistent network experience of an AWS Direct Connect combined with the security of an end-to-end IPSec VPN tunnel, you can configure AWS Site-to-Site VPN over AWS Direct Connect to get the best of both worlds.

Figure 4 – AWS Site-to-Site VPN Over AWS Direct Connect


In Figure 4, we can see that the AWS VPN helps to encrypt the traffic on its way to your AWS VPC’s Virtual Private Gateway as depicted by the red dashed line.

With this model, you are still limited to the 1.25 Gbps maximum. If more bandwidth is required, we have two options. The first model involves Scaling VPN throughput using AWS Transit Gateway similar to how we showed in the performance section. This allows you to combine multiple AWS VPN connections in parallel to scale horizontally, which will effectively increase your total bandwidth.

The second method achieves encryption of your traffic using MACsec security (IEEE 802.1AE). MACsec security delivers native, near line-rate, point-to-point encryption for 10 Gbps and 100 Gbps links. With MACsec, you can eliminate VPN connections on top of your AWS Direct Connect links to encrypt the traffic. To learn more, check out this post on Adding MACsec security to AWS Direct Connect connections.
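The trade-off between the two options can be checked per connectivity path during design review. The following is an added example, not code from the original post: the path records and field names are hypothetical, and the only limits used are the ones this post states (1.25 Gbps per VPN connection, MACsec on 10 Gbps and 100 Gbps links).

```python
# Added example; field names and sample paths are constructed for illustration.
VPN_GBPS = 1.25               # per-VPN-connection ceiling quoted in this post
MACSEC_PORT_GBPS = {10, 100}  # link speeds the post lists for MACsec

def review_path(path):
    """Return (effective encrypted Gbps, findings) for one connectivity path."""
    findings = []
    enc, port = path["path_encryption"], path["port_gbps"]
    if enc == "ipsec_vpn":
        # Parallel VPN connections through Transit Gateway scale horizontally.
        effective = min(port, VPN_GBPS * path.get("vpn_connections", 1))
    elif enc == "macsec":
        if path["transport"] != "direct_connect" or port not in MACSEC_PORT_GBPS:
            findings.append("MACsec needs a 10 or 100 Gbps Direct Connect link")
            effective = 0.0
        else:
            effective = float(port)
    else:
        findings.append("no path encryption (IPsec VPN or MACsec)")
        effective = 0.0
    if path["carries_phi"] and not path["tls_end_to_end"]:
        findings.append("PHI without end-to-end TLS")
    if effective < path["required_gbps"]:
        findings.append(f"encrypted capacity {effective:g} Gbps is below "
                        f"required {path['required_gbps']:g} Gbps")
    return effective, findings

def _path(enc, port, required, vpns=1, tls=True):
    return {"transport": "direct_connect", "port_gbps": port,
            "path_encryption": enc, "vpn_connections": vpns,
            "required_gbps": required, "carries_phi": True,
            "tls_end_to_end": tls}

PATHS = [  # constructed sample designs
    _path("ipsec_vpn", 10, 4.0),          # one VPN over Direct Connect
    _path("ipsec_vpn", 10, 4.0, vpns=4),  # four VPNs via Transit Gateway
    _path("macsec", 1, 0.5),              # MACsec on a 1 Gbps port
    _path("macsec", 10, 4.0, tls=False),  # path encrypted, sessions are not
]

if __name__ == "__main__":
    for p in PATHS:
        print(review_path(p))
```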

Why does this matter?

There are many reasons why security is a top priority. Here are some of the reasons why it is important to institute these recommendations:

  • HIPAA compliance requires that protected health information (PHI) be encrypted in transit. Encrypt the path to AWS using either AWS Site-to-Site VPN or MACsec security and also encrypt the individual connections end-to-end using TLS. This addresses encryption at multiple layers for compliance eligibility.
  • It prevents attackers from making use of exfiltrated network data, which may also help prevent attackers from pivoting further into an environment.
  • It’s a best practice.

Considerations for connecting to an AWS Healthcare Partner Solution

There are many methods by which a software vendor may provide access to their solution, but these are the most common.

Customer Hosted

In this configuration, the partner solution is deployed within a VPC owned by the provider organization. This provides you additional control over the deployment specifics of the solution and the network topology, as well as having the data reside in only your account. However, it does shift some of the responsibility to operate and maintain the solution. Many software partners will offer their own support to help with these responsibilities, but it is ultimately your responsibility to make sure it remains healthy, up-to-date, and HIPAA compliant.

From a networking perspective, an AWS Transit Gateway is often the solution to provide connectivity between the vendor’s solution VPC, your VPCs, and your on-premises network due to its support for transitive connectivity. This feature allows you to connect all of your Amazon VPCs and your on-premises networks through a central hub.

Partner Hosted

Partner Hosted deployments are similar to customer hosted, except that they reside in an account owned by the partner. This benefits healthcare customers in offloading some of the management, security, and compliance of the components that reside in the partner’s environment. You should still discuss ownership and the shared responsibility model with your vendor to ensure roles and responsibilities are clear. For transitive routable network connectivity, utilize an AWS Transit Gateway. However, this time, the customer creates a Transit Gateway and then shares that AWS Transit Gateway with the partner. This allows the partner to connect their VPC to your AWS Transit Gateway. AWS Transit Gateway documentation outlines the steps for this process.

Software as a Service

Many partners will offer their solution as a Software as a Service (SaaS) offering. Of the deployment methods mentioned, this offloads the most to the partner. It’s still important to discuss roles and responsibilities with the partner.

Connectivity to a SaaS provider can happen in a number of ways. Commonly, vendors will have one or more public endpoints. This is the case for SaaS solutions that you access via a browser over the public internet.

As SaaS solutions are becoming more popular, we are seeing more partners choose to offer access to their endpoints using AWS PrivateLink. With AWS PrivateLink, the software solution is presented to the customer with a set of VPC endpoints that are seamlessly exposed within the customer VPC. This eliminates the requirement to send data over the public internet, providing the benefit of having private connectivity.

Figure 5 – Exposing Partner Services Via VPC Endpoints


Why does this matter?

There is no single right way to connect with a partner. You will need to understand the different ways a partner may offer their solution. It is important that you understand each deployment model’s connectivity, ownership, and responsibility differences.

Clean-Up

All numbers, limits, and quotas are accurate as of the publishing of this blog.

There may be other considerations or deployment models not listed here.

Conclusion

It is important to decide how to prepare your network to support a wide range of requirements for connectivity. AWS services like AWS Direct Connect and AWS Site-to-Site VPN can be used to create a high-performing, resilient, and secure network. There are also many options for deploying a partner solution.

Connect with one of our AWS Partner Healthcare Solutions or visit Medical Imaging on AWS for more information. If you are interested in knowing more about AWS Direct Connect read the Getting Started page. For additional support, consider engaging with our AWS Healthcare Partners.
