AWS Public Sector Blog

Building compliant healthcare solutions using Landing Zone Accelerator


The rise of cloud computing has brought many benefits to healthcare businesses, such as increased flexibility, scalability, and accessibility. However, with these benefits come challenges to meet regulatory and compliance requirements surrounding data privacy and security. Further, these requirements are complex because they vary both geographically and regionally, increasing the time to release and maintain a solution that meets both the technical and administrative controls necessary to adhere to the standards. As customers move more data to the cloud, it becomes increasingly important to take necessary precautions and measures to prevent sensitive information from unauthorized access or use. In addition, there are a multitude of regulations and compliance requirements to meet, adding another layer of complexity to the already intricate web of data privacy controls.

Organizations need builders who are not only well-versed in software design and well-architected security and privacy best practices but can also interpret complex regulatory compliance frameworks like HIPAA and GDPR. Further, regulatory bodies like the Food and Drug Administration (FDA), the National Institute of Standards and Technology (NIST), the Medical Device Directive (MDD), and the International Medical Device Technology Forum (IMDRF) have published cybersecurity guidance containing a comprehensive set of security and privacy controls that organizations need to implement and maintain over the lifecycle of their products, where applicable. One of the most onerous and time-consuming tasks for builders is interpreting and mapping these requirements before implementing them, which can affect their release cycle.

In this post, we explore the complexities of data privacy and controls on Amazon Web Services (AWS), examine why creating a landing zone to contain such data is important, and highlight the differences between creating a landing zone from scratch and using the AWS Landing Zone Accelerator (LZA) for Healthcare. To aid explanation, we use a simple healthcare workload as an example. We also explain how LZA for Healthcare codifies HIPAA controls and AWS Security Best Practices to accelerate the creation of an environment to run protected health information workloads in AWS.

Steps for manual set up of a landing zone on AWS

A landing zone is an AWS solution that enables organizations to set up a secure and scalable multi-account AWS environment. The creation of a landing zone involves several steps, and the specifics may vary depending on the organization’s needs and requirements. The following steps show a general overview of how a typical landing zone is created on AWS:

  1. Define your landing zone requirements – Before creating your landing zone, you need to define your requirements, including the number of accounts you need, the network architecture, security controls, and compliance requirements.
  2. Prepare your AWS accounts – Prepare your AWS accounts by creating the necessary accounts and configuring the required settings.
  3. Create an AWS Control Tower landing zone – AWS Control Tower simplifies the process of creating a landing zone by providing a set of pre-built templates, guardrails, and workflows that you can use to create a secure and scalable AWS environment. You can use AWS Control Tower to create a landing zone that includes multiple AWS accounts, a shared Amazon Virtual Private Cloud (Amazon VPC), and AWS Identity and Access Management (IAM) roles and policies that govern access to AWS resources.
  4. Set up your networking – Set up your network architecture by defining your VPCs, subnets, and routing tables. You can use AWS Transit Gateway to simplify your network architecture and improve your network’s scalability and security.
  5. Configure your security controls – Configure your security controls by setting up IAM roles and policies, network security groups, and other security features such as AWS WAF, AWS Shield, and AWS Config.
  6. Deploy your applications – Deploy your applications to your landing zone using AWS CloudFormation or other deployment tools. Make sure to follow AWS best practices for deploying your applications in a secure and scalable manner.
  7. Monitor and manage your landing zone – Monitor and manage your landing zone using AWS services such as AWS CloudTrail, AWS Config, and Amazon CloudWatch. Set up alerts and notifications to proactively detect and respond to security and compliance issues.

Overall, creating a landing zone on AWS requires careful planning and attention to detail. By following AWS best practices and using AWS services, you can create a secure and scalable multi-account AWS environment that meets your organization’s needs and requirements.

In order to simplify the creation of a landing zone that meets all the requirements for HIPAA regulations, you can take advantage of the LZA for Healthcare, which allows you to create a fully customizable account structure that meets your needs.

The AWS Landing Zone Accelerator (LZA) for Healthcare

The LZA for Healthcare is an industry-specific deployment of the Landing Zone Accelerator on AWS solution architected to align with AWS best practices and in conformance with multiple global compliance frameworks. When used in coordination with services such as AWS Control Tower and Landing Zone Accelerator, LZA for Healthcare provides a comprehensive no-code solution across more than 35 AWS services and features to manage and govern a multi-account environment.

The LZA for Healthcare helps establish platform readiness with security, compliance, and operational capabilities.

Note: The LZA solution will not, by itself, make you compliant. It provides the foundational infrastructure from which additional complementary solutions can be integrated.

Figure 1. Architectural overview of the AWS landing zone deployed using the LZA for Healthcare that is described in this blog. The major components of the LZA are an AWS CloudFormation template, configuration files, AWS CodePipeline, and AWS Cloud Development Kit.

The LZA for Healthcare is a set of configuration files focused on further meeting the needs of healthcare-affiliated organizations. The LZA for Healthcare uses AWS best practices established through the experience of customers from regulated industries.

What makes the LZA for Healthcare so impactful for healthcare customers is that it incorporates healthcare-specific configurations, such as the detective guardrails defined in the Operational Best Practices for HIPAA Security conformance pack. These are implemented using AWS Config, which records configuration changes to AWS resources and provides a notification when those resources are not in compliance with your baseline. With these configurations included in the LZA for Healthcare, customers can focus further on their business needs and build upon what is already included in this deployment. LZA for Healthcare supports organizations in maintaining compliance and security needs while still offering the flexibility of being able to manually add or remove specific configurations depending on the organization’s needs.

LZA for Healthcare, by default, meets the requirements of several technical controls of global compliance frameworks and accelerates the compliance readiness of your applications. By implementing these technical controls, LZA for Healthcare provides the undifferentiated heavy lifting that complements your application security needs. AWS provides coverage, out of the box, for various compliance frameworks, including HIPAA, ISO 27002, NCSC, ENS, C5, HDS, and FSC. Customers are still responsible for checking for accuracy and validating this compliance coverage before releasing their products, in accordance with the AWS Shared Responsibility Model.

Example of a simple data ingestion pipeline architecture

We will use a simple healthcare workflow and show how the architecture fits into the LZA for Healthcare account structure. The following diagram showcases a simple workflow to store and process patient data and render the information to the end user (that is, healthcare providers). Refer to this workshop for more details on this architecture and implementation.

Figure 2. An example of a data ingestion pipeline architecture as it would be deployed in the LZA. The main components are AWS HealthLake, Amazon S3 buckets, AWS Lake Formation, Amazon Athena, and Amazon QuickSight.

The bulk patient data is ingested into AWS HealthLake for analysis with FHIR (R4). Another Amazon Simple Storage Service (Amazon S3) bucket contains supporting health-related data that provides additional information needed for the analysis. Both data from AWS HealthLake and the Amazon S3 bucket are pushed to AWS Lake Formation and can be used for analysis for further insights. Amazon Athena allows for the data to be analyzed using simple SQL queries. Amazon QuickSight creates an interactive dashboard for end users to easily understand the patient data and take action.

The following section describes how this architecture can be deployed in the accounts created by LZA for Healthcare.

Deploying the ingestion pipeline to the LZA for Healthcare account structure

Figure 3. The account structure in an LZA for Healthcare environment. This illustration displays a sample deployment of AWS services in accounts provisioned by LZA.

The root organizational unit (OU) contains AWS services and related data that hold important information related to managing the organization. These include AWS Control Tower, AWS Organizations, and AWS IAM Identity Center.

The security OU contains AWS accounts related broadly to security functionality and uses two accounts, audit and log archive, to securely store operational data for central logging and auditing access to the environment.

An infrastructure OU houses the network and shared services accounts. A central network account houses and manages core network infrastructure for your organization, such as Amazon VPCs. The shared services account is a commonly used pattern for organizations with resources other than core network infrastructure that the organization needs to share.

The additional workloads, as shown in Figure 3, can be deployed in isolated environments that provide more control over security needs. The AWS services used in the healthcare workflow, such as Amazon S3, AWS HealthLake, or AWS Lake Formation, are deployed in the production account. The health information system (HIS) OU represents the logical construct where workloads that contain sensitive data, such as critical business or personal health information (PHI), reside. Multiple workload accounts can be enrolled and provisioned in a multi-account environment with additional infrastructure through the configuration files.

OU structure design is not a one-time effort. As a company increases cloud adoption and migrates additional workloads into the LZA for Healthcare, its OU design (and implicitly its concept of policies) will also naturally evolve.
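Because the OU design keeps changing, the account structure described above can be expressed as a repeatable check. The following is an added example, not part of the original post or of the LZA code base: it tests an account inventory against that structure (Security OU with audit and log archive accounts, Infrastructure OU with network and shared services accounts, PHI workloads only under the HIS OU). The account names, the `data-classification` tag, the nested `HIS/Prod` path and the inventory format are all assumptions made for illustration.

```python
# Added example: account names, tag key and inventory shape are constructed.
# Expected layout, taken from the account structure described in this post.
REQUIRED = {
    "Security": {"Audit", "LogArchive"},
    "Infrastructure": {"Network", "SharedServices"},
}
PHI_OU = "HIS"  # the OU where workloads holding PHI are expected to reside


def in_ou(account, ou):
    """True if the account sits in `ou` or in an OU nested beneath it."""
    path = account["ou"]
    # Require an exact match or a "/" boundary so "HISX" does not pass as "HIS".
    return path == ou or path.startswith(ou + "/")


def check_layout(accounts):
    """Return human-readable findings; an empty list means the layout matches."""
    findings = []
    for ou, required in REQUIRED.items():
        present = {a["name"] for a in accounts if in_ou(a, ou)}
        for missing in sorted(required - present):
            findings.append(f"{ou} OU is missing the {missing} account")
    for a in accounts:
        is_phi = a.get("tags", {}).get("data-classification") == "phi"
        if is_phi and not in_ou(a, PHI_OU):
            findings.append(
                f"{a['name']} holds PHI but is in OU {a['ou']!r}, not {PHI_OU}"
            )
    return findings


# Constructed inventory: the log archive account is absent and one PHI
# workload has been placed outside the HIS OU.
SAMPLE = [
    {"name": "Audit", "ou": "Security", "tags": {}},
    {"name": "Network", "ou": "Infrastructure", "tags": {}},
    {"name": "SharedServices", "ou": "Infrastructure", "tags": {}},
    {"name": "Production", "ou": "HIS/Prod",
     "tags": {"data-classification": "phi"}},
    {"name": "Analytics-Sandbox", "ou": "Sandbox",
     "tags": {"data-classification": "phi"}},
]

if __name__ == "__main__":
    for finding in check_layout(SAMPLE):
        print(finding)
```

Run on a schedule against a real inventory, a non-empty result signals that the environment has drifted from the intended structure and needs review.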

Summary

In summary, the LZA for Healthcare offers significant benefits to healthcare organizations seeking to accelerate their cloud journey. By following AWS best practices and using pre-built configuration templates, LZA for Healthcare enables organizations to establish a secure, scalable, and compliant cloud infrastructure in a matter of days rather than weeks. This not only speeds up cloud adoption but also reduces costs and improves operational efficiency, enabling healthcare organizations to focus on delivering high-quality patient care. Overall, the AWS LZA for Healthcare is a powerful tool for healthcare organizations looking to unlock the full potential of the cloud and transform the way they deliver healthcare services.
