AWS Public Sector Blog

Streamlining digital transformation in German healthcare with AWS


Healthcare organizations worldwide are leveraging Amazon Web Services (AWS) and partner solutions to modernize, transform, and innovate their businesses. Ensuring the availability and security of critical applications is paramount.

For example, two renowned German medical facilities, Fachklinikum Mainschleife and Max Grundig Klinik, needed to modernize their IT infrastructure to comply with the stringent requirements of the country’s Law for Accelerating the Digitalization of Healthcare (DigiG). Compliant AWS services enabled both facilities to provide reliable access to their essential clinical systems.

Fachklinikum Mainschleife manages around 30 critical applications, including electronic health records (EHRs), health information systems (HIS), picture archiving and communication systems (PACS), and practice management systems. Max Grundig Klinik oversees approximately 40 mission-critical applications, encompassing EHRs, HIS, PACS, and DHRs.

Both institutions faced the discontinuation of existing outsourcing contracts and required a seamless transition to a new IT operating model. Fachklinikum Mainschleife had a pressing 12-month deadline due to their outsourcer terminating the contracted services. Additionally, the global hardware shortage in 2022 exacerbated the challenges to meet the tight deadline.

Within the project, Fachklinikum Mainschleife seized the opportunity to modernize application layers by repurchasing or building modern alternatives, allowing it to retire its legacy Citrix infrastructure. To address their digitization needs and the lack of required internal resources, Fachklinikum Mainschleife partnered in 2022 with Kite Consult and Oberender AG. Kite Consult played a crucial role throughout the project, delivering the cloud landing zone, providing transition infrastructure, and offering managed services, including application management and ongoing operational support in compliance with the DigiG.

Oberender AG, a management consultancy firm, collaborated with Fachklinikum Mainschleife, leading process reorganization efforts. Notably, Rolf Grube, managing consultant for healthcare digitalization at Oberender AG, took on the complete organizational change management role for Fachklinikum Mainschleife, ensuring a smooth transition into a cloud-based operational model.

“In this innovative and highly challenging project, carefully choosing amongst the available AWS services, we were able to create an operational environment, which represents an exception in terms of flexibility, cost-effectiveness, and security in the German healthcare sector,” said Grube.

Max Grundig Klinik aimed to renew their entire IT landscape. Their existing partner provided infrastructure services but lacked expertise in healthcare application management, which is crucial for digitization efforts in their regulated segment. To ensure appropriate processes and full compliance, they partnered in late 2023 with Kite Consult to drive the transformation and migration project, including replacing their end-of-life SAP-based patient health record (PHR) system and modernizing their legacy Citrix infrastructure.

In this post, we will delve into the architectural approach Kite Consult and our customers adopted to meet the stringent compliance requirements of healthcare organizations and ensure resilient and efficient cloud operations utilizing AWS offerings. Healthcare institutions must adhere to rigorous regulations and standards to safeguard sensitive patient data, maintain business continuity, and provide uninterrupted access to critical systems. The architectural design (shown in Figure 1) prioritized robust security measures, high availability, and scalability to address these crucial needs while taking advantage of the flexibility and scalability of AWS Cloud services. Additionally, the solution incorporated robust governance and control mechanisms to ensure compliance with healthcare regulations.

Architecture

Figure 1. Architectural diagram of AWS Organizations for governance and control.

In close collaboration with Fachklinikum Mainschleife and Max Grundig Klinik, Kite Consult designed a landing zone architecture that used several AWS services to address the critical requirements of ensuring compliance with stringent regulations and maintaining robust security measures in the healthcare industry. This architecture enables the customers to meet their governance and control objectives while adhering to industry-specific standards and regulations.

Customer managed keys in AWS Key Management Service (AWS KMS) play a crucial role in meeting encryption requirements centrally. With customer managed keys, Fachklinikum Mainschleife and Max Grundig Klinik own the key policies, the rotation schedule, and the AWS CloudTrail audit trail of the keys that protect patient records and medical imaging, rather than relying on the AWS managed default keys of each service. This control over encryption keys is essential for healthcare organizations to maintain data sovereignty and meet requirements such as the BSI Cloud Computing Compliance Criteria Catalogue (C5) and DigiG.

AWS Config is employed so that the customers can meet and oversee compliance needs efficiently. AWS Config continuously records resource configurations and evaluates them against managed and custom rules, so a non-compliant state (an unencrypted volume, a database encrypted with the wrong key) surfaces as a finding that can be audited and remediated. Config is a detective control that reports drift after it happens; the organization-level guardrails described next prevent whole classes of changes from being made at all.
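The following is an added example, not code from the post or from Kite Consult, showing how the two controls above combine: a custom AWS Config rule, written as a Lambda function in Python, that marks every EBS volume and RDS instance non-compliant unless it is encrypted with one of the organization's customer managed KMS keys. The rule parameter name allowedKmsKeyArns, the sample key ARN, and the sample resources are assumptions; the configuration item field names are those AWS Config records for AWS::EC2::Volume and AWS::RDS::DBInstance.

```python
"""Custom AWS Config rule: every EBS volume and RDS instance must be encrypted
with one of the organization's customer managed KMS keys (CMKs).

The evaluation logic is kept separate from the Lambda/boto3 glue so it can be
run and tested offline. Resource shapes follow AWS Config configuration items
for AWS::EC2::Volume and AWS::RDS::DBInstance.
"""
import json

# Hypothetical rule parameter (assumption for this example): its value is a
# JSON-encoded list of CMK ARNs, set on the Config rule.
PARAM_ALLOWED_KEYS = "allowedKmsKeyArns"

# (encrypted-flag field, key-id field) per resource type, as recorded by AWS Config.
_FIELDS = {
    "AWS::EC2::Volume": ("encrypted", "kmsKeyId"),
    "AWS::RDS::DBInstance": ("storageEncrypted", "kmsKeyId"),
}


def evaluate(configuration_item, allowed_keys):
    """Return (compliance_type, annotation) for one configuration item."""
    rtype = configuration_item["resourceType"]
    if rtype not in _FIELDS:
        return "NOT_APPLICABLE", "resource type not covered by this rule"
    if configuration_item.get("configurationItemStatus") == "ResourceDeleted":
        return "NOT_APPLICABLE", "resource deleted"
    enc_field, key_field = _FIELDS[rtype]
    cfg = configuration_item.get("configuration") or {}
    if not cfg.get(enc_field):
        return "NON_COMPLIANT", "storage is not encrypted"
    key = cfg.get(key_field)
    if key not in allowed_keys:
        # Encrypted, but with a key outside the allowlist: typically the AWS
        # managed default key (aws/ebs, aws/rds), whose key policy the
        # customer cannot scope and whose use is not under their control.
        return "NON_COMPLIANT", f"encrypted with non-allowlisted key {key}"
    return "COMPLIANT", "encrypted with an approved customer managed key"


def build_evaluation(configuration_item, allowed_keys):
    """Shape one result the way Config's PutEvaluations expects it."""
    compliance, note = evaluate(configuration_item, allowed_keys)
    return {
        "ComplianceResourceType": configuration_item["resourceType"],
        "ComplianceResourceId": configuration_item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": note[:256],
        "OrderingTimestamp": configuration_item["configurationItemCaptureTime"],
    }


def lambda_handler(event, context):
    """Entry point invoked by AWS Config on configuration-change events."""
    import boto3  # imported here so evaluate() stays testable without the SDK

    invoking_event = json.loads(event["invokingEvent"])
    params = json.loads(event.get("ruleParameters") or "{}")
    allowed = set(json.loads(params.get(PARAM_ALLOWED_KEYS, "[]")))
    item = invoking_event["configurationItem"]
    boto3.client("config").put_evaluations(
        Evaluations=[build_evaluation(item, allowed)],
        ResultToken=event["resultToken"],
    )


# Constructed sample items (not real resources) for a local run.
CMK = "arn:aws:kms:eu-central-1:111122223333:key/11111111-2222-3333-4444-555555555555"
OTHER_KEY = "arn:aws:kms:eu-central-1:111122223333:key/aaaaaaaa-0000-0000-0000-000000000000"
CAPTURED = "2024-01-01T00:00:00.000Z"
SAMPLE_ITEMS = [
    {"resourceType": "AWS::EC2::Volume", "resourceId": "vol-0aaa",
     "configurationItemCaptureTime": CAPTURED,
     "configuration": {"encrypted": True, "kmsKeyId": CMK}},
    {"resourceType": "AWS::EC2::Volume", "resourceId": "vol-0bbb",
     "configurationItemCaptureTime": CAPTURED,
     "configuration": {"encrypted": False}},
    {"resourceType": "AWS::RDS::DBInstance", "resourceId": "pacs-db",
     "configurationItemCaptureTime": CAPTURED,
     "configuration": {"storageEncrypted": True, "kmsKeyId": OTHER_KEY}},
]

if __name__ == "__main__":
    for item in SAMPLE_ITEMS:
        print(item["resourceId"], evaluate(item, {CMK}))
```

Because an AWS managed default key cannot be told apart from a customer managed key by the shape of its ARN, the rule takes an explicit allowlist rather than guessing; the handler only adds the boto3 call that reports results back to Config, so the decision logic itself can be exercised locally against the constructed items.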

AWS Organizations facilitates governance and control across multiple AWS accounts. By leveraging service control policies (SCPs), inherited controls, and multi-account structures, Kite Consult implemented consistent and enforceable guardrails across the entire organization of both customers. This approach ensures that customer teams can work freely within their defined boundaries while maintaining the necessary level of control and oversight, preventing unauthorized or noncompliant changes to the infrastructure.
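As an added example (not the customers' actual policies, and not from Kite Consult), the following Python builds two guardrails of the kind described above and applies their Deny logic to sample API calls: a region restriction that keeps resources in eu-central-1 for data residency, and a statement that prevents member accounts from disabling GuardDuty, AWS Config, CloudTrail, or Security Hub. The region choice, the statement Sids, and the sample calls are assumptions; the evaluator is a deliberately simplified model of SCP evaluation, as noted in the code.

```python
"""Two SCP guardrails plus a small evaluator that applies their Deny statements
to sample API calls.

The evaluator models only what these statements use: Deny effect, Action and
NotAction with case-insensitive wildcards, and StringNotEquals on
aws:RequestedRegion. Real SCP evaluation additionally requires an Allow path
and is intersected with the IAM policies inside the member account.
"""
from fnmatch import fnmatchcase

ALLOWED_REGIONS = ["eu-central-1"]  # assumption: patient data stays in Frankfurt

GUARDRAILS_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyOutsideAllowedRegions",
            "Effect": "Deny",
            # Global services are not deployed in eu-central-1 (their requests
            # typically report us-east-1), so exempt them or IAM, Organizations,
            # Route 53 and STS stop working for every member account.
            "NotAction": ["iam:*", "organizations:*", "route53:*", "sts:*",
                          "support:*", "cloudfront:*"],
            "Resource": "*",
            "Condition": {"StringNotEquals": {"aws:RequestedRegion": ALLOWED_REGIONS}},
        },
        {
            "Sid": "ProtectSecurityTooling",
            "Effect": "Deny",
            "Action": [
                "guardduty:DeleteDetector", "guardduty:UpdateDetector",
                "config:DeleteConfigurationRecorder", "config:StopConfigurationRecorder",
                "config:DeleteDeliveryChannel",
                "cloudtrail:StopLogging", "cloudtrail:DeleteTrail", "cloudtrail:UpdateTrail",
                "securityhub:DisableSecurityHub",
            ],
            "Resource": "*",
        },
    ],
}


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def _matches(patterns, action):
    action = action.lower()  # IAM action names are matched case-insensitively
    return any(fnmatchcase(action, p.lower()) for p in _as_list(patterns))


def _condition_holds(stmt, region):
    """Only StringNotEquals on aws:RequestedRegion is modelled here."""
    cond = stmt.get("Condition", {})
    if not cond:
        return True
    regions = _as_list(cond["StringNotEquals"]["aws:RequestedRegion"])
    return region not in regions


def scp_denies(policy, action, region):
    """Return the Sid of the first Deny statement that blocks the call, or None."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        if "Action" in stmt and not _matches(stmt["Action"], action):
            continue
        if "NotAction" in stmt and _matches(stmt["NotAction"], action):
            continue
        if _condition_holds(stmt, region):
            return stmt["Sid"]
    return None


# Constructed sample calls (action, region) as they would appear in the request context.
SAMPLE_CALLS = [
    ("ec2:RunInstances", "eu-central-1"),          # allowed: in-region workload
    ("ec2:RunInstances", "us-east-1"),             # denied: data residency
    ("iam:CreateUser", "us-east-1"),               # allowed: global service exempted
    ("guardduty:DeleteDetector", "eu-central-1"),  # denied: protected tooling
]

if __name__ == "__main__":
    for action, region in SAMPLE_CALLS:
        verdict = scp_denies(GUARDRAILS_SCP, action, region) or "allowed by SCP"
        print(f"{action:28s} {region:13s} -> {verdict}")
```

The point the evaluator makes visible is the interaction between NotAction and the region condition: without the global-service exemption the first statement would block IAM and STS calls in every account, and without the second statement an administrator in a member account could quietly switch off the detection and audit services the rest of the design depends on.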

Kite Consult opted for a custom landing zone approach to address the specific needs and requirements of the healthcare industry. This decision was driven by the need for tailored controls and governance measures that go beyond the standard best practices. By relying on a dedicated service team at Kite Consult, the custom landing zone ensures the implementation of industry-specific controls and governance measures without sacrificing agility or flexibility in the deployment and management of healthcare applications and services.

Securing cloud operations: Safeguarding infrastructure and applications

Ensuring robust security and compliance is critical in the healthcare industry to safeguard sensitive patient data, protect patient privacy, and maintain business continuity. Kite Consult selected a combination of diverse AWS service offerings (shown in Figure 2) to implement security measures across all layers of the infrastructure for Fachklinikum Mainschleife and Max Grundig Klinik, adhering to stringent industry regulations and best practices.

Figure 2. Architectural diagram of the security management solution described in this post.

At the account and network level, Amazon GuardDuty provides continuous threat detection. It analyzes AWS CloudTrail events, VPC Flow Logs, and Route 53 DNS query logs to detect anomalies and suspicious activity, such as unauthorized access attempts, compromised instances communicating with known malicious hosts, or unusual data egress. Because it works from these log sources rather than from agents, it required no changes to the migrated servers; its findings are detective, so they are routed to the operations team through AWS Security Hub to be acted on.

Amazon Inspector assesses the security posture of the compute layer, scanning EC2 instances, container images, and Lambda functions for known software vulnerabilities and unintended network reachability, and ranking findings by severity with remediation guidance. Finding and patching vulnerabilities before they are exploited reduces the risk of a data breach and supports obligations under regulations such as GDPR and HIPAA.

For system-level security, AWS Systems Manager Patch Manager keeps operating systems and applications current with security patches. Patch baselines define which updates are approved and how quickly, and maintenance windows schedule their installation, so known vulnerabilities that could expose patient data or disrupt clinical operations are closed on a predictable cadence with little manual effort.

At the application layer, AWS WAF protects web applications from common exploits and unwanted bots, adding a layer of defense in front of patient-facing applications and services. AWS WAF inspects incoming HTTP requests and blocks malicious ones, such as SQL injection and cross-site scripting (XSS) attempts, and its rate-based rules throttle request floods from individual sources. Volumetric distributed denial-of-service (DDoS) protection is provided separately by AWS Shield, which is enabled by default on the load balancers that front these applications.

AWS Security Hub consolidates security findings from multiple AWS services and partner solutions, providing a comprehensive view of the organization’s security posture and facilitating compliance with industry standards and regulations. AWS Security Hub integrates with services like Amazon GuardDuty, Amazon Inspector, and AWS Config, enabling centralized monitoring and management of security risks, automated compliance checks, and report generation for auditing purposes.

This comprehensive suite of AWS security services helped Kite Consult to ensure Fachklinikum Mainschleife and Max Grundig Klinik could proactively manage security risks across their entire infrastructure, maintain compliance with regulatory requirements, and safeguard sensitive patient data and their mission-critical applications.

Network architecture: Enabling reliable access and separation of concerns across layers

Network architecture plays a crucial role in enabling reliable access and ensuring the separation of concerns across layers, aligning with the stringent requirements of the healthcare industry.

At the core of the network architecture (shown in Figure 3) lies the Amazon Virtual Private Cloud (Amazon VPC), providing a logically isolated and secure environment for deploying resources. VPCs enable network segmentation, allowing healthcare organizations to separate different application environments, such as production and development, or segregate sensitive data from less critical resources. This logical isolation is crucial for maintaining data privacy and reducing the attack surface.

Figure 3. Network topology with connected VPCs and external network connectivity.

AWS Transit Gateway is the hub that connects the VPCs to each other and, under controlled routing, to the Telematikinfrastruktur (TI), the German healthcare system’s nationwide secure communication network. The TI enables secure data exchange between healthcare providers, and the hub-and-spoke routing keeps each VPC isolated while giving it a single, inspectable path to the TI.

AWS Network Firewall acts as the central ingress and egress inspection point. Its stateful domain-list rules match the TLS server name (SNI) or HTTP Host header of outbound connections, so egress can be restricted to an explicit allowlist of destinations, and Suricata-compatible rules cover other protocols. This level of control lets the clinics enforce a default-deny egress policy, which blocks unauthorized access and makes data exfiltration over arbitrary outbound connections considerably harder.

AWS Client VPN provides secure remote access. Doctors, practices, and external environments authenticate with their managed Active Directory (AD) credentials through AWS Directory Service and are placed inside the clinic’s network under the same central controls as on-site users. Client VPN also supports certificate-based mutual authentication and multi-factor authentication alongside AD, which is worth requiring for any identity that can reach patient data. Remote access is a critical requirement for healthcare organizations, enabling staff to reach patient data and systems from various locations while security and compliance are enforced centrally.

For larger external connectivity requirements, AWS Site-to-Site VPN connections are established, enabling secure and reliable communication between healthcare organizations and their external partners or locations. This secure connectivity is essential for data sharing and collaboration with external entities, such as research institutions or other healthcare providers, while ensuring the protection of sensitive patient data.

Application infrastructure: Modernizing and operating reliable healthcare applications on AWS

Kite Consult helped Fachklinikum Mainschleife use various AWS services to build a resilient, secure, and high-performing environment tailored to the healthcare industry’s needs.

After establishing the landing zone and ensuring the required security level, AWS Application Migration Service facilitated transitioning applications from the on-premises infrastructure to the AWS Cloud, minimizing downtime and ensuring business continuity.

Application Migration Service provided tools and capabilities to streamline the migration process. It enabled the creation of server migration plans, replication of on-premises servers to AWS, and the capture of the entire server configuration, including operating system, system state, and data, ensuring consistent and reliable migration.

The service orchestrated the cutover process, synchronizing final changes and launching migrated servers in the AWS environment.

Application Migration Service helped Kite Consult run the migration with flexibility and customization: its launch templates and post-launch actions configure migrated instances according to predefined settings, so each server comes up compliant with the organization’s policies and best practices.

Figure 4. Application architecture on an AWS service level.

Amazon Elastic Compute Cloud (Amazon EC2) instances built on the AWS Nitro System provide a secure, high-performance computing environment for the customers’ critical healthcare workloads. The Nitro System moves virtualization, networking, and storage functions onto dedicated hardware and is designed so that AWS operators have no mechanism to access a customer’s instance memory; this hardware-enforced tenant isolation underpins the compliance argument for running patient data on shared infrastructure.

Credentials needed by the application layer are stored in AWS Systems Manager Parameter Store, which provides secure, hierarchical storage for sensitive configuration such as database passwords and API keys. SecureString parameters are encrypted with an AWS KMS key, so reading a credential requires both ssm:GetParameter on the parameter and kms:Decrypt on the key, and both accesses are recorded in AWS CloudTrail. Applications fetch secrets at start-up with decryption enabled rather than baking them into images or environment variables.

Elastic Load Balancing (ELB) distributes incoming traffic across multiple EC2 instances, ensuring high availability and fault tolerance for Fachklinikum Mainschleife’s healthcare applications. ELB automatically detects unhealthy instances and reroutes traffic to healthy ones, minimizing downtime.

Amazon FSx for Windows File Server provides a fully managed, scalable, and high-performance file storage solution. It enables efficient archival and retrieval of X-ray data and home directories for the Fachklinikum Mainschleife, streamlining data management processes.

Amazon Relational Database Service (Amazon RDS) provides managed database instances for SQL Server, MariaDB, and Amazon Aurora PostgreSQL-Compatible Edition, ensuring reliable and scalable data storage solutions. Amazon RDS automates database management tasks, such as backups, software patching, and failover, reducing operational overhead and ensuring high availability. For the PACS system, Kite Consult chose Amazon RDS with MariaDB.

Together, these AWS services form a resilient, highly available, and secure infrastructure for critical healthcare workloads.

Fhirworks, a solution for EHRs, was built on a serverless architecture using multiple AWS services (shown in Figure 5). The core functionality was implemented using AWS Lambda, a serverless compute service that executes code without provisioning or managing servers, allowing Fhirworks to scale automatically based on incoming traffic.

Figure 5. Application architecture of the Fhirworks solution.

For data storage, Fhirworks utilizes Amazon DynamoDB, a fully managed NoSQL database service, to store and retrieve patient data with low latency and high performance. Amazon OpenSearch Service, a distributed search and analytics engine, enables fast and efficient search capabilities across the stored health records.

Fhirworks integrates with Amazon Cognito for secure access and authentication. Amazon Cognito handles user authentication, authorization, and user profile management, providing a secure and compliant way to control access to sensitive patient data.

The API layer was built using Amazon API Gateway, a fully managed service that simplifies API creation, deployment, and management. API Gateway acts as the entry point for client applications, validating the Cognito-issued JSON Web Token on every request before routing it to the appropriate Lambda function. That validation establishes who the caller is; deciding which patient records that caller may read remains the application’s responsibility and is enforced in the Lambda code.
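As an added illustration of that split between authentication and authorization (example code, not Fhirworks’ own implementation), here is a Python Lambda handler for a GET /Patient/{id} route behind API Gateway with a Cognito user pool authorizer. The Cognito group names clinicians and patients, the custom attribute custom:patient_id linking a login to its own record, the DynamoDB table name, and the sample records and events are all assumptions; the event shape is the one API Gateway REST APIs pass from a Cognito authorizer.

```python
"""Lambda handler for GET /Patient/{id} behind API Gateway (REST API, Cognito
user pool authorizer). The authorizer proves who the caller is; this function
decides what they may read, so a valid token for patient A cannot fetch
patient B's record (broken object-level authorization)."""
import json

TABLE_NAME = "fhir-patients"            # assumption for this example
CLINICIAN_GROUP = "clinicians"          # Cognito group names are assumptions
PATIENT_GROUP = "patients"
PATIENT_ID_CLAIM = "custom:patient_id"  # custom attribute tying a login to a record


def _groups(claims):
    """Cognito groups are a list in the JWT but arrive as a flattened string
    through the REST authorizer; accept either form."""
    raw = claims.get("cognito:groups", [])
    if isinstance(raw, str):
        raw = raw.strip("[]").replace(",", " ").split()
    return set(raw)


def authorize(claims, patient_id):
    """Return (allowed, reason) for reading one Patient resource."""
    groups = _groups(claims)
    if CLINICIAN_GROUP in groups:
        return True, "clinician"
    if PATIENT_GROUP in groups and claims.get(PATIENT_ID_CLAIM) == patient_id:
        return True, "own record"
    # Authenticated but not authorized: deny, and say nothing about whether
    # the requested record exists.
    return False, "caller may not read this patient"


def _response(status, body):
    return {"statusCode": status,
            "headers": {"Content-Type": "application/fhir+json",
                        "Cache-Control": "no-store"},
            "body": json.dumps(body)}


def handler(event, context=None, repo=None):
    claims = (event.get("requestContext", {}).get("authorizer") or {}).get("claims")
    if not claims:
        # Only reachable if the route was deployed without the authorizer: fail closed.
        return _response(401, {"error": "unauthenticated"})
    patient_id = (event.get("pathParameters") or {}).get("id", "")
    allowed, reason = authorize(claims, patient_id)
    if not allowed:
        return _response(403, {"error": reason})
    record = (repo if repo is not None else _dynamodb_repo()).get(patient_id)
    if record is None:
        return _response(404, {"error": "not found"})
    return _response(200, record)


def _dynamodb_repo():
    """Real store: a dict-like view over the DynamoDB table (boto3 imported lazily
    so the handler can be exercised locally with an in-memory repo instead)."""
    import boto3
    table = boto3.resource("dynamodb").Table(TABLE_NAME)

    class _Repo:
        def get(self, pid):
            return table.get_item(Key={"patientId": pid}).get("Item")
    return _Repo()


# Constructed records and events (not from the original post) for a local run.
SAMPLE_REPO = {"p-100": {"resourceType": "Patient", "id": "p-100"},
               "p-200": {"resourceType": "Patient", "id": "p-200"}}


def make_event(patient_id, groups, own_id=None):
    claims = {"sub": "00000000-0000-0000-0000-000000000000", "cognito:groups": groups}
    if own_id:
        claims[PATIENT_ID_CLAIM] = own_id
    return {"pathParameters": {"id": patient_id},
            "requestContext": {"authorizer": {"claims": claims}}}


if __name__ == "__main__":
    # A patient reading someone else's record is authenticated but forbidden.
    print(handler(make_event("p-200", "[patients]", "p-100"), repo=SAMPLE_REPO)["statusCode"])
```

The authorization check runs before the data access and the 403 is returned without consulting the store, so an attacker enumerating identifiers learns nothing about which records exist; the in-memory repo is only there so the decision logic can be run without AWS credentials.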

This serverless architecture allows for efficient management and retrieval of sensitive patient data while adhering to industry standards and regulations.

Also, this architecture enables Fachklinikum Mainschleife to fully utilize a pay-per-use pricing model, reducing operational costs and allowing Fhirworks to scale seamlessly. This modern and scalable approach is aligned with the healthcare industry’s stringent requirements for data security, compliance, and cost-effectiveness.

Next steps

As healthcare organizations continue to embrace digital transformation, the modernization of their application infrastructure remains an ongoing journey. Building upon the robust foundation established with AWS services, Kite Consult envisions further advancements to enhance reliability, scalability, and data-driven insights. Two key services that hold significant potential for the next phase of modernization are Amazon Elastic Container Service (Amazon ECS) with AWS Fargate and AWS HealthLake.

Amazon ECS with AWS Fargate presents an opportunity to transition from traditional Amazon EC2 instances to a serverless container deployment model. This approach would enable healthcare applications to benefit from automatic scaling, improved resource utilization, and reduced operational overhead. By using AWS Fargate, organizations can focus on building and deploying their applications without needing to manage underlying infrastructure, resulting in increased agility and faster time-to-market for new features and services.

Furthermore, the integration of AWS HealthLake could unlock unprecedented value from the vast amounts of healthcare data generated by various systems and applications. HealthLake is a HIPAA-eligible service designed to ingest, store, and analyze data from different sources, including EHRs, medical devices, and clinical applications. By consolidating and harmonizing this data into a centralized, secure, and compliant data lake, healthcare organizations can gain deeper insights into patient outcomes, identify potential cost savings, and drive innovation in personalized medicine.

Using HealthLake in conjunction with other AWS analytics services, such as Amazon Athena and Amazon QuickSight, would enable healthcare professionals and data scientists to perform advanced analytics, visualize trends, and uncover valuable patterns within the data. This could lead to improved patient care, more informed decision-making, and the development of predictive models for early disease detection and preventive care.

Conclusion

By embracing AWS, Fachklinikum Mainschleife and Max Grundig Klinik gained a future-proof, cost-effective, and compliant cloud platform that enabled them to modernize their applications, transform their operating model, and focus on delivering high-quality healthcare services. The partnership with Kite Consult, coupled with the robust offerings from AWS, provided the customers with the needed domain customizations, expertise, agility, and scalability required to navigate the complexities of the healthcare industry and drive their digital transformation initiatives forward. Kite Consult, with its deep expertise in healthcare and AWS technologies, stands ready to guide organizations through this transformative journey.

Learn more about how healthcare and life science organizations can accelerate innovation with AWS on the AWS for Healthcare and Life Sciences homepage.