AWS Startups Blog
How Citus Health Uses AWS to Provide Secure and Real-Time Virtual Patient Care
by Vincent Zheng, AWS Associate Startup Solutions Architect, and Christine Samson, AWS Startup Solutions Architect Manager
Prior to starting Citus Health, Co-Founder and CEO Melissa Kozak spent eight years providing direct care to patients receiving home infusion therapy, in which patients are administered medication intravenously or subcutaneously. Throughout her time as a nurse, she identified a gap in the tools available to patients to connect directly with their care providers when they had questions or were experiencing issues. Kozak recalled a moment in which a patient’s IV pump had been beeping all night long; he reached out to an on-call service, where he was transferred three times and then disconnected, and as a result he missed his dose. With the help of Citus Health’s Co-Founder Shadid Shah, a thought leader in the digital health care space who had built and deployed multiple electronic health record systems in his career, they were able to bring the idea of patient-centric communication tools and resources to life.
How it works
Citus Health is a digital health transformation startup that enables real-time and secure collaboration between health care teams, partners, and families to provide the best patient experience possible while positively impacting the financial outcome of the care provider. The web and mobile-accessible application provides patients and providers with features such as secure two-way communication, centralized nursing notes, documentation, scheduling, and video sessions. Citus Health also supports third-party system integrations, in which companies integrate their applications with Citus Health’s microservices running on AWS. For example, specialty pharmaceutical companies can integrate with Citus Health’s platform to send and receive documents and important patient information, both from the patients themselves and from health care providers, making it smoother and easier to get patients the medications they need.
How Citus Health utilizes AWS
Citus Health’s application is built using a combination of PHP, NodeJs, Angular, and Ionic, and it interacts with microservices running in AWS infrastructure through APIs. Their website and microservices are hosted on Amazon Elastic Container Service (Amazon ECS) with the Elastic Compute Cloud (Amazon EC2) launch type. As the application grows, managing the deployment, structure, and scaling of these containers becomes increasingly complicated. ECS’s container orchestration capabilities aim to simplify the configuration options while handling the heavy lifting.
Citus Health utilizes containers for multiple microservices that provide features such as real-time messaging, credentialing, and enrollment. Amazon ECS handles the placement of these containers on EC2 instances in a cluster; instances launched from the ECS-optimized AMI come pre-installed with Docker. ECS also simplifies scaling, monitoring, and managing these instances through the AWS Management Console. Communication between the instances the containers reside on and Amazon ECS is handled by the ECS container agent, which also comes pre-installed on those instances. Utilizing the Amazon EC2 launch type provides greater control over details such as the instance family and size on which the microservice containers will reside. Citus Health can choose the instance family, size, and other configuration details, which lets them take advantage of container orchestration while keeping control of the aspects of infrastructure management that are vital to ensuring their application has the resources and capacity it needs.
Citus Health also uses private subnets, which contain the microservices that handle tasks like credentialing, secure messaging, and enrollment. These API services reach other AWS resources and the internet through a Network Address Translation (NAT) gateway, which allows connections initiated from inside the subnet while preventing hosts on the internet from initiating connections to the services directly. Sitting in a different private subnet are their PostgreSQL databases running on Amazon RDS, which store the data generated by the application. Network Access Control Lists (NACLs) are placed in front of all of their subnets to filter out unwanted connections.
When Citus Health was first assessing a migration to AWS, they had two major concerns: data sovereignty, for compliance with PIPEDA on behalf of one of their customers in Canada, and finding the easiest way to migrate from their managed service provider (MSP), Rackspace, to AWS. For the data sovereignty concern, Citus Health worked with the account team to determine how to be compliant with PIPEDA. Although the shared responsibility model for compliance and security was not new to Citus Health, they needed more clarity on how PIPEDA specifically applies on AWS. They weren’t sure whether the HIPAA Business Associate Agreement (BAA) covers PIPEDA, or whether either party (Citus Health or AWS) needed to do more to be compliant with PIPEDA. Citus Health met with the AWS account team and a compliance specialist to discuss this concern. They learned that the shared responsibility model still applies: AWS takes care of security and compliance of the cloud, while the customer is responsible for security and compliance in the cloud. They also learned to use AWS Artifact to obtain the compliance reports relevant to PIPEDA and to accept a BAA from AWS. They also wanted to know where it is stated that AWS does not move a customer’s data. Through collaboration with the account team, a compliance specialist, and Citus Health’s own lawyers, they learned that this is stated in the AWS Customer Agreement that they sign.
Citus Health also realized that they need to be cognizant of where data goes if it is sent via Amazon SNS to endpoints in other regions, or if a phone containing these messages is taken to a different country. They need to account for those scenarios and choose services and configurations that ensure their data stays in Canada.
For the migration concern, it helped that Rackspace runs on AWS and manages the infrastructure on behalf of its customers. By working with the account team, Citus Health discovered that they did not need the usual methods to migrate their data and servers from Rackspace onto AWS. Since Rackspace runs on AWS, Citus Health already had an AWS account ID that Rackspace managed for them. On the account team’s advice, Citus Health contacted Rackspace directly and asked whether ownership of that account could be transferred to Citus Health, so that nothing would need to be migrated between accounts or platforms. Rackspace was able to do this; for an early-stage startup in the same position, this can expedite a migration and reduce the work on the customer side.
Citus & AWS together
Throughout Citus Health’s journey, the company has learned to use a variety of tools and services to best protect both the customers and the businesses they serve; security has to be top of mind at all times. Internally, Citus Health uses a separate VPC containing a bastion host, which accepts only authorized connections and rejects everything else. Through the bastion host, their DevOps team and developers reach the main VPC’s resources over VPC peering. Splitting resources across two VPCs isolates them and adds an additional layer of protection and separation.
Security groups act as virtual firewalls for the resources in each VPC: applications can communicate with Citus Health’s microservices through authorized API calls while unwanted connections are blocked. NACLs work in conjunction with security groups to add a further layer. Security groups operate at the instance level, stopping connections before they reach the resources in the VPC, while NACLs filter traffic as it enters or leaves the subnets those resources are placed in. NACLs evaluate their rules in order by rule number, the first matching rule decides, and anything matching no rule is denied by the implicit final deny rule. NACLs can also contain explicit deny rules, whereas security groups only accept allow rules. Finally, NACLs are stateless: they do not track connections, so return traffic must be matched by its own allow rule (typically on the ephemeral port range), whereas security groups are stateful and automatically admit replies to traffic they allowed.
Monitoring tools such as AWS CloudTrail and IAM Access Analyzer help keep track of who is accessing which resources and let Citus Health identify resources and roles that are shared with external entities. All of this has been put in place to protect patients and their information while also ensuring that the other health care companies using Citus Health’s services are protected as well.
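To make the stateless-versus-stateful distinction concrete, the following is an added example in Python (not Citus Health’s or AWS’s code) that models how NACL and security-group rules are evaluated for a layout like the one described above: microservices in one private subnet reaching an external API through the NAT gateway, and RDS in a second private subnet. Every CIDR, address, port and rule number is constructed for illustration, and the model ignores ICMP, IPv6 and connection-tracking timeouts.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Packet:
    direction: str      # "inbound" or "outbound", relative to the protected subnet or instance
    src: str
    src_port: int
    dst: str
    dst_port: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    number: int         # NACL rule number (lowest evaluated first); unused for security groups
    direction: str
    proto: str          # "tcp", "udp" or "all"
    cidr: str           # the remote side: source of inbound traffic, destination of outbound
    port_from: int
    port_to: int
    action: str = "allow"


def _matches(rule: Rule, pkt: Packet) -> bool:
    remote = pkt.src if pkt.direction == "inbound" else pkt.dst
    return (rule.direction == pkt.direction
            and rule.proto in (pkt.proto, "all")
            and ip_address(remote) in ip_network(rule.cidr)
            and rule.port_from <= pkt.dst_port <= rule.port_to)


def nacl_verdict(rules: List[Rule], pkt: Packet) -> str:
    """Stateless: the lowest-numbered matching rule decides; the implicit final rule denies."""
    for rule in sorted(rules, key=lambda r: r.number):
        if _matches(rule, pkt):
            return rule.action
    return "deny"


class SecurityGroup:
    """Stateful and allow-only: replies to an admitted flow are admitted without a rule."""

    def __init__(self, rules: List[Rule]):
        if any(r.action != "allow" for r in rules):
            raise ValueError("security groups cannot express deny rules")
        self.rules = rules
        self._tracked: Set[Tuple[str, int, str, int, str]] = set()

    def verdict(self, pkt: Packet) -> str:
        if (pkt.dst, pkt.dst_port, pkt.src, pkt.src_port, pkt.proto) in self._tracked:
            return "allow"                              # return traffic of a tracked flow
        if any(_matches(r, pkt) for r in self.rules):
            self._tracked.add((pkt.src, pkt.src_port, pkt.dst, pkt.dst_port, pkt.proto))
            return "allow"
        return "deny"


# Constructed topology (hypothetical values): app microservices in one private subnet,
# RDS in another, an external API reached via the NAT gateway, and a range to block.
VPC, APP_SUBNET = "10.0.0.0/16", "10.0.1.0/24"
APP_HOST, DB_HOST = "10.0.1.20", "10.0.2.30"
SAAS_API, BLOCKED_NET = "203.0.113.10", "198.51.100.0/24"   # TEST-NET ranges

# Weak app-subnet NACL: admits API traffic from the VPC and lets HTTPS out, but forgets that
# replies arriving through the NAT gateway land on the client's ephemeral port.
WEAK_APP_NACL = [
    Rule(100, "inbound", "tcp", VPC, 443, 443),
    Rule(100, "outbound", "tcp", "0.0.0.0/0", 443, 443),
]
# Corrected: explicit allow for ephemeral-port return traffic, plus a low-numbered deny for
# the blocked range, which wins because the first matching rule decides.
FIXED_APP_NACL = WEAK_APP_NACL + [
    Rule(50, "inbound", "tcp", BLOCKED_NET, 1, 65535, "deny"),
    Rule(110, "inbound", "tcp", "0.0.0.0/0", 1024, 65535),
]
# DB subnet: PostgreSQL only from the app subnet, and replies only back to the app subnet.
DB_NACL = [
    Rule(100, "inbound", "tcp", APP_SUBNET, 5432, 5432),
    Rule(100, "outbound", "tcp", APP_SUBNET, 1024, 65535),
]
APP_SG_RULES = [Rule(0, "outbound", "tcp", "0.0.0.0/0", 443, 443)]


def https_roundtrip(nacl: List[Rule]) -> Dict[str, Tuple[str, str]]:
    """A microservice calls the external API; returns (request, reply) verdicts per control."""
    req = Packet("outbound", APP_HOST, 49152, SAAS_API, 443)
    rep = Packet("inbound", SAAS_API, 443, APP_HOST, 49152)
    sg = SecurityGroup(APP_SG_RULES)                    # fresh connection table
    return {"nacl": (nacl_verdict(nacl, req), nacl_verdict(nacl, rep)),
            "sg": (sg.verdict(req), sg.verdict(rep))}


def unsolicited_inbound(nacl: List[Rule], src_ip: str) -> str:
    """Traffic nobody inside asked for, aimed at an ephemeral port on the app host."""
    return nacl_verdict(nacl, Packet("inbound", src_ip, 40000, APP_HOST, 50000))


def db_port_verdict(src_ip: str) -> str:
    """Who may open a PostgreSQL connection to the RDS subnet."""
    return nacl_verdict(DB_NACL, Packet("inbound", src_ip, 51000, DB_HOST, 5432))
```

Running `https_roundtrip(WEAK_APP_NACL)` shows the request leaving but the reply being dropped at the subnet boundary, even though the stateful security group accepts both packets; `FIXED_APP_NACL` admits the reply because of the explicit ephemeral-port rule. That same rule is why `unsolicited_inbound(FIXED_APP_NACL, "203.0.113.10")` is allowed at the NACL layer: stateless subnet filtering is necessarily coarse, so the per-instance security group remains the fine-grained control, while the NACL earns its place with the explicit deny (rule 50) that a security group cannot express.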
As Citus Health continues to grow, they need to scale their resources to meet the demands of their customers. After the initial move from being managed by Rackspace to AWS, Citus Health had only set up Amazon EC2 instances behind an Elastic Load Balancer (ELB) to distribute traffic. The capacity they had provisioned was enough to support their traffic and demand at the time. Citus Health was initially deployed only in the United States, and as they grew they expanded into the Canada region. With this growth came a need for autoscaling, so that extra capacity is added automatically and customers continue to receive a smooth and seamless experience. Citus Health also began to use Amazon ECS within the Canada region and broke the application up into microservices to decouple it and take advantage of container orchestration.
They also run their Amazon Relational Database Service (Amazon RDS) instances in a Multi-AZ configuration for disaster recovery. Data is synchronously replicated from the primary instance to a standby instance in a different Availability Zone, and if the primary fails, Amazon RDS automatically fails over to the standby and repoints the database endpoint, without administrative intervention. When it comes to providing patients with a way to communicate with their health care providers, elasticity ensures a smooth and seamless experience, while availability ensures that patients stay connected and keep an open line of communication to the resources they need.
Startups move at a very fast pace, and details like security, elasticity, and availability can be neglected in the rush to release a product or service as quickly as possible. By building on AWS, Citus Health was able to use built-in tools and services to secure their environment and keep their services available and resilient. Making sure that security groups, NACLs, load balancers, autoscaling, and Multi-AZ setups are properly configured will help keep your application available and secure, so that you can give your customers the smoothest experience possible in the long run.
Vincent Zheng is a Startup Solutions Architect at AWS based in New York City. He helps startups across different industries by providing prescriptive guidance and best practices on how to leverage AWS to design and deploy applications at scale. When Vincent is not at work, he enjoys rock climbing, eating out at restaurants, playing video games, going to the movies, and going on walks.
Christine Samson is an AWS Startup Solutions Architect Manager based in New York City. She leads a team of SAs who are trusted technical advisors for startups. She enjoys traveling, exploring new places to eat, playing the piano, and playing sports such as basketball, volleyball, golf, and tennis.