Talking Health and HIPAA Compliance with Wellpepper
This post is part of the Startups on Air series. Startup Evangelist Mackenzie Kosut visits different startups and learns who they are, what they do, and how they use AWS.
Wellpepper is a platform for digital patient treatment plans that helps patients to follow instructions, empowers them to self-manage their healthcare outside the clinic, and connects them to their healthcare providers if they need additional support.
Co-founders Anne Weiler and Mike Van Snellenberg identified the problem of a lack of continuity of care when Anne’s mom contracted a rare autoimmune disease. After six months in the hospital, she was discharged with no instructions and had to wait over a month for a follow-up visit. This lack of continuity of care at such a crucial time was the impetus for Wellpepper.
Wellpepper solves this problem with actionable care plans, informed by insights drawn from over 250,000 patient actions, that are built from reusable building blocks. Patient instructions are broken down into simple tasks, educational materials, and custom video, against which patients can record their experiences. Healthcare organizations can track patient results in real time against their own best practices and protocols.
— AWS startups (@AWSstartups) January 20, 2017
“One of the nice things about using AWS in a HIPAA model is that it’s a shared responsibility model.”
-Mike Van Snellenberg (CTO & Co-Founder)
Wellpepper wraps all of its services within a virtual private cloud (VPC) and uses many of the AWS services that are HIPAA-eligible, such as EC2, S3, and EBS. An Elastic Load Balancer (ELB) handles SSL termination for public traffic. The app tier, written in Node.js, serves dynamic content and runs the APIs and application services. A static web tier houses content and the portals. For deployments, Wellpepper is in the midst of migrating to AWS CodeDeploy and AWS CloudFormation.
“One of the nice things about using AWS in a HIPAA model is that it’s a shared responsibility model,” said Mike, who relies on it rather than on unencrypted files in the back end and manually encrypted files in the static web tier. He went on to explain how easy it is to replicate from shared tenancy over to dedicated tenancy (minus the web tier).
Wellpepper recently completed a successful HIPAA audit and shared some of the steps it takes to secure its environment. Under the shared responsibility model, AWS manages everything from the hypervisor down to the physical facility, and it is on the customer to build security into the application. Wellpepper uses simple password-based authentication and OAuth.
For those of you who are new to HIPAA compliance, Mike has a few reassuring words: “HIPAA is not as scary as you’d think. It’s just a lot of general, good security practices.” That said, he recommends getting comfortable with HIPAA before diving into a serious project.
There are a lot of good services in AWS that you can leverage to make architecting and scaling your infrastructure easy. For example, when you encrypt your EBS volumes, you have technically met the encryption requirement for the data at rest on those volumes (data stored elsewhere, such as in S3 or in backups, needs its own encryption). If you need services that currently aren't HIPAA-eligible, you can still run your own compliant equivalents on EC2 instances with encrypted EBS.
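Two of the controls described above, encrypted EBS volumes for data at rest and an ELB that terminates SSL for public traffic, are the kind of thing an auditor will ask you to prove rather than assert. The following is an added example, not Wellpepper's code: a small audit script that takes the dict shapes returned by boto3's `ec2.describe_volumes()` and classic-ELB `describe_load_balancers()` calls and reports volumes that are not encrypted and internet-facing listeners that accept traffic without TLS termination. The sample responses, volume IDs, and load balancer names are constructed for the example; the `audit_account` helper that queries a live account is an assumption about how you would wire it up and needs read-only IAM permissions.

```python
"""Added example: audit for unencrypted EBS volumes and plaintext public ELB listeners.

The check functions operate on the same dict shapes boto3 returns, so they can be
run offline against the constructed samples below or fed live API output.
"""
from typing import Dict, List, Tuple

# Constructed sample of ec2.describe_volumes()["Volumes"] (no real resources).
SAMPLE_VOLUMES: List[Dict] = [
    {"VolumeId": "vol-0aaa", "Encrypted": True,
     "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/example"},
    {"VolumeId": "vol-0bbb", "Encrypted": False},          # data at rest in the clear
    {"VolumeId": "vol-0ccc", "Encrypted": True,
     "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/example"},
]

# Constructed sample of elb.describe_load_balancers()["LoadBalancerDescriptions"].
SAMPLE_ELBS: List[Dict] = [
    {"LoadBalancerName": "web-public", "Scheme": "internet-facing",
     "ListenerDescriptions": [
         # HTTPS on 443, SSL terminated at the ELB, plain HTTP to the app tier inside the VPC
         {"Listener": {"Protocol": "HTTPS", "LoadBalancerPort": 443,
                       "InstanceProtocol": "HTTP", "InstancePort": 8080,
                       "SSLCertificateId": "arn:aws:acm:us-east-1:111122223333:certificate/example"}},
         # plaintext HTTP listener on the same public ELB
         {"Listener": {"Protocol": "HTTP", "LoadBalancerPort": 80,
                       "InstanceProtocol": "HTTP", "InstancePort": 8080}},
     ]},
    {"LoadBalancerName": "api-internal", "Scheme": "internal",
     "ListenerDescriptions": [
         {"Listener": {"Protocol": "TCP", "LoadBalancerPort": 3000,
                       "InstanceProtocol": "TCP", "InstancePort": 3000}},
     ]},
]


def unencrypted_volumes(volumes: List[Dict]) -> List[str]:
    """Return the IDs of EBS volumes whose data at rest is not encrypted.

    A missing "Encrypted" key is treated as unencrypted, which is the safe default
    for an audit.
    """
    return sorted(v["VolumeId"] for v in volumes if not v.get("Encrypted", False))


def plaintext_public_listeners(load_balancers: List[Dict]) -> List[Tuple[str, int]]:
    """Return (load balancer name, port) for every listener on an internet-facing
    classic ELB that does not terminate TLS (protocol other than HTTPS or SSL).

    Internal load balancers are skipped: traffic inside the VPC is a separate
    decision from the public edge this check is about.  A plaintext listener may be
    intentional (for example a redirect target), so each finding should be reviewed.
    """
    findings: List[Tuple[str, int]] = []
    for lb in load_balancers:
        if lb.get("Scheme") != "internet-facing":
            continue
        for desc in lb.get("ListenerDescriptions", []):
            listener = desc["Listener"]
            if listener["Protocol"].upper() not in ("HTTPS", "SSL"):
                findings.append((lb["LoadBalancerName"], listener["LoadBalancerPort"]))
    return findings


def audit_account(region: str = "us-east-1") -> Tuple[List[str], List[Tuple[str, int]]]:
    """Assumed wiring for a live run (requires boto3 and credentials with
    ec2:DescribeVolumes and elasticloadbalancing:DescribeLoadBalancers).
    boto3 is imported here so the offline sample run does not need it."""
    import boto3
    ec2 = boto3.client("ec2", region_name=region)
    elb = boto3.client("elb", region_name=region)
    volumes: List[Dict] = []
    for page in ec2.get_paginator("describe_volumes").paginate():
        volumes.extend(page["Volumes"])
    lbs: List[Dict] = []
    for page in elb.get_paginator("describe_load_balancers").paginate():
        lbs.extend(page["LoadBalancerDescriptions"])
    return unencrypted_volumes(volumes), plaintext_public_listeners(lbs)


if __name__ == "__main__":
    # Offline run against the constructed samples.
    print("Unencrypted volumes:", unencrypted_volumes(SAMPLE_VOLUMES))
    print("Plaintext public listeners:", plaintext_public_listeners(SAMPLE_ELBS))
```

On the sample data the script flags `vol-0bbb` and the port-80 listener on `web-public`; the internal TCP listener is left alone because the check is about the public edge. Run against a real account it gives you the evidence list an auditor wants, and the same two functions can be dropped into a scheduled job so drift from the encrypted-by-default posture shows up before the next audit does.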
Interested in learning more about Wellpepper and staying up to date with their latest endeavors? Follow them on Twitter here.