
2023
Strengthening Security Posture While Saving on Inspection Costs Using AWS Security Services with athenahealth

Learn how healthcare company athenahealth centralized network security at scale using AWS.

95% reduction in inspection costs by moving to a centralized deployment model on AWS

120 accounts protected using AWS Network Firewall in 5 days

Improved monitoring capabilities

Strengthened security posture

Simplified infrastructure deployments

Overview

With the ever-present risk of cyberattacks and the importance of keeping data secure, healthcare software provider athenahealth Inc. (athenahealth) wanted to enhance its network security posture to provide optimal service to its customers by simplifying monitoring while improving visibility into egress traffic. For this security project, athenahealth decided to use Amazon Web Services (AWS) security services to complement its existing investment in AWS infrastructure.

athenahealth adopted AWS Network Firewall, which businesses can use to define firewall rules that provide fine-grained control over network traffic, to build a rapid egress security solution and adopt a centralized deployment model for its virtual private cloud (VPC) infrastructure. The company enhanced its security posture in a matter of days without impacting developer productivity. Now, it has better egress traffic monitoring and can scale its network security without disruptions. athenahealth has also automated many processes to accelerate development by its small team.

Opportunity | Automating Security in the Cloud Using AWS Network Firewall for athenahealth

Founded in 1997, athenahealth works with healthcare organizations to provide products that help people across the healthcare industry. The company provides technology, insights, and expertise to help organizations improve clinical and financial results. As part of its mission to provide data-driven insights in a way that protects the privacy and security of people’s data, athenahealth wanted to provide the most secure networking environment possible for its services and resources running on AWS. athenahealth saw an opportunity to focus renewed attention on its VPC infrastructure and continue to meet evolving security needs. In December 2021, the company developed a long-term security strategy: to build a new solution for egress traffic monitoring. At the center of that long-term strategy was the decision to implement it using AWS.

athenahealth had been using AWS services since 2016 to automate its VPC infrastructure. When it launched the project, the company was able to rapidly deploy security changes and add AWS Network Firewall to hundreds of VPCs across 120 accounts within just a few days. “We were drawn to AWS Network Firewall because the managed solution meant that we wouldn’t have to look at scaling solutions or worry that we’d always have enough capacity,” says Mike McGinnis, senior engineering manager for the public cloud team at athenahealth. “Having all that done automatically on AWS was a huge win.”

“Working on AWS has been exceptional. We were able to set up our egress monitoring system and forget it. This project has set us up for continued success into the future.”

Aaron Baer
Principal Member of the Technical Staff on the Cloud Infrastructure Engineering team, athenahealth Inc.

Solution | Using AWS Network Firewall to Improve Security Posture While Reducing Inspection Costs by 95%

Instead of deploying AWS Network Firewall across all 120 accounts individually, athenahealth distributed its new policies to all firewalls natively across the organization using AWS Resource Access Manager (AWS RAM), which businesses can use to simply and securely share AWS resources across multiple accounts. As a result, it rolled out the changes efficiently and began routing traffic through its new system quickly. Then, athenahealth began redesigning its security architecture to use a centralized deployment model on AWS.

athenahealth had already been using AWS Transit Gateway, which connects Amazon VPCs, AWS accounts, and on-premises networks to a single gateway. Now, by adopting AWS Network Firewall, athenahealth can automatically inspect any traffic that’s leaving the private network space. And AWS Network Firewall automatically saves all firewall logs to a central location, so teams can see what traffic is being affected. On AWS, athenahealth built a system for monitoring egress traffic that’s cost effective and scalable. By moving to a centralized deployment model on AWS, the company reduced its overall inspection costs by 95 percent. “We used the flexibility of AWS services to iterate on changes quickly and ultimately reach a deployment that reduced our spend significantly,” says Aaron Baer, principal member of the technical staff on the cloud infrastructure engineering team at athenahealth.

Running network security in the cloud also made athenahealth’s infrastructure seamlessly scalable. “By scalable, I mean it’s AWS magic,” says Baer. “We don’t have to think about scalability at all.” On AWS, the company doesn’t have to worry about dynamic resource provisioning because network gateways will automatically scale based on traffic. “Scalability on AWS was a huge benefit, and we were able to implement this with a small team,” says Baer. Just eight people designed and rolled out the new security design with no disruptions. athenahealth secures its data as it moves between the on-premises environment and AWS using AWS Direct Connect, which creates a dedicated network connection to AWS.

“There was always an AWS tool that we could incorporate with minimal interruption,” says McGinnis. The company manages its network infrastructure using AWS CloudFormation, which speeds up cloud provisioning with infrastructure as code. This ability to implement changes using infrastructure as code was a huge benefit. “For being such a highly technical project, it was simple on AWS,” says Baer. “We didn’t have to consider capacity or maintenance.” athenahealth manages firewall rules using an AWS CloudFormation template in its code repository. When athenahealth makes changes, the pipeline automatically introduces them into the firewall. This automation has simplified development. Now, developers can submit a fix for any issue as a pull request in the repository instead of flagging an issue and waiting potentially hours for another team to locate and fix it. “We greatly reduced the operational burden on the engineering teams while still providing the security value that we wanted,” says McGinnis.

Outcome | Gaining the Confidence to Iterate Further in the Cloud

The overall project was a huge success. “This project exceeded our expectations in terms of how fast we were able to move all traffic to a centralized inspection model with minimal impact,” says McGinnis. “We’ve had this running for almost 1 year, and it’s been smooth sailing. Implementing this on AWS has enhanced our security posture the way that we hoped it would.”

The company has already begun plans to use AWS Shield, a managed distributed denial of service protection service that safeguards applications running on AWS. “Working on AWS has been exceptional,” says Baer. “We were able to set up our egress monitoring system and forget it. This project has set us up for continued success into the future.”

About athenahealth Inc.

athenahealth Inc. partners with healthcare organizations to provide modern technology and insights that drive clinical and financial results for customers and their patients.

AWS Services Used

AWS Network Firewall

With AWS Network Firewall, you can define firewall rules that provide fine-grained control over network traffic.

AWS Transit Gateway

AWS Transit Gateway connects your Amazon Virtual Private Clouds (VPCs) and on-premises networks through a central hub.

AWS RAM

AWS Resource Access Manager (AWS RAM) helps you securely share your resources across AWS accounts, within your organization or organizational units (OUs), and with IAM roles and users for supported resource types.

AWS CloudFormation

AWS CloudFormation lets you model, provision, and manage AWS and third-party resources by treating infrastructure as code.
