FIGmd/EHNAC Case Study
FIGmd provides clinical-data registry, analytics, and data-reporting solutions to medical practices, medical-professional associations, hospitals, and health systems. The company operates and maintains the largest clinical-data registries in the United States, which customers use to measure, improve, and report healthcare outcomes. FIGmd technologies, solutions, and customization capabilities help organizations scale their projects cost-effectively.
“Our customers need to see evidence of our compliance with HIPAA, FedRAMP, and other critical regulations. Having EHNAC accreditation for our AWS workloads helps us demonstrate that compliance. As a result, our customers can see we’re serious about security and privacy and protecting their sensitive health data.”
CEO and Founder, FIGmd
Like other healthcare companies, FIGmd is under increasing pressure to demonstrate risk mitigation for transmitting and storing data. “Our customers want us to have third-party review and accreditation/certification so we can show we’re meeting industry compliance requirements designed to stop security breaches and cyberattacks,” says Sanket Baralay, CEO and founder of FIGmd.
To meet that challenge, FIGmd determined that it needed Electronic Healthcare Network Accreditation Commission (EHNAC) accreditation. EHNAC’s stamp of approval provides objective third-party review of compliance with requirements for the Health Insurance Portability and Accountability Act (HIPAA), Health Information Technology for Economic and Clinical Health (HITECH), Affordable Care Act (ACA), and Federal Risk and Authorization Management Program (FedRAMP).
At the same time, FIGmd was preparing to move its software to a cloud environment. “We wanted to move to the cloud to meet our needs around data storage, scalability, and security,” says Baralay, adding that FIGmd needed to ensure EHNAC accreditation was possible in the cloud. “Our customers were concerned about the potential for security vulnerabilities in exchanging and storing healthcare data in the cloud. We needed to find a cloud provider that could work with us on EHNAC accreditation.”
Why Amazon Web Services
In response to the trend of organizations moving to the cloud, EHNAC established a new Cloud-Enabled Accreditation Program (CEAP) so healthcare organizations could receive EHNAC accreditation even after moving to the cloud. CEAP assesses privacy, security, mandated standards, and key organizational functions for organizations running in the cloud. EHNAC announced the program around the same time FIGmd selected Amazon Web Services (AWS) as its cloud provider. “We chose AWS because its security and scalability capabilities were superior to all the other cloud providers in the market,” Baralay says. “EHNAC had announced its support for providers like AWS, so we realized it was the right time to pursue EHNAC accreditation for our new cloud environment.”
As a participant in EHNAC’s Cloud Service Provider Advisory Committee, AWS worked actively with EHNAC to develop CEAP. “We spent time with the AWS team to discuss the AWS controls around FedRAMP and other regulations,” says Lee Barrett, executive director of EHNAC. “AWS has a great set of services that are FedRAMP authorized, and we reviewed those services before refining our program. As we began shifting our efforts from focusing on physical data center audits to focusing on cloud environments, AWS made us confident the cloud would support healthcare organizations’ data exchange under the stringent model we’ve always followed.” The CEAP program requires organizations to meet 74 unique criteria before earning accreditation.
In addition to earning its EHNAC CEAP accreditation, FIGmd moved its clinical-data registries to AWS, using Amazon Elastic Compute Cloud (Amazon EC2) instances and storing some customer data in Amazon Simple Storage Service (Amazon S3) buckets. The FIGmd clinical-data registries pull data from different electronic health record systems and give healthcare organizations the ability to report on compliance.
FIGmd also moved some of its most sensitive clinical-data registry information to AWS GovCloud (US), an isolated AWS region specifically designed to host sensitive data and regulated workloads.
Because FIGmd received EHNAC accreditation for workloads on AWS, the company does not need to have data-center inspections and can rely on existing AWS certifications for FedRAMP and other regulations. The organization can now instill a higher level of confidence in customers who are using its clinical-data registries. “Our customers need to see evidence of our compliance with HIPAA, FedRAMP, and other critical regulations. Having EHNAC accreditation for our AWS workloads helps us demonstrate that compliance,” says Baralay. “As a result, our customers can see we’re serious about security and privacy and protecting their sensitive health data.”
EHNAC is also distinguishing itself by offering CEAP. “As more and more organizations move to the cloud and seek to put risk-mitigation strategies in place, we can play an important role in that process,” says Barrett. “We offer the kind of rigorous third-party review and oversight healthcare organizations are looking for, and that provides a greater level of stakeholder confidence.”
For FIGmd, being on the AWS Cloud and receiving EHNAC accreditation will likely enable new business growth. “When we engage in conversations with potential customers, it’s extremely valuable for us to tell them we can host their sensitive data in the AWS GovCloud and that we have EHNAC cloud accreditation,” says Baralay. “That makes our conversations much easier, and ultimately it makes adoption easier for our customers.”
AWS Services Used
Amazon Simple Storage Service (Amazon S3) is an object storage service that offers industry-leading scalability, data availability, security, and performance.
Amazon Elastic Compute Cloud (Amazon EC2) is a web service that provides secure, resizable compute capacity in the cloud.
AWS GovCloud (US) consists of Amazon's cloud regions designed to host sensitive data and regulated workloads and to address the most stringent U.S. government security and compliance requirements.