2023

Increasing the Security and Compliance of Healthcare Data with AWS

Overview

UpHill won the confidence of hospitals by building a secure solution for monitoring patient progress on AWS that complies with GDPR, ISO 27001, and HIPAA. UpHill now shares responsibility for security and compliance between itself and AWS. The company coordinates and automates patient journeys to ease provider workloads and improve healthcare outcomes. By building a solution entirely on AWS and using services such as Amazon GuardDuty, AWS WAF and AWS Artifact, UpHill has earned the trust of healthcare organizations. Now, the company is entering new European markets with a scalable offering.

“The technical measures that we have implemented using AWS and our software give hospitals the confidence to use our product.”

Duarte Sequeira
Chief operating officer at UpHill

Software-as-a-service company UpHill wanted to help hospitals better define and implement patient journeys while emphasizing the security and compliance of its solutions to medical systems that put a premium on the safety of vital healthcare data. The company set out to enhance the patient experience and provider performance in compliance with HIPAA, General Data Protection Regulation (GDPR), and ISO 27001 standards.

UpHill developed its offering, also called UpHill, on a secure foundation entirely on Amazon Web Services (AWS). To reduce its operational burden, the company shared responsibility for security and compliance between itself and AWS. Now that UpHill can demonstrate the compliance of its offering, hospitals feel comfortable using its product. “We know that hospitals have a lot of concerns about GDPR, so we give them a solution that grants confidence in security, data encryption, and data transfer using AWS services,” says Duarte Sequeira, chief operating officer of UpHill.

Winning the Confidence of Clients by Using AWS

UpHill has a mission of unifying a fragmented process that disrupts patient and provider experiences. “One of the most challenging things for the patient and the healthcare professional is to know what happens next on the patient journey,” says Sequeira. “If a patient has a surgery, what are the next steps that they’ll take? What exams will they need, and when will their follow-up appointments be?” Hospitals rely on providers to coordinate each step of this journey, which is time consuming and complex. UpHill provides a single source of truth that clarifies information for both patients and providers.

However, the company has to provide a solution that is compliant with GDPR, HIPAA, and ISO 27001 to keep earning client trust. Though UpHill is already helping three of Portugal’s top five hospitals, in addition to many other health institutions in the country, it is still expanding across Europe. “The goal is to be compliant with GDPR and give each hospital confidence in the measures that we’ve put in place,” says Sequeira. Using AWS services, UpHill determines where its client hospitals’ data will be stored, controls how data is secured both in transit and at rest, and manages data access. These capabilities also support UpHill’s HIPAA-compliance efforts. And because AWS holds a certification for compliance with ISO 27001, UpHill uses its services to meet that standard too.

Making It Simpler for Providers to Focus on Patients by Using AWS

UpHill implemented a microservices and event-driven architecture whose components can scale independently and are loosely coupled, leading to greater agility. It chose Amazon Elastic Container Service (Amazon ECS), a container orchestration service that makes it simple to deploy, manage, and scale containerized applications, to put its new architecture into place. UpHill also uses AWS Fargate, a serverless compute engine for containers, in tandem with Amazon ECS. “Our product has automation features backed by Amazon ECS and AWS Fargate that save providers time by freeing them from scheduling and requesting appointments, exams, and labs,” says Sequeira. UpHill also offers clinical decision support and rich medical content that gives care professionals the information they need to plan care pathways.

UpHill wants to deliver seamless communication between hospital systems and its product, so it built its offering on the Fast Healthcare Interoperability Resources standard (HL7 FHIR) for exchanging electronic health records, and also supports HL7 V2 and other formats. UpHill uses several AWS services to communicate, process, and transform FHIR data. It uses Amazon API Gateway, a service to create, monitor, and secure APIs at scale, to support serverless workloads. On the backend, UpHill uses AWS Lambda, a serverless, event-driven compute service to run code without provisioning or managing servers. Finally, it uses Amazon EventBridge, a service for loosely coupled, event-driven architectures. “Interoperability is quite important because when we receive the events that the patient has in the hospital, we can map those with the specific parts of their journey,” says Sequeira. “We bridge between events to make the experience continuous for the patient.”

Security is vital when working with sensitive patient data. In addition to Amazon GuardDuty, an intelligent threat detection service, UpHill implemented AWS WAF, a service that protects against common web exploits and bots that can affect availability and security. When national regulations stipulate that patient data must remain in the country, UpHill chooses the geographical locations in which hospital data is stored. It also uses AWS Artifact, an offering that provides on-demand access to security and compliance reports, to streamline reporting. Additionally, UpHill chose AWS Key Management Service (AWS KMS) to create and control keys to encrypt or digitally sign its data. Using these solutions, UpHill is making good on its commitment to keep patient data secure and compliant.

UpHill wants to make it as simple as possible for hospitals to use its product, so it prioritizes speed and ease of use. It implemented Amazon Cognito, a secure, frictionless customer identity and access management service, to unlock single sign-on for hospitals. “We substantially reduce the time that physicians have to follow up with patients and increase clinical team capacity at a time when health systems lack clinical and healthcare professionals,” says Eduardo Rodrigues, CEO of UpHill. UpHill’s adoption of cloud-native architecture on AWS also accelerates adoption. Though the industry norm calls for an implementation timeline of 6–9 months, UpHill can set up the first patient journey in a new hospital in 2 months.

To deliver the performance and availability that its clients need, UpHill uses Amazon Aurora, a relational database service built for the cloud. It also uses Amazon DocumentDB (with MongoDB compatibility), a native JSON database that makes it simple to operate critical document workloads at virtually any scale. With this data infrastructure, UpHill seamlessly matches data events from electronic health records with clinical pathways to automate steps for physicians and patients.

Using Technology to Improve the Patient Experience

For now, UpHill is not developing new products. Instead, the team is focused on improving its patient-facing interfaces without requiring people to download an app to use its services. It’s also enhancing data flow between hospitals and its product. “We are using AWS services to create an easier way for hospitals to map their own local terminologies to the international terminologies that we use,” says Sequeira. “That will accelerate implementation.”

The company is excited to bring its offering to hospitals across Europe. “The technical measures that we have implemented using AWS and our software give hospitals the confidence to use our product,” says Sequeira.

About UpHill

Founded in 2015, UpHill creates software that unifies a fragmented healthcare system to plan and track progress on patient journeys. The company’s software is registered as a class one medical device in the European Union.

AWS Services Used

Amazon DocumentDB (with MongoDB compatibility)

Scale enterprise workloads with ease using a fully managed native JSON document database.

AWS WAF

AWS WAF helps you protect against common web exploits and bots that can affect availability, compromise security, or consume excessive resources.


Amazon GuardDuty

Amazon GuardDuty is a threat detection service that continuously monitors your AWS accounts and workloads for malicious activity and delivers detailed security findings for visibility and remediation.


Learn more »

AWS Fargate

AWS Fargate is a serverless, pay-as-you-go compute engine that lets you focus on building applications without managing servers.
