Healthcare Ready for AWS

A managed Amazon Web Services environment optimized for healthcare applications

Healthcare Ready for AWS is a managed service for healthcare organizations that provides an operational Cloud environment with pre-configured compliance and security controls. Protect and scale out your applications using managed configurations including containers, virtual machines, and serverless, backed by a variety of database options - within your AWS account.

Security and Compliance Features Managed by Healthcare Blocks

Your Healthcare Applications and Services
Healthcare Ready for AWS enforces the principle of least privilege (PoLP) for your Amazon Web Services account and enables multi-factor authentication for console and API usage. Access controls can be customized to meet your organization's requirements.
AWS CloudTrail and AWS Config track account activity and changes to services configurations that impact security. Amazon CloudWatch monitors system uptime and resource utilization. Receive alerts via email, including your Slack or Microsoft Teams account.

Amazon RDS provides the latest versions of MySQL, PostgreSQL, and SQL Server. Healthcare Ready for AWS ensures your database services are configured correctly to satisfy HIPAA requirements, including features such as encryption-at-rest, audit trails, and automated failover. Customers can use DocumentDB for MongoDB workloads.

For more complex data lake/warehouse use cases, Healthcare Ready for AWS supports services such as Amazon HealthLake, Amazon Redshift, and more.

Cost-effective file cloud storage is available through Amazon S3. Healthcare Ready for AWS enforces encryption and logging requirements and can configure data replication across geographic regions to meet disaster recovery requirements.

Amazon Elastic Container Service (ECS) on AWS Fargate provides a scalable service layer and avoids the need to manage servers. Healthcare Ready for AWS manages the security, execution roles, and logging configuration, and deploys an application load balancer integrated with the AWS Web Application Firewall. Technical guidance is available for development teams who wish to deploy apps to ECS using CI/CD services like AWS CodePipeline and GitHub Actions. AWS Inspector is configured to scan Docker images for vulnerabilities.

Healthcare Ready for AWS enforces data encryption requirements. Storage volumes attached to containers and virtual machines are encrypted using AES 256-bit keys, provisioned and rotated through the AWS Key Management Service (KMS). Transmission of data between internal services is encrypted using TLS. Public traffic received through load balancers is encrypted all the way to containers and virtual machines per AWS HIPAA requirements.

For healthcare data integration needs, Healthcare Ready for AWS manages the network security configuration and backing services, such as SFTP endpoints.

Healthcare Ready for AWS configures AWS platform features to meet uptime requirements according to your organization's needs. Production environments include systems redundancy across multiple data centers within a single geographic region by default. Multiple region support is also available. The Healthcare Blocks support team also provides assistance with capacity planning and troubleshooting performance issues.
Healthcare Ready for AWS provisions and manages the Web Application Firewall service to analyze traffic in real-time, blocking unwanted bots and intrusion attempts. Amazon GuardDuty is a threat detection service that continuously monitors your AWS account and workloads for malicious activity, and its findings are analyzed and managed by Healthcare Blocks.
Logs are collected from managed AWS services, EC2 virtual machines, and Docker containers and are stored in AWS CloudWatch Logs, providing a rich UI to browse and filter interesting events.
Amazon Linux and Ubuntu EC2 virtual machines are enhanced with security features and include file integrity monitoring, malware detection, automated software security patching by a centralized AWS service, and continuous vulnerability scans.
Your development team can securely access resources in your AWS account from anywhere via a private OpenVPN Access Server that uses AES 256-bit military-grade encryption, multi-factor authentication, and includes access logs.
AWS Infrastructure

Standards and Automatic Compliance Checks

Securityhub screenshot

The configuration of your AWS account and services is based on documented standards and verifiable controls, including

  • AWS Foundational Security Best Practices
  • CIS AWS Foundations Benchmark
  • NIST Cybersecurity Framework (CSF)

Your AWS security posture is continuously assessed and summarized by the AWS Security Hub service. Alerts are displayed in a dashboard and can be sent to communication platforms such as Slack and Microsoft Teams.

In addition, organizations can subscribe to the AWS Audit Manager service, which automatically collects evidence for many of the controls required for compliance with HIPAA, HITRUST CSF, and Service Organization Control 2 (SOC 2).

Healthcare Ready for AWS Pricing (PDF)  

Additional Information

How do I sign up for Healthcare Ready for AWS?
Start a conversation with Healthcare Blocks using our live chat. We'll discuss your needs and provide additional information about getting started. Or send us an email.

What is the best way to estimate my monthly AWS fees?
Healthcare Blocks can produce an estimate that includes the compute and storage services required by your organization, as well as the standard backing services that are necessary to support a bare minimum HIPAA-compliant configuration. Please have your technical lead developer or architect start a live chat to request an estimate.

What are the terms of service and customer responsibilities?
Please review our Healthcare Ready for AWS Services Agreement (PDF), and start a chat if you have any questions.

What are the benefits of using Healthcare Blocks to manage my AWS account?
We have extensive experience with AWS specific to healthcare scenarios and have helped many organizations scale from early-stage concepts to successful platforms.

How to determine which Healthcare Blocks service is a better fit for my organization?
Healthcare Ready for AWS is ideal for teams already working with or willing to invest the time and DevOps resources to learn the Amazon Web Services platform. While Healthcare Ready for AWS helps eliminate some of the technical challenges and implementation tasks, DevOps teams typically take on more responsibilities compared to our Cloud Application Platform experience. The primary benefits for organizations include enhanced transparency into their production systems, faster auditing capabilities, and direct access to the various Web consoles in the AWS platform.

Which AWS regions do you support?
Amazon Web Services us-west-2 (Oregon) and us-east-2 (Ohio).

Who signs the Business Associate Agreement (BAA)?
AWS has its own BAA that your organization would need to execute. To obtain a copy for preview, after creating an AWS account, go to the AWS Artifact service. In addition, Healthcare Blocks will sign a BAA with your organization. We have two different versions, depending on your relationship to us, that you can preview (PDF): covered entity or business associate. An e-signable version will be sent to you upon request.

Do you support the Dokku PaaS in Healthcare Ready for AWS?
Absolutely! We've assisted customers with migrations from our Cloud Application Platform to our newer offering without requiring them to change their production configuration and deployment process.

Can you configure my AWS environment so that my DevOps team cannot access any PHI?
Through a combination of strict access controls in your AWS environment and tasks that your DevOps team would need to implement, this solution is achievable. See our Enhanced Security Architecture for details.