Scalamed: Building a HIPAA compliance environment while migrating from Heroku to AWS

About Scalamed

Scalamed is an Aussie startup that allows patients to receive prescriptions directly from their clinician to their mobile phones.

Taking a patient-centred approach, Scalamed believes the company must empower patients with the right information at their fingerprints to make health personalised for them.

Combining the experience of patients, care-givers, doctors, pharmacists, and geeks in a single solution, Scalamed aims to provide a friendly, personal, intuitive, secure, and caring healthcare solution.

For Dr Tal Rapske, Scalamed Founder, the journey to helping patients manage their health simply, conveniently, and on-the-go starts with medication management. As Rapske explained it, ScalaMed is in-effect a ‘digital prescription inbox’, secured by blockchain technology, which patients can access from their smartphone and share with their treating doctors and pharmacists.

“We identified a gap where a next-generation technology could improve the experience of medication management and increase adherence. By allowing patients to securely store their prescriptions digitally, doing away with paper, we can reduce medication errors, allergy mix-ups, and unnecessary hospitalisations, while giving patients their prescription history and information, and improving the convenience and ease of managing and purchasing one’s prescriptions,” Rapske explained.

The Business Challenge

While uncovering the market’s needs, Scalamed identified that the main concerns and questions about the solution are around security, ease of use, administration burden, and how difficult the system is to use. In response to the security topic, Scalamed has decided to prepare the application to be compliant with HIPAA standards for sensitive patient data protection. 

Another challenge is that Scalamed was scaling up the business globally, was looking to improve the resource-usage, looking to grow more dynamically, remaining light on infrastructure operations, and wanting more control in the long-run. However, as Heroku was the current cloud platform, Scalamed was not able to achieve this due to some Heroku platform limits.

So, Scalamed needed to find a partner that solves both challenges; building a HIPAA compliant environment and preparing the business for future growth. DNX Solutions was engaged to support these challenges using AWS as a cloud solutions provider.

The 5-step Solution

Step 1: Identifying issues, risks, and opportunities

DNX started by assessing the current state of the application infrastructure, delivering a Well-Architected Review Framework where DNX identified risks and opportunities against operational excellence, security, reliability, performance efficiency, and cost optimisation pillars. Also, a HIPAA Best Practices was considered while assessing the workloads.

About 39 items were classified as high risk. Security and reliability were the main focuses for the business, followed by solving performance efficiency. Some of those are identities and permissions management, network resources, networking configuration, security events, design workload service architecture to adapt to and perform better, and data protection.

With a clear understanding of both business and technical needs in-hand, DNX and Scalamed determined that an Application Transformation would be the best path to solve those challenges.

A Transformation journey was defined as a deliverable scope, with security as a main topic to be covered in order to achieve the desired outcome.

Step 2: Enhancing security through DNX.One Well-Architected Foundation

The project started by deploying DNX.One Well-Architected Foundation (aka DNX.One) – an automated platform built with simplicity in-mind, Infrastructure as Code (IaC), open source technologies, and designed for AWS with well-architected principles. It enables the application to thrive while the business can remain focused on customer solutions.

DNX.One is a ready-to-go solution that aims to solve the most common business needs regarding cloud infrastructure as it fits different application architectures (including containers), has flexibility and automation for distinct platforms, and enhances security and management to keep business under control. 

Some high-level security best practices that were leveraged while building Scalamed’s infrastructure were:

• Networking using security best practices for VPC
• Multiple Availability Zone
• Security groups and network Access Control List as an optional layer of security for VPC
• IAM policies to control access
• AWS tools to monitor VPC components and VPC connections such as CloudWatch
• A secure dedicated and isolated subnet for the database which is not accessible to the public internet
• A Centralised CloudTrail to monitor events history
• GuardDuty to provide continuous monitoring of AWS accounts
• AWS Key Management Service (KMS) to create and manage cryptographic keys and control their use across AWS services

While building a HIPAA compliant environment for Scalamed, DNX provided substantial changes on DNX.One which is default for any new customer such as having account-level separation to isolate distinct environments, granular access control for each workload, and list-grants-permission.

Having a separate audit only account was another crucial topic to be covered, enabling the HIPAA audit team to access everything with integrity.

Figure 1- IAM – single sign-on

Figure 2 – Networking

Figure 3: account management and separation

Step 3: Application Transformation Strategy

With minimum infrastructure operations in mind, DNX started the application transformation strategy. A migration from Heroku to AWS while using Elastic Container Service cluster in EC2 instances was proposed as it enhances performance and resource usage. It is important to note that DNX used spot instances for the ECS cluster, focusing on availability while reducing AWS costs.

Upon deployment of DNX.One, we migrated Scalamed deployment to Docker containers using Elastic Container Service (ECS) bringing together both the existing automated tests and database migration scripts to its CI/CD pipeline. 

An internal Application Load Balancer was used to control internal access through Network Access Control List (NACLs) and/or Security Groups.

As a security best practice, environment variables were used while passing secret or sensitive data securely to containers. SSM Parameter was used to store secret keys and variables (values in plaintext), enabling only authorised services to access this and change it when convenient.

An AWS Key Manage Service (AWS KMS) customer master keys (CMKs) was used to encrypt the data at rest.

To enhance security in this phase, the environments were separated into accounts (non-prod and prod), allowing better access control for the Scalamed team to the environments through roles and policies. VPNs were also implemented in each environment (non-prod and prod), so that access to resources such as databases were only carried out through VPN, allowing authenticity, confidentiality, and integrity of data in transit.

Step 4: Build a secure CI/CD Pipelines

We used AWS EC2 instances to run complex CI/CD pipelines using spot instances, optimising steps such as database migration and automated tests running in parallel steps via Gitlab.  Hundreds of pipelines are triggered daily at minimal operational cost. Moreover, this reduced the number of production incidents, increased their current test capacity, and enhanced security while running the pipeline in a private instance, avoiding public or shared instances.

DNX uses its own runners to execute the pipelines. In summary, instances are created in AWS to execute the pipelines without the need to configure SECRETS within the CICD SaaS platforms. Our instances that are created for this purpose already have the specific policies and roles to execute the pipelines only with the necessary permissions, without the need to expose the execution of pipelines inside third-party runners.

AWS stack:

• AWS Identity and Access Management (IAM)
• AWS Key Management Service (AWS KMS)
• Network ACLs + Security Groups 
• AWS Systems Manager
• AWS CloudTrail
• AWS Organisations Service Control Policy
• AWS Secrets Manager
• Amazon CloudWatch 
• AWS CloudWatch Events
• Amazon GuardDuty 
• AWS Certificate Manager (ACM)
• AWS Single Sign-On
• AWS Consolidate Billing

Step 5: Knowledge Transfer

DNX works closely with companies to spread the AWS Well-Architected Framework pillars, bring teams together, and focus on delivery. As part of DNX Transformation Journey, a showcase was delivered at the end of the project in order to upskill the Scalamed’ team regarding what was delivered.

Conclusion

From conception to conclusion, the migration project of Heroku to AWS was completed in approximately one month. Now they have a HIPAA compliant environment as well as Well-Architected. In order to address the first challenge, the critical issues identified on the previous assessment were fixed (under security and reliability pillars) while delivering a resilient, secure, and reliable foundation.

The new Docker+AWS environment implementation allowed Scalamed to improve performance and efficacy as compared to their previous Heroku environment. Their production quality and their ability to release more products frequently have increased. Furthermore, developer and QA productivity has improved significantly. 

Building a HIPAA compliance environment, improving the security of application components, automating security components and CI/CD, and applying AWS cloud-based products have enhanced the environment to seat the customer data. It enables the Scalamed team to focus on delivering Dr Tal Rapske’s passion; to reorient healthcare towards the patient and empower patients with their data seamlessly, while addressing the quadruple aim of health – improved health outcomes, reduced cost, improved patient experience, and reduced paperwork for providers.