Perx Health: Automated global deployments on AWS with HIPAA Best Practices

About Perx Health

Perx Health is pioneering a motivational health community made for everyone.  They are using leading-edge behavioural science, understanding of consumer tactics, and technology to assist and motivate people living with chronic conditions to stick to their treatment plans.  Notably, Perx has already helped to increase engagement with thousands of patients, improved their adherence, and achieved better health outcomes. Their goal is a future where managing a chronic condition can really be simple, exciting, and rewarding.

The Business Challenge

Already running healthcare solutions on AWS, Perx Health aimed to leverage an elaborated multi-region automated deployment strategy in a HIPAA compliant way, requiring a move from higher-level AWS services like Elastic Beanstalk to services with more operational control.  Achieving this target without adding infrastructure operations overhead was crucial to maintain a collaborative, innovative and flexible environment for the development team.  Security of all data was of primary concern to Perx Health and this became a major focus of the solution delivered.   Another challenge was to identify opportunities for cost reduction while running the application in the new environment.

To accomplish these challenges, DNX Solutions was heavily involved in the new architecture solution.  Together, we evolved the platform to container-based orchestration, pushing stateless applications through CI/CD pipelines along with IaC (Infrastructure as code) using Terraform.  We can meet security and compliance standards through management and governance solutions, also take advantage of the AWS shared responsibility model, specially for security and operations topics.

The Solution

We started assessing the existing infrastructure using HIPAA Best Practices and our DevOps Transformation guidelines.  The project started by deploying our DNX Well-Architected AWS foundation, also called DNX.One, which implements operational excellence, security, reliability, performance efficiency, and cost optimisation using Infrastructure as Code, so that applications can thrive, while the business can remain focused on customer solutions.

With minimum infrastructure operations in mind, Elastic Container Service on AWS was the service of choice for the application modernisation strategy. It is important to mention that DNX used spot instances for the ECS cluster, focusing on availability while reducing AWS costs.

As security and privacy were of paramount importance to Perx Health we were able to develop systems to ensure production data was well secured from development workloads and that access was only via a secure VPN to a secure subnet in their VPCs which is not accessible to the public internet.  Additionally, high levels of security best practices were enabled during the Foundation stage, including; A separate audit only account, centralised cloud trail, AWS Config, AWS Guard Duty, and AWS KMS.

Taking the blue-green deployment approach in a multi-region environment, we automated existing database migrations and deployments that were previously manual processes, providing the team confidence to release new features that can be easily tested in a prod-like environment before every deployment.

Perx Health also required an analytics solution to manage its multi-region environment. Using Terraform to manage Infrastructure as Code (IaC) enabled simple provisioning of a Data Warehouse cluster, which was essential to bring automation, security, and information management and control.

Data Overview

CI/CD Pipelines

Previously, deployments were semi-manual where the team would use a 3rd party deployment tool and required short amounts of downtime. At DNX, we used the current hosts CI/CD tool to provide the best pipeline architecture for deploying to multiple environments and regions with maximum flexibility and confidence while ensuring 0 downtime deployments.

As security is a critical topic, DNX has ensured that security controls were considered around the pipeline build-in on DNX.One Foundation. An IAM role is created specifically for CI/CD and we have been making use of it to deploy Perx’s applications. Discover more accessing our GitHub here.

ECR – Docker image scanning

To avoid releasing a docker image with major vulnerabilities, DNX has implemented an image scanning for Perx’s deployments. 

On bitbucket, a step was added prior to deployment. This step will check the ECR report created for that image tag and if it contains critical level vulnerabilities, the deployment of that image will be prevented.

To ensure compliance, each container is scanned for vulnerability using ECR in the pipeline.

Read this article to learn more: AWS ECR — Improving container security by using Docker image scanning

Some of the AWS Services provisioned:

• Amazon Elastic Container Service (ECS)
• Amazon Elastic Container Registry (ECR)
  • Repository policies
  • Image Scanning
• AWS Elastic File System (EFS)
• AWS Systems Manager
• AWS CloudTrail for audit purposes
• Postgres cluster
• Amazon CloudWatch 
• AWS CodeDeploy
• Papertrail
• IAM Roles

Conclusion

Perx Health’s project was highly collaborative and ultimately delivered beyond expectation. With an engaged and helpful development team working together with DNX, we built a resilient, secure, and reliable AWS platform for Perx Health applications. Now the team is able to focus on what they do best, using leading-edge behavioural science, consumer tactics, and technology to help and motivate people living with chronic conditions to better adhere to their treatment plans on a HIPAA compliant platform and automated deployments.  Using spot instances for the Elastic Container Service (ECS) has been generating an average of 50% cost reduction.

With modern and efficient DevOps-oriented practices, Perx Health can test and release new features to the market, faster. Reducing operational constraints on AWS, the new platform is prepared for a global HIPAA compliant strategy.