Implementing a HIPAA solution presents challenges from day one. Not only are you saddled with seemingly insurmountable regulatory challenges, you also take on the stewardship of people's most deeply personal information. The AWS platform simplifies deployment of HIPAA applications by offering a rich set of dynamic scalability, developer services, high availability options, and strong security. Hosting a HIPAA application on the public cloud may seem pretty scary, but Ideomed solved some of this architecture's most vexing challenges by building a major health portal and deploying it on AWS. Come hear Ideomed CEO Keith Brophy and solution architect Gerry Miller talk first-hand about the challenges and solutions, including CloudHSM encryption, multi-AZ failover, dynamic scaling, and more!
© 2013 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified, or distributed in whole or in part without the express consent of Amazon.com, Inc.
Implementing Bulletproof HIPAA Solutions on AWS
Gerry Miller, CTO - Cloudticity
Keith Brophy, CEO – Ideomed
Mark Welscott, Director – Spectrum Health
November 15, 2013
Convergence of technology, storage, connectivity, medical advances
The Three Big Problems We Solved
Architecture Overview
[Architecture diagram. On-premises side: corporate internal firewall, Windows firewall, corporate server authentication and ACLs across all internal datacenters. AWS side, labelled "VPC Security Layers": Internet, corporate VPN, firewall, Amazon routing rules.]
Solution Specifics
CloudHSM Configuration
Encryption of Data at Rest
Securing Database via TDE
Amazon CloudHSM
SQL ...
-- Expose the advanced setting, then turn on Extensible Key Management (EKM).
sp_configure 'show advanced options', 1 ;
GO
RECONFIGURE ;
GO
sp_configure 'EKM provider enabled', 1 ;
GO
RECONFIGURE ;
GO
-- Register the SafeNet Luna SA client library as the EKM provider; SQL Server
-- calls into it (and through it into the CloudHSM appliance) for key operations,
-- so the TDE master key material never has to exist on the database host.
CREATE CRYPTOGRAPHIC PROVIDER EKM_Prov
FROM FILE = 'C:\PROGRAM FILES\LunaSA\EKM\LunaEKM.DLL' ;
GO
...
Securing Sensitive Info from Devs
Custom Protected Config Provider ...
public override XmlNode Encrypt(XmlNode node)
{
    var encryptedData = "";
    var stringToEncrypt = node.OuterXml;
    // The provider can only encrypt MaxBlockSize characters per call, so the
    // section's XML is processed in chunks and each ciphertext becomes its own
    // <BlockN> element.
    for (var i = 1; stringToEncrypt.Length > 0; i++)
    {
        var encryptTheseBytes = stringToEncrypt.Substring(0,
            Math.Min(MaxBlockSize, stringToEncrypt.Length));
        var encryptedBytes = EncryptString(encryptTheseBytes);
        encryptedData += "<Block" + i + ">"
            + encryptedBytes + "</Block" + i + ">";
        // Drop the chunk just encrypted; the loop ends when nothing is left.
        stringToEncrypt = (stringToEncrypt.Length > MaxBlockSize) ?
...
Unencrypted Configuration
<secureAppSettings xmlns:xdt="http://schemas.microsoft.com/XML-Document-Transform" xdt:Transform="Replace">
  <add key="ClientSecret" value="xgR2%%f" />
  <add key="MessageAttachmentsKey" value="D7sdlj0GGjhadjkj77sd8jlaj9aihaf0993j=" />
  <add key="MessageAttachmentsIV" value="hhGJfl87JJhhsl+8sj==" />
</secureAppSettings>

Encrypted Configuration
<secureAppSettings xmlns:xdt="http://schemas.microsoft.com/XML-Document-Transform"
    configProtectionProvider="LunaSAProtectedConfigurationProvider"
    xdt:Transform="Replace">
  <EncryptedData>
    <Block1>Gsk2WVr8b9R6gN49c11RTzlHtOSL2QsGX3vGXVIqGYCuBKQh=</Block1>
    <Block2>Hhhj9Ljjd90jJjhf99shjoljjlJUIUYRJjj87fHHgdkri77a=</Block2>
    <Block3>HHDG99jsjJJDLKL99LKJhoijsdfiOIH847jJHYETQKmfkgiU=</Block3>
    <Block4>88HHJjfhk9773HhfyUirKIOPjustUhf886djNNjfoe9Hjdfk=</Block4>
  </EncryptedData>
</secureAppSettings>
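A complete round-trip version of the custom provider, written for this page as an added example and not taken from the deck or from Ideomed's code. It keeps the deck's scheme (fixed-size blocks wrapped as <Block1>…<BlockN> inside <EncryptedData>) but stands in for the Luna SA key with an in-process RSA key, so the class name, the OAEP block size and the constructed sample section are all assumptions. Unlike the excerpt above it splits the UTF-8 bytes rather than the string's characters, so a multi-byte character can never push a block past the RSA input limit, and it includes the Decrypt side that the slides omit.

```csharp
using System;
using System.Collections.Specialized;
using System.Configuration;
using System.IO;
using System.Security.Cryptography;
using System.Text;
using System.Xml;

// Hypothetical name; the deck's provider is "LunaSAProtectedConfigurationProvider".
public sealed class BlockRsaProtectedConfigurationProvider : ProtectedConfigurationProvider
{
    // RSA-2048 with OAEP (SHA-1) accepts at most 256 - 2*20 - 2 = 214 bytes per operation.
    private const int MaxBlockSize = 214;

    // ASSUMPTION: an in-process RSA key stands in for the key that, in the deck's
    // design, lives in the Luna SA / CloudHSM partition and never leaves it.
    private RSACryptoServiceProvider _rsa;

    public override void Initialize(string name, NameValueCollection config)
    {
        base.Initialize(name, config);
        _rsa = new RSACryptoServiceProvider(2048);
    }

    public override XmlNode Encrypt(XmlNode node)
    {
        // Chunk the UTF-8 bytes, not the characters, so every block fits the RSA limit.
        var plaintext = Encoding.UTF8.GetBytes(node.OuterXml);
        var sb = new StringBuilder("<EncryptedData>");
        var blockNo = 1;
        for (var offset = 0; offset < plaintext.Length; offset += MaxBlockSize, blockNo++)
        {
            var len = Math.Min(MaxBlockSize, plaintext.Length - offset);
            var chunk = new byte[len];
            Buffer.BlockCopy(plaintext, offset, chunk, 0, len);
            var ciphertext = _rsa.Encrypt(chunk, true); // true = OAEP padding
            sb.Append("<Block").Append(blockNo).Append('>')
              .Append(Convert.ToBase64String(ciphertext))
              .Append("</Block").Append(blockNo).Append('>');
        }
        sb.Append("</EncryptedData>");
        var doc = new XmlDocument();
        doc.LoadXml(sb.ToString());
        return doc.DocumentElement;
    }

    public override XmlNode Decrypt(XmlNode encryptedNode)
    {
        // ASP.NET hands us the <EncryptedData> element; its <BlockN> children are in
        // document order, so concatenating the decrypted chunks rebuilds the section.
        using (var plaintext = new MemoryStream())
        {
            foreach (XmlNode child in encryptedNode.ChildNodes)
            {
                if (child.NodeType != XmlNodeType.Element) continue; // skip whitespace
                var block = _rsa.Decrypt(Convert.FromBase64String(child.InnerText), true);
                plaintext.Write(block, 0, block.Length);
            }
            var doc = new XmlDocument();
            doc.LoadXml(Encoding.UTF8.GetString(plaintext.ToArray()));
            return doc.DocumentElement;
        }
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample section, shaped like the deck's unencrypted configuration.
        var section = new XmlDocument();
        section.LoadXml(
            "<secureAppSettings>" +
            "<add key=\"ClientSecret\" value=\"xgR2%%f\" />" +
            "<add key=\"MessageAttachmentsKey\" value=\"D7sdlj0GGjhadjkj77sd8jlaj9aihaf0993j=\" />" +
            "<add key=\"MessageAttachmentsIV\" value=\"hhGJfl87JJhhsl+8sj==\" />" +
            "</secureAppSettings>");

        var provider = new BlockRsaProtectedConfigurationProvider();
        provider.Initialize("BlockRsa", new NameValueCollection());

        var encrypted = provider.Encrypt(section.DocumentElement);
        Console.WriteLine(encrypted.OuterXml); // <EncryptedData><Block1>...</Block1>...

        var decrypted = provider.Decrypt(encrypted);
        if (decrypted.OuterXml != section.DocumentElement.OuterXml)
            throw new InvalidOperationException("round trip failed");
        Console.WriteLine("round trip OK, blocks: " + encrypted.ChildNodes.Count);
    }
}
```

To use it in a real application the class is registered under <configProtectedData>/<providers> in web.config and the section is encrypted once at deployment with aspnet_regiis -pe secureAppSettings -prov <provider name>, after which developers only ever see the <EncryptedData> form and the running application decrypts it through the provider. Two practical caveats: the demo key above is ephemeral, so encrypt and decrypt must happen in the same process, whereas the deck's HSM-resident key is persistent; and because every block costs one RSA operation on the HSM, the scheme suits a handful of small secrets rather than large configuration sections.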
Process Automation & Governance
Automated Build & Deployments
AWS CloudFormation Manages Environments
Things We Learned
SEC306