Industry: 
Healthcare
Region:  
NA
AWS Segment:  TODO
Startup

The Challenge

Taproot needed a net new workload deployed. Taproot was running into huge hurdles finding off-the-shelf solutions to cater to the needs of their multi-faceted, highly customized EHR application, which included a myriad of technologies encompassing in the areas of Application Development, Product Development, AI and Machine Learning, Customized ERP solutions, Application Integration, Technology Consulting, Project Management and Quality Assurance Consulting. After a successful Well-Architected Review with Cloud303, with a focus on HIPAA-compliance and scalability, Taproot was convinced that AWS had all the services needed to host their architecture. 

Why Taproot Chose Cloud303?

Cloud303's reputation as the number one AWS Well-Architected Review partner boded well for Taproots' aspiration to roll out their EHR application, which had to be HIPAA-compliant, on AWS.

Cloud303 also turned out to be a great fit for Taproot because of their extensive experience with Health and Life Science companies. Cloud303’s experience meant that their engineers are extremely knowledgeable on what it takes to ensure HIPAA compliance in the cloud. This includes but is not limited to how to effectively keep track of the data needed for HIPAA compliance on the AWS account level as well as data and logs from within the application itself - all of which were defined and discusses extensively during the Well-Architect Review during the Assess Phase of the migration.

Cloud303's Solution

Patients log in and enter data into Taproot's Electronic Data Capture (EDC) and Electronic Health Records (EHR) application, which is hosted in containers powered by Amazon Elastic Compute Cloud (EC2) instances on Amazon Elastic Container Service (ECS). All the cancer/clinical research data is stored in a three-pronged MongoDB cluster hosted on EC2 instances, with replica sets spanning multi-AZs. Route 53 is used to manage Taproot's DNS. Taproot's CICD pipeline is orchestrated by AWS CodePipeline and AWS CodeBuild, with the codebase being version controlled using GitHub. AWS Config rules are configured according to AWS' Operational Best Practices for HIPAA Security. Amazon CloudWatch alarms and AWS CloudTrail logs storage are also configured to be HIPAA-compliant.

Cloud303 scoped out the project and optimized the EHR platform by configuring compute-optimized c5.2xlarge EC2 instances to power the Docker containers running in Amazon ECS. The workload was spread in private subnets over multiple availability zones in an Auto Scaling Group behind an Application Load Balancer in the North Virginia region for high availability.

The development pipeline was orchestrated using AWS CodePipeline, with AWS CodeBuild and AWS CodeCommit which integrated perfectly with GitHub as the version control system. Cloud303 built the Docker image and pushed this image to an Amazon Elastic Container Registry (ECR), and then deployed it to ECS on EC2. 

All testing of the application's backend was conducted in a development environment. Topic branches based off the main branch were used for feature and bug fixes. These feature branches isolate work in progress from the completed work in the main branch.

With autoscaling configured with a step scaling policy triggered by Amazon CloudWatch metrics, the ECS containers were powered by c5.2xlarge instances spread across two AZs during the development phase as a proof of concept (PoC) in the Dev account. The containers were set up to scale horizontally if CPU utilization exceeds 80%, and to scale in if CPU utilization falls below 60%. Following three months of monitoring, it was decided to scale the workload in the production environment to match demand, with the minimum and desired number of instances set at five and the maximum number set to twelve. Utilizing native right-sizing and cost-optimization capabilities from AWS, this was accomplished.

To achieve the best possible outcome in this regard, ECS cluster auto scaling (CAS) was enabled to provide more control over the scaling of the EC2 instances within the cluster, with the ECS Service configured to send metrics to CloudWatch, which triggers an alarm to add more tasks in the ECS Service, with the capacity provider set up to target the autoscaling group, using the CapacityProviderReservation metric.

The entire infrastructure was encrypted at-rest and in-transit using AWS Key Mangement service (KMS) with automated annual key rotation in order to comply with HIPAA regulations.

Results/Benefits

Cloud303 built a resilient, scalable, highly available backend architecture for Taproot's EDC/EHR application. Through the use of  AWS' conformance packs, t he application was able to be built robustly, while conforming to HIPAA requirements. Taproot's business has benefited greatly from running their containerized workload on AWS. They are set up to save their logs for the required six years under HIPAA, both at the application level and the account level. Additionally, end-to-end encryption is featured both in transit and at rest. Taproot now has considerably more control over the resources they are using when compared to their prior application hosted using a managed provider. As a result, Taproot no longer has trouble controlling their infrastructure and adjusting security settings when necessary.

 .