The big theme at AWS re:Invent 2017 was serverless computing. Whether deploying microservices in containers using ECS, Kubernetes, or Fargate, or building systems using Lambda that connect to serverless relational databases like Serverless Aurora or DynamoDB, Amazon is rapidly moving to remove “undifferentiated heavy lifting” common to building and deploying software applications.
Healthcare has historically been slow to move to the cloud. Some of this stemmed from spotty HIPAA eligibility, and from a desire of health systems not to be the first to break new ground. Today, however, many of the barriers have been cleared away: serverless technologies like Lambda and ECS are already on Amazon’s HIPAA-eligible services list with many more likely to come in the future.
There are many benefits to serverless architectures, including faster time to market, lower operating costs, and lower complexity. Here are 4 compelling reasons why serverless systems are uniquely positioned to thrive in healthcare:
The HIPAA security rule contains a number of requirements for server security. You’d be hard pressed to find a list of security recommendations that doesn’t start with patching your servers. Indeed, over the last year unpatched servers have led to several major security incidents and breaches. There are many (poor) reasons why people don’t patch. Failure to patch machines promptly is a significant risk vector.
With serverless systems, this risk vector goes away.
In actuality, the risk is not entirely removed; instead you’re selling it to Amazon. Underneath serverless technologies, there are still servers running operating systems. However, the bet that you’re making is that Amazon has this down to a science across their millions of servers in a way that other IT departments can’t match.
Governance and Compliance
HIPAA mandates a set of administrative controls that govern things like access control and auditability. This is another area that is already baked deeply into serverless architectures.
AWS contains a strong policy-driven identity and access framework in AWS IAM. This is a core component of serverless architectures to control access at every step in the architecture. Applying the ‘least privilege’ principle with IAM roles naturally limits the “blast radius” if a service does become compromised. And because policies are all held in one place, it’s easier to see and control which accounts have access to what.
Auditability and robust logging go hand-in-hand, and if serverless architectures do anything, they generate a ton of log data. Each service, from AWS Gateway routing request to VPC delivering network traffic, to Lambda services handling requests, to S3 getting and setting bulk data is heavily logged, with most logs aggregating into either S3 or CloudWatch Logs. Several of the re:Invent sessions this year explored novel ways to report on this data using tools like ElasticSearch (note: the AWS-managed ElasticSearch Service is not yet on the HIPAA eligible list), and even automatically detect anomalous usage patterns using Kinesis Analytics.
Finally, AWS Artifact organizes all of the compliance documentation for Amazon’s part of the shared-responsibility model, including things like your AWS Business Associate Addendum (BAA), and access to SOC2 audits.
All of this stuff is just baked in, and there’s hardly any work needed to make use of it.
Availability and Scalability
While the security and encryption parts of HIPAA get most of the attention, it also contains provisions for ensuring availability, business continuity, and emergency mode operations.
Capacity and availability is something that used to be hard to plan in the days of individual server instances. A well-designed serverless architecture, by contrast, encourages robust-by-design implementations that can scale based on actual usage. Deploying across multiple data centers (AZs) is the default. Deploying across multiple regions is easy. This once again removes a common source of error and failure and gives solution builders tools to build “internet scale” systems that deliver three, four, or more 9’s of availability.
And in the unlikely event that there is an outage, backup and restore is also easy. Relational (Aurora) databases automatically perform backups, and backup/restore support for the DynamoDB document database was announced at re:Invent.
Healthcare data has often been locked into data silos inside EMRs and other proprietary systems-of-record. Additionally, the quantity of data has meant that health systems need to undertake massive data consolidation and data warehousing projects to begin to recognize the value stored in this data.
At the same time, in recent years, there has been an explosion in patient-generated data. Vast quantities of activity tracking data, medication adherence records, blood glucose measurements, and patient reported outcome data (to name a few examples) sits collected but underused and uncorrelated.
In modern serverless architectures, patient data from inside and outside the four walls of the clinic can be easily collected and stored in large-scale data lakes like S3 where it can be easily aggregated, cleaned, transformed, queried, and reported on. HIPAA regulations are easily fulfilled, with HIPAA-compliant encryption at no additional cost just a button-click away (or sometimes a few buttons if you want to manage your own encryption keys). Control over who can access and use this data are returned to governance groups and clinicians based on business requirements and policy rather than obscure formats, closed databases, and network firewalls.
At Wellpepper, we help healthcare providers deploy interactive care plans to their patients, so we take our data security and compliance responsibilities seriously. We were an early adopter of the AWS cloud back when EC2 and S3 were the only services available under the HIPAA umbrella, but things have changed! Following AWS’ announcement earlier this year that Lambda is now HIPAA-elegible, we’ve been looking more seriously at serverless system design, and we like what we see.
This is the future that anyone building solutions in healthcare IT should be excited about.
Relevant Content from AWS re:Invent 2017