Securing Healthcare Networks: A Cloud-Powered Transformation Story from Complexity to Compliance
Nov 30, 2023
About the Client
The customer is a leading New Jersey-based non-profit healthcare system known for exceptional patient outcomes and experiences. They are committed to providing the highest quality care delivered at the right time, at the right place, and at the right cost.
Powered by a passionate workforce of 18,000 team members and 4,800 affiliated physicians dedicated to building healthier communities, the client serves more than half the state of New Jersey, including 11 counties and 4.9 million people. The system provides care for the full continuum of health needs across a wide array of settings, including 12 urgent care centers, virtual urgent care, and other telehealth services, with a transportation fleet connecting these services by both land and air.
Executive Summary
To address the healthcare client's complex networking and security challenges, Intuitive embarked on a transformative project. This initiative unified multi-site network architectures while meeting robust security standards such as HIPAA and HITRUST. It began with an AWS Direct Connect link terminating on a Virtual Private Gateway (VGW) for private, low-latency data transfers. AWS Network Firewall fortified security, and dedicated accounts were established using AWS Control Tower for comprehensive security resource management, enabling strict service control policies (SCPs) and centralizing account management. AWS Transit Gateway streamlined networking for efficiency, while Palo Alto firewalls deployed in the on-premises data center environments provided deep packet inspection, bolstering overall security. Centralized logging in the Log Archive account and comprehensive security services in the Audit account ensured robust monitoring and compliance with industry standards.
Goals
The overarching aim of this project was to establish a highly secure, scalable, and operationally efficient cloud network infrastructure that addressed the customer's complex networking and security requirements. The following consolidated goals were set and successfully achieved:
- Architectural Design and Efficiency: Design and implement a comprehensive, efficient, and secure multi-account cloud network architecture that adhered to the principles of security, scalability, and operational readiness, providing a solid foundation for the customer's cloud infrastructure.
- Account Orchestration and Segmentation: Orchestrate the creation of dedicated cloud accounts tailored to specific functions and security requirements, enhancing the overall cloud account structure and posture.
- Infrastructure Automation and Resource Control: Implement infrastructure automation to expedite the deployment of cloud infrastructures and services while ensuring consistent resource management and access control.
- Network Connectivity and Security: Simplify communication among various workloads and use cases, reducing network complexity, and seamlessly integrating advanced security measures to provide robust threat detection and prevention capabilities.
- Secure Connections and Efficient Data Transfer: Establish secure, high-speed connections between on-premises data centers and cloud resources, ensuring secure and efficient data transfers.
Challenges
The customer faced a challenge in scaling up their security posture to match their ever-growing AWS workloads. They needed to bolster threat detection and incident response capabilities, ensuring protection against malicious activity and unauthorized access across their AWS accounts and workloads. Compliance with security benchmarks, such as the CIS AWS Foundations Benchmark, and enforcement of security best practices were crucial requirements. Additionally, the customer sought to secure network traffic patterns, both within AWS and between on-premises and AWS-hosted resources, while dealing with the intricacies of a multi-account architecture and AWS Control Tower. The task required a deep understanding of AWS internals to ensure a seamless and secure operational structure.
Solution and Outcomes
The customer uses a multi-account AWS strategy to host their applications on the AWS Cloud platform. Our team crafted a solution designed to bolster this multi-account strategy. Leveraging the advanced features of the AWS landing zone, we meticulously planned and implemented a comprehensive architectural design. This design incorporated a multitude of AWS services, including AWS Config, guardrails, CloudTrail, AWS Single Sign-On (SSO), AWS Security Hub, AWS Control Tower, AWS Organizations, encryption protocols, and more, to provide a seamless, highly available, fault-tolerant infrastructure.
The following tasks were completed to define the AWS Landing Zone solution.
- Architectural Design: Our solution commenced with the design and implementation of a comprehensive multi-account network architecture within AWS. This architecture, driven by the principles of service-oriented security, scalability, and operational readiness, provided a robust foundation for the customer's network infrastructure.
- Control Tower Implementation: Leveraging AWS Control Tower, Intuitive orchestrated the creation of dedicated AWS accounts tailored for specific services, including an Audit Account for centralized security management, a Log Archive account for efficient log storage and analysis, and a Network Account for housing networking resources like AWS Transit Gateway and Network Firewalls.
- Infrastructure Automation: Utilizing Infrastructure as Code (IaC), we automated the deployment across all native AWS infrastructures and services, enhancing efficiency and consistency.
- Dedicated VPC for Security: To fortify security and streamline network management, we established a dedicated Virtual Private Cloud (VPC). This VPC was designed to host specific security functions, ensuring efficient traffic inspection and control.
- Efficient Network Connectivity with AWS Transit Gateway: The adoption of AWS Transit Gateway significantly simplified network connectivity by creating a hub-and-spoke model. This design improved communication among various workloads and use cases while reducing network complexity.
- Advanced Security with AWS Network Firewalls: Seamless integration of AWS Network Firewalls provided advanced traffic filtering and inspection capabilities. This enhanced layer of security ensured all network traffic adhered to rigorous security standards.
- Secure On-Premises Connections via AWS Direct Connect and Palo Alto Firewalls: Through AWS Direct Connect, we established secure, high-speed connections between the client's on-premises data centers and AWS cloud resources. This setup facilitated rapid and secure data transfers, essential for uninterrupted operations. Moreover, deep packet inspection was performed by Palo Alto firewalls, ensuring that egress traffic was rigorously scrutinized.
- Resource Tagging Policy: A comprehensive tagging policy was devised and implemented for all AWS resources, enhancing visibility, management, and resource tracking.
- Proof of Concept Analysis: A thorough Proof of Concept was conducted, identifying the most efficient, cost-effective, and least disruptive automated application and infrastructure strategy.
- Automated Setup Processes: Fully automated processes and toolsets were established, expediting the landing zone setup while ensuring accuracy and reliability.
- Comprehensive Engineering Designs: Complete engineering designs, including runbooks, platform designs, and configurations, were meticulously crafted. Additionally, a detailed knowledge transition strategy was developed, facilitating a seamless transfer of knowledge to the customer's business and technology teams.
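As an added illustration of the "strict service control policies" and Infrastructure as Code described above (example code, not the project's own), the following Terraform defines an SCP that prevents member accounts from disabling the CloudTrail, AWS Config, GuardDuty and Security Hub baseline and from operating outside approved regions. The OU id, the break-glass role name and the region list are assumed placeholders.

```hcl
# Added example, not the project's own code. The OU id, the break-glass role
# name and the approved region list are placeholders to be replaced.
resource "aws_organizations_policy" "protect_security_baseline" {
  name        = "ProtectSecurityBaseline"
  description = "Deny member accounts from disabling CloudTrail, Config, GuardDuty and Security Hub"
  type        = "SERVICE_CONTROL_POLICY"

  content = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid    = "ProtectSecurityTelemetry"
        Effect = "Deny"
        Action = [
          "cloudtrail:StopLogging",
          "cloudtrail:DeleteTrail",
          "cloudtrail:UpdateTrail",
          "config:StopConfigurationRecorder",
          "config:DeleteConfigurationRecorder",
          "config:DeleteDeliveryChannel",
          "guardduty:DeleteDetector",
          "guardduty:DisassociateFromMasterAccount",
          "securityhub:DisableSecurityHub",
          "securityhub:DisassociateFromMasterAccount",
        ]
        Resource = "*"
        # Only an assumed break-glass role (kept in the Audit account) may bypass this.
        Condition = {
          ArnNotLike = { "aws:PrincipalARN" = "arn:aws:iam::*:role/BreakGlassSecurityAdmin" }
        }
      },
      {
        Sid       = "RestrictToApprovedRegions"
        Effect    = "Deny"
        NotAction = ["iam:*", "organizations:*", "sts:*", "support:*", "cloudfront:*", "route53:*", "budgets:*"]
        Resource  = "*"
        Condition = {
          StringNotEquals = { "aws:RequestedRegion" = ["us-east-1", "us-east-2"] }
        }
      },
    ]
  })
}

# Attach to the workloads OU (placeholder id), never to the management account itself.
resource "aws_organizations_policy_attachment" "workloads" {
  policy_id = aws_organizations_policy.protect_security_baseline.id
  target_id = "ou-xxxx-placeholder"
}
```

SCPs never grant permissions and do not apply to the management account, so the Audit and Log Archive accounts still need their own IAM roles; the deny simply guarantees that no workload account can silence the telemetry those accounts depend on.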
Our solution's integration of AWS Control Tower and dedicated accounts, combined with a robust network architecture and service-oriented security measures, successfully tackled the customer's complex networking and security challenges. The resulting AWS network not only met stringent security and compliance standards but also set the stage for optimized performance and future growth.