© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

Ben Snively, Senior Solutions Architect, Amazon Web Services

Casey Helfrich and Stuart Ingram, UPMC Enterprises

12/1/2016

Healthcare Data LiberationPHI in AWS

Build everything on a constantly improving security baseline

AWS Foundation Services

Compute Storage Database Networking

AWS Global Infrastructure Regions

Availability Zones

Edge Locations

AWS Foundation Services

Compute Storage Database Networking

AWS Global Infrastructure Regions

Availability Zones

Edge Locations

Client-side Data Encryption

Server-side Data Encryption

Network Traffic Protection

Platform, Applications, Identity & Access Management

Operating System, Network & Firewall Configuration

Customer contentC

ust

om

ers

Let AWS do the heavy lifting for you

Customers are

responsible for

their security and

compliance IN

the Cloud

AWS is

responsible for

the security OF

the Cloud

AWS HIPAA Program

Strong presence in healthcare and life

sciences from our roots

Business Associates & January, 2013

Omnibus Final Rule

Starting signing Business Associate

Agreements (BAA) in Q2 2013

Program is based on Shared Security

Responsibility Model

AWS HIPAA Program is aligned to

NIST 800-53 & FedRAMP

Authorizations

Alignment to HIPAA Security Rule

HIPAA Security Rule(45 CFR Part 160 and Subparts

A and C of Part 164)

NIST 800-66An Introductory Resource Guide

for Implementing the Health

Insurance Portability and

Accountability Act (HIPAA)

Security Rule

NIST 800-53 Moderate baseline + FedRAMP

Controls

AWS HIPAA Eligible Services

You may use all services within a “HIPAA Account”

You may process, store, or transmit PHI using only Eligible Services

Amazon EC2Elastic Load

BalancingAmazon S3Amazon EBS Amazon Glacier Amazon Redshift

Amazon RDS

(MySQL & Oracle)Amazon

DynamoDBAmazon EMR

1) Provider

2) Payer

3) Other Stuff

UPMC Factoids

$13 billion integrated global health

enterprise

More than 20 academic, community, and regional hospitals 5,000+ licensed beds

UPMC Health Plan: over 3 million total

members; network of 125+ hospitals,

11,500+ physicians

Affiliated with the University of Pittsburgh

285,000+ inpatient admissions

185,000 surgeries performed annually

3.9 million+ outpatient visits

710,000 emergency visits

$1.5 billion invested in technology over the

past five years

Western PA’s largest employer:65,000 employees

UPMC Enterprises

Value-based care and IDFS

development (Population

Health)

Cost management

(Business Services &

Infrastructure)

Risk adjustment

(Population Health)

Neurocognitive/concussion

assessment

(Clinical Tools)

Online mental health

wellness tool

(Consumer)

Clinical decision support

and data acquisition

(Clinical Tools)

Automated clinical

interpretation of genomes

(Clinical Tools)

Cognitive supply chain

(Business Services &

Infrastructure)

Revenue cycle services

(Business Services &

Infrastructure)

Supply chain efficiency

(Business Services &

Infrastructure)

Clinical decision support

for cancer

(Clinical Tools)

Remote patient monitoring

(Population Health)

UPMC (Clinical) Data Sources Inventory

Healthcare Data Landscape

Discrete

Structured

Unstructured

Notes

Semi-Static or Batch

Real-time

Healthcare Data Landscape

Discrete

Structured

Unstructured

Notes

Semi-Static or Batch

Real-time

Electronic Medical Records

Healthcare Data Landscape

Discrete

Structured

Unstructured

Notes

Semi-Static or Batch

Real-time

Data Liberation Project

Electronic Medical Records

Transactional vs. Analytical, Individual vs. Aggregate, Clinical User vs. 3rd Party

Data Liberation Project (DLP) Requirements

Secure and

CompliantResilient Cost Effective

Federal Regulations

Data Governance

Full Traceability of all

Data movement

BAA Zone

IAM/CloudTrail

Independent of

Clinical operations

(workload and failure)

“Well Architected”

Review

Operational Cost:

S3, EC2

Development Cost:

NIST Cloud

Formation Templates

DLP Architecture

The Holding Tank

(S3)

Opera

tional S

erv

ices

Asset

Metadata

(RDS MySQL)

DLP Architecture

The Holding Tank

(S3)

Inbound Services

Outbound Services

Opera

tional S

erv

ices

Asset

Metadata

(RDS MySQL)

Project Specific Data

(S3)

DLP Architecture

The Holding Tank

(S3)

Inbound Services

Outbound Services

Opera

tional S

erv

ices

Asset

Metadata

(RDS MySQL)

Project Specific Data

(S3)

Assets are Immutable in

Steady State

Write Only on Inbound

Read Only on Outbound

Software is

fundamentally incapable

of displaying PHI

Minimal Surface Area

BAA Zone

Outbound Data is

ephemeral

Inbound Asset

facilitation Software is

ephemeral

DLP Example Use Cases

Genomics

Imaging

Bioinformatics

Machine Learning

Investment and Strategic Business decisions

Verification of vendor/partner capabilities

Quality Initiatives

Commercial Research (Pharma etc…)

Healthcare Data Landscape

Discrete

Structured

Unstructured

Notes

Semi-Static or Batch

Real-time

Data Liberation Project

Electronic Medical Records

Neutr

ino

Clinical Documentation

“Unstructured Data” ~80% of the data>5000 known variants at

UPMC alone

Txt, Rtf, Doc, Pdf, Pdf

scan

Use cases

Population Analytics

Institutional

Compliance

Patient Centric

Use cases

Population Analytics

Institutional

Compliance

Patient Centric

Documentation Aggregation Challenges – 4 V’s

Variety Veracity Volume

Sources

Content

Format

Workflow

Identity Management 3M Plan subscribers

6M patient events

Velocity

Average 700,000

documents per week

Spikes @ 300

documents per

minute

Documentation Aggregation Challenges – 5 V’s

Variety Volume

Source

Content

Format

Workflow

3M Plan subscribers

6M patient events

Velocity

Average 700,000

documents per week

Spikes @ 300

documents per

minute

Veracity

Identity Management

Versioning

Neutrino

• Centralized enterprise repository of truth

• Real-time ingestion

• Document normalization

• Document verification

• Patient crosswalk

• Durable, scalable & reliable

• Exposure of NLP derived information

• Multi engine capable

Neutrino

API

Doc

Source 1

Doc

Source 2

Message

Router1

APIAPI

Load

BalancerMirth

AWS S3

MongoDB

cluster

HL7 TCP/IP

JSON

HMAC & HTTPS

External

Broker

APIAPIWorkersInternal

Broker

Neutrino

API

Doc

Source 1

Doc

Source 2

Message

Router1

APIAPI

Load

BalancerMirth

AWS S3

MongoDB

cluster

HL7 TCP/IP

JSON

HMAC & HTTPS

API

ADT Src1

ADT Src2

APIPatient

Identity

SecondaryPrimary

EMPI

Memcached protocol

External

Broker

APIAPIWorkersInternal

Broker

Data & access characteristics

Meta

Document

Index

NLP

Data & access characteristics

Meta

Asset

Index

Annotator

Data & access characteristics

• HIPAA Compliance &

Security model

Meta

Asset

Index

Annotator

AWS Development Accelerator - S3

• S3 – Simple Storage Service

• 3x9 Uptime

• 11x9 Durability

• Secure by default

• IAM & ACL

• TLS

• SSE

• VPC Endpoints

• Access log

• Cost

AWS Development Accelerator - Infrastructure

• CloudFormation

• Infrastructure as code

• Rapid, reliable, repeatable & reviewable deployments

• Library of standards increases acceleration (ServiceCatalog)

• CloudTrail

In Summary

• Use cases demonstrated

• Low velocity, high volume, batch (DLP)

• High velocity, high volume, real-time (Neutrino)

• Platform security, compliance, reliability and durability

• Cost profile

In Summary

• Use cases demonstrated

• Low velocity, high volume, batch (DLP)

• High velocity, high volume, real-time (Neutrino)

• Platform security, compliance, reliability and durability

• Cost profile

Enterprise volume PHI in the cloud is here and ready

Thank you!

Remember to complete

your evaluations!

Related Sessions