Linus Health believes it can help to address this urgent need by both growing its cloud team and preparing its cloud platform for the broader healthcare market, and it chose ScaleSec to support its expansion.
The security management program launch included selecting a security control framework, drafting policy templates to support the framework, and documenting responses for security controls.
The team adopted controls from NIST 800-66 and tailored them to suit a commercial organization. NIST 800-66 provides prescriptive guidance and controls for the HIPAA Security Rule. All controls were mapped to SOC 2 criteria to support future competitive compliance endeavors.
The team launched a new AWS Organization using AWS Control Tower to create a landing zone for all AWS accounts. Guardrail policies were configured to ensure adherence to company policy. The new AWS Organization was designed by tailoring recommendations from the AWS Security Reference Architecture, including setting up centrally managed security capabilities like logging collection, monitoring, and identity management.
Linus Health uses AWS Config to manage inventory, AWS Security Hub to manage security findings, and threat detection provided by AWS GuardDuty. Further, the team configured AWS CloudTrail for activity logging, VPC Flow Logs for network activity, and IAM Access Analyzer to manage externally exposed resources.
Protecting workloads and customer data is a critical step in setting up a security program. Accordingly, the companies collaborated on a detailed data flow diagram to understand system boundaries, use cases, user personas, and the data types to be protected.
To further accelerate innovation, the team used HashiCorp Terraform to create templates for common patterns used by the company's developers and data scientists. All infrastructure as code (IaC) configurations were hardened to the NIST 800-66 controls for the HIPAA Security Rule.
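As an added illustration of the kind of hardened Terraform template described above (this is example code, not Linus Health's or ScaleSec's own configuration), the block below enables, in a single AWS account, the security services named earlier: CloudTrail activity logging into a private, versioned, encrypted bucket with log-file validation, GuardDuty threat detection, Security Hub with the AWS Foundational Security Best Practices standard, and an IAM Access Analyzer for externally shared resources. Resource names prefixed "example-" are placeholders; the region is assumed to be us-east-1. AWS Config and VPC Flow Logs are omitted to keep the example short, and in a Control Tower landing zone the organization-wide trail and Config recorder are provisioned by Control Tower rather than by a template like this one.

```hcl
# Added example (not Linus Health or ScaleSec code): a Terraform template that
# turns on the centrally managed security services named above, with the
# hardening a HIPAA-oriented baseline expects. Names marked "example-" are placeholders.
terraform {
  required_providers {
    aws = { source = "hashicorp/aws", version = ">= 5.0" }
  }
}

provider "aws" {
  region = "us-east-1" # assumed region
}

data "aws_caller_identity" "current" {}

# Audit log bucket: private, versioned, encrypted at rest (audit-control safeguards)
resource "aws_s3_bucket" "audit_logs" {
  bucket = "example-audit-logs-${data.aws_caller_identity.current.account_id}" # placeholder name
}

resource "aws_s3_bucket_public_access_block" "audit_logs" {
  bucket                  = aws_s3_bucket.audit_logs.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

resource "aws_s3_bucket_versioning" "audit_logs" {
  bucket = aws_s3_bucket.audit_logs.id
  versioning_configuration { status = "Enabled" }
}

resource "aws_s3_bucket_server_side_encryption_configuration" "audit_logs" {
  bucket = aws_s3_bucket.audit_logs.id
  rule {
    apply_server_side_encryption_by_default { sse_algorithm = "AES256" }
  }
}

# Bucket policy that lets the CloudTrail service write log objects and nothing else
data "aws_iam_policy_document" "trail_bucket" {
  statement {
    sid       = "AWSCloudTrailAclCheck"
    actions   = ["s3:GetBucketAcl"]
    resources = [aws_s3_bucket.audit_logs.arn]
    principals {
      type        = "Service"
      identifiers = ["cloudtrail.amazonaws.com"]
    }
  }
  statement {
    sid       = "AWSCloudTrailWrite"
    actions   = ["s3:PutObject"]
    resources = ["${aws_s3_bucket.audit_logs.arn}/AWSLogs/${data.aws_caller_identity.current.account_id}/*"]
    principals {
      type        = "Service"
      identifiers = ["cloudtrail.amazonaws.com"]
    }
    condition {
      test     = "StringEquals"
      variable = "s3:x-amz-acl"
      values   = ["bucket-owner-full-control"]
    }
  }
}

resource "aws_s3_bucket_policy" "audit_logs" {
  bucket = aws_s3_bucket.audit_logs.id
  policy = data.aws_iam_policy_document.trail_bucket.json
}

# Activity logging: one trail covering every region, with log-file integrity validation
resource "aws_cloudtrail" "main" {
  name                          = "example-trail"
  s3_bucket_name                = aws_s3_bucket.audit_logs.id
  is_multi_region_trail         = true
  include_global_service_events = true
  enable_log_file_validation    = true
  depends_on                    = [aws_s3_bucket_policy.audit_logs]
}

# Threat detection
resource "aws_guardduty_detector" "main" {
  enable                       = true
  finding_publishing_frequency = "FIFTEEN_MINUTES"
}

# Central findings view, with the AWS Foundational Security Best Practices standard enabled
resource "aws_securityhub_account" "main" {}

resource "aws_securityhub_standards_subscription" "fsbp" {
  standards_arn = "arn:aws:securityhub:us-east-1::standards/aws-foundational-security-best-practices/v/1.0.0"
  depends_on    = [aws_securityhub_account.main]
}

# Finds resources (buckets, roles, keys) shared outside the account
resource "aws_accessanalyzer_analyzer" "account" {
  analyzer_name = "example-account-analyzer"
  type          = "ACCOUNT"
}
```

The settings worth checking in a review of a template like this are the ones that are easy to leave at their defaults: a trail that is not multi-region misses activity in unused regions, a trail without log-file validation cannot prove its logs were not altered, and a log bucket without the public access block and a scoped bucket policy is the most common way audit data ends up exposed. Swapping the SSE-S3 encryption for a customer-managed KMS key is a reasonable next hardening step, but it requires a key policy that grants the CloudTrail service principal access, which is why this example keeps the simpler setting.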
While the project was underway and meeting milestones, Linus Health hired new employees and added them to the team. Because ScaleSec used best practices and industry standards that each new hire readily recognized, onboarding was straightforward.
Results / Impact / Highlights
Key design decisions that helped Linus Health maintain momentum include:
Adopt proven frameworks, standards, and controls. Creating custom controls is time-consuming and largely unnecessary compared to selecting and tailoring existing controls.
Use managed cloud services for system components that do not require extensive customization, like message brokers.
Start with a modest scope and depth for compliance and security capabilities. Expand and improve over time.
Accelerate HIPAA compliance by configuring and hardening HIPAA compliant cloud services.