Zivankh is a mid-to-large healthcare services organization providing electronic health record (EHR) management, telemedicine infrastructure, patient data analytics, and medical imaging services across multiple hospital networks and outpatient clinics. Prior to this engagement, Zivankh operated fragmented, aging on-premises server infrastructure spread across three co-located data centres — a legacy environment that was generating escalating costs, compliance risk, and innovation bottlenecks.
As the designated AWS Migration Acceleration Program (MAP) partner, our firm conducted a structured migration engagement — spanning discovery, architecture design, migration execution, and modernization — to move Zivankh's entire workload portfolio to Amazon Web Services. The project was completed within a 52-week program timeline, resulting in a 42% reduction in total IT infrastructure costs, elimination of all 23 open HIPAA compliance findings, and a disaster recovery posture that reduced Recovery Time Objective (RTO) from 18–24 hours to under 30 seconds.
| Key Outcome Summary Zivankh now operates a fully cloud-native, HIPAA-compliant, multi-region AWS architecture — enabling the clinical and IT teams to focus on patient outcomes and innovation rather than infrastructure management. Annual savings total $3.4M against a pre-migration IT spend of $8.2M. |
2. Company Profile
Zivankh is a privately held healthcare services organization operating across 12 facilities. The organization delivers a broad spectrum of digital health services to over 500,000 active patients and employs approximately 2,400 clinical and administrative staff.
Organization Type | Private Healthcare Provider Network |
Headquarters | India |
Number of Facilities | 12 hospitals and outpatient clinics |
Active Patient Records | 500,000+ (PHI-classified data) |
Clinical & Admin Staff | 2,400 users |
Pre-Migration Infrastructure | VMware vSphere on premises (3 co-located data centers) + legacy IBM AS/400 claims system |
The following core application workloads were in scope for migration:
• Electronic Health Record (EHR) Core Platform — clinical workflows, patient records, prescriptions
• PACS / Medical Imaging System (DICOM) — radiology image storage and retrieval
• Telemedicine Platform — real-time video consultations and asynchronous messaging
• Claims Processing System (legacy IBM AS/400)
• Patient Self-Service Portal — appointment booking, results viewing, messaging
• Analytics & Business Intelligence (BI) Reporting — population health and operational dashboards
• Machine Learning (ML) Clinical Decision Support
• HIPAA Audit Logging & Compliance Reporting
• Identity & Access Management (IAM) — SSO for clinical staff
• HL7 v2 Integration Engine — 120+ interfaces to payers, labs, and pharmacies
3. Pain Point Discovery & Assessment
Our team conducted a structured 6-week discovery engagement using AWS Application Discovery Service (ADS), AWS Migration Evaluator, and in-depth stakeholder interviews across IT leadership, clinical operations, compliance, and finance teams. Seven critical pain points were identified and formally documented
Assessment Methodology
Tools used: AWS Application Discovery Service (ADS) for server dependency mapping, AWS Migration Evaluator for TCO analysis, structured stakeholder interview workshops, HIPAA compliance audit review, and manual infrastructure inventory across all 3 data centres.
PP-01 Fragmented On-Premises Infrastructure Without Unified Governance
Zivankh's workloads were distributed across VMware vSphere on-premises infrastructure in three aging co-located data centres with no unified management plane. IT teams spent over 40% of their working capacity managing infrastructure inconsistencies, patching cycles, and hardware failures rather than delivering value. Hardware end-of-life events were creating unplanned capital expenditure requests annually.
P-02 Critical HIPAA Compliance Gaps & Security Vulnerabilities
An independent compliance audit identified 23 unresolved HIPAA findings, including unencrypted Protected Health Information (PHI) at rest in legacy databases, inadequate role-based access controls, incomplete audit trail coverage, and network segmentation failures. The fragmented infrastructure made maintaining valid Business Associate Agreements (BAAs) with third-party integrated systems operationally complex and legally exposed the organization to significant regulatory risk.
PP-03 High Fixed Infrastructure Costs with Zero Elasticity
On-premises compute was provisioned to handle peak demand periods (annual wellness campaigns, flu season surges), leaving 60-70% of compute capacity idle during normal operations. Annual hardware refresh cycles, software licensing (VMware, Oracle Database, Windows Server CALs), and data center colocation costs totaled $8.2M/year with no mechanism to scale capacity up or down in response to demand. The organization was paying for maximum capacity 12 months per year.
PP-04 Inadequate Disaster Recovery & Business Continuity Posture
The organization's documented Recovery Time Objective (RTO) was 18-24 hours and Recovery Point Objective (RPO) was 4-8 hours — entirely unacceptable for a clinical environment where a system outage forces staff to revert to paper-based workflows with direct patient safety implications. Of the last three annual disaster recovery drills, two failed to complete within the target window. The organization had no tested failover path for its primary EHR database.
PP-05 Slow Application Deployment Cycles Impeding Clinical Innovation
New feature deployments required a 6–8-week cycle involving manual server provisioning requests, change advisory board (CAB) review meetings, environment preparation, and coordinated testing across shared infrastructure. No CI/CD (Continuous Integration / Continuous Deployment) pipeline existed. DevOps maturity was assessed at Level 1 (ad-hoc). Competitor healthcare organizations were delivering new telemedicine capabilities in weeks; Zivankh required 4-6 months for comparable features.
PP-06 Limited Analytics Capability and No Machine Learning Infrastructure
Patient outcome analytics and population health reporting ran nightly batch jobs on a single on-premises SQL Server instance, producing reports 24-48 hours stale. Clinical leadership could not access real-time operational data. The data science team had no self-service compute infrastructure — each ML model training experiment required a formal infrastructure request and a 2-3 week provisioning wait. No production ML inference capability existed.
PP-07 Legacy Integration Engine Creating Interoperability Bottlenecks
Integration with insurance payers, laboratory systems, pharmacy networks, and government reporting portals was managed through a custom Enterprise Service Bus (ESB) built in 2009 — a single point of failure managing 120+ HL7 v2 message interfaces. Adding a new payer integration required 3-5 months of custom development. The system had no support for modern FHIR R4 APIs mandated by the CMS Interoperability and Patient Access rule, putting the organization at regulatory compliance risk for federal reporting requirements.
The solution architecture was designed using the AWS 7Rs Migration Strategy framework (Rehost, Replatform, Refactor, Repurchase, Retire, Retain, Relocate) to determine the optimal migration path for each workload. Each AWS service was selected based on its ability to directly address one or more of the identified pain points, its HIPAA eligibility under the AWS Business Associate Agreement, and its long-term operational fit for a healthcare organization.
ID | AWS Service | What It Does | Why This Service Was Selected |
|---|---|---|---|
S-01 | Amazon VPC + AWS Transit Gateway Addresses: PP-01 | Replaces fragmented on-premises networking with a unified Virtual Private Cloud topology. Transit Gateway provides hub-and-spoke connectivity across all 12 facilities. | Single network governance plane eliminates the multi-data-center visibility gap. Transit Gateway supports centralized firewall inspection, VPC Flow Logs, and routing policies across hundreds of VPCs — purpose-built for multi-facility enterprise networking. |
S-02 | AWS Security Hub + Amazon Macie + Amazon GuardDuty Addresses: PP-02 | Security Hub aggregates compliance findings from Macie (PHI data classification), GuardDuty (continuous threat detection), and AWS Config (compliance rule evaluation) into a single compliance dashboard. | AWS is the only hyperscaler with a pre-built HIPAA compliance framework covering over 180 HIPAA-eligible services under a single BAA. Security Hub's HIPAA standard checks directly map to the 23 audit findings identified during assessment. |
S-03 | Amazon EC2 Auto Scaling + Amazon EKS Addresses: PP-01, PP-03, PP-05 | EHR and telemedicine workloads replatformed to containerized microservices on Amazon Elastic Kubernetes Service (EKS). Auto Scaling Groups dynamically match compute capacity to real-time clinical demand. | Eliminates over-provisioning by scaling compute to actual workload demand. EKS provides the container orchestration foundation required for modern CI/CD deployment pipelines, directly addressing the deployment velocity pain point. |
S-04 | Amazon Aurora Global Database + AWS Backup + Amazon Route 53 Addresses: PP-04 | Aurora Global Database provides a primary database cluster in us-east-1 with a read replica in us-west-2 replicating with sub-second lag. Route 53 health checks automate DNS failover. AWS Backup enforces cross-region backup retention policies. | Aurora Global Database delivers an RPO of under 1 second and RTO of under 1 minute for EHR clinical data — reducing RTO from 24 hours to 30 seconds. This is the only fully managed relational database with native global failover at this performance tier. |
S-05 | AWS CodePipeline + AWS CodeBuild + AWS CDK Addresses: PP-05 | Replaces manual 6-week deployment cycles with fully automated CI/CD pipelines. AWS CDK (Cloud Development Kit) defines all infrastructure as code, ensuring every environment is reproducible and auditable. | Native AWS toolchain integrates directly with IAM for deployment permissions and CloudTrail for deployment audit logging — essential for HIPAA-compliant change management. Deployment frequency increased from monthly to daily. |
S-06 | Amazon Redshift + Amazon SageMaker + Amazon QuickSight + AWS Glue Addresses: PP-06 | AWS Glue ETL pipelines stream patient data from EHR sources to Redshift for warehousing. SageMaker provides managed ML infrastructure for model training and inference. QuickSight delivers real-time clinical and operational dashboards. | SageMaker is HIPAA-eligible and offers the only managed notebook and endpoint infrastructure designed for PHI-containing ML workloads. Redshift eliminates the 24–48-hour batch reporting delay with real-time query capability. |
S-07 | AWS HealthLake + Amazon API Gateway + Amazon EventBridge Addresses: PP-07 | AWS HealthLake is a FHIR R4-compliant managed data store purpose-built for healthcare interoperability. API Gateway exposes standardized FHIR APIs. EventBridge replaces the legacy ESB as a modern, serverless event-driven integration bus. | AWS HealthLake is the only fully managed, HIPAA-eligible FHIR R4 datastore on any cloud platform. Replacing the legacy ESB with EventBridge eliminates the single point of failure and reduces new payer integration time from 3-5 months to approximately 2 weeks. |
S-08 | AWS HealthImaging + Amazon S3 (Intelligent-Tiering) + Amazon S3 Glacier Addresses: PP-01, PP-03 | AWS HealthImaging provides a DICOM-compliant managed medical image store with sub-second retrieval for active studies. S3 Intelligent-Tiering automatically moves inactive imaging data to lower-cost storage tiers. Glacier archives studies beyond regulatory retention requirements. | AWS HealthImaging is a purpose-built, HIPAA-eligible service for medical imaging that does not exist as a native managed service on any competing platform. S3 Intelligent-Tiering reduced imaging storage costs by 74% compared to on-premises SAN storage. |
S-09 | IAM Identity Center + Amazon Cognito Addresses: PP-02 | IAM Identity Center centralizes SSO for 2,400 clinical and administrative staff, federated with Active Directory. Cognito manages patient-facing portal authentication with MFA and granular RBAC down to the PHI field level. | IAM Identity Center satisfies HIPAA's minimum necessary access principle with attribute-based access control (ABAC) policies. Cognito's healthcare-compliant authentication flows support patient identity verification requirements under HITECH. |
S-10 | Amazon CloudFront + AWS WAF + AWS Shield Standard Addresses: PP-01, PP-02 | CloudFront delivers the Patient Portal and telemedicine frontend from AWS edge locations globally. WAF enforces custom security rules and protects against OWASP Top 10 threats. Shield provides always-on DDoS protection. | A healthcare organization's patient-facing portal is a high-value target. The combined CloudFront + WAF + Shield stack is mandated by AWS Well-Architected Healthcare best practices and satisfies HIPAA security rule requirements for transmission security. |
5. Why AWS? Decision Rationale & Alternative Evaluation
Prior to committing to AWS as the target platform, the partner team and Zivankh's IT leadership conducted a structured evaluation of all viable alternatives. The evaluation criteria were weighted across compliance coverage, purpose-built healthcare services, disaster recovery capability, total cost of ownership, and partner ecosystem maturity.
Alternative 1 — Expand Existing On-Premises Infrastructure (VMware Refresh)
A hardware refresh of the VMware vSphere environment was quoted at $4.1M CapEx with a 5-year hardware lock-in. This option was rejected because it would deliver no improvement in agility, disaster recovery, or compliance automation. The TCO analysis showed that a continued on-premises strategy would cost 2.3 times more over a 5-year horizon than the AWS alternative. Critically, a hardware refresh cannot address the HIPAA compliance gaps, the FHIR interoperability mandate, or the deployment velocity issues — which are architectural, not hardware, problems.
Alternative 2 — Retain On-Premises + Add a Cloud Overlay
A hybrid architecture retaining on-premises infrastructure while adding cloud burst capacity was evaluated. This was rejected because it would perpetuate the existing fragmentation, require maintaining two separate governance frameworks, and add complexity rather than reducing it. The primary goal of the engagement was consolidation — a hybrid overlay would undermine that objective and increase, not decrease, operational overhead for the IT team.
Alternative 3 — Replace On-Premises with Managed Hosting / Colocation Upgrade
Upgrading from self-managed co-location to a managed hosting provider was considered. This option was rejected because managed hosting cannot deliver the elastic scaling, DevOps toolchain integration, or purpose-built healthcare services (HealthLake, HealthImaging, SageMaker HIPAA-eligible endpoints) that were core requirements. Managed hosting also provides no native path to FHIR R4 compliance or advanced analytics.
AWS was selected as the target platform based on a combination of factors that no alternative could match in aggregate:
Decision Factor | AWS Advantage |
HIPAA BAA Coverage | AWS provides HIPAA-eligible coverage for over 180 services under a single Business Associate Agreement — the broadest coverage of any cloud provider. This was decisive for a healthcare organization requiring PHI protection across compute, storage, networking, ML, and analytics services simultaneously. |
Purpose-Built Healthcare Services | AWS HealthLake (FHIR R4 datastore), AWS HealthImaging (DICOM-native), and the AWS Health AI Services portfolio have no equivalent on other platforms. These services reduce integration effort by months and provide out-of-the-box regulatory compliance that would otherwise require significant custom engineering. |
Disaster Recovery Performance | Aurora Global Database's sub-1-second RPO and sub-1-minute RTO capability is unmatched for managed relational databases. For a healthcare organization where clinical staff availability depends on database availability, this was a non-negotiable requirement. |
AWS Migration Acceleration Program (MAP) | MAP provides structured migration funding credits, access to AWS Migration Competency Partners, a dedicated Migration Success Manager, and a proven 3-phase methodology (Assess, Mobilize, Migrate & Modernize). This program infrastructure significantly de-risks the migration engagement and was available exclusively through AWS. |
5-Year TCO Advantage | The AWS migration delivers a projected 5-year TCO saving of $17M compared to continued on-premises operation. The combination of elastic pricing, reserved instance discounts, S3 storage tiering, and elimination of hardware refresh CapEx drives this saving. |
Healthcare Partner Ecosystem | AWS Marketplace and the AWS Partner Network offer the largest ecosystem of validated healthcare ISV solutions — including EHR vendors, clinical decision support tools, and population health management platforms — all pre-integrated with AWS services. |
Global Infrastructure & Compliance | AWS operates 33 geographic regions with dedicated compliance programs including FedRAMP, StateRAMP, and HITRUST — providing the regulatory coverage required for potential future expansion of Zivankh's operations. |
The target architecture is a multi-region, defense-in-depth, HIPAA-compliant AWS cloud environment. All workloads are deployed within a multi-layer VPC architecture with strict subnet segmentation, and the entire infrastructure is managed as code using AWS CDK. The architecture follows the AWS Well-Architected Framework across all five pillars: Operational Excellence, Security, Reliability, Performance Efficiency, and Cost Optimization.
The architecture spans two AWS regions for active DR capability:
• Primary Region: us-east-1 (US East — N. Virginia) — all production workloads
• DR Region: us-west-2 (US West — Oregon) — warm standby for all critical systems
All workloads are deployed within a multi-layer Amazon VPC using the following subnet segmentation model:
Subnet Layer | Services Hosted | Access Control |
Public Subnet | CloudFront CDN, AWS WAF, Application Load Balancer, Amazon API Gateway, Amazon Cognito (Patient Auth) | Internet-accessible. Protected by WAF rules, Shield DDoS mitigation, and Security Groups allowing HTTPS (443) only. |
Private Application Subnet | Amazon EKS (EHR Microservices), AWS HealthLake, AWS HealthImaging, Amazon SageMaker, AWS Lambda, Amazon EventBridge, AWS CodePipeline, IAM Identity Center | No direct internet access. All outbound traffic via NAT Gateway. Strict Security Group rules allowing application tier traffic only. |
Private Data Subnet | Amazon Aurora Global DB (EHR clinical data), Amazon S3 (imaging + backups), Amazon Redshift (analytics), Amazon ElastiCache Redis (session cache), AWS Glue (ETL), Amazon QuickSight (BI) | No internet access. Access exclusively via VPC Endpoints for S3 and DynamoDB. KMS encryption enforced for all data at rest. |
Security & Management Layer | AWS Security Hub, Amazon GuardDuty, Amazon Macie, AWS CloudTrail, AWS Config, Amazon Route 53 (Failover DNS), AWS KMS, AWS Backup | Centralized across all subnets via AWS Organizations and Service Control Policies (SCPs). All API calls logged to CloudTrail with immutable S3 log storage. |
The clinical data flow through the architecture follows a strict, audited path from ingestion to storage to analytics:
• Clinical Staff & Patient requests enter via CloudFront → WAF → Application Load Balancer → EKS microservices
• PHI data written by EKS services is persisted to Aurora (transactional) and HealthLake (FHIR R4 canonical store)
• Medical imaging (DICOM) is ingested directly to AWS HealthImaging with metadata indexed in S3
• AWS Glue ETL pipelines replicate de-identified analytics data from Aurora to Redshift for reporting
• SageMaker accesses Redshift and S3 training datasets via VPC endpoints — no PHI leaves the private data subnet
• All API integrations with external payers, labs, and pharmacies route through API Gateway → EventBridge → HealthLake FHIR APIs
• All data replication to the DR region (us-west-2) is encrypted in transit using TLS 1.2+ and at rest using AWS KMS Customer Managed Keys (CMKs)
The DR architecture uses an active-warm standby model with the following components deployed in us-west-2:
Aurora Global Database Secondary | Asynchronous replication from primary. <1 second RPO. Promotes to primary in <1 minute RTO. |
Amazon S3 Cross-Region Replication (CRR) | All clinical and imaging data in S3 is replicated in real-time to us-west-2 S3 buckets. |
Amazon EKS Standby Cluster | Warm standby EKS cluster pre-configured with all application workloads. Scaled down to minimal nodes, scales up on failover trigger. |
AWS Backup Vault (DR Region) | All backup policies replicate vaults to us-west-2 with immutable backup lock enforced per HIPAA retention requirements. |
Amazon Route 53 Health Checks | Active health monitoring of primary region endpoints. Automatic DNS failover to DR region within 60 seconds of primary region degradation. |
AWS Transit Gateway (Cross-Region Peering) | Encrypted tunnel between us-east-1 and us-west-2 Transit Gateways for DR traffic routing and facility connectivity failover. |
The migration followed the AWS MAP three-phase methodology. Each phase had defined entry and exit criteria, go/no-go checkpoints, and formal deliverable sign-offs between the partner team, Zivankh's IT leadership, and the AWS Migration Success Manager.
Workload | 7R Strategy | AWS Target | Migration Wave |
EHR Core Platform | Replatform | Amazon EKS + Aurora | Wave 2 |
PACS / Medical Imaging | Refactor | AWS HealthImaging + S3 | Wave 3 |
Legacy Integration ESB (HL7) | Refactor | EventBridge + HealthLake | Wave 3 |
File Servers (Clinical Docs) | Rehost | Amazon FSx for Windows | Wave 1 |
Analytics SQL Server | Replatform | Amazon Redshift | Wave 3 |
IBM AS/400 Claims System | Repurchase | AWS Marketplace SaaS ISV | Wave 2 |
Dev / Test Environments | Retire | Consolidated into shared EKS namespace | Wave 1 |
Patient Portal | Replatform | EKS + Cognito + CloudFront | Wave 1 (Pilot) |
Telemedicine Platform | Replatform | EKS + Amazon Chime SDK | Wave 2 |
Analytics ML Workloads | Refactor | Amazon SageMaker | Wave 3 |
Phase 1: MAP Assess (Weeks 1–6)
Deploy AWS Application Discovery Service (ADS) agents across all servers and databases. Run AWS Migration Evaluator to build a detailed TCO analysis. Conduct HIPAA gap assessment. Map all application dependencies using ADS Service Map. Produce the Migration Readiness Assessment (MRA) report. Identify 7R disposition for each of the 80+ application components in scope. Obtain stakeholder sign-off on migration business case and target architecture.
Phase 2: MAP Mobilize (Weeks 7–18)
Deploy AWS Control Tower to establish the multi-account landing zone with HIPAA-compliant guardrails via Service Control Policies (SCPs). Configure AWS Organizations, AWS Config rules baseline, and CloudTrail. Establish VPC topology, Transit Gateway, and AWS Direct Connect circuits to all 12 facilities. Stand up Security Hub, GuardDuty, and Macie. Execute Wave 1 pilot migration: Patient Portal and File Servers. Conduct first DR drill. Train Zivankh IT team on AWS operations tooling.
Phase 3A: Migrate & Modernize — Core (Weeks 19–36)
Execute Wave 2: Rehost EHR VMs to EC2, then replatform to EKS containers using AWS Application Migration Service (MGN). Migrate Oracle Database to Aurora PostgreSQL using AWS Database Migration Service (DMS). Deploy HealthLake and begin FHIR R4 data ingestion. Deploy Aurora Global Database DR replica. Establish CI/CD pipelines in CodePipeline for all EHR microservices. Decommission on-premises data centers 1 and 2.
Phase 3B: Migrate & Modernize — Advanced (Weeks 37–52)
Execute Wave 3: Migrate PACS/DICOM imaging to AWS HealthImaging. Stand up Redshift data warehouse and migrate historical analytics. Deploy SageMaker ML pipelines and migrate data science workloads. Replace legacy ESB with EventBridge and HealthLake FHIR APIs. Repurchase IBM AS/400 claims system with AWS Marketplace SaaS. Decommission final data center. Execute comprehensive Well-Architected Review with AWS Solutions Architect. Final compliance audit and HIPAA attestation.
The following results were measured 12 months after the final cutover to AWS. Metrics were captured using AWS Cost Explorer, Amazon CloudWatch, AWS Security Hub, and Zivankh's internal IT operations reporting systems.
42% Reduction in Total IT Infrastructure Cost | 99.97% Platform Uptime (vs 97.1% pre-migration) | <30s Recovery Time Objective (was 18-24 hrs) | 0 Open HIPAA Findings (was 23) |
$3.4M Annual Cost Savings vs Pre-Migration | 18x Faster Feature Deployment Cycles | 2 wks New Payer Integration Time (was 3-5 months) | Real-time Clinical Analytics (was 48-hour batch delay) |
Metric | Before Migration | After Migration (AWS) |
Infrastructure Management (% of IT capacity) | 40% of IT team capacity spent on infra management | 12% — freeing 28% of IT capacity for innovation |
Platform Availability (SLA) | 97.1% (scheduled & unscheduled downtime) | 99.97% (Well-Architected multi-AZ deployment) |
Recovery Time Objective (RTO) | 18–24 hours | <30 seconds (Aurora Global + Route 53 failover) |
Recovery Point Objective (RPO) | 4–8 hours | <1 second (Aurora Global Database replication) |
HIPAA Compliance Findings | 23 open findings (audit risk) | 0 open findings (continuous automated monitoring) |
Annual IT Infrastructure Cost | $8.2M / year | $4.8M / year (42% reduction) |
Deployment Frequency | Monthly releases (6–8-week cycle) | Daily on-demand deployments (CI/CD pipeline) |
New Payer Integration Time | 3–5 months (custom ESB development) | 2 weeks (FHIR R4 API standard) |
Security Incidents / Year | 14 incidents requiring investigation | 1 minor incident (GuardDuty auto-remediated) |
Mean Time to Recover (MTTR) | 4.2 hours average | 11 minutes average |
Clinical Analytics Data Freshness | 24–48 hour stale batch reports | Real-time streaming dashboards (QuickSight) |
ML Model Deployment Time | Weeks (manual provisioning) | Hours (SageMaker managed endpoints) |
Medical Imaging Storage Cost | 1.1M / year (SAN on-premises) | 290K / year (S3 Intelligent-Tiering) |
DR Drill Success Rate | 33% (1 of 3 drills passed) | 100% (automated failover tested quarterly) |
All AWS services deployed within Zivankh's environment are HIPAA-eligible and covered under the AWS Business Associate Agreement (BAA). The following regulatory frameworks are satisfied by the target architecture:
HIPAA (Health Insurance Portability and Accountability Act) | All PHI is encrypted at rest (AES-256 via KMS CMKs) and in transit (TLS 1.2+). Access is controlled via IAM Identity Center with RBAC. All access to PHI is logged via CloudTrail with immutable S3 storage. Macie performs continuous PHI discovery and classification. |
HITECH (Health Information Technology for Economic and Clinical Health Act) | Breach notification requirements are met through automated GuardDuty alerting and Security Hub event workflows. Access audit trails satisfy HITECH's enhanced enforcement provisions. |
SOC 2 Type II | AWS infrastructure used by Zivankh holds SOC 2 Type II certification. AWS Artifact provides on-demand access to AWS compliance reports for customer audits. |
HL7 FHIR R4 | AWS HealthLake is a FHIR R4-compliant data store. All external integrations with payers, labs, and pharmacies are served via FHIR R4 APIs through Amazon API Gateway, satisfying CMS interoperability requirements. |
CMS Interoperability and Patient Access Rule | Patient access to their health records is enabled via FHIR R4 APIs in compliance with the CMS mandate. Payer-to-payer data exchange is supported through HealthLake's FHIR bulk export capabilities. |
NIST Special Publication 800-66 (HIPAA Security Rule) | The architecture implements all NIST 800-66 administrative, physical, and technical safeguards through AWS native controls including VPC network isolation, KMS encryption, IAM access controls, and CloudTrail audit logging. |