Buisness Healthcare App migration From onprem to Aws

Overview

The client faced a severe cyberattack that compromised patient data and exposed critical security vulnerabilities. In addition to addressing these security concerns, the client sought to modernize its applications and adopt a scalable cloud architecture, as its existing on-premises infrastructure was limited in flexibility, performance, and disaster recovery capabilities.

To remediate the situation and enhance security, we implemented a cloud migration strategy to AWS, ensuring robust security, resilience, and high availability for the client’s key applications, EMED and CEGI. As part of this transformation, the architecture was restructured across multiple availability zones (Zone 1 and Zone 2) instead of keeping everything on-premises, significantly improving fault tolerance and redundancy.

This migration not only strengthens security but also provides the client with a modern, scalable infrastructure, enabling high availability, disaster recovery, and improved operational efficiency, ultimately positioning them as a benchmark in secure digital healthcare technologies.

Context

The cyberattack, identified as part of a broader ESXiArgs ransomware campaign. The breach threatened the integrity and availability of critical healthcare applications. As a result, an urgent security remediation plan was required to:

• Secure patient-sensitive data.
• Strengthen the clinic’s IT infrastructure.
• Migrate critical applications to a scalable and secure AWS cloud.

The clinic’s previous infrastructure relied heavily on on-premises VMware ESXi servers, which had limited security capabilities and lacked efficient disaster recovery mechanisms.

---

Objectives

The project aimed to achieve the following:

1. Secure the IT infrastructure
   • Implement advanced threat detection (AWS GuardDuty, AWS Inspector).
   • Apply enhanced security policies (AWS WAF, AWS Network Firewall).
   • Establish continuous monitoring and logging with AWS CloudTrail and CloudWatch.
2. Migrate to AWS Cloud for enhanced security and scalability
   • Deploy a secure, multi-account AWS Landing Zone with structured network isolation.
   • Implement strong identity governance via AWS IAM and AWS Organizations.
   • Utilize AWS Backup for disaster recovery and data resilience.
3. Ensure compliance and resilience
   • Introduce Service Control Policies (SCPs) to restrict unauthorized actions.
   • Implement encryption and secure access controls for all cloud resources.

---

Architecture Solution

AWS Landing Zone Setup

To provide a structured, highly secure AWS environment, the following AWS accounts were established:

1. Organization Root Account – Centralized governance and billing.
2. Log Archiving Account – Secure storage of AWS logs (CloudTrail, Config).
3. Connectivity Account – Management of VPNs, Transit Gateway, and VPC networking.
4. Security Account – Hosting security services (AWS GuardDuty, AWS Inspector, AWS WAF).
5. Application Account – Dedicated for hosting EMED & CEGI applications.

Network and Security

• AWS VPC Architecture:
  • Production VPC with multi-zone redundancy.
  • Dedicated security VPC for firewall and traffic inspection.
  • AWS Transit Gateway (TGW) for secure on-premises and AWS connectivity.
• Security Enhancements:
  • AWS GuardDuty for real-time threat detection.
  • AWS WAF to protect web applications from SQL Injection, XSS attacks.
  • AWS Network Firewall to filter and inspect all inbound/outbound traffic.

---

Platform & Services Implemented

1. Application Hosting
   • EMED & CEGI applications deployed on Amazon EC2 instances.
   • AWS Elastic Load Balancing (ALB/NLB) for high availability.
2. Data Protection & Compliance
   • AWS Backup configured for daily snapshots with 30-day retention.
   • AWS IAM Roles & Policies enforce least privilege access.
3. Continuous Monitoring & Logging
   • AWS CloudTrail for audit logs across all AWS services.
   • AWS Config for real-time compliance monitoring.
   • AWS SNS (Simple Notification Service) for incident alerts.
4. Secure Storage & Data Migration
   • Amazon S3 Buckets securely store backups and application data.
   • Restricted access policies ensure only authorized IPs can interact with stored data.

---

Conclusion

The client successfully mitigated security risks and modernized its IT infrastructure by migrating to AWS Cloud. This strategic shift enhances security, scalability, and high availability, allowing the client to deliver uninterrupted healthcare services while ensuring strict data protection and compliance.

Key Benefits Gained from the Project

✅ Scalability & High Availability

• Migrated from a single on-premise setup to a multi-site, multi-zone AWS cloud architecture (Zone 1 & Zone 2).
• Deployed Auto Scaling and Load Balancing to ensure uninterrupted healthcare services.
• Optimized compute and storage resources, reducing operational costs while improving efficiency.

✅ Resilient Backup & Disaster Recovery

• Configured AWS Backup for daily automated snapshots with a 30-day retention policy.
• Implemented immutable backups using AWS Backup Vault Lock to prevent deletion or tampering.
• Enabled Point-in-Time Recovery (PITR) for fast restoration of data in case of incidents.
• Deployed Amazon S3 with Object Lock for immutable storage, ensuring ransomware protection.

✅ Enhanced Security & Compliance

• Implemented AWS GuardDuty, AWS WAF, and AWS Network Firewall for real-time threat detection and mitigation.
• Strengthened identity and access management (IAM) with AWS Security Policies and AWS Identity Center.
• Enforced data encryption at rest and in transit using AWS Key Management Service (KMS).
• Adopted AWS Organizations and Service Control Policies (SCPs) for governance and compliance enforcement.

✅ Seamless Connectivity & Modernized Infrastructure

• Integrated AWS Transit Gateway & Site-to-Site VPN for secure and high-speed hybrid cloud connectivity.
• Established a dedicated AWS Landing Zone to segment environments (Production, Security, Connectivity, Log Archiving).
• Migrated legacy applications to a cloud-native architecture, ensuring future scalability and flexibility.

✅ Data Encryption & Immutability

• Implemented end-to-end encryption for all sensitive healthcare data:
  • AWS KMS for key management and automatic encryption of EBS volumes, RDS, and S3 storage.
  • TLS encryption for data in transit across AWS services.
• Immutable storage mechanisms prevent accidental or malicious deletion of critical patient records.
• Adopted AWS CloudTrail & S3 Access Logging for auditability and regulatory compliance.

By adopting AWS best practices, implementing strong governance controls, and leveraging AWS security services, the client now operates a resilient, secure, and scalable cloud-based healthcare platform—ensuring business continuity, improved efficiency, and enhanced patient data protection with encryption and immutability.