Overview
Envi, located in Aliso Viejo, California, a subsidiary of Inventory Optimization Solutions (IOS), is an independent software vendor (ISV) that creates web-based healthcare facility supply chain solutions using the internet as a communications and procurement medium, and provides access to collaborative inventory management tools.
To protect their expanding business, a key Envi strategy is to make their platform as secure as possible, which includes performing regular assessments and quickly addressing any vulnerabilities to meet any new digital threats.
This long-term SoftServe client requested a cloud security assessment of the company’s AWS infrastructure, and to detect any issues and offer risk mitigation strategies. The assessment’s main objective was to improve Envi’s security posture and ensure their platform was in full compliance with Health Insurance Portability and Accountability Act (HIPAA) security requirements.
Project Planning and Assessment
SoftServe assembled a project team of Center of Excellence security experts, who conducted a kick-off meeting with Envi representatives to better understand the scope and context of the assessment. Then, multiple tests were performed on the Envi AWS configuration, based on:
- CIS Amazon Web Services Foundation Benchmark v1.40
- AWS Well-Architected Framework: Security Pillar
- Cloud Security Alliance Cloud Controls Matrix (CSA CCM)
- HIPAA standards set (Security Rule)
Assessment workflow
AWS Services used in the assessment
- AWS API Gateway
- AWS Certificate Manager
- AWS CloudWatch
- AWS CloudTrail
- AWS SES
- AWS SQS
- AWS EC2
- AWS ELB
- AWS IAM
- AWS KMS
- AWS RDS
- AWS S3
- AWS VPC
- AWS Inspector
SoftServe chose Amazon Inspector as an important tool in this assessment because as an automated security assessment service, it helps improve the security and compliance of applications deployed on AWS.
We used AWS Inspector to scan the dedicated set of AWS EC2 instances and container images in AWS ECR for software and network vulnerabilities. Based on the scan results containing information about any discovered vulnerabilities, we were quickly able to locate and patch threats to protect applications and prevent data breaches.
Third-party applications or solutions used in the assessment
Open-source tools, such as ScoutSuite and Kali Linux
Results
SoftServe’s team discovered a total of 22 high-severity and 29 medium-severity vulnerabilities. A list of identified risks and weaknesses with clear recommendations on how to mitigate them was compiled and presented to the client, along with a HIPAA compliance mapping table that illustrated SoftServe’s assessment findings as compared with HIPAA Security Rule requirements.
SoftServe also delivered a detailed report that identified risks and weaknesses in Envi’s current architecture. Based on Envi’s business goals, SoftServe made security recommendations for the architecture to improve Envi’s security posture and to be more prepared for HIPAA compliance activities.
Conclusion
Following this successful cloud security assessment, Envi has instituted an annual AWS HIPAA Assessment conducted by SoftServe and was able to:
- Earn trust from their customers by fulfilling their commitment to confidentiality, availability, and integrity of customer’s data.
- Reduce risk from compliance with all applicable laws, regulations, and industry standards.
Said one Envi team member, “This annual AWS HIPAA assessment extends our security compliance program, helps us maintain high standards, and facilitates our continuous improvement program. It also allows us to fulfill Envi’s commitment to confidentiality, availability, and the integrity of our customer’s data.”