CIKLUM Case Study: Transforming the telemedicine platform infrastructure with DevSecOps implementation for Doxy.me

THE SITUATION

Doxy.me was looking for a partner with DevSecOps expertise to implement state-of-the-art security and encryption protocols and make Doxy.me compliant with HIPAA and HITECH requirements. The requirements were precise and exceptionally challenging: the company operates in a regulated market where security measures must protect health information and satisfy the corresponding HIPAA regulation:

  • Design and implement a parallel production environment that meets long term operational needs, including proper monitoring, disaster recovery, scalability, etc.
  • Design and implement modern software development workflows: adequate CI/CD with risk-mitigation strategies (green/blue or canary, etc.), stricter dev/stage/production environments, better integration with outside tools and services.
  • Define and implement a more rigorous approach to data and system security.
  • Summarize and structure security requirements for created infrastructure components.
  • Identify efficient approaches for validating security requirements implementation.

“We considered Ciklum because of word of mouth. We chose to move forward with Ciklum due to the roadmap and vision’s quality from our DevSecOps workshop. The Ciklum DevSecOps team took the time to understand our goals and challenges deeply, advise us on solutions and a roadmap, and then was able to immediately deliver a team of excellent technical specialists to implement that roadmap. We are confident in their vision and have been impressed with the expertise of everybody we’ve worked with.”

Heath Morisson, CTO at Doxy.me

With patient privacy a top priority for the Doxy.me team, Ciklum was tasked with delivering a precisely specified and exceptionally demanding solution in an industry under close government scrutiny regarding private health information.

THE SOLUTION

Over four months, Ciklum worked to create stable and reliable DevSecOps processes that maximize availability and resilience while leaving Doxy.me the room and flexibility to roll out new functionality.

Ciklum offered the following solution:

  • Collect all security (HIPAA) requirements and create a set of documentation with detailed procedures and controls.
  • Design and implement an environment’s infrastructure to use as a template for development, QA, staging, and production environments.
  • Design and implement a development workflow with CI/CD pipelines in GitLab CI/CD, triggered automatically by source code events (git commits, GitLab merge requests) and built using Terraform, Terragrunt, Atlantis, GitLab CI, Ansible, Helmfile, Helm charts, Kubernetes, and SonarQube.
  • Implement Quality Gates in the pipelines consisting of static source code checks, automatic runs of the test suites (unit, integration, regression, and performance testing), and deployment to the upper environment only after successful test execution.
  • Minimize deployment downtime and mitigate risk through a combination of blue-green and canary strategies.
  • Meet security requirements through regular automatic checks for infrastructure drift and recurring reviews of essential system components.
  • Develop security standards by collecting and structuring leading security practices for components, such as the OpenVPN Configuration Security Standard, AWS Configuration Security Standard, and GitLab Configuration Security Standard.
  • Select and implement tools for security requirements validation based on tool maturity and community knowledge to ensure fast feedback and implementation.
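As an added illustration that is not part of Ciklum's or Doxy.me's actual delivery, the following GitLab CI configuration expresses the quality-gate, environment-promotion and drift-check pattern listed above. The SonarQube project key, the `make` test targets, the Helmfile environment names and the Terraform directory are assumptions.

```yaml
# Added illustration, not Ciklum's or Doxy.me's pipeline. Assumed: SonarQube is
# reachable through the SONAR_HOST_URL/SONAR_TOKEN CI variables, the project key
# "doxyme-platform", the make targets, Helmfile environments and infra path are hypothetical.
stages: [static-analysis, test, deploy-staging, deploy-production, drift-check]
# Shared trigger: merge requests and default-branch pushes; scheduled runs skip these jobs.
.on-code-change:
  rules:
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
    - if: $CI_PIPELINE_SOURCE == "push" && $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
# Quality gate 1: static analysis. qualitygate.wait makes the scanner block until
# SonarQube evaluates the gate and exit non-zero if the gate is red.
sonarqube:
  extends: .on-code-change
  stage: static-analysis
  image: { name: sonarsource/sonar-scanner-cli:latest, entrypoint: [""] }
  script:
    - sonar-scanner -Dsonar.projectKey=doxyme-platform -Dsonar.qualitygate.wait=true
# Quality gate 2: the test suites (hypothetical make targets); any failure stops the pipeline.
test-suites:
  extends: .on-code-change
  stage: test
  script: [make test-unit, make test-integration, make test-regression, make test-performance]
# Promotion to the upper environment happens only after both gates pass (needs).
deploy-staging:
  stage: deploy-staging
  needs: [sonarqube, test-suites]
  environment: staging
  script: [helmfile -e staging apply]
  rules:
    - if: $CI_PIPELINE_SOURCE == "push" && $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
# Production rollout is a manual gate so the staging result is reviewed first.
deploy-production:
  stage: deploy-production
  needs: [deploy-staging]
  environment: production
  script: [helmfile -e production apply]
  rules:
    - if: $CI_PIPELINE_SOURCE == "push" && $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
      when: manual
# Drift check on a scheduled pipeline: -detailed-exitcode returns 2 when live
# infrastructure differs from the declared state, so the job fails and raises an alert.
drift-check:
  stage: drift-check
  image: { name: hashicorp/terraform:latest, entrypoint: [""] }
  script:
    - cd infra/live/production
    - terraform init -input=false
    - terraform plan -detailed-exitcode -input=false
  rules:
    - if: $CI_PIPELINE_SOURCE == "schedule"
```

The drift-check job is meant to run from a GitLab pipeline schedule; a non-zero exit there is the signal that someone changed infrastructure outside the reviewed Terraform workflow.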

In each of these steps, security was integrated into standard DevOps practices. Following the DevSecOps structure ensured that Doxy.me would be equipped with an infrastructure that has privacy and security built in from the ground up rather than incorporated at a later stage.

THE RESULT

Doxy.me now enjoys the benefits of DevSecOps throughout its environment infrastructure, including:

  • Documented procedures and controls, which allow Doxy.me to implement HIPAA-compliant automation of cloud services and workflows.
  • An efficient CI/CD strategy that ensures the proper access controls, authentication methods, and logging mechanisms are in place to pass annual HIPAA risk assessments.
  • An infrastructure design that can be used as a template for additional Doxy.me environments, from development to production.
  • A fully designed and implemented development workflow featuring CI/CD pipelines built with GitLab CI/CD.
  • Fully implemented Quality Gates throughout pipelines, providing a solution for catching issues earlier in the deployment pipeline.
  • Deployment downtime minimization and risk mitigation, ensuring the platform now meets all security requirements through regular automatic checks for infrastructure drift and checks of system ports.

By leaning into the DevSecOps methodology, the infrastructure design created by Ciklum provides Doxy.me with the necessary privacy and security solutions for a comprehensive healthcare platform without sacrificing speed and agility.

About Doxy.me

Doxy.me (www.doxy.me) provides a convenient and straightforward way for healthcare providers to meet with their patients remotely, improving the healthcare experience. With headquarters in Rochester NY, Salt Lake City UT, and Charleston SC, Doxy.me incorporates standard clinical workflows with ease of use and information availability for patients and doctors. Doxy.me’s platform is used throughout the world by more than 700,000 providers. Securing data transmission and patient privacy was a top priority for the Doxy.me team: protecting patient data while making it seamlessly available.

About Ciklum

Ciklum (www.ciklum.com) is a leading global digital services and software engineering company, serving Fortune 500 and fast-growing organizations. Headquartered in the UK, with offices throughout Europe, the Middle East and the US, Ciklum has 3,600+ consultants, software developers, designers, product managers and data scientists around the world building tailored digital solutions that leverage emerging technologies. Ciklum specializes in enabling digital transformation for some of the largest household names and platforms in the digital economy. The Company partners with its clients to achieve their true potential in the digital age.

©2020 PACT All Rights Reserved