Tags: AWS, Healthcare Security, HIPAA

Security Assessment & AWS Architecture – MedCircle

Cloud Security Engineer · Jan – Feb 2024

Overview

A cloud security assessment of MedCircle's AWS infrastructure focused on HIPAA Security Rule compliance. The engagement identified critical vulnerabilities including unencrypted PHI at rest, over-permissive IAM roles, vulnerable EC2 instances, and absent audit logging — then provided a HIPAA-aligned remediation roadmap.

The Challenge

Healthcare cloud infrastructure has a dual failure mode: it can fail security review for technical vulnerabilities and separately fail HIPAA compliance for missing administrative controls. MedCircle's environment had both — technical gaps (unencrypted S3, over-permissive IAM) and compliance gaps (no CloudTrail, no access logging on PHI data stores).

The Solution

Assessed IAM policies for least-privilege violations, reviewed S3 bucket configurations for public access and encryption settings, examined EC2 patch levels and security group rules, and audited CloudTrail enablement and log retention. Mapped each finding to the corresponding HIPAA Security Rule provision and provided prioritized, implementation-ready remediation steps.
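The checks described above can be run offline against exported configuration. The following is an added example, not MedCircle's tooling or any code from the original page: it evaluates bucket, policy and trail records in the shapes boto3 returns (get_bucket_encryption, get_public_access_block, get_policy_version, describe_trails) and maps each gap to the HIPAA Security Rule provision it breaches. All bucket, policy and trail values below are constructed sample data with hypothetical names.

```python
# Constructed sample inventory (hypothetical names, not real MedCircle resources).
BUCKETS = {
    "phi-records": {"encryption": None, "public_access_block": None},
    "phi-archive": {
        "encryption": {"Rules": [{"ApplyServerSideEncryptionByDefault":
                                  {"SSEAlgorithm": "aws:kms"}}]},
        "public_access_block": {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                                "BlockPublicPolicy": True, "RestrictPublicBuckets": True},
    },
}
POLICIES = {
    "ops-admin": {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]},
    "phi-reader": {"Statement": [{"Effect": "Allow", "Action": ["s3:GetObject"],
                                  "Resource": "arn:aws:s3:::phi-records/*"}]},
}
TRAILS = []  # describe_trails()["trailList"] empty: no CloudTrail configured at all

PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def s3_findings(buckets):
    """Flag PHI buckets lacking default encryption or a complete public access block."""
    out = []
    for name, cfg in buckets.items():
        if not cfg.get("encryption"):
            out.append((name, "no default encryption", "164.312(a)(2)(iv)"))
        pab = cfg.get("public_access_block") or {}
        if not all(pab.get(k) for k in PAB_KEYS):
            out.append((name, "public access block incomplete", "164.312(a)(1)"))
    return out


def iam_findings(policies):
    """Flag Allow statements granting a wildcard Action on a wildcard Resource."""
    out = []
    for name, doc in policies.items():
        for st in doc["Statement"]:
            actions = st.get("Action", [])
            actions = [actions] if isinstance(actions, str) else actions
            wild_action = any(a == "*" or a.endswith(":*") for a in actions)
            if st.get("Effect") == "Allow" and wild_action and st.get("Resource") in ("*", ["*"]):
                out.append((name, "wildcard Action on wildcard Resource", "164.312(a)(1)"))
    return out


def cloudtrail_findings(trails):
    """Audit controls require at least one multi-region trail capturing all API activity."""
    if not any(t.get("IsMultiRegionTrail") for t in trails):
        return [("account", "no multi-region CloudTrail", "164.312(b)")]
    return []


def assess(buckets=BUCKETS, policies=POLICIES, trails=TRAILS):
    """Return every finding as (resource, gap, HIPAA provision) for the remediation roadmap."""
    return s3_findings(buckets) + iam_findings(policies) + cloudtrail_findings(trails)
```

In a live engagement the three dictionaries are populated from the corresponding boto3 calls; the mapping logic stays the same.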

Tech Stack

  • AWS IAM: Over-permissive role and policy analysis
  • CloudTrail: Audit logging gap identification and remediation
  • S3 Encryption: PHI data-at-rest encryption assessment
  • VPC Security Groups: Network access control review
  • HIPAA Security Rule: Compliance mapping for all technical safeguard requirements

Outcomes

  • 6 critical findings including unencrypted PHI at rest in S3 buckets
  • IAM least-privilege redesign proposed — eliminated 3 overly permissive admin roles
  • CloudTrail enablement and log retention policy implemented per HIPAA requirement
  • HIPAA Technical Safeguards roadmap delivered with implementation timeline