Frequently Asked Questions (FAQ)

Need help? You can likely find the answer below.

Why do I need a managed services provider (MSP) for my AWS infrastructure?

Most organizations are short-staffed when it comes to managing their cloud infrastructure. This can cause delays in application development and support. In addition, most organizations do not have the AWS expertise to effectively build and manage a HIPAA-compliant AWS infrastructure.

Inexperience can cause AWS services to be deployed incorrectly, causing reliability or scaling issues, and, even worse, HIPAA data breaches. A trusted healthcare MSP can ensure that your AWS services are designed, built, and managed properly, so you can focus on what you do best: your application.

What is Cloudticity's experience?

At Cloudticity, we are experts in helping healthcare organizations establish and maintain HIPAA compliance in the AWS cloud. We’ve been exclusive in this realm for over eight years.

Cloudticity has built some of the largest healthcare systems on AWS, including the first patient portal for a major healthcare system, the first healthcare information exchange (HIE), the first FISMA high deployment on AWS GovCloud, and the first Meaningful Use 2 (MU2) compliance.

How is Cloudticity different from other AWS managed services providers (MSPs)?

At Cloudticity, we start everything with automation, and have been doing so since day one. This is a groundbreaking advantage because our platform, Cloudticity Oxygen™, allows fully HIPAA-compliant AWS services to be deployed in minutes instead of days or weeks.

This fully automated hosting platform is the most important difference. Other MSPs that claim to be automated tend to be manual behind the scenes. We’ll typically know if something is wrong with your infrastructure and fix the issue before you know anything is wrong.

We have many firsts on AWS, including the first patient portal deployed to the platform, the first successful Meaningful Use II attestation on AWS, the first health information exchange (HIE) deployed on AWS, and the only FISMA-High workload on GovCloud.

We are the only company in the world to have the unique combination of the following credentials:

  • HITRUST Certification
  • AWS Audited Managed Services Provider
  • AWS Healthcare Competency
  • AWS DevOps Competency
  • AWS Public Sector Partner
  • AWS Authorized Commercial and Government Reseller
  • AWS GovCloud Authorized Partner
  • Three AWS Service Delivery Partner designations: EC2 Systems Manager, Service Catalog, and QuickSight

Has Cloudticity or its systems ever experienced a security breach?

No system under our management has ever experienced a HIPAA breach.

Why should I use a healthcare-exclusive MSP for my AWS infrastructure?

Healthcare is a highly regulated industry, with requirements that change often and affect compliance. Generalist MSPs often lack the resources and expertise to keep up with ever-changing regulatory requirements. 

Generalist MSPs are also not as experienced in deploying and maintaining a HIPAA-compliant server infrastructure. Inexperience leads to mistakes, which can lead to a data breach. In fact, we have found that most healthcare organizations that use generalist MSPs are not fully HIPAA compliant when it comes to their server infrastructure.

What are the consequences of a HIPAA data breach?

HIPAA data breaches can be an end-of-life event for a company. Studies have shown that most small- and medium-size companies go out of business within six months of a data breach.

The average cost of a healthcare data breach in 2018 was $408 per patient record, according to a study conducted by the Ponemon Institute on behalf of IBM Security. The combination of federal and state fines, class action lawsuits, and bad press can be too much for an organization to overcome.

How do I know if I am HIPAA compliant on AWS?

Cloudticity has created a free automated HIPAA technical assessment for existing AWS accounts. Additional details can be found here.

When it comes to HIPAA data, how does Cloudticity interface with AWS and clients? Who manages the information relationship with AWS?

Cloudticity is an AWS reseller and audited managed services provider. We maintain the relationship and business associate agreement (BAA) with each client, and also manage the interaction and interface with AWS.

Can Cloudticity help with my HITRUST Certification journey?

Yes. Cloudticity is HITRUST certified, and you can inherit many of Cloudticity's HITRUST controls. In fact, Cloudticity just made your HITRUST journey even easier with the launch of HITRUST in Box. This solution provides a path for healthcare organizations to become fully HITRUST certified in a matter of months at a fraction of the cost of the traditional route.

The Provider Third-Party Risk Management Council recently announced that in less than 24 months, its member organizations will require technology vendors to be HITRUST certified.

In addition, a number of insurance companies have already mandated this as well. These new developments have left healthcare technology companies scrambling to achieve HITRUST certification. Cloudticity saw this trend coming well in advance and created a solution to help you meet your aggressive HITRUST goals.

Does Cloudticity offer professional services on AWS?

Yes. Cloudticity’s professional services team provides application architecture, AWS migrations, and data lake builds, as well as building rational DevOps practices that leverage AWS infrastructure as code.

We have an exceptionally strong DevOps practice, so we can help customers build integration pipelines, deployment pipelines, full automation of code deployments, infrastructure deployments, and more.

Does Cloudticity offer a business associate agreement (BAA)?

Yes. Cloudticity offers a comprehensive BAA. Cloudticity will also sign your BAA. Learn more about obtaining a BAA.

Does Cloudticity offer cloud migration services on AWS?

Yes. Cloudticity has performed many migrations to AWS with no downtime to the customer's end users. The key to a successful cloud migration is proper planning. Cloudticity is happy to speak with you about a customized migration plan.

What is the full scope of services from Cloudticity Oxygen™?

The HITRUST-certified Cloudticity Oxygen™ platform is a fully managed service that offers workloads specifically designed for HIPAA on AWS. Oxygen has three pillars:

  • Managed services include a 24/7 help desk, full-system monitoring, and automation of routine tasks such as patching and backups. Most help desk tickets are resolved through automation.
  • Managed compliance includes thousands of continuous compliance checks of both AWS and OS configurations, mapped to HIPAA CFRs and HITRUST CSF requirements with automated remediations.
  • Managed security includes a full HITRUST-certified security operations center, including intrusion detection and prevention, log monitoring, file integrity monitoring, and real-time malware prevention.

Cloudticity Oxygen is a fully managed service. What other services or platforms does Cloudticity offer if we don't need a fully managed service?

Cloudticity Oxygen is a full package, meaning clients can't turn pieces on and off, other than the optional addition of Trend Micro Deep Security (which is highly recommended). Oxygen is applied at the AWS account level, meaning clients can have multiple accounts and choose to have Cloudticity manage a subset of them.

What does the transition for onboarding/offboarding clients look like?

Onboarding (and offboarding, although rare) is accomplished through automation as much as possible, and generally takes place in a few hours. We can add an existing AWS account into Cloudticity Oxygen, and also remove Oxygen and return an account to client management as necessary.

What kind of client support does Cloudticity provide?

Cloudticity assigns a team of technical resources to each client to assure 24/7 coverage while still maintaining consistency of personal relationships. We also assign a client success manager, as well as perform quarterly architectural reviews.

What level of design support does Cloudticity offer?

Cloudticity's professional services team offers deep expertise in advanced AWS technologies as they apply to healthcare workloads, centered around four practice areas:

  1. Migration to AWS
  2. Optimization of application architecture to become cloud-native, leveraging modern architecture techniques and cloud-native services
  3. DevSecOps automation
  4. Healthcare data ingestion, management, and analytics at scale, including data lakes, BI analytics, visualization, and artificial intelligence/machine learning

Does it matter which development language we use?

Cloudticity is language- and technology-agnostic, so feel free to use whatever programming languages and environments make sense for your team and applications.

What is the best architecture for disaster recovery in small, single regions?

We will need to perform an architectural assessment that factors in parameters such as required recovery time objective (RTO) and recovery point objective (RPO). Cloudticity always recommends redundant components deployed across multiple availability zones within any particular region, so that failure of an individual component doesn't necessarily result in overall system failure.

In addition, we have standard patterns for self-healing systems, such as the use of auto-scaling groups that recreate failed EC2 instances automatically.

When it comes to pricing and scope, what minimum level of engagement do you work with? What does your average customer pay for services?

Cloudticity Oxygen pricing is based on a percentage of the monthly AWS bill, with a minimum $2,500 monthly service charge.

Is Cloudticity’s development outsourced or done in-house?

Cloudticity does not use contractors for client-facing work. We limit the use of outsourcers to administrative tasks such as marketing, documentation, and website maintenance. 

All client-facing Cloudticity personnel are full-time employees, US citizens who have passed complete background checks. Most employees maintain US government secret-level clearance for the work we do with the Department of Veterans Affairs.

Have you done any projects with the US government? Are you able to meet the US government’s security standards?

Cloudticity does extensive work with the VA on GovCloud and manages the only FISMA-High workload ever deployed to that environment. As a result, most of our technical staff maintain US government secret-level clearance to work on that project.