Architecting for Compliance as an Enterprise Startup

Download Now

Complete the form below to receive the white paper.

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
Blog Post
November 1, 2022

Architecting for Compliance as an Enterprise Startup

Patrick Smith

6 Tips to Run Efficient Compliance Audits

Courier Health recently completed our 2022 SOC 2 Type 2 and HIPAA audits. These are two critical compliance frameworks for any enterprise software company operating in healthcare. I’ll assume readers of this blog post have background on the respective audits, but as a quick introduction SOC 2 concerns the overall security and integrity of the system, while HIPAA concerns the privacy and security of patient data. Both audits provide important points of validation and assurance to customers and partners.

As SOC 2 and HIPAA are complex and lengthy audits, I want to share six key learnings to help others run more efficient and effective audit processes.

1. Choose HIPAA compliant cloud infrastructure services

As a Business Associate, it’s critical to ensure that your cloud infrastructure provider can provide the necessary services. Not every feature of the cloud provider may be suitable for use in a HIPAA-compliant architecture. For example, AWS maintains a list of HIPAA eligible services. When putting together your architecture, be sure that the services you expect to use are eligible for your compliance requirements before you begin building. Another consideration is utilizing cloud services where possible. For example, Courier Health uses AWS Lambda over EC2 for several processing services. This allows us to focus less on applying security patches to EC2 instances and focus more on building innovative features to improve the patient experience.

2. Leverage a compliance automation tool

The requirements for compliance are intimidating (and for good reason!). To wrap our head around all the requirements and then ensure that our infrastructure was implemented with the right tools to confirm compliance, Courier Health partnered with Drata. Drata is a compliance automation solution that integrates with our cloud infrastructure provider, GitHub, Jira, HR system, training, device management, and other systems to continuously monitor and test our system and processes. Drata offers a comprehensive and intuitive platform that we use to manage our security and compliance. Drata also enables our third-party auditors to review our controls, which lightens the burden on us to provide proof of controls for the audit.

3. Use test-driven deployment (TDD) for security compliance

As a software engineer, I’m a huge fan of automated tests for our code. Test-driven development (TDD) is a software development methodology that can produce a quality software system by writing tests first, and then writing code to satisfy the tests. In the case of security and compliance, Drata has written all the tests for us! For example, when adding a new piece of infrastructure, the automated controls can inform us of what type of encryption, monitoring, alerting, networking, etc. are required. We can then address these requirements before the infrastructure is utilized in the production system. When all test controls are passing, we have confidence in the security of our system.

4. Log everything & tag protected health information (PHI)

Logging events and activity is an integral and necessary part of any software application. This is especially important when applying role-based access restrictions to different operational systems because the log data may be the only way to figure out what happened or what’s really going on in your system. Courier Health also takes further precautions with regard to protected health information (PHI). We created a logging utility that is used throughout our application to explicitly tag any logging statements that may contain PHI (note: we tag the data even if it may include PHI to err on the side of caution). Tagging PHI in logs allows us easily segregate logs and maintain an accessible audit trail. As far as setting up these logs, the best time to know if a logging statement has PHI is when writing the code, so make it easy to do at that point in time. This also encourages developers to keep security in mind while writing code, which should always be a core value!

5. Use infrastructure as code to automatically apply security & permissions

Applying proper controls to cloud resources should be done in a repeatable way so that you can maintain security and compliance while scaling operations. At Courier Health, we use Terraform, which is an infrastructure as code tool that allows us to define specific architecture and apply those controls to all necessary cloud resources. This ensures that the necessary settings are never changed manually. For example, Courier Health’s firewall was recently blocking some valid requests; rather than manually disabling the firewall, our process forces a developer to add exceptions. Applying these exceptions in Terraform also triggers our required peer review process before any change is committed and applied everywhere. Lastly, in addition to automatically applying our security and permission controls, running Terraform is just a lot easier (and much more pleasant!) than spending hours in the AWS console.

6. Split up development accounts

This last tip may be obvious, but it still merits an explicit callout: you should split up your development accounts! It’s certainly possible to have all resources (eg. dev, stage, prod, etc.) in one AWS account and architect it securely to ensure that no product data or resources are accessible from other environments. Courier Health even started out this way very early on, but we quickly moved to a model that splits any development or stage resources into their own account. Splitting up accounts allows for safer changes in development because by isolating resources there is no possible way to affect resources in an entirely different account. Depending on your solution, it’s possible that you’ll need to separate resources for different clients anyway so it’s best to “rip the Band-Aid off” early versus having to migrate more infrastructure later. In case you aren’t already convinced; I’ll make the final point that your compliance automation tool (eg. Drata) will monitor all resources in an account so you would need to manually exclude development resources if they are failing any monitoring checks. You absolutely want checks and alerts on production resources, but it’s often not necessary (and can become very noisy) on development resources.

The effort to maintain secure and compliant operations requires company-wide alignment on the goal and its importance. Courier Health has a patient-centric culture, and everyone is mindful of the implications for our enterprise customers and the patients we ultimately serve. From the very first line of code, we designed our platform with security in mind. Even with ‘Security Leads’, everyone is responsible for ensuring high integrity systems and processes. This includes our partners, like Drata and our auditor, Sensiba San Filippo, who hold themselves to the same standards of excellence in security and compliance.

I hope this blog has been helpful and if you have any questions, please feel free to ping me at!

Get Started

True patient-centricity. Everyone says it, but few deliver. Upgrade your patient experience with Courier Health.

Contact Us