Introducing Landing Zone Accelerator for Healthcare

October 14, 2022 Donny Wilson

Today, Amazon Web Services (AWS) announced the availability of Landing Zone Accelerator (LZA) for Healthcare.

The LZA for Healthcare is an industry-specific deployment of the Landing Zone Accelerator on AWS solution architected to align with AWS best practices and in conformance with multiple, global compliance frameworks. When used in coordination with services such as AWS Control Tower, the Landing Zone Accelerator provides a comprehensive no-code solution across more than 35 AWS services and features to manage and govern a multi-account environment. The LZA is built to support customers with highly-regulated workloads and complex compliance requirements.

Supporting security standards alignment with global compliance frameworks

The AWS Compliance Program helps customers to understand the robust controls in place at AWS to maintain security and compliance in the cloud. Healthcare customers can benefit from the LZA for Healthcare as the security controls implemented are aligned with several prominent international frameworks, including:

  • Health Insurance Portability and Accountability Act (HIPAA)
  • Cloud Computing Compliance Controls Catalog (C5)
  • National Cyber Security Centre (NCSC)
  • Esquema Nacional de Seguridad (ENS) High
  • International Organization for Standardization (ISO) 27001 and ISO 27002

The LZA for Healthcare can help reduce the effort and complexity in supporting your healthcare compliance efforts. In the rapidly evolving healthcare industry, organizations are increasingly realizing the benefits of cloud-based solutions, like those offered by AWS, to help them operate more efficiently and drive innovation. However, a key question that may arise is, “How do we run sensitive workloads in AWS?”

The answer to this question requires consideration of multiple factors, such as geographic location, regulatory requirements, or organization goals. Leveraging a multi-account strategy sets the stage for improved security posture and growth. This is referred to as an AWS landing zone. Individual AWS accounts enable resource independence and isolation through natural security, access, and billing boundaries for AWS resources.

For example, users outside of your account do not have access to your resources by default. By using a landing zone as a foundation, you can deploy your mission-critical application workloads and solutions across a centrally-governed multi-account environment. Further detail can be found in the Organizing your AWS Environment Using Multiple Accounts whitepaper.

The LZA for Healthcare builds upon this guidance to quickly deploy a solution foundation in AWS designed to be secure, resilient, scalable, and automated. This foundation can accelerate your readiness for a cloud compliance program, including:

  • Default accounts
  • Account structure
  • Core networking infrastructure
  • Security configurations for logging, monitoring, and notification
  • Encryption

The LZA helps establish platform readiness with security, compliance, and operational capabilities. It is important to note that the LZA solution will not, by itself, make you compliant. It provides the foundational infrastructure from which additional complementary solutions can be integrated.

You must review, evaluate, assess, and approve the solution in compliance with your organization’s particular security features, tools, and configurations. It is the sole responsibility of you and your organization to determine which regulatory requirements are applicable and to make sure that you comply with all requirements. This solution does not help you comply with the non-technical administrative requirements.

For additional information, please reference the Landing Zone Accelerator on AWS – Implementation Guide.

The Landing Zone Accelerator for Healthcare architecture

The following architecture offers an overview of the AWS landing zone deployed using the LZA for Healthcare.

Figure 1 – The LZA for Healthcare architecture

The LZA for Healthcare is a set of configuration files focused on further meeting the needs of healthcare-affiliated organizations. The LZA for Healthcare leverages AWS best practices established through the experience of customers from regulated industries.

It then incorporates healthcare-specific configurations, such as the detective guardrails defined in the Operational Best Practices for HIPAA Security conformance pack. These are implemented using the AWS Config service, which records configuration changes to AWS resources and provides notification when those resources are not in compliance with your baseline.

AWS Security Hub is a cloud security posture management service that performs security best practice checks, aggregates alerts, and enables automated remediation. AWS Security Hub standards, specifically the AWS Foundational Security Best Practices and the CIS AWS Foundations Benchmark, are configured and deployed as part of the LZA for Healthcare. AWS Security Hub and AWS Config have been enabled for healthcare customers leveraging centralized account delegation and providing a single set of optimized guardrails.

The LZA for Healthcare uses AWS CloudTrail for centralized logging and configurable log retention to help you meet security and compliance needs related to accessing and auditing sensitive data and resources. Centralized networking with inspection, AWS Organizations service control policies, and backup policies are provided as examples of how to establish controls when deploying workloads in your cloud environment.

For the protection of sensitive data, AWS Key Management Service (AWS KMS) is used to encrypt data at rest. Additionally, the LZA solution is covered by Developer through Enterprise AWS Support Plans should you need assistance.

Get started with the AWS Landing Zone Accelerator for Healthcare

To get started, follow the procedures outlined in the Landing Zone Accelerator on AWS – Implementation Guide. It is recommended to begin with a new AWS payer account without existing resources deployed.

For customers that are subject to HIPAA, a Business Associate Addendum with AWS is required before placing protected health information (PHI) in your AWS environment. The LZA for Healthcare configuration files are available in the public GitHub repo.

The LZA for Healthcare leverages AWS expertise enabling regulated customers to set up their AWS environments in days instead of weeks in an optimized and secure configuration. By reducing the undifferentiated heavy lifting of establishing a regulated cloud environment, organizations have the opportunity to focus on innovative solutions that provide the greatest value to the customers they serve.

To learn more about how AWS works with healthcare organizations globally visit If you have questions, reach out to your AWS account team or send an inquiry to the AWS Public Sector Sales Team.
