Cloud303 builds resilient and HIPAA-compliant infrastructure for Taproot's EHR application

EHR / Modernization / HIPAA


Taproot is a company dedicated to advancing cancer research. They partner with patients, clinics, researchers, and businesses to collect data and build the models needed to make advances in the field.

One of the biggest issues facing cancer research is small or incomplete data sets. To address this, Taproot collects regulatory-grade data from community and academic centers across the country and combines it with complete patient data and outcomes linked to biomarker data, giving a complete picture of care.

Cancer is a huge problem, and one that no single group or company can solve alone. To bring researchers together, Taproot strives to connect and share all data that can be used in the development of cures, and to help finance further research that improves patient care.



Our Customer

Taproot Health is building a new generation of real-world data. Their prospective, regulatory-grade data fill a research gap, bridging the current efforts of others and providing a more comprehensive picture of cancer patients. These data are needed by all stakeholders to advance cancer care.

The Challenge

Taproot needed a net new workload deployed. Taproot was running into huge hurdles finding off-the-shelf solutions that could cater to its multi-faceted, highly customized EHR application, which drew on a myriad of technologies spanning application development, product development, AI and machine learning, customized ERP solutions, application integration, technology consulting, project management, and quality assurance consulting. After a successful Well-Architected Review with Cloud303, focused on HIPAA compliance and scalability, Taproot was convinced that AWS had all the services needed to host its architecture.

Why Taproot Chose AWS?

Amazon Web Services (AWS) is a leading cloud provider, offering a comprehensive suite of services and tools that enable businesses to build, deploy, and manage applications in the cloud. AWS was chosen by Taproot due to its proven track record in scalability, reliability, and cost-effectiveness. The wide range of AWS services and tools allowed Taproot to build a robust and scalable infrastructure that was HIPAA compliant.

Why Taproot Chose Cloud303?

Cloud303's reputation as the number one AWS Well-Architected Review partner boded well for Taproot's aspiration to roll out its EHR application, which had to be HIPAA-compliant, on AWS.

Cloud303 also turned out to be a great fit for Taproot because of their extensive experience with Health and Life Science companies. That experience means Cloud303's engineers are extremely knowledgeable about what it takes to ensure HIPAA compliance in the cloud. This includes, but is not limited to, how to keep track of the data needed for HIPAA compliance at the AWS account level as well as the data and logs from within the application itself, all of which were defined and discussed extensively during the Well-Architected Review in the Assess phase of the migration.

Phil Supinski, CEO/Solutions Architect
Sujaiy Shivakumar, CTO/Solutions Architect

AWS Services Employed:
EC2, ECS, ECR, VPC, Route 53, AWS CodePipeline, AWS CodeBuild, AWS CodeCommit, AWS Config, Amazon CloudWatch, AWS CloudTrail, AWS KMS

Cloud303's Solution

Patients log in and enter data into Taproot's Electronic Data Capture (EDC) and Electronic Health Records (EHR) application, which runs in containers on Amazon Elastic Container Service (ECS) backed by Amazon Elastic Compute Cloud (EC2) instances. All cancer and clinical research data is stored in a three-node MongoDB cluster hosted on EC2 instances, with replica set members spread across multiple Availability Zones. Route 53 manages Taproot's DNS. Taproot's CI/CD pipeline is orchestrated by AWS CodePipeline and AWS CodeBuild, with the codebase version-controlled in GitHub. AWS Config rules are configured according to the AWS conformance pack Operational Best Practices for HIPAA Security, and Amazon CloudWatch alarms and AWS CloudTrail log storage are likewise configured to HIPAA requirements.

Cloud303 scoped the project and sized the EHR platform on compute-optimized c5.2xlarge EC2 instances to power the Docker containers running in Amazon ECS. The workload was spread across private subnets in multiple Availability Zones in an Auto Scaling group behind an Application Load Balancer in the North Virginia (us-east-1) region for high availability.

The deployment pipeline was orchestrated with AWS CodePipeline, AWS CodeBuild and AWS CodeCommit, integrated with GitHub as the version control system. Cloud303 built the Docker image, pushed it to Amazon Elastic Container Registry (ECR), and deployed it to ECS on EC2.

All testing of the application's backend was conducted in a development environment. Topic branches based off the main branch were used for features and bug fixes, isolating work in progress from the completed work in main.

Autoscaling was configured with a step scaling policy triggered by Amazon CloudWatch metrics. During the development phase, as a proof of concept (PoC) in the Dev account, the ECS containers ran on c5.2xlarge instances spread across two AZs. The containers were set to scale out when CPU utilization exceeds 80% and to scale in when it falls below 60%. After three months of monitoring, the production workload was sized to match demand, with the minimum and desired number of instances set to five and the maximum set to twelve, using AWS' native right-sizing and cost-optimization capabilities.

For finer control over scaling the EC2 instances within the cluster, ECS cluster auto scaling (CAS) was enabled. The ECS service sends metrics to CloudWatch, where an alarm adds tasks to the service, and a capacity provider attached to the Auto Scaling group scales the instances themselves using the CapacityProviderReservation metric.
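The two scaling layers described in the preceding paragraphs (step scaling of ECS tasks on CPU, then cluster auto scaling of the EC2 instances through CapacityProviderReservation) are easier to reason about with the arithmetic written out. The model below is an added example, not Cloud303's or Taproot's configuration. The 80%/60% thresholds and the 5/5/12 instance bounds are taken from the text, and are treated here as the Auto Scaling group's bounds since the text says "instances"; the task size, the task-count bounds, the step intervals and the CPU samples are assumptions chosen for illustration. It goes slightly beyond the page by also showing what happens when the capacity provider's target is set below 100 to keep headroom.

```python
"""Model of ECS service step scaling plus ECS cluster auto scaling (CAS).

Added example. Thresholds and ASG bounds are from the case study; task
shape, task bounds, step intervals and CPU samples are assumptions."""
from math import ceil

# From the case study: scale out above 80% CPU, scale in below 60%; the
# production Auto Scaling group runs min/desired 5 and max 12 instances.
SCALE_OUT_CPU, SCALE_IN_CPU = 80.0, 60.0
ASG_MIN, ASG_MAX = 5, 12

# Assumptions: one task shape, and bounds on the ECS service's task count.
# c5.2xlarge = 8 vCPU (8192 CPU units) and 16 GiB (16384 MiB).
TASK_CPU_UNITS, TASK_MEMORY_MIB = 2048, 4096
INSTANCE_CPU_UNITS, INSTANCE_MEMORY_MIB = 8192, 16384
TASK_MIN, TASK_MAX = 4, 40

# Assumed step adjustments as (MetricIntervalLowerBound,
# MetricIntervalUpperBound, ScalingAdjustment); bounds are relative to the
# alarm threshold and None means unbounded.
SCALE_OUT_STEPS = [(0, 10, 1), (10, None, 2)]     # 80-90% -> +1 task, >=90% -> +2
SCALE_IN_STEPS = [(-20, 0, -1), (None, -20, -2)]  # 40-60% -> -1 task, <=40% -> -2


def step_adjustment(metric, threshold, steps):
    """Return the ScalingAdjustment whose interval contains metric - threshold.
    Application Auto Scaling treats the lower bound as inclusive and the upper
    bound as exclusive when the metric is above the threshold, and the reverse
    below it, so adjacent steps never overlap and never leave a gap."""
    delta = metric - threshold
    above = delta > 0
    for lower, upper, adjustment in steps:
        if above:
            inside = (lower is None or delta >= lower) and (upper is None or delta < upper)
        else:
            inside = (lower is None or delta > lower) and (upper is None or delta <= upper)
        if inside:
            return adjustment
    return 0


def next_task_count(current, cpu_pct):
    """One evaluation of the scale-out and scale-in alarms, clamped to task bounds."""
    if cpu_pct > SCALE_OUT_CPU:
        adjustment = step_adjustment(cpu_pct, SCALE_OUT_CPU, SCALE_OUT_STEPS)
    elif cpu_pct < SCALE_IN_CPU:
        adjustment = step_adjustment(cpu_pct, SCALE_IN_CPU, SCALE_IN_STEPS)
    else:
        adjustment = 0  # between the thresholds neither alarm is in ALARM
    return max(TASK_MIN, min(TASK_MAX, current + adjustment))


def simulate_tasks(cpu_samples, start_tasks):
    """Task count after each CPU sample (alarm cooldowns ignored for clarity)."""
    counts, current = [], start_tasks
    for cpu in cpu_samples:
        current = next_task_count(current, cpu)
        counts.append(current)
    return counts


def tasks_per_instance():
    """How many tasks of the assumed shape fit on one c5.2xlarge."""
    return min(INSTANCE_CPU_UNITS // TASK_CPU_UNITS, INSTANCE_MEMORY_MIB // TASK_MEMORY_MIB)


def instances_needed(task_count):
    """M: instances required to place every task, binpacked."""
    return ceil(task_count / tasks_per_instance())


def capacity_provider_reservation(task_count, running_instances):
    """CAS publishes 100 * M / N. With N == 0 it publishes 200 when tasks are
    waiting (so target tracking scales out) and 100 when nothing is waiting."""
    needed = instances_needed(task_count)
    if running_instances == 0:
        return 200.0 if needed > 0 else 100.0
    return 100.0 * needed / running_instances


def asg_desired_capacity(task_count, target_capacity=100):
    """Instance count that target tracking on CapacityProviderReservation
    converges to for target_capacity (1-100), clamped to the ASG bounds.
    A target below 100 keeps spare instances warm for faster task placement."""
    desired = ceil(100 * instances_needed(task_count) / target_capacity)
    return max(ASG_MIN, min(ASG_MAX, desired))


if __name__ == "__main__":
    samples = [85, 95, 70, 55, 30, 30]  # constructed CPU readings
    for cpu, tasks in zip(samples, simulate_tasks(samples, 5)):
        print(f"cpu={cpu:>3}%  tasks={tasks:>2}  instances needed={instances_needed(tasks)}"
              f"  ASG desired={asg_desired_capacity(tasks)}")
```

Two details worth noting when reading the output: the ASG minimum of five instances means the cluster is over-provisioned at the assumed task sizes until the service grows past 20 tasks, and the 200 value published when no instance is running is what lets a cold cluster scale out at all, since 100 * M / 0 is undefined.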

Data was encrypted at rest using AWS Key Management Service (KMS) keys with automatic annual key rotation, and in transit, to meet HIPAA encryption requirements.


Cloud303 built a resilient, scalable, highly available backend architecture for Taproot's EDC/EHR application. Through the use of AWS Config conformance packs, the application was built robustly while conforming to HIPAA requirements. Taproot's business has benefited greatly from running its containerized workload on AWS. Logs are retained for the six years HIPAA requires, both at the application level and the account level, and encryption is in place both in transit and at rest. Taproot now has considerably more control over the resources it uses than with its prior application hosted by a managed provider, and no longer has trouble controlling its infrastructure or adjusting security settings when necessary.
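The controls the case study leans on (AWS Config rules from the HIPAA conformance pack, CloudTrail and CloudWatch log storage, six-year log retention, KMS keys with rotation, encrypted volumes under the MongoDB nodes) are all things an engineer can verify before AWS Config ever reports on them. The script below is an added example, not Cloud303's tooling: it evaluates a constructed inventory of resource descriptions, shaped like the boto3 responses that describe them (describe_trails, describe_log_groups, describe_key plus get_key_rotation_status, describe_volumes), against local approximations of several AWS Config managed rules. The rule identifiers are real AWS Config managed-rule names, but the evaluation logic here is this example's own, and whether each rule appears in the current version of the Operational Best Practices for HIPAA Security pack should be checked against the pack template. The sample ARNs and IDs are placeholders, not real account data.

```python
"""Offline pre-check of HIPAA-relevant logging and encryption settings.

Added example. Resource dicts mirror boto3 response shapes; the inventory is
constructed sample data, and each check is a local approximation of the
named AWS Config managed rule, not the AWS Config service itself."""
from typing import Callable

# Smallest CloudWatch Logs retentionInDays value that covers six years.
SIX_YEARS_DAYS = 2192


def cloudtrail_checks(trail: dict) -> dict:
    """One entry of cloudtrail.describe_trails()['trailList']."""
    return {
        "multi-region-cloudtrail-enabled": bool(trail.get("IsMultiRegionTrail")),
        "cloud-trail-log-file-validation-enabled": bool(trail.get("LogFileValidationEnabled")),
        "cloud-trail-encryption-enabled": bool(trail.get("KmsKeyId")),
        # Delivery to CloudWatch Logs is what lets alarms fire on API activity.
        "cloud-trail-cloud-watch-logs-enabled": bool(trail.get("CloudWatchLogsLogGroupArn")),
    }


def log_group_checks(group: dict, min_days: int = SIX_YEARS_DAYS) -> dict:
    """One entry of logs.describe_log_groups()['logGroups']. A missing
    retentionInDays means 'never expire', which satisfies a minimum-retention rule."""
    retention = group.get("retentionInDays")
    return {
        "cw-loggroup-retention-period-check": retention is None or retention >= min_days,
        "cloudwatch-log-group-encrypted": bool(group.get("kmsKeyId")),
    }


def kms_key_checks(key: dict) -> dict:
    """kms.describe_key()['KeyMetadata'] merged with
    kms.get_key_rotation_status()['KeyRotationEnabled']."""
    return {
        "cmk-backing-key-rotation-enabled": bool(key.get("KeyRotationEnabled")),
        "kms-cmk-not-scheduled-for-deletion": key.get("KeyState") != "PendingDeletion",
    }


def volume_checks(volume: dict) -> dict:
    """One entry of ec2.describe_volumes()['Volumes']; the MongoDB data
    volumes are where PHI at rest actually lives."""
    return {"encrypted-volumes": bool(volume.get("Encrypted"))}


CHECKERS: dict = {
    "trails": (cloudtrail_checks, "Name"),
    "log_groups": (log_group_checks, "logGroupName"),
    "keys": (kms_key_checks, "KeyId"),
    "volumes": (volume_checks, "VolumeId"),
}


def evaluate(resources: dict) -> list:
    """Return (resource_id, rule, 'COMPLIANT' | 'NON_COMPLIANT') for every rule."""
    findings = []
    for kind, items in resources.items():
        checker, id_field = CHECKERS[kind]
        for item in items:
            for rule, ok in checker(item).items():
                findings.append((item[id_field], rule, "COMPLIANT" if ok else "NON_COMPLIANT"))
    return findings


def non_compliant(resources: dict) -> list:
    """Just the (resource_id, rule) pairs that need attention."""
    return [(rid, rule) for rid, rule, status in evaluate(resources) if status == "NON_COMPLIANT"]


# Constructed sample inventory (placeholder ARNs and IDs, not real data).
KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
SAMPLE = {
    "trails": [{
        "Name": "org-trail", "IsMultiRegionTrail": True, "LogFileValidationEnabled": True,
        "KmsKeyId": KEY_ARN,
        "CloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-1:111122223333:log-group:/aws/cloudtrail/audit:*",
    }],
    "log_groups": [
        {"logGroupName": "/app/ehr", "retentionInDays": 2192, "kmsKeyId": KEY_ARN},
        {"logGroupName": "/aws/cloudtrail/audit", "retentionInDays": 365},  # too short, unencrypted
    ],
    "keys": [{"KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab", "KeyState": "Enabled",
              "KeyRotationEnabled": True}],
    "volumes": [{"VolumeId": "vol-0a1b2c3d4e5f60001", "Encrypted": True},
                {"VolumeId": "vol-0a1b2c3d4e5f60002", "Encrypted": False}],
}

if __name__ == "__main__":
    for rid, rule in non_compliant(SAMPLE):
        print(f"NON_COMPLIANT  {rid}: {rule}")
```

Running it against the sample flags the CloudTrail log group (one-year retention and no KMS key) and the second MongoDB volume (unencrypted), which is the shape of finding AWS Config would raise after the fact; the point of an offline pass is to catch these in the pipeline before the resources carry PHI. Note that "retentionInDays absent" passes the retention rule because CloudWatch Logs keeps such groups forever, which satisfies six years but deserves a cost review.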


AWS Programs/Funding Used:
Well-Architected Review (WAR) Funding