AWS Compliance Case Study: Pegasystems

About Pegasystems

Pegasystems is a global leader of customer relationship management (CRM) and Business Process Management (BPM) software. Pega’s rules-driven software helps enterprise and government agencies update their operations and systems to reflect changes in business goals and strategies. Pegasystems helps leading organizations create and evolve their critical business systems by helping them to engage their customers, simplify their operations and build for change.

Pega’s Healthcare line of business helps leading health plans, pharmacy benefit managers, providers, and government healthcare agencies improve clinical, financial and operational outcomes. As healthcare organizations attempt to navigate the post-reform economy turmoil, many turn to Pegasystems to assist in their efforts to innovate, reduce costs and improve the customer experience. Furthermore, Pega’s customers face a complex array of HIPAA application requirements, such as processing and storing individually identifiable health information.

In Pega Cloud, Pegasystems is delivering an innovative and secure platform that enables its customers to deploy and operate healthcare CRM and BPM workloads on AWS’ enterprise-grade infrastructure. Willy Fox of Pegasystems explains, “Amazon was ahead in the cloud space and had APIs to allow us to integrate our products into the AWS cloud infrastructure and power our cloud product line.” The Pega Cloud service offers a seamless and scalable service for developing, deploying and running Pega applications in the cloud. Fox notes that “There’s been a significant increase in interest and greater acceptance for cloud solutions in the healthcare space.” The Challenge

Pegasystems has been serving HIPAA-regulated customers for several years. It has contractual obligations to secure its clients’ data and it has controls in place that allow its customers to be HIPAA compliant. Fox explains that “we assume all of our clients have personally identifiable information or protected health information data in their environments even if they don’t. This drives us to maintain the highest level of security controls across all of our clients.” Because Pegasystems had many existing HIPAA compliant customers, it became a priority for Pega to sign a Business Associate Agreement with AWS and to implement HIPAA privacy and security controls within their AWS environment in order to enable HIPAA compliance for its customers. The Solution

By executing a Business Associate Agreement, Pega was able to remain HIPAA compliant while continuing to take advantage of AWS to provide its portfolio of healthcare clients with the advantages of the AWS Cloud to create a new, innovate deployment option with even lower costs and faster time-to-value.

As part of its continuing efforts to help protect healthcare information, Pega incorporated the Amazon Elastic Compute Cloud (Amazon EC2) Dedicated Instances option into the Pega Cloud HIPAA Edition. Dedicated Instances are Amazon EC2 instances that run in a virtual private cloud on hardware that's dedicated to a single customer. AWS Dedicated Instances are physically isolated at the host hardware level from instances that aren't Dedicated Instances and from instances that belong to other AWS accounts. This alternative deployment option was simple to exercise and helped Pega Cloud meet the compliance demands of their healthcare clients. Why Amazon Web Services

Once the HIPAA Omnibus rule was released and clarified the requirements for cloud service providers, Pegasystems reached out to its AWS account manager to inquire about the process for obtaining an AWS Business Associate Addendum (BAA). Working hand-in-hand with AWS solution architects and the security assurance team, Pega designed its platform and security controls to address HIPAA’s business associate requirements. Pega took into consideration the use of shared infrastructure, reserved instances, and its redundancy standpoint while migrating its existing AWS solution to dedicated instances.

HIPAA compliance, like other AWS compliance programs, is comprised of a shared responsibility model between AWS and the customer. The shared responsibility model makes it easier to understand security and how to meet compliance requirements. Fox states, “Now with the signed BAA and follow-on adjustments made to our AWS implementation model, Pega can offer our clients the capabilities they require to certify their applications are HIPAA compliant.”

Pegasystems has been successfully audited on HIPAA controls and standards by 3rd party assessors. As a result, Pegasystems’ customers can have confidence that the applications they deploy on Pega Cloud can be configured to process protected health information against strict HIPAA security and privacy requirements. Fox explains that “Pega relies on AWS certifications in almost all of our client engagements. We have relied on the SOC2, FedRAMP / FISMA, PCI, and ISO certifications to help our clients understand that Amazon takes security seriously and helps ensure the proper controls are in place.”

Pegasystems’ internal security processes and practices were already hardened to meet HIPAA requirements. Pegasystems’ strict model on delineating responsibility and keeping environments separate and contained was a contributing factor to ensuring its ability to meet HIPAA Omnibus requirements.

Fox explains, “Pega Cloud is built on the basis of transparency and standards compliance. Having an independent third party validate our practices for Information Security, Availability & Confidentiality practices against industry compliance standards such as HIPAA gives our customers peace of mind while they increase their pace of innovation. Customers get the benefit of quickly scalable cloud solutions without compromising their security requirements. With a focus on security, compliance and confidentiality at the core of the service, customers are able to evaluate Pega Cloud offerings in a transparent manner, not as a black box service.”

Steps to achieving BAA with AWS:

Reach out to Review Terms Sign BAA Sales Rep of BAA

The Benefits

Pegasystems considers its cloud solution to be an overall more attractive environment for its customers because of its HIPAA compliance. The BAA between Pegasystems and AWS allowed Pegasystems’ customers to have confidence that their protected health information processed in Pega Cloud meet HIPAA’s strict security and privacy requirements.

Benefits of the Pega Cloud on AWS include:

 Enterprise-grade Security and Compliance. Pega is one of the first companies to create an enterprise Platform-as-a-Service offering using AWS’s HIPAA eligible services, and Pega believes that the combination of AWS service features and compliance reports is helping it respond to the PHI challenges its customers are facing. “The fact that AWS has security controls and access to the audit reports are a huge benefit. In the past we have also had access to an AWS resource to assist with any questions that we did not have answers to,” says Fox.

 Agility and Availability. By running their solution in a high availability configuration on AWS, Pega recognizes it can help enterprises eliminate the need for planned downtime and provide them with a global footprint that can immediately recover from unplanned events.

 Lower cost of operation. By running on AWS, Pega says that they significantly reduced their cost of maintaining and expanding Pega Cloud. Fox explains that “the current mercurial environment demands accelerated time to value, and Pega Cloud delivers. Clients who deploy Pega Solutions on Pega Cloud dramatically accelerate time to value while addressing compliance.” Fox explains further, “Leveraging Amazon Web Services, Pega Cloud enables our customers to scale their infrastructure on-demand while significantly improving speed of project completion that drives down the total cost of ownership.” Next Step To learn more about how AWS can help you achieve compliance in the cloud, explore the reference whitepapers and compliance program information on the AWS Compliance site: https://aws.amazon.com/compliance.

If you’re ready to assess AWS for migrating HIPAA compliant workloads to the cloud, start by contacting your business development representative or submitting a request here.