Healthtech · 8 weeks · Seed-stage clinical data healthtech

HIPAA-aligned cloud foundation for a clinical data startup

Cleared HIPAA technical safeguards review with their first enterprise customer's security team — on the first pass.

HIPAA · Landing zone · Compliance evidence · PHI
By the numbers

Security review cycles: 1 (first pass)
Encrypted data stores: 100%
IAM roles with break-glass: all privileged paths
Audit log retention: 7 years, immutable
Problem

A two-engineer founding team with a working prototype on a single AWS account, hardcoded credentials in env files, and an enterprise customer asking for a HIPAA attestation in six weeks.

Approach
  1. Multi-account org with dedicated accounts for prod, staging, audit, and security tooling. SSO with break-glass procedure documented and rehearsed.

  2. VPC architecture with PHI-handling workloads isolated, all egress through inspected paths, no public subnets in production.

  3. Replaced env-file secrets with Vault on a hardened EKS cluster, dynamic database credentials, secrets rotation automated.

  4. Wired CloudTrail, GuardDuty, and Config into the audit account with immutable storage. Mapped each HIPAA technical safeguard to a specific technical control with evidence collected continuously.

  5. Wrote the actual policies — access management, incident response, change management — in plain English, with the technical controls each one referenced.
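What "immutable storage" for the audit trail (step 4) looks like in practice, as an added Terraform example that is not the engagement's own code: an S3 bucket with Object Lock in COMPLIANCE mode and a 7-year default retention, a bucket policy that lets CloudTrail write but grants nobody delete, and an organization-wide trail with log file validation. It assumes AWS provider 4.x or later and that the audit account is the organization's delegated CloudTrail administrator; bucket and trail names are placeholders.

```hcl
# Added example, not from the case study. Assumes AWS provider >= 4.x and that this
# account is the org's delegated CloudTrail administrator; names are placeholders.
resource "aws_s3_bucket" "audit_logs" {
  bucket              = "example-audit-trail-logs" # placeholder
  object_lock_enabled = true                       # can only be set at creation
}
resource "aws_s3_bucket_versioning" "audit_logs" {
  bucket = aws_s3_bucket.audit_logs.id
  versioning_configuration { status = "Enabled" } # Object Lock requires it
}
# COMPLIANCE mode: no principal, root included, can shorten or lift the
# retention, which is what makes the 7-year window immutable rather than long.
resource "aws_s3_bucket_object_lock_configuration" "audit_logs" {
  bucket = aws_s3_bucket.audit_logs.id
  rule {
    default_retention {
      mode  = "COMPLIANCE"
      years = 7
    }
  }
}
# CloudTrail may write, all access must use TLS, nothing here grants delete.
resource "aws_s3_bucket_policy" "audit_logs" {
  bucket = aws_s3_bucket.audit_logs.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      { Sid = "TrailAclCheck", Effect = "Allow", Action = "s3:GetBucketAcl",
        Principal = { Service = "cloudtrail.amazonaws.com" },
        Resource = aws_s3_bucket.audit_logs.arn },
      { Sid = "TrailWrite", Effect = "Allow", Action = "s3:PutObject",
        Principal = { Service = "cloudtrail.amazonaws.com" },
        Resource = "${aws_s3_bucket.audit_logs.arn}/AWSLogs/*",
        Condition = { StringEquals = { "s3:x-amz-acl" = "bucket-owner-full-control" } } },
      { Sid = "DenyNonTLS", Effect = "Deny", Principal = "*", Action = "s3:*",
        Resource = [aws_s3_bucket.audit_logs.arn, "${aws_s3_bucket.audit_logs.arn}/*"],
        Condition = { Bool = { "aws:SecureTransport" = "false" } } }
    ]
  })
}
# Org-wide, all-region trail; signed digest files make tampering detectable.
resource "aws_cloudtrail" "org" {
  name                       = "org-audit-trail" # placeholder
  s3_bucket_name             = aws_s3_bucket.audit_logs.id
  is_organization_trail      = true
  is_multi_region_trail      = true
  enable_log_file_validation = true
  depends_on                 = [aws_s3_bucket_policy.audit_logs]
}
```

In a real landing zone this sits beside an S3 public access block, a KMS key whose policy allows CloudTrail to encrypt, and the GuardDuty and Config delivery into the same account; those are left out here to keep the retention and write-only policy readable.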

Result

Passed the customer's review on first submission. The CTO walked into the next sales conversation with a one-page security overview that was true. The same foundation later carried them through SOC 2 Type I without re-architecture.