A 600-bed regional hospital network — eleven clinics, two acute-care sites, a growing telehealth line — gets a board mandate after a competitor’s patient portal leaks 200,000 records and lands on the front page: ship a patient portal where people can see lab results, message their care team, book appointments, and download their records, and do it on a stack the hospital’s CISO and privacy officer will sign in front of regulators. The constraint is the one that makes healthcare different from every other industry: this is electronic Protected Health Information (ePHI) under HIPAA, the breach the board is reacting to triggered an OCR investigation and a settlement, and a single record exposed across a patient-identity boundary is a reportable event with statutory penalties per affected individual. A long weekend with a React template and a Postgres box is not the answer. This article is the reference architecture for building that portal properly on AWS — an identity-gated, encrypted, audited, FHIR-backed patient portal that a hospital’s compliance committee will actually approve.
The pressures stack the way they always do in regulated healthcare. Regulation means every access to a record needs an immutable audit entry, every byte at rest and in transit must be encrypted under keys you control, and the cloud account must sit under a signed Business Associate Agreement (BAA) with AWS. Identity is the hard part nobody budgets for: these are consumers, not employees — a 78-year-old managing a spouse’s care from a tablet, a parent who needs delegated access to a child’s records, a patient who forgot their password at 11 PM with a lab result waiting. Scale is spiky: a flu-season morning, or the hour after the hospital emails 50,000 patients that results are ready, looks nothing like 3 AM. And interoperability is now law — the ONC information-blocking rules and the patient-access API mandate mean the portal must speak FHIR, not a proprietary schema, so patients and the apps they choose can pull their own data. The architecture has to satisfy all of it at once.
Why not the obvious shortcuts
The naive builds each fail predictably in healthcare, and naming why matters because someone on the project will propose all three.
Roll your own auth — a users table, bcrypt, a password-reset email — and you have signed up to build account recovery, MFA, bot defense, breached-credential detection, and consent management for consumers yourself, which is a multi-year security program disguised as a login form. The competitor that leaked 200,000 records did exactly this. Reuse the staff identity provider (the hospital’s Entra ID or Okta Workforce tenant) for patients, and you have put millions of consumer accounts in the same directory as privileged clinical staff, blurring a blast-radius boundary auditors will fail you for. Store clinical data in a generic relational schema of your own design, and you have guaranteed that the day the ONC patient-access API is enforced, you are writing a fragile translation layer from your bespoke tables to FHIR under deadline.
The architecture threads the needle. A dedicated Customer Identity and Access Management (CIAM) tenant owns consumer identity as a product — registration, recovery, MFA, delegation, consent — separate from the workforce directory. A FHIR-native datastore holds clinical data in the standard from day one, so the interoperability API is a thin read path, not a rewrite. And the whole estate sits inside HIPAA-eligible AWS services under a BAA, encrypted with customer-managed keys, with every record access landing in an immutable audit trail.
Architecture overview
The platform runs two distinct paths that share infrastructure but answer to different stakeholders: a synchronous portal request path that serves patients, and an asynchronous clinical-sync path that keeps the portal’s view of records current with the hospital’s source-of-truth EHR (Epic, in this network’s case). Keeping them separate in your head is the first step to operating this well.
The defining property of the topology is the one the privacy officer cares about most: no ePHI data-plane traffic touches the public internet, every store is encrypted under a customer-managed KMS key, and every read of a patient record is logged before the byte reaches the patient. The portal subnets are private; AWS PaaS is reached over VPC endpoints; the only public surface is the CloudFront/Akamai edge in front of the WAF.
Portal request path, following the control flow:
- A patient opens the portal. Akamai sits at the very edge for global TLS termination, anycast, and its App & API Protector WAF plus Bot Manager — credential-stuffing and account-takeover attempts against a consumer login are constant, and you want them scrubbed before they reach AWS. Akamai fronts Amazon CloudFront (origin-cloaked so the AWS origin is never directly reachable), with AWS WAF and AWS Shield Advanced as the second, AWS-native layer for DDoS and managed OWASP rules.
- Authentication is delegated to Okta CIAM (a Customer Identity tenant, wholly separate from the hospital’s Okta Workforce org). Okta owns patient registration with identity proofing, passwordless and password sign-in, adaptive MFA that steps up on risk, breached-credential detection, and — critically for healthcare — delegated/guardian access so a parent or caregiver can be granted scoped rights to another patient’s record. Okta issues an OIDC ID token and a scoped access token; the portal never sees or stores a credential.
- The token reaches Amazon API Gateway, the single front door for every portal and FHIR call. A Lambda authorizer validates the Okta JWT signature against the tenant JWKS, checks
aud/iss/expiry, and resolves the token’s subject to the internal patient identifier and any active delegation grants. API Gateway throttles per-client and enforces usage plans so one abusive client cannot starve the rest. - The request reaches the application tier — the portal’s BFF (backend-for-frontend) APIs running on Amazon ECS Fargate in private subnets, fronted by an internal Application Load Balancer. Fargate is the right call here: no nodes to patch (a real HIPAA control-hardening win), and it scales cleanly for spiky load. The service pulls the few secrets it cannot get from its task IAM role — the Epic integration client secret, third-party API tokens — from HashiCorp Vault via short-lived dynamic leases, so nothing sensitive sits in a task definition or environment variable.
- For transactional portal data — appointment slots, secure messages, notification state, consent records, session and delegation metadata — the service reads and writes Amazon Aurora PostgreSQL (Multi-AZ, encrypted with a customer-managed KMS key). For clinical data — labs, conditions, medications, allergies, documents — it reads from AWS HealthLake, a managed FHIR R4 datastore, via FHIR REST calls.
- Before any clinical byte is returned, the access is written to the audit trail: a structured record (who, which patient, which resource, when, from where, via which delegation) emitted to Amazon CloudWatch Logs and streamed to an immutable, object-locked S3 audit store. The response goes back through the same chain; large documents are served as short-lived pre-signed S3 URLs rather than proxied through the app tier.
Clinical-sync path, independent and event-driven: the hospital’s Epic EHR is the source of truth. New and updated clinical events flow out of Epic over its FHIR/HL7 interfaces into an Amazon Kinesis stream (or an SQS-buffered ingestion endpoint), where a fleet of AWS Lambda functions normalize and map them to FHIR R4 resources and upsert them into HealthLake. HealthLake’s built-in integrated medical NLP can additionally extract structured entities from unstructured clinical notes, enriching searchability. This path is what keeps the patient’s portal view eventually consistent with their chart, on the order of minutes — and keeping it separate from the request path means a burst of EHR updates never degrades patient-facing latency.
Component breakdown
| Component | Service / tool | Role in the platform | Key configuration choices |
|---|---|---|---|
| Edge | Akamai | TLS, anycast, WAF, bot/ATO mitigation at the perimeter | App & API Protector rules; Bot Manager on login; origin cloaking to CloudFront |
| CDN / DDoS | CloudFront + AWS WAF + Shield Advanced | AWS-native edge, managed OWASP rules, L3/4 + L7 DDoS | OAC to private origin; rate-based rules; Shield Advanced + 24x7 SRT |
| Patient identity (CIAM) | Okta CIAM | Consumer registration, recovery, adaptive MFA, delegation, consent | Separate Customer tenant; identity proofing; guardian/delegated access; risk-based MFA |
| API front door | Amazon API Gateway | Single ingress for portal + FHIR APIs, throttling, authz | Lambda authorizer (Okta JWT); usage plans; per-client throttles |
| Application tier | ECS Fargate + internal ALB | Portal BFF APIs: orchestration, authz, audit emission | No nodes to patch; task IAM roles; private subnets; auto scaling |
| Transactional data | Aurora PostgreSQL (Multi-AZ) | Appointments, messages, consent, delegation, session state | CMK encryption; Multi-AZ; IAM auth where possible; automated backups |
| Clinical data | AWS HealthLake | Managed FHIR R4 store for labs, meds, conditions, documents | FHIR REST; integrated medical NLP; CMK encryption; powers patient-access API |
| Secrets | HashiCorp Vault | Epic client secret, third-party tokens, signing keys | AWS IAM auth method; dynamic DB creds; short leases; no secrets in task defs |
| Documents | Amazon S3 (object lock) | Clinical documents + immutable audit store | SSE-KMS; Object Lock (compliance mode) on audit bucket; pre-signed URLs |
| EHR ingestion | Kinesis / SQS + Lambda | Epic FHIR/HL7 events → FHIR R4 upserts into HealthLake | Idempotent upserts; DLQ; decoupled from request path |
| CSPM / data posture | Wiz | Cloud posture, ePHI exposure detection, attack-path analysis | Agentless scan of S3/Aurora/HealthLake; alert on any public-exposure drift |
| Runtime security | CrowdStrike Falcon | Container runtime protection, image scanning in CI | Falcon Cloud Security on Fargate; block unscanned images at deploy |
| Observability | Datadog | Metrics, logs, traces, RUM; HIPAA-eligible with a signed BAA | APM tracing; SLO monitors; sensitive-data scrubbing in the pipeline |
| ITSM / IR | ServiceNow | Incident, change, and breach-response workflow | Auto-ticket on guardrail/audit anomaly; change gate before prod release |
| CI / IaC | GitHub Actions + Terraform | Build/test/scan pipeline; infrastructure as code | OIDC to AWS (no stored keys); Wiz Code IaC scan as a gate |
A few of these choices deserve the why, because they are the ones teams get wrong.
Why a separate Okta CIAM tenant, not the workforce directory. Mixing millions of consumer accounts with privileged clinical staff in one directory collapses a blast-radius boundary auditors care deeply about. A dedicated CIAM tenant lets you tune consumer concerns independently — progressive profiling, passwordless, social-style recovery, delegated access for guardians and caregivers (a first-class healthcare requirement), and consent capture — while the workforce tenant keeps its stricter, employee-grade policies. The two can still share federation upstream, but the data and the policy stay separate. Okta CIAM also brings breached-credential detection and adaptive MFA that only challenges on risk signals, so the 78-year-old is not fighting a TOTP app on every login but a suspicious sign-in from a new country gets a step-up.
Why HealthLake instead of a relational schema for clinical data. The ONC information-blocking and patient-access rules effectively mandate a FHIR API. If clinical data lives in HealthLake — a managed FHIR R4 store — the interoperability API is a thin, governed read path, and SMART-on-FHIR apps a patient chooses can be granted scoped access cleanly. Build your own schema and you owe a brittle FHIR translation layer the day enforcement bites, plus you reimplement search semantics FHIR gives you for free. The split is deliberate: FHIR-native clinical data in HealthLake, portal-operational data (appointments, messages, consent) in Aurora where relational integrity and transactions matter.
Why the audit trail is write-before-read and immutable. HIPAA’s accounting-of-disclosures and the practical reality of an OCR investigation mean you must be able to prove, for any record, exactly who accessed it and when. Emit the audit entry before the response is returned (not fire-and-forget after), and land it in an S3 bucket with Object Lock in compliance mode so not even an admin — or an attacker who reaches an admin role — can alter or delete it. An audit log an attacker can tamper with is not an audit log.
Implementation guidance
Provision with Terraform, and sign the BAA before anything else. None of this is HIPAA-compliant until the AWS account is covered by a Business Associate Agreement and you have constrained the build to HIPAA-eligible services (HealthLake, Aurora, ECS/Fargate, S3, KMS, API Gateway, CloudFront, WAF, Kinesis, Lambda all qualify — confirm each against the current AWS eligibility list). The deployment order then matters: network and keys first, data stores second, compute and edge last.
- A VPC with private subnets for Fargate and Aurora, and VPC endpoints (interface/Gateway) for S3, HealthLake, KMS, Secrets paths, and CloudWatch so PaaS traffic never leaves the AWS network.
- A customer-managed KMS key (or a small set, scoped per data domain) with a tight key policy and automatic rotation, used for Aurora, S3, HealthLake, and Kinesis encryption.
- The data stores — Aurora (Multi-AZ,
storage_encrypted = true, backups + PITR), the HealthLake FHIR datastore, and S3 buckets (one for documents, one object-locked for audit). - The compute tier — ECS Fargate services with task IAM roles, the internal ALB, and API Gateway with the Lambda authorizer.
- The edge — CloudFront with OAC, WAF web ACL, Shield Advanced, and Akamai pointed at the cloaked origin.
A minimal Terraform shape for the HealthLake datastore and the audit bucket communicates the intent — encrypted under your key, audit immutable:
resource "aws_healthlake_fhir_datastore" "clinical" {
datastore_name = "patient-portal-fhir-prod"
datastore_type_version = "R4"
sse_configuration {
kms_encryption_config {
cmk_type = "CUSTOMER_MANAGED_KMS_KEY"
kms_key_id = aws_kms_key.phi.arn # your key, not an AWS-owned one
}
}
}
resource "aws_s3_bucket" "audit" {
bucket = "rhn-portal-audit-prod"
object_lock_enabled = true # immutable audit trail
}
resource "aws_s3_bucket_object_lock_configuration" "audit" {
bucket = aws_s3_bucket.audit.id
rule {
default_retention {
mode = "COMPLIANCE" # not even root can delete early
years = 7 # match your retention obligation
}
}
}
The pipeline that applies this runs in GitHub Actions, authenticating to AWS via OIDC federation so there is no long-lived access key to leak — a non-negotiable after the board’s breach scare. The same pipeline runs Wiz Code to scan the Terraform for misconfigurations (a public S3 ACL, an over-broad security group, an unencrypted volume) and CrowdStrike image scanning, both as required gates before an artifact can promote.
Identity wiring: tokens in, internal IDs resolved, delegation honored. The portal is a public OIDC client to Okta CIAM with PKCE; it never holds a client secret a browser could leak. On callback it receives an ID token and a scoped access token. The Lambda authorizer at API Gateway validates the JWT against the tenant JWKS, then maps the sub claim to the internal patient record and resolves active delegation grants — so when a guardian acts for a child, the authorizer attaches both identities and the app tier enforces that the guardian may only touch resources the grant allows. Scope every clinical read against this resolved context; never trust a patient identifier passed in the request body.
Least privilege everywhere. The Fargate task role gets exactly the permissions it needs — healthlake:*Resource actions scoped to the datastore, read/write to the specific Aurora secret path in Vault, s3:GetObject/PutObject on the document prefix, kms:Decrypt on the PHI key — and nothing more. Aurora uses IAM database authentication where the access pattern allows, so the app authenticates with a short-lived token rather than a static password; the residual credentials that must exist (the Epic integration secret, third-party tokens) live in HashiCorp Vault, leased dynamically with short TTLs, so a leaked credential is useless within minutes.
Enterprise considerations
Security & the HIPAA Security Rule. Map the architecture to the rule explicitly, because your auditor will. Access control: Okta CIAM authentication, API Gateway authorization, least-privilege IAM, and unique user identity throughout. Audit controls: the write-before-read, object-locked audit trail. Integrity: CMK encryption and TLS everywhere, immutable audit. Transmission security: TLS 1.2+ at the edge and on every internal hop, no public ePHI data plane. Layer on top: (a) Wiz running continuous CSPM and sensitive-data scanning across S3, Aurora, and HealthLake, alerting the moment a bucket drifts public or an ACL widens — the posture backstop behind your policy controls; (b) CrowdStrike Falcon Cloud Security providing container runtime threat detection on Fargate and blocking unscanned images at deploy; © AWS WAF + Shield Advanced with Akamai bot mitigation specifically tuned for credential stuffing and account takeover, the dominant threat against a consumer login; (d) any guardrail breach or audit anomaly auto-raises a ServiceNow incident routed into the hospital’s breach-response workflow, so the privacy team has a ticket — and a clock — not just a log line. AWS Config and SCPs deny the creation of any unencrypted store or public S3 bucket, and Wiz independently verifies the guardrails are actually holding.
Cost optimization. Healthcare workloads are spiky and the bill is dominated by always-on data services, so engineer for both.
| Lever | Mechanism | Typical effect |
|---|---|---|
| Fargate right-sizing + Spot for async | Tune task CPU/mem to p95; run ingestion Lambdas/Spot batch off-peak | Cuts idle compute spend |
| Aurora auto scaling + Serverless v2 | Scale ACUs to demand instead of provisioning for the flu-season peak | Avoids paying for peak 24x7 |
| S3 lifecycle tiering | Transition old clinical documents to Infrequent Access / Glacier | Large savings on cold archives |
| CloudFront/Akamai caching | Cache static portal assets at the edge, shrink origin egress | Offloads the app tier |
| Per-environment teardown | Ephemeral non-prod via Terraform; no idle staging overnight | Trims lower-environment cost |
Stream cost and utilization into Datadog alongside the operational metrics, so the platform team sees spend and performance on one pane and can attribute cost to features.
Scalability. Each tier scales independently. ECS Fargate scales tasks on ALB request count and CPU; API Gateway absorbs ingress and throttles abusive clients before they reach compute. Aurora scales reads with replicas and, on Serverless v2, scales capacity to load — which is what carries the “results are ready” email blast that sends 50,000 patients to the portal in an hour. The ingestion path scales by Kinesis shard count and Lambda concurrency, fully decoupled so an EHR update storm never touches patient-facing latency. HealthLake is managed and elastic; the practical ceiling to watch is FHIR API throughput, which you load-test against your worst expected morning.
Failure modes, and what each one looks like. Name them before they page you.
- Okta CIAM unreachable — patients cannot authenticate; the portal is effectively down even though every AWS component is healthy. Mitigation: graceful degraded mode (cached read-only where safe), clear status messaging, and Okta’s own multi-region SLA factored into your availability math.
- HealthLake or Aurora throttling under the email-blast spike — clinical reads slow or error mid-session. Mitigation: Serverless v2 headroom, read replicas, API Gateway throttling to shed the abusive tail, and a queue-and-retry on writes.
- EHR sync lag — a result is in Epic but not yet in HealthLake, so the patient does not see it and calls the clinic. Mitigation: monitor ingestion lag as an SLO, surface a “recently updated” freshness indicator, and alert when lag exceeds the agreed window.
- Audit pipeline backpressure — if audit emission is on the request path (and it must be), a slow audit sink could stall reads. Mitigation: a fast, buffered local emit with asynchronous durable persistence to the object-locked store, designed so the durable write cannot silently fail without alerting.
- Regional outage — see DR below.
Reliability & DR (RTO/RPO). Decide the numbers per tier and write them down, because in healthcare “the portal was down” has patient-safety and regulatory weight. Aurora Multi-AZ gives automatic failover within the region for transactional data; for cross-region DR, an Aurora global database plus cross-region snapshot copies under your KMS key. S3 is regionally durable; replicate the document and audit buckets cross-region (audit replication must preserve Object Lock). HealthLake is regional, so DR means a documented restore/rehydrate plan in a paired region driven from the durable source data and Epic as the ultimate system of record. A pragmatic target for this portal: RTO 30 minutes, RPO 5 minutes for portal-transactional state, with clinical data recoverable from Epic and replicated stores. The DR runbook is tested, and the failover is orchestrated through ServiceNow so the major-incident process and the privacy team are in the loop from minute one.
Observability. Instrument the request span end to end in Datadog with distributed tracing: one trace covering edge → API Gateway → authorizer → Fargate → HealthLake/Aurora → audit, with timing on each hop. Datadog is HIPAA-eligible under a signed BAA, but you still configure sensitive-data scrubbing in the ingestion pipeline so no ePHI leaks into logs or traces — a control you verify, not assume. Emit the metrics the business and compliance actually care about: authentication success/failure and MFA-challenge rate (a spike is an attack), EHR sync lag, p95 portal latency, audit-write success rate, and failed-authorization counts (a climbing number is either a bug or someone probing delegation). Synthetic checks watch the login and a representative record-fetch journey continuously.
Governance & compliance evidence. Pin the BAA, keep an inventory of which services are HIPAA-eligible, and treat that list as a gate in code review. Apply AWS Config rules and SCPs to deny unencrypted stores, public buckets, and non-compliant regions, with Wiz as the independent check that the controls are real and producing continuous compliance evidence. Keep infrastructure and application config in version control, reviewable and revertable. Every production change passes a ServiceNow change gate, giving the compliance committee a documented approval trail. And retain the audit log for your full statutory window in the object-locked store, with a defined process for an accounting-of-disclosures request — the artifact that, in an OCR investigation, separates a manageable finding from a catastrophic one.
Explicit tradeoffs
Accept these or do not build it. Splitting clinical data into HealthLake and operational data into Aurora is the right call for interoperability and integrity, but it means the app tier joins across two stores and you own the eventual-consistency seam between Epic, HealthLake, and the patient’s view — freshness you must measure, not assume. The separate Okta CIAM tenant adds an identity system to operate and a federation/token-resolution hop the single-directory shops avoid, but it is the boundary that keeps a consumer breach away from clinical staff. Write-before-read auditing costs a little latency on every record fetch and real engineering to make the durable audit write reliable without stalling the request — and it is non-negotiable. The private-networking, CMK-everywhere, BAA-constrained posture that makes the privacy officer sign costs setup complexity and forecloses public debugging shortcuts; the price of forgetting a VPC endpoint or an encryption flag is a compliance finding, not a clear error. And the edge (Akamai + WAF + Shield), the CIAM, the audit immutability, and the posture scanning are all overhead you could skip for an internal ten-user tool and absolutely cannot skip for a public patient portal holding ePHI.
The alternatives, and when they win. If you are a small practice rather than a hospital network, a vendor patient portal bundled with your EHR (Epic MyChart, athenahealth) is faster and cheaper than building — graduate to a custom build when you need a differentiated experience, multi-EHR aggregation, or control the vendor cannot give. If your clinical data genuinely does not need to be FHIR-native and you will never face the patient-access API, a relational store is simpler — but in 2026 that bet is almost always wrong. If consumer identity is trivial for your use case, Amazon Cognito is the cheaper, AWS-native CIAM; Okta CIAM earns its premium specifically when you need mature delegation, adaptive MFA, breached-credential intelligence, and consent — exactly the consumer-grade healthcare requirements that sink a homegrown login.
The shape of the win
For the hospital network, the payoff is not “a portal.” It is that a patient at home checks a lab result the morning after their draw, messages their care team a follow-up question, and downloads their records into the health app they chose — and every one of those actions is authenticated against a consumer-grade identity system, authorized down to a delegation grant, served from an encrypted FHIR store that never touched the public internet, and logged in an audit trail no one can tamper with. That last clause is the one that funds the platform. Everything upstream — the Okta CIAM tenant, the HealthLake FHIR backend, the KMS-encrypted stores, the object-locked audit, the Wiz posture scanning, the CrowdStrike runtime sensors, the WAF and Shield at the edge — exists so that a privacy officer, a CISO, and ultimately an OCR investigator each say yes. The architecture here is the destination; start narrower if you must, but this is where a public, regulated, patient-facing health portal has to land.