AWS Cloud: EC2 T2 license restriction needs to be removed - seeing "lack of capacity" EC2 Webserver shutdowns on this "old" platform

@stephenwaite
Situation
The OpenEMR license of OpenEMR on AWS prevents running the OpenEMR Webserver on the current burstable instance type T3.

The OpenEMR license of OpenEMR on AWS restricts that the OpenEMR Webserver must be on a T2 instance, which is being deprecated by AWS. T3’s are not allowed due to the OpenEMR AWS Marketplace license restriction that the webserver instance must be on a T2. Note that the MySQL database can run on a T3.

Over the past 3 months or so I have seen EC2 T2 spot instances being shut down occasionally (sometimes daily, sometimes every 2 weeks) due to a lack of capacity on all US domains. This is an annoyance because our EMR is being occasionally shut down (it can usually be restarted immediately).

I asked AWS support about this, and they recommended switching to on-demand instances (increases my cost by several hundred dollars per month - great idea Amazon :blush: lol ) or switching to T3’s, which, of course, I cannot do. This license restriction needs to be removed.

OpenEMR Version
I’m using the OpenEMR version 6.0.0(3)

Browser:
I’m using: N/A

Operating System
I’m using: AWS

Logs
Did you check the logs? Yes.
Was there anything pertinent in them? The EC2 spot system is shutting these instances down. A reason is not given by the “spot instance” events. The “spot instance” support team confirmed that they are being shut down due to a lack of capacity by AWS.

@jesdynf any thoughts on this?

Standard or Express?

I am using Standard. However, most likely all AWS-hosted OpenEMR systems are affected if they use the spot instance type to save money (reduces the cost by about 50% which is significant when you are paying several hundred dollars a month to AWS). On-demand instances (the default that is installed with the script) are unaffected at this time, however, the T2 instances are obsolete, and it is likely that they could be affected in the near future as well.

Note that T3 instances are actually cheaper than their older T2 predecessors.
–RBL

Done, with caveats.

Marketplace allows you to restrict the type of instances used, and I’d done so because I thought it was more useful to allow a curated selection of relevant instance types (and because I didn’t want to manually check hundreds and hundreds of cells on a spreadsheet). But the selection of instances keeps expanding, and I hadn’t kept up with what’s sensible.

I’ve disabled the restrictions in an update request I just sent to Marketplace staff. Note that I don’t know how long it will take them to implement, and although I specified the changes should apply to all known versions I don’t know for sure they’ll cleanly affect existing installations.

Sorry for the trouble!


@jesdynf
Wonderful. Thank you very much! Do you have an AWS support case number that I can reference in my own AWS support request?

I would recommend that the installation script for the OpenEMR Cloud EXPRESS and STANDARD both recommend t3 instead of t2 (deprecated) for typical intermittent use – not sure if that is in your AWS request or not. Heavy users of OpenEMR may want to consider m3 etc.
–RBL

I did catch the t2 rec and bump it up! I’ll let you know a ticket ID if I hear back from them, but I don’t always get a direct response on these.


Back and forth with AWS Support, still in progress.


Good work!
I just looked at
AWS Marketplace: OpenEMR Cloud - Express Edition

And apparently AWS has fixed this without telling you.
The pricing tool and Configuration page now includes t3 nano, micro, etc. instances.

My AWS account isn’t fully active yet, so I can’t go further in setup, but it looks as though you fixed this.

TLDR-

  • Good News!!
  • Open EMR Express installs on AWS t3.micro (it installs on t3.nano but won’t run)
  • This is eligible for Amazon’s BAA, so this installation can be HIPAA compliant.
  • Not so good news: Their BAA requires PHI to be encrypted on their servers

Long version:

Fixed the account, installed OpenEMR Cloud - Express Edition on a t3.nano instance, then went to
AWS Artifact console
and selected the HIPAA BAA.
Amazon changed their HIPAA requirements in 2017; you no longer need a dedicated server. Any Amazon EC2 is now a HIPAA Eligible Service

Their BAA is very vague, except it REQUIRES encryption of all PHI, not just in transit but ALSO on their servers.

Is there a setting to encrypt the database?

(Edit- there is a setting, in the Demo, it’s on.)
Using ANY Amazon services without encrypting the PHI is a HIPAA violation, because you’re not following the Business Associate Agreement, that you’re a party to, so it’s part of YOUR HIPAA documents. Not following your own HIPAA manual is an obvious violation.

If this weren’t part of Amazon’s BAA, encryption would not be required. Encryption is considered “Addressable” when you’re doing your required ‘risk analysis’.

So if you have an unencrypted DB on your own server, which is otherwise reasonably secure, that’s permissible.

Answered my own question

Enable Encryption of Items Stored on Drive

  • (This setting was added in OpenEMR version 5.0.2)
  • This will enable encryption of items that are stored on the drive.

Found at
https://www.open-emr.org/wiki/index.php/Administration_Globals#Enable_Encryption_of_Items_Stored_on_Drive

It’s in the Demo, and it’s on.
One less problem.
Thanks to those who did this in V 5!!

They got back to me about Standard just today, I haven’t had a chance to review it yet.

Note that Standard uses KMS to encrypt both the RDS database instance and the particular EC2 block device used for patient documents.

Express can’t match that – it has to do with how the AMI is deployed. although that’s so not the only reason Express is not HIPAA eligible – but if I recall correctly I think Express Plus also uses KMS encryption of the instance.
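The thread turns on whether the EBS volume holding patient documents and the RDS database are actually encrypted with KMS, since the BAA discussion above makes at-rest encryption a requirement. The script below is an added example, not code from the OpenEMR project or from anyone in this thread: it audits `describe_volumes` and `describe_db_instances` style responses and reports every volume or DB instance that is not encrypted at rest. The input dicts are constructed inline (the volume IDs, instance ID, DB identifiers and KMS key ARNs are made-up placeholders) so it runs offline; against a real account they would come from `boto3.client("ec2").describe_volumes()` and `boto3.client("rds").describe_db_instances()`, whose response keys this example mirrors.

```python
"""Audit EBS volumes and RDS instances for at-rest (KMS) encryption.

Added example for an OpenEMR-on-AWS deployment. The two SAMPLE_* dicts are
constructed to match the shape of boto3's ec2.describe_volumes() and
rds.describe_db_instances() responses; all IDs and ARNs are placeholders.
"""
from typing import Dict, List

# Constructed sample shaped like ec2.describe_volumes().
SAMPLE_VOLUMES = {
    "Volumes": [
        {   # root volume of the webserver: NOT encrypted (placeholder IDs)
            "VolumeId": "vol-0example0root",
            "Encrypted": False,
            "Attachments": [{"InstanceId": "i-0examplewebsrv", "Device": "/dev/xvda"}],
        },
        {   # patient-document volume: KMS-encrypted (placeholder key ARN)
            "VolumeId": "vol-0example0docs",
            "Encrypted": True,
            "KmsKeyId": "arn:aws:kms:us-east-1:000000000000:key/EXAMPLE-KEY-ID",
            "Attachments": [{"InstanceId": "i-0examplewebsrv", "Device": "/dev/xvdf"}],
        },
        {   # detached leftover volume: NOT encrypted and easy to overlook
            "VolumeId": "vol-0example0old",
            "Encrypted": False,
            "Attachments": [],
        },
    ]
}

# Constructed sample shaped like rds.describe_db_instances().
SAMPLE_DB_INSTANCES = {
    "DBInstances": [
        {
            "DBInstanceIdentifier": "openemr-db",
            "StorageEncrypted": True,
            "KmsKeyId": "arn:aws:kms:us-east-1:000000000000:key/EXAMPLE-KEY-ID",
        },
        {   # a test copy that was restored without encryption
            "DBInstanceIdentifier": "openemr-db-test",
            "StorageEncrypted": False,
        },
    ]
}


def unencrypted_volumes(describe_volumes_response: dict) -> List[Dict[str, str]]:
    """One finding per EBS volume whose Encrypted flag is not True.

    Detached volumes are reported too: a snapshot restored without a KMS key
    still holds PHI even if no instance is currently using it.
    """
    findings = []
    for vol in describe_volumes_response.get("Volumes", []):
        if vol.get("Encrypted") is True:
            continue
        attached_to = [a.get("InstanceId", "?") for a in vol.get("Attachments", [])]
        findings.append({
            "resource": vol["VolumeId"],
            "attached_to": ",".join(attached_to) or "(detached)",
            "issue": "EBS volume not encrypted at rest",
        })
    return findings


def unencrypted_db_instances(describe_db_response: dict) -> List[Dict[str, str]]:
    """One finding per RDS instance whose StorageEncrypted flag is not True."""
    findings = []
    for db in describe_db_response.get("DBInstances", []):
        if db.get("StorageEncrypted") is True:
            continue
        findings.append({
            "resource": db["DBInstanceIdentifier"],
            "attached_to": "(rds)",
            "issue": "RDS storage not encrypted at rest",
        })
    return findings


def audit(volumes_response: dict, db_response: dict) -> List[Dict[str, str]]:
    """Combine both checks into a single list of findings."""
    return unencrypted_volumes(volumes_response) + unencrypted_db_instances(db_response)


if __name__ == "__main__":
    for f in audit(SAMPLE_VOLUMES, SAMPLE_DB_INSTANCES):
        print(f"{f['resource']:20} {f['attached_to']:18} {f['issue']}")
```

On a real account the two `describe_*` calls paginate, so feed every page through the functions (or use the clients' paginators) rather than only the first response; the check deliberately treats a missing `Encrypted`/`StorageEncrypted` key as a finding, so a volume the API does not positively report as encrypted is never silently passed.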