Context
Vyna's telehealth platform tripled its patient volume in a year. Everything ran in a single-region ECS cluster built in 2019 — including every PHI data path.
A HIPAA audit was scheduled in one quarter, and the existing setup couldn't demonstrate the required access controls, encryption posture, or disaster-recovery story.
The challenge
PHI can't take downtime and can't leak: every migration step had to keep data paths encrypted, logged, and inside the BAA boundary.
The audit date was fixed. The migration either finished — with evidence — in 11 weeks, or the audit failed.
Approach
Compliance mapping
Weeks 1–2Built the control matrix mapping each HIPAA safeguard to an enforceable platform control, plus data-flow diagrams for every PHI path.
Landing zone
Weeks 3–5Multi-region EKS (active/passive) with Karpenter provisioning, Vault for secrets and PHI encryption keys, Cilium eBPF network policies default-deny.
Strangler migration
Weeks 6–10Service-by-service migration with shadow traffic: each service ran in both environments with live-mirrored requests until parity was proven, then cut over.
Audit preparation
Week 11Automated evidence collection — policy reports, access logs, encryption attestations — generated from the platform itself rather than screenshots.
Architecture
Results
Fixed deadline met with one week of buffer to spare.
Karpenter-provisioned headroom absorbed the next year of growth.
First-try pass; auditors cited the automated evidence pipeline.
Down from a 4-hour manual runbook.
“The auditors asked how we generated the evidence packet. That's the first time an audit ended with them taking notes.”