AWS Public Sector Blog
Migrating and modernizing state WIC applications with AWS
Public health agencies know that modernizing their technology infrastructure is necessary to avoid disruptions to program operations and create new opportunities to serve their constituents.
To this end, the Arizona Department of Health Services (AZDHS) migrated their Women, Infants and Children (WIC) solution to Amazon Web Services (AWS) to increase resiliency so essential services are available to WIC beneficiaries, and to provide a more seamless WIC program experience overall. This makes the State of Arizona the first in the nation to run their WIC program in a multi-Region cloud environment with robust disaster recovery capabilities.
Learn how the State of Arizona migrated and modernized its WIC program with AWS, and find out more about how public health agencies can adopt a similar solution to take a measured approach to modernization.
The modernization opportunity for WIC programs
The Women, Infants and Children (WIC) program, sponsored by the United States Department of Agriculture (USDA), aims to promote and encourage the health of low-income women, infants, and children under five years of age who may be facing nutrition risk. The AZDHS WIC Program provides services through 21 local agency providers, including 13 county health departments, seven community health centers, and one non-profit agency. The AZDHS WIC Program serves an average of 138,000 women, infants, and children each month. In addition, the AZDHS WIC Program serves as the lead agency in the Health And Nutrition Delivery System (HANDS) Consortium, which consists of American Samoa, Commonwealth of the Northern Mariana Islands, Guam, Navajo Nation, and Washington, D.C.
Historically, consortiums built WIC technology solutions on premises and leveraged them across several states or regions in the US. This technology is aging across the U.S., which can create challenges for both WIC beneficiaries and staff – highlighting the need for modernization.
The American Rescue Plan Act of 2021 provided the USDA with $390 million available in non-competitive grants to offer WIC agencies looking to innovate their technology. Modern, advanced WIC technology applications (i.e. electronic benefits, smartphone capabilities, program administration) can offer a more intuitive and effective beneficiary and program-staff experience. Cloud migrations and microservices can create opportunities for WIC administrators and technologists to plug-and-play solutions that assist beneficiaries with WIC applications, case management, reduced administrative burden, and engagement in their health, while continuing to leverage their current technical solutions.
The State of Arizona’s WIC migration journey with AWS
AZDHS leadership recognized the need to begin their WIC modernization journey by migrating to AWS. AZDHS wanted to increase resiliency and add a disaster recovery environment to better support program staff using the technology for WIC beneficiary case management. First, AZDHS engaged AWS to evaluate moving the WIC program technology to the cloud to promote the protection and availability of WIC data, currently used in clinics across numerous cities, counties, and territories to manage WIC eligibility and electronic benefit transfer (EBT) benefits. AZDHS elected to migrate over a dozen essential WIC services and databases onto AWS.
Then, the AZDHS and AWS teams worked with WIC program leadership to plan and validate the team’s design for multiple environments of their WIC technology. Together, AZDHS and AWS built several environments, including a disaster recovery environment in another AWS Region. This gives them geographic separation of their workload to protect the system from technical failures and ensure business continuity. The team migrated applications for WIC constituent agencies across time zones during their off-hours, which included a pre-planned clinic closure on a Saturday during the switch-over event. The WIC system went live in production in March 2023.
It took AZDHS six months to migrate multiple environments to the AWS Cloud, using AWS technical assistance alongside their own information technology resources. AZDHS later added AWS microservices to enhance functionality.
“The migration was frictionless and speedy, with excellent guidance from the AWS account team—working directly alongside our AZDHS leadership,” said Paula Mattingly, chief information officer (CIO) for AZDHS. “As a collective, we were not only committed to solving for a solution that would improve our standard environments, but accounted for, planned, and tested a complete disaster recovery environment.”
AZDHS chose AWS for its modernization approach to simplify backup and restoration capabilities, reduce effort for capacity planning across program and case management, and improve deployment times—all of which AZDHS has realized since completing the migration.
Hosting WIC applications on AWS: A solution overview
Are you curious about how to design a similar migration and modernization architecture, like the one AZDHS used to migrate their WIC applications?
Figure 1 shows how to host a classic web application, such as a WIC management information system (MIS), on AWS, and how to migrate WIC applications to the cloud. AWS supports multiple disaster recovery strategies that public health agencies can deploy based on their uptime or service level agreement (SLA) requirements. The AWS whitepaper Disaster recovery options in the cloud describes how the architecture can be extended to implement disaster recovery.
Figure 1. High-level architecture of a WIC web application on AWS, described in more detail in the following section.
The architecture illustrated in Figure 1 is divided into sections based on component functionality.
Section 1: The User Interface Layer is the part of the solution that end users engage with. Users can safely log into the application website and browse the website contents. For example, a WIC program manager may be able to securely log into the WIC Management Information System (MIS) before seeing a WIC program beneficiary. Section 1 uses the following AWS services:
- Amazon Route 53 (Route 53) provides highly available and scalable Domain Name System (DNS), domain name registration, and health-checking web services. When end users access the website through a web browser using a URL, Route 53 receives web requests and forwards them to AWS WAF.
- AWS WAF, a web application firewall, provides protection for the solution against common web exploits and bots that have the potential to compromise security, reduce the solution’s availability, or consume an excessive number of resources. AWS WAF examines web requests for common web exploits and, upon successful verification, forwards them to Amazon CloudFront (CloudFront).
- CloudFront analyzes incoming web requests targeting static items like .html, .css, and .js files. It expeditiously serves these assets from its cache repository when available. In instances where the requested items are not cached, CloudFront directs the request to the Elastic Load Balancing (ELB) infrastructure integrated into the AWS backbone network. CloudFront provides end users the benefit of a faster distribution of both static and dynamic web content. This includes image files as well as .html, .css, and .js files. Amazon CloudFront delivers the contents of the website to users and reduces the amount of time it takes for users to browse, submit requests, and receive responses.
- AWS Shield is a managed service that provides protection against Distributed Denial of Service (DDoS) attacks for applications running on AWS. AWS Shield Standard is automatically enabled for all AWS customers at no additional cost and provides protection against common and most frequently occurring infrastructure (layer 3 and 4) attacks like SYN/UDP floods, reflection attacks, and others to support high availability of WIC applications on AWS.
Section 2: The Middle Layer infrastructure controls how users engage with the underlying data. This can involve things like authenticating users, managing sessions, and granting access to data stored in underlying databases. For example, this layer controls information stored or used in a WIC MIS or eligibility verification solution. Section 2 uses the following AWS services:
- A frontend ELB routes the traffic to the web servers, and an application ELB routes the traffic to the App servers. To enhance resiliency, the architecture demonstrates the deployment of WIC applications web servers and app servers across two Availability Zones (AZ). The combination of ELB and AWS Auto Scaling enhances application responsiveness, availability, and the user experience by distributing traffic across multiple targets, scaling up or down based on the traffic pattern.
- Amazon Elastic Compute Cloud (Amazon EC2) offers scalable computing capacity within the AWS Cloud. In this solution, Amazon EC2 hosts the application code that receives requests from ELB and then responds to those requests.
Section 3: The Database Layer stores the application data that is created, used, and updated by the users of the website. This may include databases storing data for EBT, eligibility, or MIS applications. Section 3 uses the following AWS services:
- Amazon Relational Database Service (Amazon RDS) is a collection of managed services that makes it simple to set up, run, and scale databases in the cloud. Amazon RDS provides an option to pick a database engine of your choice from one of the seven well-known database engines. The solution achieves high availability by using Multi-AZ deployments of Amazon RDS databases. Multi-AZ deployment in Amazon RDS involves setting up a primary database instance in one AZ and creating a standby instance in another AZ within the same AWS Region. This setup aims to enhance the availability, durability, and fault tolerance of your RDS database.
Securing WIC applications in the cloud
When working with sensitive medical information and personally identifiable information (PII), it is standard practice to encrypt data both in transit and at rest. Encrypt data at rest with AWS Key Management Service (AWS KMS), using customer managed keys to enforce least-privilege access controls. AWS KMS lets you create, manage, and control cryptographic keys across your applications and AWS services.
Optionally, you can enable Amazon GuardDuty (GuardDuty) in an AWS account where WIC applications are deployed. GuardDuty is an intelligent threat detection service that continuously monitors your AWS accounts and Amazon EC2 instances. If potential malicious activity, such as anomalous behavior, credential exfiltration, or command and control infrastructure (C2) communication, is detected, GuardDuty generates detailed security findings that can be used for security visibility and assisting in remediation.
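The encryption-at-rest and Multi-AZ guidance above can be checked against an inventory of database instances. The following is an added example, not code from AWS or AZDHS: a Python audit that flags Amazon RDS instances that are not Multi-AZ, not encrypted at rest, or encrypted with a key that is not customer managed. The instance names, key ARNs, and account ID are constructed; the field names follow the output of `aws rds describe-db-instances` and the `KeyManager` value returned by `aws kms describe-key`.

```python
# Constructed sample shaped like `aws rds describe-db-instances` output.
# Instance names, key ARNs and the account ID are placeholders.
CMK_ARN = "arn:aws:kms:us-west-2:111122223333:key/example-customer-key"
AWS_ARN = "arn:aws:kms:us-west-2:111122223333:key/example-aws-managed-key"

SAMPLE_DB_INSTANCES = {
    "DBInstances": [
        {"DBInstanceIdentifier": "wic-mis-prod", "MultiAZ": True,
         "StorageEncrypted": True, "KmsKeyId": CMK_ARN},
        {"DBInstanceIdentifier": "wic-ebt-prod", "MultiAZ": True,
         "StorageEncrypted": True, "KmsKeyId": AWS_ARN},
        {"DBInstanceIdentifier": "wic-elig-test", "MultiAZ": False,
         "StorageEncrypted": False},
    ]
}

# Constructed sample: key ARN -> KeyMetadata.KeyManager from `aws kms describe-key`.
SAMPLE_KEY_MANAGERS = {CMK_ARN: "CUSTOMER", AWS_ARN: "AWS"}


def audit_db_instance(db, key_managers):
    """Return the list of findings for one DBInstances entry."""
    findings = []
    if not db.get("MultiAZ", False):
        findings.append("not-multi-az")
    if not db.get("StorageEncrypted", False):
        findings.append("storage-not-encrypted")
        return findings  # no key to inspect on an unencrypted instance
    manager = key_managers.get(db.get("KmsKeyId"))
    if manager is None:
        # Key was not described (for example, no permission): treat as a finding.
        findings.append("kms-key-unknown")
    elif manager != "CUSTOMER":
        findings.append("kms-key-not-customer-managed")
    return findings


def audit(db_instances, key_managers):
    """Map each instance identifier to its findings (empty list = compliant)."""
    return {db["DBInstanceIdentifier"]: audit_db_instance(db, key_managers)
            for db in db_instances["DBInstances"]}


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_DB_INSTANCES, SAMPLE_KEY_MANAGERS).items():
        print(name, "OK" if not findings else ", ".join(findings))
```

To run it against a real account, replace the two sample structures with the saved JSON from the corresponding CLI calls.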
Learn more about AWS for WIC and public health
WIC is an integral citizen service that makes sure women, infants, and children have access to healthy and effective health programs, goods, and services. Migrating WIC technology can help public health agencies increase scalability, resiliency, disaster recovery, modernization opportunities, and more. As the first state to migrate their WIC program to the cloud, AZDHS has paved the way for cloud modernization for other public health agencies.
For more information on migrating your WIC technology or how AWS can help, please contact aws-publichealthmodernization@amazon.com.