This deployment provides a production-ready OpenEMR system on Amazon ECS with Fargate for serverless compute, automatic container orchestration, elastic scaling, and an integrated monitoring, security, and observability stack.
⚠️ HIPAA Compliance Notice: No matter what you're deploying to AWS full HIPAA compliance requires ...
- Executed Business Associate Agreement (BAA) with AWS
- Organizational policies and procedures
- Staff training and access controls
- Regular security audits and risk assessments
- Value Proposition
- Architecture
- What You Get
- Costs
- Prerequisites
- Quick Setup (~50 minutes)
- Access OpenEMR
- Clean Up
- Need Help?
- Automation & Maintenance
- Additional Resources
Transform your healthcare facility with enterprise-grade EHR system at a fraction of traditional costs:
- Traditional EHR setup: $40-50M upfront
- OpenEMR on AWS: Starting at $214/month
- Includes: HIPAA-eligible architecture, automated scaling, multi-zone availability, and 7-year backup retention
- Zero infrastructure management required
| Component | Purpose | Connects To | Scaling |
|---|---|---|---|
| Application Load Balancer | Traffic distribution & SSL termination | WAF, Fargate Tasks | Auto |
| AWS WAF | Web application firewall | Internet, ALB | Fixed |
| ECS Fargate | OpenEMR application hosting | ALB, EFS, RDS, ElastiCache | Auto |
| Amazon EFS | Shared file storage | Fargate Tasks | Auto |
| Aurora Serverless v2 | MySQL database | Fargate Tasks | Auto |
| ElastiCache Serverless | Redis caching | Fargate Tasks | Auto |
| Secrets Manager | Credential storage | Fargate Tasks | Managed |
| KMS | Encryption key management | All encrypted services | Managed |
Compute Layer
- ECS Fargate: Serverless container platform running OpenEMR with automatic scaling based on CPU/memory utilization
Storage Layer
- Amazon EFS: Serverless NFS for shared OpenEMR files, documents, and configurations
- Aurora Serverless v2: Auto-scaling MySQL database with multi-AZ deployment for high availability
Caching Layer
- ElastiCache Serverless: Redis cache for session management and application performance optimization
Security Layer
- AWS WAF: Protection against common web exploits and bot attacks
- KMS: Encryption at rest for all data stores
- Secrets Manager: Secure credential rotation and access
Network Layer
- Application Load Balancer: SSL termination and traffic distribution across availability zones
- Private Subnets: Isolated network segments for database and cache resources
- NAT Gateways: Secure outbound internet access for private resources
- A fully managed, HIPAA-eligible OpenEMR installation
- Automatic scaling to handle any workload
- Enterprise security with AWS WAF and encrypted storage
- Automated daily, weekly, and monthly backups with 7-year retention
- High availability across multiple AWS availability zones
You'll pay for the AWS resources you use with this architecture but since that will depend on your level of usage we'll compute an estimate of the base cost of this architecture (this will vary from region to region).
Key Assumptions:
- Work week: 40 hours (8 hours/day, 5 days/week)
- Peak hours: 8AM-4PM EST, Monday-Friday (160 hours/month)
- Off-peak hours: All other times (570 hours/month)
- Region: N. Virginia (us-east-1)
- Load Balancer: 25 requests per second
- AWS Fargate: Note: A minimum of two tasks with 1 vCPU and 2GB of memory running during peak and off-peak hours for this architecture
- Peak Hours (160 hours):
- vCPU: 2 tasks × 1 vCPU × 160 hours × $0.04048 = $12.95
- Memory: 2 tasks × 2 GB × 160 hours × $0.004445 = $2.84
- Off-Peak Hours (570 hours):
- vCPU: 2 tasks × 1 vCPU × 570 hours × $0.04048 = $46.15
- Memory: 2 tasks × 2 GB × 570 hours × $0.004445 = $10.13
- Total: $59.10 + $12.98 = $72.07/month
- Peak Hours (160 hours):
- Load Balancer: 25 requests per second
- $0.0225/hour = 730h * $0.0225 = $16.43/month
- LCU cost: 1 LCU × $0.008 × 730 hours = $5.84/month
- Total: $16.43 (Fixed) + $5.84 (LCU) = $22.27/month
- 2 NAT Gateways: $0.09/hour = 2 * (730h * $0.045) = $65.70/month
- Elasticache Serverless: $0.0084/hour = 730h * $0.0088 = $6.45/month
- EFS Costs: Minimum billing is 1GB per mount (2 mounts)
- Total: 2GB × $0.08 per GB-month = $0.16/month
- RDS Aurora Serverless V2:
- 160 hours per month × 2 ACUs × $0.12 = $38.40/month - Compute
- 10GB × $0.10 per GB = $1.00/month - Storage
- Baseline IO operations: (730 hours × 3,600) × $0.0000002 = $0.53
- Total: $38.40 + $1.00 + $0.53 = $39.93/month
- AWS Backup Costs:
- Backup Storage Calculation: Daily backups (30 days): 0.005 GB × 30 = 0.15 GB Weekly backups (52 weeks): 0.005 GB × 52 = 0.26 GB Monthly backups (84 months/7 years): 0.005 GB × 84 = 0.42 GB Total backup storage: 0.83 GB
- Warm storage (first 50TB): $0.05 per GB-month
- Cost per month: 0.83 GB × $0.05 = $0.0415/month
- Additional costs:
- Backup API requests: $0.05 per 1,000 requests
- 30 daily + 4 weekly + 1 monthly = ~35 backups per month
- Cost: (35/1000) × $0.05 = $0.00175/month
- Total AWS Backup Monthly Cost: $0.05/month
- 2 Secrets Manager Secrets: $0.80/month
- 1 WAF ACL: $5/month
- 1 KMS Key: $1/month
- Total base cost: ~$214/month
This works out to a base cost of $214/month. The true value of this architecture is its ability to rapidly autoscale and support even very large organizations. For smaller organizations you may want to consider looking at some of OpenEMR's offerings in the AWS Marketplace which are more affordable.
- An AWS Account
- AWS CLI installed and configured
- Python 3.x installed
- Node.js and npm installed (required for CDK)
- AWS CDK installed (
npm install -g aws-cdk)
For detailed setup instructions, see DETAILS.md Instructions section
-
Install Dependencies
# Create and activate Python virtual environment python3 -m venv .venv source .venv/bin/activate # On Windows use: .venv\Scripts\activate.bat # Install required packages pip install -r requirements.txt # Create required AWS service accounts aws iam create-service-linked-role --aws-service-name ecs.amazonaws.com aws iam create-service-linked-role --aws-service-name ecs.application-autoscaling.amazonaws.com
-
Configure Access
- Open
cdk.json - Set
security_group_ip_range_ipv4to your IP address (e.g., "[IP_ADDRESS]") - "203.0.113.131/32" will open it to that ip address (Recommended: use your public IP address)
- For public access, use "0.0.0.0/0" (not recommended)
For advanced configuration options, see DETAILS.md Customizing Architecture Attributes
- Open
-
Deploy (~40 minutes)
cdk deploy
- Use the URL provided in the deployment output
- Login credentials:
- Username:
admin - Password: Find in AWS Secrets Manager under "Password..."
- Username:
When you have completed your testing you can clean up the deployed environment by running:
cdk destroyManual cleanup items:
- AWS Backup Vault
For information about backup retention and recovery, see DETAILS.md AWS Backup section
- Full documentation in DETAILS.md
- Submit issues on GitHub: https://github.com/openemr/host-openemr-on-aws-fargate
- Join the OpenEMR community: https://community.open-emr.org/
- CI Validation (
.github/workflows/ci.yml) – Runs unit tests and tests synthesizing the CDK application on every PR and push. Uses mocked AWS credentials withcdk synth --no-lookupsto keep the pipeline credential-free. - Monthly Version Check (
.github/workflows/monthly-version-check.yml) – Scheduled on the first of each month (and manually runnable) to scan pinned Python packages, Aurora engine versions, EMR Serverless releases, Lambda runtimes, and container tags. Creates an issue when updates are detected. - Manual Release (
.github/workflows/manual-release.yml) – Provides a guidedworkflow_dispatchrelease process with semantic version bumps, tag/release creation, and optional dry run. Seedocs/MANUAL_RELEASES.mdin the EKS project for process parity.
Detailed usage notes and manual trigger instructions are available in DETAILS.md.
- Detailed Architecture Documentation
- Load Testing Results
- Customizing Architecture Attributes
- Serverless Analytics Environment
- HTTPS Setup Guide
- DNS Automation
- Security Best Practices
- HIPAA Compliance Notes
- REST and FHIR APIs
- AWS Backup Configuration
- Database Access via ECS Exec
- Aurora ML for AWS Bedrock
- AWS Global Accelerator
- AWS CDK Documentation
- AWS CLI Documentation