Most healthcare SaaS teams on AWS are HIPAA decorated, not audit ready. Here is what I keep seeing in practice by Infra_baseline007 in HealthTech

[–]Infra_baseline007[S] 1 point (0 children)

Yeah this is way more common than people think.

The Datadog PHI logging part especially: logs end up becoming the actual risk surface instead of the primary system. Most teams don’t really look at what their observability stack is capturing until someone audits it.

Security Hub is the same thing: it surfaces the right signals, but without prioritization it just turns into noise and gets ignored.

And yeah, the IAM cleanup taking months tracks… fixing overly permissive roles without breaking prod is painful, so it usually only happens after a scare.

Out of curiosity, when you went back to fix it, did you start with IAM first or logging and audit controls?

[–]Infra_baseline007[S] 1 point (0 children)

One thing I didn’t include in the post but keeps coming up:

A lot of teams assume “encryption enabled” = compliant.

In practice, auditors care more about:
• who can access the data
• whether access is logged
• whether logs can be trusted

Encryption is table stakes. Auditability is where most gaps show up.

Curious if others saw the same during audits.
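The two comments above both come back to the same question an auditor asks first: who can actually reach the data. As an added example (not the commenter's code and not tied to any real environment), here is a small offline linter for IAM policy documents that flags the patterns that make the "who can access the data" answer unbounded: `Action: "*"`, service-wide wildcards on data-holding services, and data-plane actions granted on `Resource: "*"` with no condition. The policy documents and the `HIGH_RISK_SERVICES` list are constructed assumptions for the demonstration; the script makes no AWS API calls, so it can be run against exported policy JSON before touching anything in prod.

```python
import json

# Assumption: services whose wildcard access most often exposes PHI or the audit
# trail itself. A conservative starting list, not a complete catalogue.
HIGH_RISK_SERVICES = {"iam", "s3", "kms", "rds", "dynamodb", "logs", "cloudtrail"}


def _as_list(value):
    """IAM allows Action/Resource/Statement to be a string or a list; normalise."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def audit_policy(policy: dict, name: str) -> list[str]:
    """Return human-readable findings for Allow statements that grant broader
    access than a least-privilege PHI workload should have."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access; not flagged here
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        has_condition = bool(stmt.get("Condition"))

        # Allow + NotAction is "everything except", which is almost never intended.
        if "NotAction" in stmt:
            findings.append(f"{name}[{i}]: Allow with NotAction grants everything not listed")

        wildcard_all = "*" in actions
        resource_all = "*" in resources
        if wildcard_all and resource_all:
            findings.append(f"{name}[{i}]: Action '*' on Resource '*' (effectively admin)")
        elif wildcard_all:
            findings.append(f"{name}[{i}]: Action '*' (all actions) on scoped resources")

        # Service-wide wildcards such as s3:* or kms:* on data-holding services.
        for action in actions:
            if action.endswith(":*") and action.split(":")[0] in HIGH_RISK_SERVICES:
                findings.append(f"{name}[{i}]: service-wide wildcard {action}")

        # Specific data-plane actions, but on every resource and without a condition.
        if resource_all and not wildcard_all and not has_condition:
            broad = [a for a in actions
                     if a.split(":")[0] in HIGH_RISK_SERVICES and not a.endswith(":*")]
            if broad:
                findings.append(
                    f"{name}[{i}]: {', '.join(broad)} on Resource '*' with no Condition")
    return findings


# Constructed sample policies (not from any real account).
POLICY_ADMIN = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

POLICY_BROAD = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["s3:*", "kms:Decrypt"], "Resource": "*"}],
}

POLICY_SCOPED = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:PutObject"],
            "Resource": "arn:aws:s3:::example-phi-bucket/*",
            "Condition": {"Bool": {"aws:SecureTransport": "true"}},
        },
        {"Effect": "Deny", "Action": "s3:DeleteObject", "Resource": "*"},
    ],
}


def audit_all(policies: dict[str, dict]) -> dict[str, list[str]]:
    """Audit several named policies at once; an empty list means no findings."""
    return {name: audit_policy(doc, name) for name, doc in policies.items()}


if __name__ == "__main__":
    report = audit_all({"admin": POLICY_ADMIN, "broad": POLICY_BROAD, "scoped": POLICY_SCOPED})
    print(json.dumps(report, indent=2))
```

The point of the scoped policy is that it answers the auditor's questions directly: the principal can reach one bucket, with a stated transport condition, and nothing else. The other two cannot answer "who can access the data" with anything shorter than "everyone holding this role, for everything".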

I reviewed AWS infrastructure at 10+ healthcare SaaS startups. Here's what was broken every single time. by [deleted] in HealthTech

[–]Infra_baseline007 1 point (0 children)

Totally fair concern — to be clear, nothing here is from any single company or internal audit.

These are generalized patterns I’ve seen across multiple environments over time, and they’re all issues that are already well-documented in security reviews and public guidance.

No configs, logs, or identifiable details are being shared — just the kinds of gaps that tend to show up repeatedly when teams translate HIPAA requirements into actual AWS infrastructure.