Gulf Specialized Hospital (GSH)

Healthcare Data Residency Compliant Platform on AWS Local Zone in Oman

Customer Overview

International Specialized Hospital (GSH), established in 2015, is one of Oman’s leading healthcare providers, delivering a broad range of specialized medical services including advanced outpatient clinics and surgical care. As part of its digital transformation strategy, GSH adopted the KareXpert healthcare platform to modernize clinical and operational workflows while ensuring compliance with strict healthcare data residency regulations in Oman.

Business Challenge

As a regulated healthcare organization, GSH is required to ensure that sensitive patient and clinical data remains physically within Oman. At the same time, the KareXpert platform needed a modern, scalable, and resilient infrastructure capable of supporting increasing user demand, performance requirements, and future growth.

GSH required a solution that would:

  • Enforce strict healthcare data residency within Oman
  • Support containerized, cloud native workloads
  • Meet high security and compliance standards
  • Deliver high availability and scalability
  • Reduce operational and management overhead

Solution Overview

Cirrusgo designed and implemented a production-grade AWS architecture using AWS Local Zone in Oman to meet data residency requirements, combined with a parent AWS Region for non-sensitive supporting services. The platform was built using Amazon EKS for container orchestration and a self-hosted MongoDB cluster on Amazon EC2 to ensure that all sensitive healthcare data remained within the Oman Local Zone.

Cirrusgo also provides ongoing managed and support services, allowing GSH to focus on delivering high-quality patient care while Cirrusgo operates and optimizes the cloud environment.

Architecture Highlights

The solution was deployed within a dedicated AWS Virtual Private Cloud spanning the Oman Local Zone and the parent AWS Region, and includes:

  • Amazon EKS cluster with six worker nodes and auto scaling
  • Self-hosted MongoDB cluster on Amazon EC2 deployed in the Oman Local Zone
  • Application Load Balancer protected by AWS WAF
  • Public and private subnet segmentation for application and database tiers
  • NAT and proxy services with static Omani public IP addresses
  • Secure integration with AWS managed services in the parent region

Data Residency and Database Architecture Decision

A critical architectural decision in this project was the database deployment model, driven by healthcare data residency requirements.

MongoDB Atlas via AWS Marketplace was evaluated as a managed database option. However, MongoDB Atlas is deployed at the AWS Region level and does not support deployment within AWS Local Zones. Using MongoDB Atlas would therefore have required hosting healthcare data outside the Oman Local Zone, which would violate local healthcare data residency regulations.

To address this constraint, Cirrusgo designed and implemented a self-hosted MongoDB cluster on Amazon EC2 deployed directly in the Oman AWS Local Zone. This approach ensured:

  • Full control over database placement and data locality
  • Compliance with Oman healthcare data residency regulations
  • Low latency access from the Amazon EKS application workloads
  • Alignment with security, encryption, and backup requirements

This design enabled GSH to benefit from a modern cloud native application platform while ensuring that all sensitive healthcare data remains within Oman at all times.
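
A placement rule like this only holds if it is checked continuously. The following is an added example, not Cirrusgo's or GSH's tooling: it audits EC2 inventory records (using the field names returned by the EC2 DescribeInstances and DescribeVolumes APIs) for sensitive-data resources that sit outside the permitted zone or on unencrypted volumes. The zone name, the `data-classification` tag, and all sample records are assumptions constructed for illustration.

```python
# Added example: residency and encryption audit over EC2 inventory records.
# ALLOWED_ZONE and the data-classification tag are assumptions, not from the case study.
ALLOWED_ZONE = "xx-example-1-lz-1a"  # placeholder for the Local Zone name
TAG_KEY, TAG_VALUE = "data-classification", "sensitive"

def _is_sensitive(resource):
    tags = {t["Key"]: t["Value"] for t in resource.get("Tags", [])}
    return tags.get(TAG_KEY) == TAG_VALUE

def audit(instances, volumes, allowed_zone=ALLOWED_ZONE):
    """Return sorted (resource_id, finding) tuples for sensitive-data resources."""
    findings, in_scope = [], set()
    for inst in instances:
        if not _is_sensitive(inst):
            continue
        if inst["Placement"]["AvailabilityZone"] != allowed_zone:
            findings.append((inst["InstanceId"], "outside-allowed-zone"))
        # Volumes attached to a sensitive instance inherit its classification.
        in_scope.update(b["Ebs"]["VolumeId"] for b in inst.get("BlockDeviceMappings", []))
    for vol in volumes:
        if vol["VolumeId"] not in in_scope and not _is_sensitive(vol):
            continue
        if vol["AvailabilityZone"] != allowed_zone:
            findings.append((vol["VolumeId"], "outside-allowed-zone"))
        if not vol.get("Encrypted", False):
            findings.append((vol["VolumeId"], "unencrypted"))
    return sorted(findings)

# Constructed sample inventory (not real resources).
SENSITIVE = [{"Key": TAG_KEY, "Value": TAG_VALUE}]
SAMPLE_INSTANCES = [
    {"InstanceId": "i-mongo-1", "Placement": {"AvailabilityZone": "xx-example-1-lz-1a"},
     "Tags": SENSITIVE, "BlockDeviceMappings": [{"Ebs": {"VolumeId": "vol-a"}}]},
    {"InstanceId": "i-mongo-2", "Placement": {"AvailabilityZone": "xx-example-1a"},
     "Tags": SENSITIVE, "BlockDeviceMappings": [{"Ebs": {"VolumeId": "vol-b"}}]},
    {"InstanceId": "i-proxy", "Placement": {"AvailabilityZone": "xx-example-1a"},
     "Tags": [], "BlockDeviceMappings": [{"Ebs": {"VolumeId": "vol-c"}}]},
]
SAMPLE_VOLUMES = [
    {"VolumeId": "vol-a", "AvailabilityZone": "xx-example-1-lz-1a", "Encrypted": False},
    {"VolumeId": "vol-b", "AvailabilityZone": "xx-example-1a", "Encrypted": True},
    {"VolumeId": "vol-c", "AvailabilityZone": "xx-example-1a", "Encrypted": False},
    {"VolumeId": "vol-d", "AvailabilityZone": "xx-example-1a", "Encrypted": True,
     "Tags": SENSITIVE},  # detached volume that still carries the sensitive tag
]

if __name__ == "__main__":
    for resource_id, finding in audit(SAMPLE_INSTANCES, SAMPLE_VOLUMES):
        print(resource_id, finding)
```

The untagged proxy instance and its volume in the parent-region zone are not flagged, matching the split between sensitive data in the Local Zone and non-sensitive supporting services in the parent Region.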

Security and Compliance

Security and compliance were foundational design principles due to the regulated nature of healthcare workloads.

The implemented security controls include:

  • IAM access management with least privilege policies
  • Multi-factor authentication and strong password enforcement
  • Secure root account configuration
  • Network isolation using security groups and network ACLs
  • AWS WAF for application layer protection
  • Threat detection services at both account and workload levels
  • Encryption at rest using AWS Key Management Service
  • TLS encryption for all data in transit

These measures align the platform with AWS Well-Architected security best practices and healthcare regulatory expectations.

Operations, Monitoring, and Resilience

Cirrusgo implemented centralized monitoring, logging, and operational tooling to ensure platform reliability and observability:

  • AWS CloudTrail for API activity auditing
  • Amazon CloudWatch dashboards and alarms
  • Automated backups for critical resources
  • Secure operational access using AWS Systems Manager

The solution was designed for scalability, leveraging auto scaling at the container and compute layers to handle varying workload demand.

Business Outcomes

By partnering with Cirrusgo, GSH achieved:

  • Full compliance with Oman healthcare data residency requirements
  • A scalable and resilient cloud native healthcare platform
  • Reduced operational overhead through managed services
  • A future-ready architecture capable of supporting additional digital healthcare initiatives

Value Delivered by Cirrusgo

Cirrusgo delivered this project end-to-end, covering architecture design, security, implementation, and ongoing managed operations. By combining deep AWS expertise with experience in regulated healthcare environments, Cirrusgo enabled GSH to modernize its platform while maintaining compliance, security, and operational excellence.
