by markolschesky
3935 days ago
"I'm pretty sure AWS has a package for HIPAA compliance that will checkmark most of the required fields outside of the application." Not quite; in fact, the first thing you need to do to meet a BAA with many cloud vendors is terminate SSL locally. This means no using things like ELBs. What if you need a VPN? How do you guarantee that traffic is still encrypted (let's say TCP) once it hits the VPC VPN to your application server? These are very real healthcare compliance scenarios for which you would need to figure out a solution on the infrastructure side, which you would need to build or buy. I'm sure there are similar things that need to be handled WRT PCI. Application security is important (of course). I used to work on application security with hospital organizations at an EHR vendor, so even though we sell infrastructure I can help customers out when it comes to this topic. The reason why there isn't really an "Application Security checkbox" is because the question "What is the correct amount of access to patient data?" is a hard one. Prestigious healthcare organizations all the way down to startups struggle with it, so it's usually a more involved process.