Best Practices for HIPAA Compliance in a Containerized Environment
The HIPAA compliance framework is somewhat infamous for setting high-level requirements regarding healthcare data and privacy without recommending specific ways of meeting those requirements. That tendency leaves many developers, admins and DevOps engineers wondering how, exactly, to comply with HIPAA.
If you find yourself in that situation, keep reading. This blog post identifies best practices for HIPAA compliance on one of today’s most common types of environments: those built with containers. It draws on the recommendations in NIST’s Cybersecurity Framework for addressing the high-level compliance requirements that HIPAA includes.
The tips below are drawn from Twistlock’s Guide to HIPAA Compliance for Containers, a 38-page resource that walks through best practices for HIPAA compliance in a containerized environment with the help of the Twistlock platform. The requirements also draw on NIST SP 800-190, the Container Security Guide, which Twistlock helped author and which is an important component of the official “crosswalk” between the HIPAA Security Rule and the NIST Cybersecurity Framework.
Lock Down Remote Access
As cloud-native technology, containers are unlikely to run on a single server that is administered onsite. Instead, you likely host your containers in a cloud environment that is administered remotely.
Since the NIST framework requires remote access to be managed, locking down remote access to container environments is a crucial basic step if you are using the NIST recommendations as the foundation for your HIPAA compliance efforts.
Manage Access Permissions
NIST recommends managing access control by adhering to the principle of least privilege. This means that every account and component in your containerized environment should have the fewest privileges necessary to achieve its intended goal.
In practice, this means taking steps such as limiting which commands can be run inside a container environment, limiting account access and blocking certain commands altogether if they are not necessary for your mission.
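One way to make the least-privilege rule checkable rather than aspirational is to run a policy check over each container spec before it is admitted, in the way an admission controller or CI gate would. The following is an added example (not code from the original post or from Twistlock): it inspects the Kubernetes-style securityContext of a container and reports every setting that still grants more privilege than a workload handling PHI should have. The container specs and the allowed-capability set are constructed assumptions for illustration; field names follow the Kubernetes securityContext schema.

```python
"""Least-privilege checks for a Kubernetes-style container spec (added example)."""
from __future__ import annotations

# Capabilities a workload may keep without a documented exception.
# Assumption: tune this set to what your own services actually need.
ALLOWED_ADDED_CAPABILITIES = {"NET_BIND_SERVICE"}


def least_privilege_findings(container: dict) -> list[str]:
    """Return human-readable policy violations for one container spec.

    An empty list means the spec passes every check.
    """
    name = container.get("name", "<unnamed>")
    sc = container.get("securityContext") or {}
    caps = sc.get("capabilities") or {}
    findings: list[str] = []

    if sc.get("privileged"):
        findings.append(f"{name}: privileged=true grants near-full host access")
    # allowPrivilegeEscalation defaults to true when omitted, so the field
    # must be explicitly set to false to pass.
    if sc.get("allowPrivilegeEscalation", True):
        findings.append(f"{name}: allowPrivilegeEscalation must be false")
    if not sc.get("runAsNonRoot"):
        findings.append(f"{name}: runAsNonRoot must be true")
    if not sc.get("readOnlyRootFilesystem"):
        findings.append(f"{name}: readOnlyRootFilesystem must be true")
    if "ALL" not in caps.get("drop", []):
        findings.append(f"{name}: capabilities.drop must include ALL")
    extra = set(caps.get("add", [])) - ALLOWED_ADDED_CAPABILITIES
    if extra:
        findings.append(f"{name}: unapproved capabilities added: {sorted(extra)}")
    return findings


# Constructed sample specs: a permissive one and its hardened counterpart.
LAX_CONTAINER = {
    "name": "phi-api",
    "image": "registry.example.internal/phi/api:1.4.2",  # placeholder registry
    "securityContext": {
        "privileged": True,
        "capabilities": {"add": ["SYS_ADMIN"]},
    },
}

HARDENED_CONTAINER = {
    "name": "phi-api",
    "image": "registry.example.internal/phi/api:1.4.2",  # placeholder registry
    "securityContext": {
        "privileged": False,
        "allowPrivilegeEscalation": False,
        "runAsNonRoot": True,
        "readOnlyRootFilesystem": True,
        "capabilities": {"drop": ["ALL"], "add": ["NET_BIND_SERVICE"]},
    },
}


if __name__ == "__main__":
    for spec in (LAX_CONTAINER, HARDENED_CONTAINER):
        problems = least_privilege_findings(spec)
        print(f"{spec['name']}: {'OK' if not problems else 'REJECT'}")
        for line in problems:
            print("  -", line)
```

The check treats an omitted allowPrivilegeEscalation as a failure on purpose: the secure value has to be stated, because the platform default is the permissive one. The same pattern extends to whichever settings your own policy names (host namespaces, host-path volumes, seccomp and AppArmor profiles); the point is that every privilege a container keeps is an explicit, reviewable decision.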
Secure Container Data in Transit
Since the data governed by HIPAA includes not just at-rest data that lives in a database but also data in transit, securing all of the data moving within your container environment (or between the environment and external storage services) is important.
A good strategy for securing container data in transit is to use a service mesh, such as Istio, to provide TLS for all inter-container communications. Istio automatically manages key distribution and rotation and takes much of the friction out of doing TLS broadly across your services.
Whitelist Trusted Data Sources
The NIST Cybersecurity Framework mentions using “integrity mechanisms” to ensure that the software, firmware and data in your environment are secure.
What this means in practice in a containerized environment (among other things) is verifying that the sources you use for container images are trusted. You can do this by whitelisting the repositories that are permitted to supply images to your environment while automatically blocking the rest.
Establishing trusted repositories in this way is especially important given the ease with which a Docker container image can be pulled in seconds from a variety of publicly available repositories. All those repositories may be convenient, but downloading images from ones you don’t trust is a bad idea if you want to ensure HIPAA compliance.
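Enforcing a repository whitelist is mostly a matter of parsing image references correctly, because a bare name such as nginx silently resolves to a public registry and a registry name that merely begins with a trusted hostname is not the trusted registry. The following is an added example (not code from the original post or from Twistlock) that normalizes an image reference the way Docker does, checks the registry against an exact-match allowlist, and additionally insists that the image be pinned by digest so that what was reviewed is what runs. The registry hostnames and the digest value are constructed placeholders.

```python
"""Image-source whitelist check over parsed image references (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass

DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")


@dataclass(frozen=True)
class ImageRef:
    registry: str
    repository: str
    tag: str | None      # None means no tag was given (Docker would assume "latest")
    digest: str | None   # None means the image is not pinned by content digest


def parse_image_ref(ref: str) -> ImageRef:
    """Split an image reference into registry, repository, tag and digest.

    Follows Docker's normalization rules: the first path component is a
    registry only if it contains "." or ":" or is "localhost"; otherwise the
    registry is docker.io, and single-segment names live under library/.
    """
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    head, sep, rest = ref.partition("/")
    if sep and ("." in head or ":" in head or head == "localhost"):
        registry, remainder = head, rest
    else:
        registry, remainder = "docker.io", ref
    tag = None
    colon = remainder.rfind(":")
    if colon > remainder.rfind("/"):          # a ':' after the last '/' is a tag
        remainder, tag = remainder[:colon], remainder[colon + 1:]
    if registry == "docker.io" and "/" not in remainder:
        remainder = "library/" + remainder
    return ImageRef(registry, remainder, tag, digest)


def check_image(ref: str, allowed_registries: set[str], require_digest: bool = True) -> list[str]:
    """Return reasons the image must be rejected; an empty list means allowed."""
    image = parse_image_ref(ref)
    reasons: list[str] = []
    # Exact match only: "registry.example.internal.evil.com" must not pass
    # just because it starts with a trusted hostname.
    if image.registry not in allowed_registries:
        reasons.append(f"registry {image.registry!r} is not whitelisted")
    if require_digest:
        if image.digest is None:
            reasons.append("image is not pinned by digest")
        elif not DIGEST_RE.match(image.digest):
            reasons.append(f"malformed digest {image.digest!r}")
    return reasons


# Constructed allowlist and sample references (placeholders, not real hosts).
TRUSTED = {"registry.example.internal", "registry.example.internal:443"}
SAMPLE_DIGEST = "sha256:" + "0123456789abcdef" * 4   # constructed, not a real image

if __name__ == "__main__":
    for candidate in (
        "nginx",
        "registry.example.internal/phi/api:1.4.2",
        "registry.example.internal.evil.com/phi/api@" + SAMPLE_DIGEST,
        "registry.example.internal/phi/api@" + SAMPLE_DIGEST,
    ):
        verdict = check_image(candidate, TRUSTED)
        print(f"{candidate}\n  -> {'ALLOW' if not verdict else 'REJECT: ' + '; '.join(verdict)}")
```

Pinning by digest is the piece that turns a trusted source into a trusted artifact: a tag can be moved to a different image after review, while a digest cannot. If your registry sits behind a mirror or proxy, add the mirror's exact hostname to the allowlist rather than loosening the match.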
Separate Development from Testing
Keeping development environments separate from testing environments is a basic best practice for ensuring that security problems in one environment don’t spill over into another. It is also one of NIST’s recommendations.
That means that when you are setting up your CI/CD chain for containerized apps, it’s important to ensure that you keep development isolated from testing to the extent possible.
Backups
A NIST recommendation that can be easy to overlook if you are focused on HIPAA compliance is backups.
This includes not just backups of production data, but also of configuration files, which are a form of data that makes your environment run smoothly.
To ensure HIPAA compliance for containers, your data should be backed up automatically and you should test backups regularly to make certain that they will do what you need when recovery is necessary.
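Testing a backup means more than confirming the archive exists: restore it somewhere disposable and prove that every file comes back byte-for-byte identical. The following is an added example (not code from the original post or from Twistlock) that backs up a configuration directory into a tar archive together with a SHA-256 manifest, then verifies the backup by restoring it into a temporary directory and comparing each restored file against the manifest. The sample configuration files are constructed inside the script; the paths and file contents are illustrative assumptions.

```python
"""Backup a config directory and verify it by restoring (added example)."""
from __future__ import annotations

import hashlib
import json
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def create_backup(config_dir: Path, backup_dir: Path) -> tuple[Path, Path]:
    """Write config.tar.gz plus a JSON manifest of relative path -> sha256."""
    backup_dir.mkdir(parents=True, exist_ok=True)
    archive = backup_dir / "config.tar.gz"
    manifest = backup_dir / "config.manifest.json"
    hashes: dict[str, str] = {}
    with tarfile.open(archive, "w:gz") as tar:
        for p in sorted(config_dir.rglob("*")):
            if p.is_file():
                rel = p.relative_to(config_dir).as_posix()
                hashes[rel] = sha256_file(p)
                tar.add(p, arcname=rel)
    manifest.write_text(json.dumps(hashes, indent=2, sort_keys=True))
    return archive, manifest


def verify_backup(archive: Path, manifest: Path) -> list[str]:
    """Restore into a scratch directory and return a list of problems (empty = OK)."""
    expected: dict[str, str] = json.loads(manifest.read_text())
    problems: list[str] = []
    with tempfile.TemporaryDirectory() as scratch:
        root = Path(scratch)
        with tarfile.open(archive, "r:gz") as tar:
            for member in tar.getmembers():
                # Refuse absolute paths and parent traversal so a tampered
                # archive cannot write outside the restore directory.
                parts = Path(member.name).parts
                if member.name.startswith("/") or ".." in parts or not member.isfile():
                    problems.append(f"refused unsafe member {member.name!r}")
                    continue
                tar.extract(member, root)
        restored = {p.relative_to(root).as_posix() for p in root.rglob("*") if p.is_file()}
        for rel, digest in expected.items():
            if rel not in restored:
                problems.append(f"missing after restore: {rel}")
            elif sha256_file(root / rel) != digest:
                problems.append(f"content mismatch after restore: {rel}")
        for rel in sorted(restored - expected.keys()):
            problems.append(f"not in manifest: {rel}")
    return problems


def run_demo() -> tuple[list[str], list[str]]:
    """Build constructed sample config, back it up, verify, then verify a tampered manifest."""
    with tempfile.TemporaryDirectory() as work:
        cfg = Path(work) / "config"
        (cfg / "mesh").mkdir(parents=True)
        (cfg / "app.yaml").write_text("tls: required\nlog_phi: false\n")      # constructed
        (cfg / "mesh" / "peer-auth.yaml").write_text("mode: STRICT\n")          # constructed
        archive, manifest = create_backup(cfg, Path(work) / "backups")
        clean = verify_backup(archive, manifest)
        # Simulate drift between what was recorded and what the archive holds.
        tampered = json.loads(manifest.read_text())
        tampered["app.yaml"] = "0" * 64
        manifest.write_text(json.dumps(tampered))
        drifted = verify_backup(archive, manifest)
    return clean, drifted


if __name__ == "__main__":
    ok, bad = run_demo()
    print("clean backup problems:", ok or "none")
    print("tampered manifest problems:", bad)
```

Schedule the backup step automatically and the verification step on its own cadence; keeping the manifest separate from the archive lets you detect an archive that was altered after it was written, which a successful extraction alone would never reveal.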