Best Practices for HIPAA Compliance in a Containerized Environment

The HIPAA compliance framework is somewhat infamous for setting high-level requirements regarding healthcare data and privacy without recommending specific ways of meeting those requirements. That tendency leaves many developers, admins and DevOps engineers wondering how, exactly, to comply with HIPAA.

If you find yourself in that situation, keep reading. This blog post identifies best practices for HIPAA compliance on one of today’s most common types of environments—those built with containers. It draws on the NIST’s Cybersecurity Framework recommendations for addressing the high-level compliance requirements that HIPAA includes.

The tips below are drawn from Twistlock’s Guide to HIPAA Compliance for Containers, a 38-page resource that walks through best practices for HIPAA compliance in a containerized environment with the help of the Twistlock platform. Additionally, the recommendations draw on NIST SP 800-190, the Container Security Guide, which Twistlock helped author and which is an important component of the official “crosswalk” between the HIPAA Security Rule and the NIST Cybersecurity Framework.

Lock Down Remote Access

As a cloud-native technology, containers are unlikely to run on a single server that is administered onsite. Instead, you likely host your containers in a cloud environment that is administered remotely.

Since the NIST framework requires remote access to be managed, locking down remote access to container environments is a crucial basic step if you are using the NIST recommendations as the foundation for your HIPAA compliance efforts.

Manage Access Permissions

The NIST recommends managing access control by adhering to the principle of least privilege. This means that all accounts and components in your containerized environment should have the fewest privileges necessary to achieve their intended goal.

In practice, this means taking steps such as limiting which commands can be run inside a container environment, limiting account access and blocking certain commands altogether if they are not necessary for your mission.
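As an added illustration, not taken from the original post or from the Twistlock guide, here is a Kubernetes Pod manifest that applies least privilege at the container level. The namespace, image name and UID are placeholders. Dropping capabilities and applying the runtime's default seccomp profile is the mechanism that limits which operations a process inside the container can perform; using an image that ships no shell or package manager is how you block interactive commands altogether.

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: phi-api
  namespace: phi-app                  # placeholder namespace
spec:
  automountServiceAccountToken: false # no Kubernetes API credentials unless the app needs them
  securityContext:
    runAsNonRoot: true                # kubelet refuses to start the container as UID 0
    runAsUser: 10001                  # unprivileged UID assumed to exist in the image
    runAsGroup: 10001
    seccompProfile:
      type: RuntimeDefault            # container runtime's default syscall allowlist
  containers:
    - name: api
      image: registry.example.com/phi/api:1.4.2   # placeholder image reference
      securityContext:
        allowPrivilegeEscalation: false           # blocks setuid binaries from gaining privilege
        readOnlyRootFilesystem: true              # the image's filesystem cannot be modified at runtime
        capabilities:
          drop: ["ALL"]               # add back individual capabilities only when required
      ports:
        - containerPort: 8080         # an unprivileged port, so NET_BIND_SERVICE is not needed
      volumeMounts:
        - name: tmp
          mountPath: /tmp             # the one writable path the app is given
  volumes:
    - name: tmp
      emptyDir: {}
```

A practical check is to start with every container carrying this profile and loosen individual settings only when a documented failure shows the application needs them; the Pod's event log will name the setting that blocked startup.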

Secure Container Data in Transit

Since the data governed by HIPAA includes not just at-rest data that lives in a database but also data in transit, securing all of the data moving within your container environment (or between the environment and external storage services) is important.

A good strategy for securing container data in transit is to use a service mesh, such as Istio, to provide TLS for all inter-container communications. Istio automatically manages key distribution and rotation and takes much of the friction out of doing TLS broadly across your services.
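The following Istio configuration is an added example, not part of the original post or the Twistlock guide. It shows the mesh-wide setting that makes mutual TLS mandatory, alongside the weaker PERMISSIVE mode scoped to a single workload during a migration. The `phi-app` namespace and the `app: legacy-ingest` label are placeholders; `istio-system` is Istio's default root namespace.

```yaml
# Mesh-wide default: every sidecar-enabled workload must use mutual TLS.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system        # the root namespace, so this policy applies mesh-wide
spec:
  mtls:
    mode: STRICT                 # plaintext connections are rejected
---
# Narrow, temporary exception for one workload that is still being migrated.
# PERMISSIVE still offers mTLS but also accepts plaintext, so it should be
# removed as soon as the workload's clients are in the mesh.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: legacy-ingest-permissive
  namespace: phi-app             # placeholder namespace
spec:
  selector:
    matchLabels:
      app: legacy-ingest         # placeholder workload label
  mtls:
    mode: PERMISSIVE
```

Two caveats worth noting: PeerAuthentication governs traffic between sidecars, so connections that leave the mesh (for example to an external storage service) still need TLS configured at the client or through an egress gateway; and a workload-level PERMISSIVE policy silently overrides the mesh-wide STRICT one, so exceptions like the second resource should be tracked and expired deliberately.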

Whitelist Trusted Data Sources

The NIST cybersecurity framework mentions using “integrity mechanisms” to ensure that the software, firmware and data in your environment are secure.

What this means in practice in a containerized environment (among other things) is verifying that the sources you use for container images are trusted. You can do this by whitelisting repositories so that they are permitted to supply images to your environment, while automatically blocking the rest.

Establishing trusted repositories in this way is especially important given the ease with which a Docker container image can be pulled in seconds from a variety of publicly available repositories. All those repositories may be convenient, but downloading images from ones you don’t trust is a bad idea if you want to ensure HIPAA compliance.

Separate Development from Testing

Keeping development environments separate from testing environments is a basic best practice for ensuring that security problems from one environment don’t spill over into another. It’s also one of the NIST’s recommendations.

That means that when you are setting up your CI/CD chain for containerized apps, it’s important to ensure that you keep development isolated from testing to the extent possible.

Backups

A NIST recommendation that can be easy to overlook if you are focused on HIPAA compliance is backups.

This includes not just backups of production data, but also of configuration files, which are a form of data that makes your environment run smoothly.

To ensure HIPAA compliance for containers, your data should be backed up automatically and you should test backups regularly to make certain that they will do what you need when recovery is necessary.
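As an added example that is not part of the original post, the CronJob below automates a nightly backup of a configuration volume and, in the same run, performs a restore test by unpacking the archive into scratch space and comparing it against the source. The namespace, image and PersistentVolumeClaim names are placeholders; the image is assumed to provide the BusyBox `tar`, `diff` and `sha256sum` utilities.

```yaml
apiVersion: batch/v1
kind: CronJob
metadata:
  name: config-backup
  namespace: phi-app                       # placeholder namespace
spec:
  schedule: "0 2 * * *"                    # nightly, 02:00 cluster time
  concurrencyPolicy: Forbid                # never run two backups at once
  successfulJobsHistoryLimit: 7            # keep a week of job records for audit
  failedJobsHistoryLimit: 7
  jobTemplate:
    spec:
      backoffLimit: 1
      template:
        spec:
          restartPolicy: Never
          securityContext:
            runAsNonRoot: true
            runAsUser: 1000                # unprivileged UID (assumed)
            fsGroup: 1000                  # lets that UID write to the backup volume
          containers:
            - name: backup
              image: registry.example.com/tools/busybox:1.36   # placeholder image
              command: ["/bin/sh", "-ec"]  # -e: any failing step fails the job
              args:
                - |
                  stamp=$(date -u +%Y%m%dT%H%M%SZ)
                  archive=/backups/config-$stamp.tar.gz
                  tar -czf "$archive" -C /data .
                  # Restore test: unpack into scratch space and compare with the source.
                  mkdir -p /tmp/verify
                  tar -xzf "$archive" -C /tmp/verify
                  diff -r /data /tmp/verify
                  # Record a checksum so later restores can detect a corrupted archive.
                  sha256sum "$archive" > "$archive.sha256"
              volumeMounts:
                - name: data
                  mountPath: /data
                  readOnly: true           # the backup job never needs to write to the source
                - name: backups
                  mountPath: /backups
          volumes:
            - name: data
              persistentVolumeClaim:
                claimName: app-config      # placeholder PVC holding configuration
            - name: backups
              persistentVolumeClaim:
                claimName: backup-store    # placeholder PVC for archives
```

A failed `diff` marks the Job as failed, which is the signal to alert on: a backup that cannot be restored is the case this section warns about. For production databases the same pattern applies with the database's own dump tool in place of `tar`, and the archive destination should be storage that is encrypted and access-controlled to the same standard as the live data.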

John Morello

John Morello is the Chief Technology Officer at Twistlock. As CTO, John leads the work with strategic customers and partners and drives the product roadmap. Prior to Twistlock, John was the CISO of Albemarle, a Fortune 500 global chemical company. Before that, John spent 14 years at Microsoft, in both Microsoft Consulting Services and product teams. He ran feature teams that shipped security technologies in Windows, Azure, and Office 365 and served as the Lead Architect of the hybrid cloud consulting team for the Americas. A self-proclaimed "public school guy," John is passionate about building out more modern curricula for cybersecurity. In fact, in May 2018 he established a Twistlock outpost at Louisiana State University’s Innovation Park in order to pay off this vision. John lives in Louisiana with his wife and two young sons. A passionate fisherman and scuba diver, he also serves as Chairman of the Coalition to Restore Coastal Louisiana.