Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Architecting Applications for HIPAA Compliance

Sponsored · Your Podcast. Everywhere. Effortlessly. Share. Educate. Inspire. Entertain. You do you. We'll handle the rest.
Avatar for Frank Macreery Frank Macreery
May 21, 2015
Technology
0
220

Architecting Applications for HIPAA Compliance

Originally presented at "Cloud Computing & Healthcare with AWS."

Avatar for Frank Macreery

Frank Macreery

May 21, 2015
Tweet

More Decks by Frank Macreery

See All by Frank Macreery
Docker for Ruby Developers
Avatar for Frank Macreery fancyremarker
3
660
Aptible + TelePharm: HIPAA for Startups
Avatar for Frank Macreery fancyremarker
0
1.4k
Containerization and Compliance
Avatar for Frank Macreery fancyremarker
0
550
HIPAA Dev Ops: Architecting Layers of Responsibility
Avatar for Frank Macreery fancyremarker
0
76
Garner: Anatomy of a Ruby Gem
Avatar for Frank Macreery fancyremarker
0
350

Other Decks in Technology

See All in Technology
クラウド × シリコンの Mashup - AWS チップ開発で広がる AI 基盤の選択肢
Avatar for Hiroshi Tokoyo htokoyo
2
260
今のWordPress の制作手法ってなにがあんねん?(改) / What’s the Deal with WordPress Development These Days?
Avatar for tbshiki tbshiki
0
490
(Test) ai-meetup slide creation
Avatar for Oikon oikon48
3
420
OCHaCafe S11 #2 コンテナ時代の次の一手:Wasm 最前線
Avatar for oracle4engineer oracle4engineer
PRO
2
140
20260311 技術SWG活動報告(デジタルアイデンティティ人材育成推進WG Ph2 活動報告会)
Avatar for OpenID Foundation Japan oidfj
0
360
NewSQL_ ストレージ分離と分散合意を用いたスケーラブルアーキテクチャ
Avatar for hacomono Inc. hacomono
PRO
4
370
Scrumは歪む — 組織設計の原理原則
Avatar for Daisuke Ashihara dashi
0
200
Kubernetesにおける推論基盤
Avatar for ry ry
1
400
組織全体で実現する標準監視設計
Avatar for Yuto Obayashi yuobayashi
3
490
わたしがセキュアにAWSを使えるわけないじゃん、ムリムリ!(※ムリじゃなかった!?)
Avatar for cm-usuda-keisuke cmusudakeisuke
1
760
コンテキスト・ハーネスエンジニアリングの現在
Avatar for Hirosato Gamo hirosatogamo
PRO
3
240
身体を持ったパーソナルAIエージェントの 可能性を探る開発
Avatar for yoko / Naoki Yokomachi yokomachi
1
130

Featured

See All Featured
Fashionably flexible responsive web design (full day workshop)
Avatar for Andy Clarke malarkey
408
66k
Pawsitive SEO: Lessons from My Dog (and Many Mistakes) on Thriving as a Consultant in the Age of AI
Avatar for David Carrasco davidcarrasco
0
87
世界の人気アプリ100個を分析して見えたペイウォール設計の心得
Avatar for Akihiro Kokubo akihiro_kokubo
PRO
67
37k
How STYLIGHT went responsive
Avatar for nonsquared nonsquared
100
6k
Cheating the UX When There Is Nothing More to Optimize - PixelPioneers
Avatar for Stéphanie Walter stephaniewalter
287
14k
What's in a price? How to price your products and services
Avatar for Michael Herold michaelherold
247
13k
AI in Enterprises - Java and Open Source to the Rescue
Avatar for ivargrimstad ivargrimstad
0
1.2k
Rails Girls Zürich Keynote
Avatar for Gregor Martynus gr2m
96
14k
"I'm Feeling Lucky" - Building Great Search Experiences for Today's Users (#IAC19)
Avatar for Dan Newman danielanewman
231
22k
How to audit for AI Accessibility on your Front & Back End
Avatar for davetheseo davetheseo
0
210
Crafting Experiences
Avatar for Bethany Jepchumba bethany
1
89
The Limits of Empathy - UXLibs8
Avatar for Cassini Nazir cassininazir
1
260

Transcript

  1. Architecting Applications for HIPAA Compliance Frank Macreery CTO, Aptible @fancyremarker

  2. None

  3. HIPAA The Health Insurance Portability and Accountability Act of 1996

  4. HIPAA: What?

  5. Protected Health Information (PHI)

  6. Protected Health Information (PHI) "is created or received by a

    health care provider or health plan…"

  7. Protected Health Information (PHI) "relates to the health or condition

    of an individual; the provision of health care to an individual; or the payment for the provision of health care to an individual…"

  8. Protected Health Information (PHI) "identifies the individual"

  9. HIPAA: Who?

  10. Covered Entities Health plans, health care clearinghouses, health care providers

  11. Business Associates An entity which "creates, receives, maintains, or transmits

    protected health information"
  12. None
  13. None
  14. None
  15. None

  16. Omnibus Final Rule Published January 2013 Effective Date: March 2013

    Compliance Date: September 2013

  17. HIPAA: Why?

  18. Office of Civil Rights (OCR) The enforcement agency for HIPAA

  19. 14,300 Enforcement Cases in 2014

  20. 14,300 Enforcement Cases in 2014 Up 300% since 2004

  21. 14,300 Enforcement Cases in 2014 24% of cases resulted in

    corrective action

  22. $200 Direct breach response and remediation costs average $200/record

  23. $1000 Damages sought in class action suits average $1000/record

  24. $1.5 Million HHS can levy up to $1,500,000 in fines

    for each provision violated

  25. Implementing Security Delegate, automate, standardize

  26. What Does HIPAA Require?

  27. Physical Safeguards

  28. Physical Safeguards Facility Management

  29. Physical Safeguards Physical Contingency Plans

  30. Physical Safeguards

  31. General Technical Safeguards

  32. General Technical Safeguards Encryption

  33. General Technical Safeguards Data Backups

  34. General Technical Safeguards Instance Access (SSH) Controls

  35. General Technical Safeguards

  36. Specific Technical Safeguards

  37. Specific Technical Safeguards Authentication

  38. Specific Technical Safeguards PHI Record Access Controls (Authorization)

  39. Specific Technical Safeguards

  40. Administrative Safeguards

  41. Administrative Safeguards Policies & Procedures

  42. Administrative Safeguards Risk Assessments

  43. Administrative Safeguards Workforce Training

  44. Administrative Safeguards

  45. Physical General Technical Specific Technical

  46. Delegation

  47. Delegation Aptible delegates physical safeguards to AWS

  48. Delegation Customers delegate administrative and (many) technical safeguards to Aptible

  49. How does Aptible implement technical safeguards?

  50. OpsWorks Chef CloudTrail CFN

  51. OpsWorks Chef CFN General Technical Safeguards Specific Technical Safeguards

  52. Unique SSH User Identification OpsWorks + IAM

  53. §164.312(a)(2)(i) (Required) "A covered entity must… assign a unique name

    and/or number for identifying and tracking user identity."

  54. Unique SSH User Identification OpsWorks + IAM

  55. Unique SSH User Identification EC2 SSH key pair?

  56. Unique SSH User Identification EC2 SSH key pair

  57. Unique SSH User Identification Manual authorized_keys management?

  58. Unique SSH User Identification Manual authorized_keys management

  59. OpsWorks + IAM

  60. IAM Identity and Access Management: Service for programmatically managing user

    identities
  61. None

  62. OpsWorks Chef-based deployment platform

  63. OpsWorks + IAM Gives visibility into current SSH permissions across

    all EC2 instances
  64. None

  65. OpsWorks + IAM Makes it easy to rotate keys or

    revoke access

  66. OpsWorks + IAM Creates an audit log of all SSH

    permission changes, through CloudTrail

  67. End-to-end Encryption ELB—NGiNX—applications

  68. §164.312(a)(2)(i) (Addressable) "A covered entity must… implement a mechanism to

    encrypt electronic protected health information whenever deemed appropriate"

  69. AWS "Approved" Services

  70. AWS "Approved" Services EC2 ELB EBS S3 Glacier Redshift

  71. EC2 Must use dedicated instances for PHI

  72. EBS All PHI volumes must be encrypted

  73. ELB End-to-end encryption in transit

  74. None

  75. TCP OR HTTPS HTTP HTTP TCP OR HTTPS

  76. https://github.com/aptible/docker-nginx https://quay.io/repository/aptible/nginx

  77. Standardized SSL Termination Container Deployed everywhere we require encryption in

    transit

  78. Configurable via ENV $UPSTREAM_SERVERS

  79. Configurable via ENV $UPSTREAM_SERVERS
 $FORCE_SSL $HSTS_MAX_AGE (…)

  80. Configurable via ENV Makes testing easier

  81. @test "It should send a Strict-Transport-Security header with FORCE_SSL" FORCE_SSL=true

    wait_for_nginx run curl -Ik https://localhost 2>/dev/null [[ "$output" =~ "Strict-Transport-Security: max-age=31536000" ]] }

  82. @test "It should send a Strict-Transport-Security header with FORCE_SSL" FORCE_SSL=true

    wait_for_nginx run curl -Ik https://localhost 2>/dev/null [[ "$output" =~ "Strict-Transport-Security: max-age=31536000" ]] }

  83. Configurable via ENV Abstracts implementation details: could be NGiNX, HAProxy,

  84. ENV configuration Simplifies configuration management: central store doesn’t need to

    know parameters in advance

  85. Auditing Implementation is not enough

  86. Auditing means… Logging SSH access to instances

  87. OpsWorks + IAM

  88. OpsWorks + IAM Creates an audit log of all SSH

    permission changes, through CloudTrail

  89. OpsWorks + IAM Works for new authorizations, but how can

    we log individual SSH sessions?

  90. Deny by Default

  91. https://github.com/aptible/opsworks-cli

  92. Deny by Default Periodically disable all SSH permissions: opsworks iam:lockdown

    --stack foobar

  93. Deny by Default SSH permissions last only one hour, and

    must be renewed opsworks iam:allow alice --stack foobar

  94. Deny by Default Every SSH session gets logged to CloudTrail

    (with 1 hour granularity)

  95. Auditing means… Documenting a mitigation for every vulnerability

  96. Heartbleed

  97. Heartbleed POODLEbleed

  98. Heartbleed POODLEbleed xBleed???

  99. How do we prove that PHI was unaffected by xBleed?

  100. Integration Tests Document every security response

  101. https://github.com/sstephenson/bats

  102. # Dockerfile # Install and configure NGiNX... # ... ADD

    test /tmp/test RUN bats /tmp/test https://github.com/aptible/docker-nginx Image: quay.io/aptible/nginx

  103. #!/usr/bin/env bats # /tmp/test/nginx.bats @test "It should pass an external

    Heartbleed test" { install_heartbleed wait_for_nginx Heartbleed localhost:443 uninstall_heartbleed }

  104. #!/usr/bin/env bats # /tmp/test/nginx.bats @test "It should pass an external

    Heartbleed test" { install_heartbleed wait_for_nginx Heartbleed localhost:443 uninstall_heartbleed }

  105. @test "It should pass an external Heartbleed test" { #

    ... install_heartbleed # ... } install_heartbleed() { export GOPATH=/tmp/gocode export PATH=${PATH}:/usr/local/go/bin:${GOPATH}/bin go get github.com/FiloSottile/Heartbleed go install github.com/FiloSottile/Heartbleed }

  106. @test "Its OpenSSL client should support TLS_FALLBACK_SCSV" { FORCE_SSL=true wait_for_nginx

    run local_s_client -fallback_scsv [ "$status" -eq "0" ] } @test "It should support TLS_FALLBACK_SCSV by default" { FORCE_SSL=true wait_for_nginx run local_s_client -fallback_scsv -no_tls1_2 [ "$status" -ne "0" ] [[ "$output" =~ "inappropriate fallback" ]] }

  107. Integration tests happen during each image build

  108. Integration tests happen during each image build Images are built

    and tests run automatically
  109. None

  110. Integration tests happen during each image build Security test status

    is easy to verify at a glance
  111. None

  112. HIPAA Regulates PHI, and any vendor handling PHI needs to

    comply

  113. Implementing Security Delegate low-level or general security details to providers

    like AWS and Aptible

  114. Implementing Security Automate management of technical safeguards (e.g., through OpsWorks

    + IAM for SSH access)

  115. Implementing Security Standardize implementation and deployment of key security infrastructure

  116. Auditing Use AWS services (OpsWorks, CloudTrail, etc.) to automate PHI

    access logging

  117. Auditing Audit all PHI access and document all responses to

    security incidents

  118. Thank you

  119. @fancyremarker [email protected]