Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Architecting Applications for HIPAA Compliance
Search
Frank Macreery
May 21, 2015
Technology
0
210
Architecting Applications for HIPAA Compliance
Originally presented at "Cloud Computing & Healthcare with AWS."
Frank Macreery
May 21, 2015
Tweet
Share
More Decks by Frank Macreery
See All by Frank Macreery
Docker for Ruby Developers
fancyremarker
3
650
Aptible + TelePharm: HIPAA for Startups
fancyremarker
0
1.4k
Containerization and Compliance
fancyremarker
0
550
HIPAA Dev Ops: Architecting Layers of Responsibility
fancyremarker
0
73
Garner: Anatomy of a Ruby Gem
fancyremarker
0
340
Other Decks in Technology
See All in Technology
5分でカオスエンジニアリングを分かった気になろう
pandayumi
0
250
AI時代を生き抜くエンジニアキャリアの築き方 (AI-Native 時代、エンジニアという道は 「最大の挑戦の場」となる) / Building an Engineering Career to Thrive in the Age of AI (In the AI-Native Era, the Path of Engineering Becomes the Ultimate Arena of Challenge)
jeongjaesoon
0
200
Evolución del razonamiento matemático de GPT-4.1 a GPT-5 - Data Aventura Summit 2025 & VSCode DevDays
lauchacarro
0
210
Terraformで構築する セルフサービス型データプラットフォーム / terraform-self-service-data-platform
pei0804
1
190
自作JSエンジンに推しプロポーザルを実装したい!
sajikix
1
180
Django's GeneratedField by example - DjangoCon US 2025
pauloxnet
0
150
RSCの時代にReactとフレームワークの境界を探る
uhyo
10
3.5k
これでもう迷わない!Jetpack Composeの書き方実践ガイド
zozotech
PRO
0
1k
2025年夏 コーディングエージェントを統べる者
nwiizo
0
180
ハードウェアとソフトウェアをつなぐ全てを内製している企業の E2E テストの作り方 / How to create E2E tests for a company that builds everything connecting hardware and software in-house
bitkey
PRO
1
160
LLMを搭載したプロダクトの品質保証の模索と学び
qa
0
1.1k
「Linux」という言葉が指すもの
sat
PRO
4
140
Featured
See All Featured
Making the Leap to Tech Lead
cromwellryan
135
9.5k
Art, The Web, and Tiny UX
lynnandtonic
303
21k
The Pragmatic Product Professional
lauravandoore
36
6.9k
Evolution of real-time – Irina Nazarova, EuRuKo, 2024
irinanazarova
8
920
The Cost Of JavaScript in 2023
addyosmani
53
8.9k
CoffeeScript is Beautiful & I Never Want to Write Plain JavaScript Again
sstephenson
162
15k
The Art of Delivering Value - GDevCon NA Keynote
reverentgeek
15
1.7k
Balancing Empowerment & Direction
lara
3
620
Building Flexible Design Systems
yeseniaperezcruz
329
39k
実際に使うSQLの書き方 徹底解説 / pgcon21j-tutorial
soudai
PRO
188
55k
We Have a Design System, Now What?
morganepeng
53
7.8k
Sharpening the Axe: The Primacy of Toolmaking
bcantrill
44
2.5k
Transcript
Architecting Applications for HIPAA Compliance Frank Macreery CTO, Aptible @fancyremarker
None
HIPAA The Health Insurance Portability and Accountability Act of 1996
HIPAA: What?
Protected Health Information (PHI)
Protected Health Information (PHI) "is created or received by a
health care provider or health plan…"
Protected Health Information (PHI) "relates to the health or condition
of an individual; the provision of health care to an individual; or the payment for the provision of health care to an individual…"
Protected Health Information (PHI) "identifies the individual"
HIPAA: Who?
Covered Entities Health plans, health care clearinghouses, health care providers
Business Associates An entity which "creates, receives, maintains, or transmits
protected health information"
None
None
None
None
Omnibus Final Rule Published January 2013 Effective Date: March 2013
Compliance Date: September 2013
HIPAA: Why?
Office of Civil Rights (OCR) The enforcement agency for HIPAA
14,300 Enforcement Cases in 2014
14,300 Enforcement Cases in 2014 Up 300% since 2004
14,300 Enforcement Cases in 2014 24% of cases resulted in
corrective action
$200 Direct breach response and remediation costs average $200/record
$1000 Damages sought in class action suits average $1000/record
$1.5 Million HHS can levy up to $1,500,000 in fines
for each provision violated
Implementing Security Delegate, automate, standardize
What Does HIPAA Require?
Physical Safeguards
Physical Safeguards Facility Management
Physical Safeguards Physical Contingency Plans
Physical Safeguards
General Technical Safeguards
General Technical Safeguards Encryption
General Technical Safeguards Data Backups
General Technical Safeguards Instance Access (SSH) Controls
General Technical Safeguards
Specific Technical Safeguards
Specific Technical Safeguards Authentication
Specific Technical Safeguards PHI Record Access Controls (Authorization)
Specific Technical Safeguards
Administrative Safeguards
Administrative Safeguards Policies & Procedures
Administrative Safeguards Risk Assessments
Administrative Safeguards Workforce Training
Administrative Safeguards
Physical General Technical Specific Technical
Delegation
Delegation Aptible delegates physical safeguards to AWS
Delegation Customers delegate administrative and (many) technical safeguards to Aptible
How does Aptible implement technical safeguards?
OpsWorks Chef CloudTrail CFN
OpsWorks Chef CFN General Technical Safeguards Specific Technical Safeguards
Unique SSH User Identification OpsWorks + IAM
§164.312(a)(2)(i) (Required) "A covered entity must… assign a unique name
and/or number for identifying and tracking user identity."
Unique SSH User Identification OpsWorks + IAM
Unique SSH User Identification EC2 SSH key pair?
Unique SSH User Identification EC2 SSH key pair
Unique SSH User Identification Manual authorized_keys management?
Unique SSH User Identification Manual authorized_keys management
OpsWorks + IAM
IAM Identity and Access Management: Service for programmatically managing user
identities
None
OpsWorks Chef-based deployment platform
OpsWorks + IAM Gives visibility into current SSH permissions across
all EC2 instances
None
OpsWorks + IAM Makes it easy to rotate keys or
revoke access
OpsWorks + IAM Creates an audit log of all SSH
permission changes, through CloudTrail
End-to-end Encryption ELB—NGiNX—applications
§164.312(a)(2)(i) (Addressable) "A covered entity must… implement a mechanism to
encrypt electronic protected health information whenever deemed appropriate"
AWS "Approved" Services
AWS "Approved" Services EC2 ELB EBS S3 Glacier Redshift
EC2 Must use dedicated instances for PHI
EBS All PHI volumes must be encrypted
ELB End-to-end encryption in transit
None
TCP OR HTTPS HTTP HTTP TCP OR HTTPS
https://github.com/aptible/docker-nginx https://quay.io/repository/aptible/nginx
Standardized SSL Termination Container Deployed everywhere we require encryption in
transit
Configurable via ENV $UPSTREAM_SERVERS
Configurable via ENV $UPSTREAM_SERVERS $FORCE_SSL $HSTS_MAX_AGE (…)
Configurable via ENV Makes testing easier
@test "It should send a Strict-Transport-Security header with FORCE_SSL" FORCE_SSL=true
wait_for_nginx run curl -Ik https://localhost 2>/dev/null [[ "$output" =~ "Strict-Transport-Security: max-age=31536000" ]] }
@test "It should send a Strict-Transport-Security header with FORCE_SSL" FORCE_SSL=true
wait_for_nginx run curl -Ik https://localhost 2>/dev/null [[ "$output" =~ "Strict-Transport-Security: max-age=31536000" ]] }
Configurable via ENV Abstracts implementation details: could be NGiNX, HAProxy,
…
ENV configuration Simplifies configuration management: central store doesn’t need to
know parameters in advance
Auditing Implementation is not enough
Auditing means… Logging SSH access to instances
OpsWorks + IAM
OpsWorks + IAM Creates an audit log of all SSH
permission changes, through CloudTrail
OpsWorks + IAM Works for new authorizations, but how can
we log individual SSH sessions?
Deny by Default
https://github.com/aptible/opsworks-cli
Deny by Default Periodically disable all SSH permissions: opsworks iam:lockdown
--stack foobar
Deny by Default SSH permissions last only one hour, and
must be renewed opsworks iam:allow alice --stack foobar
Deny by Default Every SSH session gets logged to CloudTrail
(with 1 hour granularity)
Auditing means… Documenting a mitigation for every vulnerability
Heartbleed
Heartbleed POODLEbleed
Heartbleed POODLEbleed xBleed???
How do we prove that PHI was unaffected by xBleed?
Integration Tests Document every security response
https://github.com/sstephenson/bats
# Dockerfile # Install and configure NGiNX... # ... ADD
test /tmp/test RUN bats /tmp/test https://github.com/aptible/docker-nginx Image: quay.io/aptible/nginx
#!/usr/bin/env bats # /tmp/test/nginx.bats @test "It should pass an external
Heartbleed test" { install_heartbleed wait_for_nginx Heartbleed localhost:443 uninstall_heartbleed }
#!/usr/bin/env bats # /tmp/test/nginx.bats @test "It should pass an external
Heartbleed test" { install_heartbleed wait_for_nginx Heartbleed localhost:443 uninstall_heartbleed }
@test "It should pass an external Heartbleed test" { #
... install_heartbleed # ... } install_heartbleed() { export GOPATH=/tmp/gocode export PATH=${PATH}:/usr/local/go/bin:${GOPATH}/bin go get github.com/FiloSottile/Heartbleed go install github.com/FiloSottile/Heartbleed }
@test "Its OpenSSL client should support TLS_FALLBACK_SCSV" { FORCE_SSL=true wait_for_nginx
run local_s_client -fallback_scsv [ "$status" -eq "0" ] } @test "It should support TLS_FALLBACK_SCSV by default" { FORCE_SSL=true wait_for_nginx run local_s_client -fallback_scsv -no_tls1_2 [ "$status" -ne "0" ] [[ "$output" =~ "inappropriate fallback" ]] }
Integration tests happen during each image build
Integration tests happen during each image build Images are built
and tests run automatically
None
Integration tests happen during each image build Security test status
is easy to verify at a glance
None
HIPAA Regulates PHI, and any vendor handling PHI needs to
comply
Implementing Security Delegate low-level or general security details to providers
like AWS and Aptible
Implementing Security Automate management of technical safeguards (e.g., through OpsWorks
+ IAM for SSH access)
Implementing Security Standardize implementation and deployment of key security infrastructure
Auditing Use AWS services (OpsWorks, CloudTrail, etc.) to automate PHI
access logging
Auditing Audit all PHI access and document all responses to
security incidents
Thank you
@fancyremarker
[email protected]