
Architecting Applications for HIPAA Compliance


Originally presented at "Cloud Computing & Healthcare with AWS."


Frank Macreery

May 21, 2015



Transcript

  1. Protected Health Information (PHI) "is created or received by a

    health care provider or health plan…"
  2. Protected Health Information (PHI) "relates to the health or condition

    of an individual; the provision of health care to an individual; or the payment for the provision of health care to an individual…"
  3. §164.312(a)(2)(i) (Required) "A covered entity must… assign a unique name

    and/or number for identifying and tracking user identity."
  4. OpsWorks + IAM Creates an audit log of all SSH

    permission changes, through CloudTrail
  5. §164.312(a)(2)(i) (Addressable) "A covered entity must… implement a mechanism to

    encrypt electronic protected health information whenever deemed appropriate"
  6. @test "It should send a Strict-Transport-Security header with FORCE_SSL" FORCE_SSL=true

    wait_for_nginx run curl -Ik https://localhost 2>/dev/null [[ "$output" =~ "Strict-Transport-Security: max-age=31536000" ]] }
  7. @test "It should send a Strict-Transport-Security header with FORCE_SSL" FORCE_SSL=true

    wait_for_nginx run curl -Ik https://localhost 2>/dev/null [[ "$output" =~ "Strict-Transport-Security: max-age=31536000" ]] }
  8. OpsWorks + IAM Creates an audit log of all SSH

    permission changes, through CloudTrail
  9. Deny by Default SSH permissions last only one hour, and

    must be renewed opsworks iam:allow alice --stack foobar
  10. # Dockerfile # Install and configure NGiNX... # ... ADD

    test /tmp/test RUN bats /tmp/test https://github.com/aptible/docker-nginx Image: quay.io/aptible/nginx
  11. #!/usr/bin/env bats # /tmp/test/nginx.bats @test "It should pass an external

    Heartbleed test" { install_heartbleed wait_for_nginx Heartbleed localhost:443 uninstall_heartbleed }
  12. #!/usr/bin/env bats # /tmp/test/nginx.bats @test "It should pass an external

    Heartbleed test" { install_heartbleed wait_for_nginx Heartbleed localhost:443 uninstall_heartbleed }
  13. @test "It should pass an external Heartbleed test" { #

    ... install_heartbleed # ... } install_heartbleed() { export GOPATH=/tmp/gocode export PATH=${PATH}:/usr/local/go/bin:${GOPATH}/bin go get github.com/FiloSottile/Heartbleed go install github.com/FiloSottile/Heartbleed }
  14. @test "Its OpenSSL client should support TLS_FALLBACK_SCSV" { FORCE_SSL=true wait_for_nginx

    run local_s_client -fallback_scsv [ "$status" -eq "0" ] } @test "It should support TLS_FALLBACK_SCSV by default" { FORCE_SSL=true wait_for_nginx run local_s_client -fallback_scsv -no_tls1_2 [ "$status" -ne "0" ] [[ "$output" =~ "inappropriate fallback" ]] }