Architecting Applications for HIPAA Compliance

Transcript

1. Architecting Applications for HIPAA Compliance Frank Macreery CTO, Aptible @fancyremarker

2. None

3. HIPAA The Health Insurance Portability and Accountability Act of 1996

4. HIPAA: What?

5. Protected Health Information (PHI)

6. Protected Health Information (PHI) "is created or received by a

   health care provider or health plan…"

7. Protected Health Information (PHI) "relates to the health or condition

   of an individual; the provision of health care to an individual; or the payment for the provision of health care to an individual…"

8. Protected Health Information (PHI) "identifies the individual"

9. HIPAA: Who?

10. Covered Entities Health plans, health care clearinghouses, health care providers

11. Business Associates An entity which "creates, receives, maintains, or transmits

    protected health information"
12. None
13. None
14. None
15. None

16. Omnibus Final Rule Published January 2013 Effective Date: March 2013

    Compliance Date: September 2013

17. HIPAA: Why?

18. Office of Civil Rights (OCR) The enforcement agency for HIPAA

19. 14,300 Enforcement Cases in 2014

20. 14,300 Enforcement Cases in 2014 Up 300% since 2004

21. 14,300 Enforcement Cases in 2014 24% of cases resulted in

    corrective action

22. $200 Direct breach response and remediation costs average $200/record

23. $1000 Damages sought in class action suits average $1000/record

24. $1.5 Million HHS can levy up to $1,500,000 in fines

    for each provision violated

25. Implementing Security Delegate, automate, standardize

26. What Does HIPAA Require?

27. Physical Safeguards

28. Physical Safeguards Facility Management

29. Physical Safeguards Physical Contingency Plans

30. Physical Safeguards

31. General Technical Safeguards

32. General Technical Safeguards Encryption

33. General Technical Safeguards Data Backups

34. General Technical Safeguards Instance Access (SSH) Controls

35. General Technical Safeguards

36. Specific Technical Safeguards

37. Specific Technical Safeguards Authentication

38. Specific Technical Safeguards PHI Record Access Controls (Authorization)

39. Specific Technical Safeguards

40. Administrative Safeguards

41. Administrative Safeguards Policies & Procedures

42. Administrative Safeguards Risk Assessments

43. Administrative Safeguards Workforce Training

44. Administrative Safeguards

45. Physical General Technical Specific Technical

46. Delegation

47. Delegation Aptible delegates physical safeguards to AWS

48. Delegation Customers delegate administrative and (many) technical safeguards to Aptible

49. How does Aptible implement technical safeguards?

50. OpsWorks Chef CloudTrail CFN

51. OpsWorks Chef CFN General Technical Safeguards Specific Technical Safeguards

52. Unique SSH User Identification OpsWorks + IAM

53. §164.312(a)(2)(i) (Required) "A covered entity must… assign a unique name

    and/or number for identifying and tracking user identity."

54. Unique SSH User Identification OpsWorks + IAM

55. Unique SSH User Identification EC2 SSH key pair?

56. Unique SSH User Identification EC2 SSH key pair

57. Unique SSH User Identification Manual authorized_keys management?

58. Unique SSH User Identification Manual authorized_keys management

59. OpsWorks + IAM

60. IAM Identity and Access Management: Service for programmatically managing user

    identities
61. None

62. OpsWorks Chef-based deployment platform

63. OpsWorks + IAM Gives visibility into current SSH permissions across

    all EC2 instances
64. None

65. OpsWorks + IAM Makes it easy to rotate keys or

    revoke access

66. OpsWorks + IAM Creates an audit log of all SSH

    permission changes, through CloudTrail

67. End-to-end Encryption ELB—NGiNX—applications

68. §164.312(a)(2)(i) (Addressable) "A covered entity must… implement a mechanism to

    encrypt electronic protected health information whenever deemed appropriate"

69. AWS "Approved" Services

70. AWS "Approved" Services EC2 ELB EBS S3 Glacier Redshift

71. EC2 Must use dedicated instances for PHI

72. EBS All PHI volumes must be encrypted

73. ELB End-to-end encryption in transit

74. None

75. TCP OR HTTPS HTTP HTTP TCP OR HTTPS

76. https://github.com/aptible/docker-nginx https://quay.io/repository/aptible/nginx

77. Standardized SSL Termination Container Deployed everywhere we require encryption in

    transit

78. Configurable via ENV $UPSTREAM_SERVERS

79. Configurable via ENV $UPSTREAM_SERVERS
 $FORCE_SSL $HSTS_MAX_AGE (…)

80. Configurable via ENV Makes testing easier

81. @test "It should send a Strict-Transport-Security header with FORCE_SSL" FORCE_SSL=true

    wait_for_nginx run curl -Ik https://localhost 2>/dev/null [[ "$output" =~ "Strict-Transport-Security: max-age=31536000" ]] }

82. @test "It should send a Strict-Transport-Security header with FORCE_SSL" FORCE_SSL=true

    wait_for_nginx run curl -Ik https://localhost 2>/dev/null [[ "$output" =~ "Strict-Transport-Security: max-age=31536000" ]] }

83. Configurable via ENV Abstracts implementation details: could be NGiNX, HAProxy,

    …

84. ENV configuration Simplifies configuration management: central store doesn’t need to

    know parameters in advance

85. Auditing Implementation is not enough

86. Auditing means… Logging SSH access to instances

87. OpsWorks + IAM

88. OpsWorks + IAM Creates an audit log of all SSH

    permission changes, through CloudTrail

89. OpsWorks + IAM Works for new authorizations, but how can

    we log individual SSH sessions?

90. Deny by Default

91. https://github.com/aptible/opsworks-cli

92. Deny by Default Periodically disable all SSH permissions: opsworks iam:lockdown

    --stack foobar

93. Deny by Default SSH permissions last only one hour, and

    must be renewed opsworks iam:allow alice --stack foobar

94. Deny by Default Every SSH session gets logged to CloudTrail

    (with 1 hour granularity)

95. Auditing means… Documenting a mitigation for every vulnerability

96. Heartbleed

97. Heartbleed POODLEbleed

98. Heartbleed POODLEbleed xBleed???

99. How do we prove that PHI was unaffected by xBleed?

100. Integration Tests Document every security response

101. https://github.com/sstephenson/bats

102. # Dockerfile # Install and configure NGiNX... # ... ADD

     test /tmp/test RUN bats /tmp/test https://github.com/aptible/docker-nginx Image: quay.io/aptible/nginx

103. #!/usr/bin/env bats # /tmp/test/nginx.bats @test "It should pass an external

     Heartbleed test" { install_heartbleed wait_for_nginx Heartbleed localhost:443 uninstall_heartbleed }

104. #!/usr/bin/env bats # /tmp/test/nginx.bats @test "It should pass an external

     Heartbleed test" { install_heartbleed wait_for_nginx Heartbleed localhost:443 uninstall_heartbleed }

105. @test "It should pass an external Heartbleed test" { #

     ... install_heartbleed # ... } install_heartbleed() { export GOPATH=/tmp/gocode export PATH=${PATH}:/usr/local/go/bin:${GOPATH}/bin go get github.com/FiloSottile/Heartbleed go install github.com/FiloSottile/Heartbleed }

106. @test "Its OpenSSL client should support TLS_FALLBACK_SCSV" { FORCE_SSL=true wait_for_nginx

     run local_s_client -fallback_scsv [ "$status" -eq "0" ] } @test "It should support TLS_FALLBACK_SCSV by default" { FORCE_SSL=true wait_for_nginx run local_s_client -fallback_scsv -no_tls1_2 [ "$status" -ne "0" ] [[ "$output" =~ "inappropriate fallback" ]] }

107. Integration tests happen during each image build

108. Integration tests happen during each image build Images are built

     and tests run automatically
109. None

110. Integration tests happen during each image build Security test status

     is easy to verify at a glance
111. None

112. HIPAA Regulates PHI, and any vendor handling PHI needs to

     comply

113. Implementing Security Delegate low-level or general security details to providers

     like AWS and Aptible

114. Implementing Security Automate management of technical safeguards (e.g., through OpsWorks

     + IAM for SSH access)

115. Implementing Security Standardize implementation and deployment of key security infrastructure

116. Auditing Use AWS services (OpsWorks, CloudTrail, etc.) to automate PHI

     access logging

117. Auditing Audit all PHI access and document all responses to

     security incidents

118. Thank you

119. @fancyremarker [email protected]