A Guide to HIPAA Compliance for Containers and the Cloud
You don’t need to be a cloud compliance or security expert to have heard of HIPAA, the major healthcare privacy regulation in the United States. Virtually anyone who has received healthcare in the United States has heard of HIPAA and has a general understanding of what it does.
And yet, achieving HIPAA compliance in modern, cloud- or container-based environments remains a challenge, even for experienced developers and IT teams. Despite – or, perhaps, because of – the fact that HIPAA is more than two decades old, it offers few specific guidelines for how organizations should ensure the privacy of healthcare data they manage in the cloud or via containers. But it does impose a variety of high-level security and compliance mandates that businesses must meet if they use containers or the cloud.
To help teams navigate the complex HIPAA landscape in the context of modern, cloud-native computing, this article explains what HIPAA is and which best practices to follow for ensuring HIPAA compliance in the cloud and in containerized environments.
As we’ll see, although the ambiguity of HIPAA’s technical requirements means that there are no hard-and-fast rules for exactly how to design and configure cloud and container environments, it’s easy enough to devise compliance strategies that enforce HIPAA’s security and privacy standards in most modern cloud-native environments.
What Is HIPAA?
The Health Insurance Portability and Accountability Act, or HIPAA, is a U.S. federal law designed to protect the privacy of sensitive healthcare data. It requires businesses to protect the privacy of personal data associated with healthcare.
HIPAA came into effect in 1996, but it has been extended several times since then by the introduction of additional “rules” that define mandates not included in the original HIPAA law. For IT teams and developers, the most important HIPAA rule is the Privacy Rule, which took effect in 2003. The Privacy Rule defines specific types of “Personal Health Information,” or PHI, which organizations need to protect in order to meet HIPAA data privacy requirements.
PHI (and electronic PHI, or ePHI, the term most often used to refer to PHI that is stored digitally) includes data such as patient names and physical addresses, IP addresses, account numbers, and (most notably) “any other unique identifying number, characteristic, or code.” The latter terminology implies that HIPAA privacy protections extend broadly to include any type of digital data – like user agent strings, browsing history data, or log entries – that could potentially be linked to individual users.
Who Does HIPAA Apply To?
Determining which organizations HIPAA applies to is a complex question. HIPAA has received some criticism for lacking a precise definition of which entities it covers, and which types of media (electronic, oral, or paper-based) are subject to HIPAA regulations if they involve PHI. Assessing HIPAA applicability is even more complicated in situations that include partner organizations or vendors who may have access to healthcare data that was collected by a different organization.
Due in part to this ambiguity, it’s a best practice to interpret HIPAA as having very broad implications. If your business stores or processes any type of data that could reasonably be interpreted as constituting PHI, it’s best to err on the side of assuming that HIPAA applies to you. Even if your business is not itself in the healthcare industry, or the data you collect or manage doesn’t have a purpose that explicitly relates to healthcare, it’s better to implement HIPAA compliance than to ignore HIPAA, only to discover later that regulators deem you subject to HIPAA and fine you as a result of your non-compliance.
Note, too, that although HIPAA is a U.S. law and technically does not apply to organizations based outside of the United States, the federal government states that HIPAA regulations remain in force in situations where organizations store data outside of the United States if the organizations are based in the U.S.
What Are the Costs of HIPAA Non-Compliance?
HIPAA fines for non-compliance range widely, from $100 to $50,000 per violation. The maximum yearly fine is $1.5 million, but regulators may assess fines for multiple years.
There is no shortage of HIPAA enforcement actions that have cost violators large amounts of money. To date, the largest has been a $16 million fine, which was assessed against Anthem in 2018.
HIPAA Compliance Best Practices for the Cloud
Again, HIPAA was introduced in the 1990s, and most of the major extensions of the framework date to the early 2000s. HIPAA was therefore written before cloud computing became widespread, and it offers virtually no specific technical guidance for achieving compliance in cloud-based environments. The federal government does offer some high-level guidelines for achieving HIPAA compliance in the cloud, but they focus mostly on how to interpret a cloud provider’s role in managing HIPAA PHI rather than spelling out exactly how to configure and secure cloud services for HIPAA compliance.
Nonetheless, a variety of best practices have emerged to help businesses comply with HIPAA mandates. The following are the most important to consider for modern cloud environments.
Use a HIPAA-Compliant Cloud
First and foremost, use a public cloud provider that complies with HIPAA. All of the major public clouds today are generally HIPAA-compliant, but confirm that the specific cloud services you rely on are covered, not just the provider as a whole.
Expect bread-and-butter cloud services, like VMs and storage, to be HIPAA-compliant. But more obscure services, or those that involve complex hybrid architectures, may not come with a guarantee of full HIPAA compliance (especially if most security responsibilities fall to customers, which is the case with hybrid cloud environments in particular).
However, no matter how HIPAA-compliant your cloud provider is, remember that cloud shared responsibility models dictate that customers are responsible for ensuring compliance for any data or applications that customers deploy in the cloud. In most cases, cloud providers certify only that their underlying cloud infrastructure is HIPAA-compliant; they don’t guarantee (or even imply) that any workloads you choose to run in their clouds will be automatically HIPAA-compliant.
Choose the Right Cloud Region
Although HIPAA doesn’t forbid the storage of PHI on cloud servers located outside of the United States, the federal government has issued guidance suggesting that if businesses choose to store data in geographic locations where there are “documented increased attempts at hacking or other malware attacks,” they must take steps to address these risks.
The guidance does not specify which locations carry these risks. The simplest approach from a HIPAA compliance perspective is to store data in cloud regions located in the U.S.
Use Cloud Access Control
An essential best practice for securing PHI in the cloud is to use cloud access control frameworks, such as your cloud’s IAM tools, to restrict which users and applications can access the data.
Anonymize Cloud PHI
Data anonymization is another useful technique for mitigating HIPAA privacy risks. It does not eliminate those risks entirely, because data that is nominally anonymous can sometimes be re-identified. Still, anonymizing cloud data mitigates some HIPAA risks.
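To make the distinction between "nominally anonymous" and actually hard to re-identify concrete, here is an added example (not code from the original article) that anonymizes a constructed patient record. Direct identifiers are replaced with keyed HMAC tokens, quasi-identifiers such as ZIP code and date of birth are coarsened, and a small review check shows why an unkeyed hash of a medical record number is not anonymization at all: the space of possible MRNs is small enough to enumerate. The record, the field names and the `MRN-` number format are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Iterable, Optional

# Constructed sample record of the kind a cloud-hosted application might hold.
# Every value is invented for this example; the IP address is from a documentation range.
SAMPLE_RECORD = {
    "patient_name": "Jane Example",
    "mrn": "MRN-00012345",
    "zip": "02139",
    "dob": "1984-07-19",
    "ip": "203.0.113.42",
    "diagnosis_code": "E11.9",
}

# Fields that directly identify a person are replaced with tokens; quasi-identifiers
# (ZIP, date of birth) are coarsened; everything else passes through unchanged.
DIRECT_IDENTIFIERS = ("patient_name", "mrn", "ip")

# In practice this key lives outside the anonymized dataset (a KMS or secrets manager);
# here it is generated fresh each run for the example.
PSEUDONYM_KEY = secrets.token_bytes(32)


def pseudonymize(value: str, key: bytes) -> str:
    """Keyed HMAC-SHA256 token for a direct identifier.

    Equal inputs give equal tokens, so records for the same person can still be
    joined, but without the key a token cannot be recomputed from a guessed input.
    """
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def unkeyed_token(value: str) -> str:
    """Plain SHA-256 digest: what a naive 'just hash the identifier' approach produces."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()[:16]


def generalize_zip(zip_code: str) -> str:
    """Coarsen a 5-digit ZIP code to its 3-digit prefix."""
    return zip_code[:3] + "00"


def generalize_dob(dob_iso: str) -> str:
    """Coarsen an ISO date of birth (YYYY-MM-DD) to the year alone."""
    return dob_iso[:4]


def anonymize_record(record: dict, key: bytes) -> dict:
    """Return a copy of `record` with identifiers tokenized and quasi-identifiers coarsened."""
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            out[field] = pseudonymize(value, key)
        elif field == "zip":
            out[field] = generalize_zip(value)
        elif field == "dob":
            out[field] = generalize_dob(value)
        else:
            out[field] = value
    return out


def recover_by_enumeration(token: str, candidates: Iterable[str],
                           tokenizer: Callable[[str], str]) -> Optional[str]:
    """Review check: can `token` be matched by trying every plausible input?

    Identifier spaces such as MRNs are small enough to enumerate, so an unkeyed
    hash offers no real anonymity. A keyed token matches no candidate unless the
    reviewer also holds the key, which is why the key must be protected.
    """
    for candidate in candidates:
        if tokenizer(candidate) == token:
            return candidate
    return None


if __name__ == "__main__":
    print(anonymize_record(SAMPLE_RECORD, PSEUDONYM_KEY))
    mrn_space = [f"MRN-{i:08d}" for i in range(20000)]
    print("unkeyed hash recovered as:",
          recover_by_enumeration(unkeyed_token("MRN-00012345"), mrn_space, unkeyed_token))
    print("keyed token recovered as:",
          recover_by_enumeration(pseudonymize("MRN-00012345", PSEUDONYM_KEY), mrn_space, unkeyed_token))
```

The design choice worth noting is that tokenization is deterministic per key, so the anonymized dataset still supports joins across records, while the key is the only thing standing between a token and the original identifier. Treat the key as you would the PHI itself: store it separately from the anonymized data and restrict who can use it.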
Use Cloud Data Lifecycle Management and Versioning
Most cloud providers offer data lifecycle management tools that can automatically delete data based on rules you provide. Consider using lifecycle management to remove data after a specific period of time in order to limit the amount of PHI you store in the cloud.
You can also configure data versioning on some cloud storage services. This is helpful from a compliance perspective because it makes it easy to revert to earlier versions of data in the event that PHI is corrupted for some reason.
HIPAA Container Compliance
If you use containers to deploy applications, you may want to consider some additional best practices for achieving HIPAA compliance.
Scan Container Images
Container image scanning helps you detect malware and vulnerabilities inside container images, which attackers could use to gain unauthorized access to PHI data that may exist in a containerized environment.
Use Container RBAC Tools
Cloud IAM tools can restrict access to cloud container services in general, but they are not as granular or extensible as container-specific RBAC tools, such as Kubernetes RBAC and security contexts. Use the latter, where available, to apply additional protections to your containerized environments.
In Kubernetes environments, audit logging can alert you to breaches. Audit logs also help you demonstrate compliance with security mandates, which may be useful for certain HIPAA compliance purposes. Collect and analyze audit log data regularly – or, even better, continuously.
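As an added illustration of analyzing audit log data (this is example code, not part of the original article), the block below runs three detection rules over a handful of constructed Kubernetes audit events in the `audit.k8s.io/v1` JSON-lines format: successful secret reads in a PHI namespace by anyone other than an approved workload identity, `exec` into pods in that namespace, and repeated `403 Forbidden` responses for one user. The namespace name `phi-services`, the allow-list, the threshold and every event are assumptions made for the example.

```python
import json
from collections import Counter

# Constructed Kubernetes audit events (audit.k8s.io/v1, level Metadata), one per line,
# trimmed to the fields the rules below use. Users, names and timestamps are invented.
AUDIT_LOG = """\
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"a1","stage":"ResponseComplete","requestReceivedTimestamp":"2024-03-01T10:00:00Z","verb":"get","user":{"username":"system:serviceaccount:phi-services:records-api","groups":["system:serviceaccounts"]},"objectRef":{"resource":"secrets","namespace":"phi-services","name":"db-credentials"},"responseStatus":{"code":200}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"a2","stage":"ResponseComplete","requestReceivedTimestamp":"2024-03-01T10:01:00Z","verb":"list","user":{"username":"alice@example.com","groups":["developers"]},"objectRef":{"resource":"secrets","namespace":"phi-services"},"responseStatus":{"code":200}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"a3","stage":"ResponseComplete","requestReceivedTimestamp":"2024-03-01T10:02:00Z","verb":"create","user":{"username":"bob@example.com","groups":["developers"]},"objectRef":{"resource":"pods","subresource":"exec","namespace":"phi-services","name":"records-api-7d9f"},"responseStatus":{"code":101}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"a4","stage":"ResponseComplete","requestReceivedTimestamp":"2024-03-01T10:03:00Z","verb":"get","user":{"username":"dave@example.com","groups":["contractors"]},"objectRef":{"resource":"secrets","namespace":"phi-services","name":"db-credentials"},"responseStatus":{"code":403}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"a5","stage":"ResponseComplete","requestReceivedTimestamp":"2024-03-01T10:03:05Z","verb":"get","user":{"username":"dave@example.com","groups":["contractors"]},"objectRef":{"resource":"secrets","namespace":"phi-services","name":"api-token"},"responseStatus":{"code":403}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"a6","stage":"ResponseComplete","requestReceivedTimestamp":"2024-03-01T10:03:09Z","verb":"list","user":{"username":"dave@example.com","groups":["contractors"]},"objectRef":{"resource":"secrets","namespace":"phi-services"},"responseStatus":{"code":403}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"a7","stage":"ResponseComplete","requestReceivedTimestamp":"2024-03-01T10:04:00Z","verb":"get","user":{"username":"alice@example.com","groups":["developers"]},"objectRef":{"resource":"configmaps","namespace":"default","name":"app-config"},"responseStatus":{"code":200}}
"""

# Assumed policy for the example: which namespaces hold PHI workloads, which identities
# are expected to read secrets there, and how many denials in a row warrant a look.
PHI_NAMESPACES = {"phi-services"}
ALLOWED_SECRET_READERS = {"system:serviceaccount:phi-services:records-api"}
FORBIDDEN_THRESHOLD = 3
READ_VERBS = {"get", "list", "watch"}


def parse_audit_log(text: str) -> list:
    """Parse JSON-lines audit output into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def analyze(events: list) -> list:
    """Apply the detection rules; each finding is (rule, username, detail)."""
    findings = []
    forbidden = Counter()
    for ev in events:
        ref = ev.get("objectRef", {})
        user = ev.get("user", {}).get("username", "<unknown>")
        ns = ref.get("namespace")
        code = ev.get("responseStatus", {}).get("code", 0)
        if ns not in PHI_NAMESPACES:
            continue  # rules below only concern PHI namespaces

        # Rule 1: a successful secret read by an identity not on the allow-list.
        if (ref.get("resource") == "secrets" and ev.get("verb") in READ_VERBS
                and code < 300 and user not in ALLOWED_SECRET_READERS):
            findings.append(("secret-read", user, ev["auditID"]))

        # Rule 2: an interactive session opened in a pod that may hold PHI.
        if ref.get("resource") == "pods" and ref.get("subresource") in ("exec", "attach"):
            findings.append(("pod-exec", user, ev["auditID"]))

        # Rule 3 (aggregated after the loop): repeated Forbidden responses per user.
        if code == 403:
            forbidden[(user, ns)] += 1

    for (user, ns), n in forbidden.items():
        if n >= FORBIDDEN_THRESHOLD:
            findings.append(("repeated-forbidden", user, f"{n} denied requests in {ns}"))
    return findings


if __name__ == "__main__":
    for finding in analyze(parse_audit_log(AUDIT_LOG)):
        print(*finding)
```

Run against a real cluster, the same logic would read the API server's audit log file or the stream your log aggregator forwards, with the namespace set, allow-list and threshold drawn from your own environment. Note that the first rule deliberately ignores denied requests, which are handled by the third: an authorized read and a stream of rejected attempts are different signals and deserve different alerts.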
Secure Container Data
In some cases, PHI within containerized environments may exist in multiple places. It may originate inside the containers that collect or process it, but then move to storage volumes or host file systems. It’s also possible that data defined as PHI could end up inside logs, which may also originate inside containers but then be moved to an external location by a log aggregator.
What this means is that, in containerized environments in particular, you must understand the complexities of your storage architecture and ensure that PHI is encrypted and protected via access controls no matter where it is stored. You don’t want to secure PHI inside containers but forget to protect your data volumes, or vice versa.
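One of the places PHI leaks to without anyone deciding it should is application logging, as the passage above notes. The added example below (example code, not from the original article) scrubs constructed container log lines before they leave the pod for an aggregator, replacing identifier patterns with labelled placeholders and counting what was removed so the redaction itself can be monitored. The log format and the `MRN-` number format are assumptions; real deployments tune the patterns to their own identifier formats.

```python
import re
from collections import Counter
from typing import Iterable, List, Tuple

# Identifier patterns that commonly turn up in application logs. These three are
# constructed for the example; the SSN and MRN shapes are assumed formats.
PHI_PATTERNS = {
    "MRN": re.compile(r"\bMRN-\d{8}\b"),
    "SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "EMAIL": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
}

# Constructed container log lines, as a stdout log driver might hand them to an aggregator.
SAMPLE_LOG_LINES = [
    "2024-03-01T10:00:01Z INFO records-api request_id=7f3a user=jane.doe@example.com fetched chart MRN-00012345",
    "2024-03-01T10:00:02Z WARN records-api validation failed for ssn=123-45-6789",
    "2024-03-01T10:00:03Z INFO records-api health check ok",
]


def redact_line(line: str) -> Tuple[str, dict]:
    """Replace every PHI pattern match in `line` with a labelled placeholder.

    Returns the scrubbed line and a per-label count of substitutions, so a
    sudden rise in redactions can itself be alerted on (it usually means a new
    code path started logging something it should not).
    """
    counts = {}
    for label, pattern in PHI_PATTERNS.items():
        line, n = pattern.subn(f"[REDACTED-{label}]", line)
        if n:
            counts[label] = n
    return line, counts


def redact_stream(lines: Iterable[str]) -> Tuple[List[str], Counter]:
    """Scrub a sequence of lines, returning the scrubbed lines and total counts."""
    scrubbed = []
    totals = Counter()
    for line in lines:
        clean, counts = redact_line(line)
        scrubbed.append(clean)
        totals.update(counts)
    return scrubbed, totals


if __name__ == "__main__":
    out, totals = redact_stream(SAMPLE_LOG_LINES)
    print("\n".join(out))
    print("redactions:", dict(totals))
```

Redaction is a last line of defence, not a substitute for keeping PHI out of log statements in the first place: a regex catches the formats you anticipated and nothing else. It belongs at the point where logs leave the container boundary (a sidecar or the aggregator's input pipeline), which is exactly the hand-off the passage above warns about.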
HIPAA compliance is a complicated subject, especially in the age of the cloud. Regulators have left much up to interpretation when it comes to how to translate HIPAA principles into practice in cloud-native environments.
However, the good news is that HIPAA has been around long enough that a number of best practices have emerged for the cloud and containers regarding HIPAA compliance. Even if regulators won’t tell you exactly how to achieve HIPAA compliance in the cloud, the basic best practices for doing so are clear enough once you understand which types of data HIPAA protects and how to manage that data most securely within cloud and container-based environments.