Kubernetes and Security: 6 Keys for HIPAA Compliance
by Stephen Trout
When it comes to deploying applications and services at scale, the ability to use efficient, containerized pieces of software has clearly changed the game.
Containers are highly valued for their portability and ability to run on various environments — including local desktops, virtual and physical servers, test and production environments, and in private or public clouds. As widespread adoption of containers continues, Gartner’s prediction that more than “70% of global organizations will run containerized applications by 2022” certainly seems accurate.
But what about security, particularly for healthcare applications? The good news is that container systems like Kubernetes can be HIPAA Compliant, with the right security measures applied. (If you paused reading the last sentence and thought Kuber-what?, here’s a quick overview):
What is Kubernetes?
Kubernetes is an open-source container system originally launched by Google, and comes from a Greek word meaning helmsman or pilot. It provides a unique platform for “automating deployment, and scaling operations of application containers across clusters of hosts.”
In contrast to the old-school method of spinning up a whole new virtual machine for one application — an underutilization of the machine’s total resources — each container possesses all the self-contained applications (code and system tools) needed to run them.
In addition, the strength of Kubernetes is also seen in its ability to choreograph these stand-alone, containerized applications (as well as groups of resource-sharing containers known as “pods”) from a single interface in various cloud deployments, utilizing a system of Master and Worker nodes.
Containers therefore give far more economy and flexibility to the development process, as they “provide developers the ability to run the entirety of an exact copy of a production app locally on a development laptop system” (see NIST 180–190).
That said, what’s involved in making containers HIPAA compliant? Here’s 6 principles to keep in mind:
6 Keys for HIPAA Compliance
- HIPAA compliance for containers first depends on a company-wide, security culture.
Specifically, this means that DevOps teams must become DevSecOps, supported by an administration that embraces a security mindset as the new normal.
Practically, this means that all new builds should design-in security from the start, with robust, secure access policies (including strong passwords) in play.
2. HIPAA compliance for containers is best served by separate development and testing environments to isolate any security concerns.
These environments should be managed with careful access controls, including:
- least privilege access
- careful control over what commands can be run
3. HIPAA compliance for containers requires knowing where your data (including software) resides, and making sure it’s safe and protected.
This is critical because:
Container images contain software (executable code that allows the container to run), which may have malware attached. For this reason, using only up-to-date images from whitelisted, trusted repositories is critical.
4. HIPAA compliance for containers requires reducing risk, through vulnerability scanning and monitoring.
Automated scanning of containers at all stages of deployment will ensure images and registries are safe from vulnerabilities. Monitoring at the container level can also help identifying issues impacting application performance.
5. HIPAA compliance for containers requires in-transit and at-rest data protections. This will require you to:
Secure (encrypt) all data moving in and out of your containers
6. HIPAA compliance for containers, like all HIPAA compliant environments, will include regular, automated backups.
Containers typically provide high availability, but may not survive a disaster. Replicating images, attached databases, deployments, persistent storage in pods, and resources, is the only way to ensure your environment is available in a catastrophic disaster.
Summary
Healthcare organizations are benefitting from Kubernetes’ vast open-source community of collaborators, years of R&D, and excellent security innovations. Still, Kubernetes’ complexity may make harnessing these benefits impossible for most organizations.
HIPAA Vault has the expertise to manage Kubernetes for you, so you can focus on your business. We’ll optimize your environment and allow you to reap the benefits, while keeping your sensitive data safe and protected.
Questions about Kubernetes? Give us a call (760–290–3460), or chat with us online at www.hipaavault.com.
HIPAA Vault is a leading provider of HIPAA compliant solutions, enabling healthcare providers, business organizations, and government agencies to secure their protected health information from data breaches, threats, and security vulnerabilities. Customers trust HIPAA Vault to mitigate risk, actively monitor and protect their infrastructure, and ensure that systems stay online at all times. In addition to HIPAA Compliant WordPress, HIPAA Vault provides secure email and file sharing solutions to improve patient communications. For more information, or to schedule a penetration test, call us at: 760–290–3460, or visit our website at www.hipaavault.com
