HIPAA Compliance for Containers: Impact Analysis and Best Practices
Since 1996, the HIPAA act has mandated how personal health information (PHI) should be secured and protected from prying eyes. HIPAA requirements changed how companies in the healthcare industry treat patient data, as well as the processes governing it, the applications that handle it, and the infrastructure that runs those applications. In the U.S, following HIPAA rules is mandatory, carrying stiff penalties for infractions, but even outside the U.S. HIPAA has had an effect on local legislation and is used as a yardstick for handling healthcare data.
When a significant new technology comes into play, it has implications for regulatory compliance - if the technology affects how PHI data is stored, or how applications that handle PHI are architected, developed and run, there are bound to be many changes that affect compliance, both negatively and positively.
How Do Containers Impact HIPAA Compliance?
31% of enterprise cloud developers are using containers during design and testing, according to a recent Forrester report on container security. Where applications are being developed on containers, they are likely to also be deployed on containers, so the days where containers dominate application architecture are approaching fast.
There are several key areas in which containers may fundamentally change HIPAA compliance posture:
- Application Development: Application development practices of container-based applications often rely on continuous integration and delivery (CI/CD) practices, which completely change the governance and security of applications, and render many tools obsolete.
- Introduction of Vulnerabilities: Container images that are built using open-source components and assembled code may contain vulnerabilities, which must be discovered and mitigated.
- Network Security: Since containers are often ephemeral and their networking depends on application context rather than where they run, traditional network security controls that rely on IP addresses or even VM networking are not effective in controlling container network connections.
- User Access Control: User access to containers is managed independently from host access, and often done via orchestrators. This creates a parallel track to existing controls which can be bypassed.
- Segregation of Duties: Containers may change how credentials and secrets, such as access keys and tokens, are managed and used.
- Logging and Auditing: Existing tools for collecting events such as login attempts, data access and start/stop events are “blind” to containers, and these gaps must be addressed.
The good news is that, done right, containers can actually make it easier to achieve HIPAA compliance, and Aqua helps to meet many of the requirements and automate the process, reducing the effort required and maintaining compliance posture on an ongoing basis. Aqua operates across orchestration environments, whether Docker, Kubernetes, OpenShift or Mesos/Marathon.
How Aqua Can Help
Aqua’s Container Security Platform enables and automates many capabilities that help comply with the HIPAA security rule, including:
- Vulnerability management: Scanning images, identifying vulnerabilities, continuously monitoring for new vulnerabilities, and facilitating mitigation and acknowledgment of vulnerabilities.
- Managing credentials for authorized devices and users: Role-based user access control at the container level, preventing unauthorized access.
- Maintaining network integrity: Nano-segmentation at the container level, preventing security events from spreading.
- Containing and mitigating incidents: Behavioral container profiles and cyber threat mitigation defenses that act as IDS/IPS for containers.
- Aggregating event data, collecting audit/log records: Full audit trail of container-related events including start/stop, user access, etc., integrated with 3rd party SIEM and analytics.
To learn more and see how you can meet HIPAA compliance, requirement by requirement, download our full guide.