by John Bloom
Principal Engineer
ClearDATA


While it's true that Microsoft provides what you need to create compliant workloads on Azure, having a good technology partner alone cannot ensure absolute compliance. As a developer, I know I'm typically heads down, focused on an application that delivers optimal experience; however, it's important to keep compliance in sight throughout the entire development process. Here are a few tips I found work best when working in Azure.

1. Know a Thing or Two About Regulatory Frameworks

As a developer, you speak and can interpret JavaScript, .NET, C++, or Python, which transforms a concept into a tangible application. However, when a HIPAA or GDPR regulation is referenced as criteria for your application, you may feel like you’re in a foreign country, unable to speak or understand the language. Not to worry—it’s okay that you’re not an expert at interpreting these regulations; but it is important to have some working knowledge of how to adhere to them, so that your work can in fact be put into practice within the healthcare industry. Protecting sensitive healthcare information is critical, and fines for non-compliance can exceed $100 million. Here are a few things you can do to help ensure compliance without having to become an expert on regulatory frameworks.

  • Learn where your data is stored
  • Be aware of where and how it’s encrypted
  • Know where temporary data resides
  • Be aware of how you are naming APIs
  • Be conscious of the various layers between your application and various connection points between them
  • Know if you have appropriate encrypted transport between the various layers

Being mindful of these things will help protect your organization’s sensitive data from loss or breach. You can also explore the following concise guides that provide an overview of these different frameworks. Understanding how these apply to healthcare IT will improve your practice and probably win you points with your boss:

2. Think “Cradle to Grave” When It Comes to the Data in Your Application

It’s important to think about the entire lifecycle of the data in your application. For example, the GDPR regulation mentioned earlier places particular emphasis on erasure, each citizen’s right to be forgotten. Essentially, it requires that an individual’s personal data be erased at that individual’s request without undue delay. With this type of regulation in place, it’s imperative that applications are designed so that data can easily be retrieved and removed when necessary. The best way to account for this is to build it in at the design level.

There is a tremendous amount of PHI or PII flowing through the backend of any application, and with it come frequent backups to be restored later. However, there is no easy way to get that data completely out of your solution, which can make it difficult to truly “erase data”. Hence the importance of approaching your application with a “cradle to grave” mentality and building a long-term strategy that lets you both access and remove data whenever needed.
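One design-level answer to the backup problem described above is crypto-shredding: encrypt each data subject’s records under a per-subject key, and honour an erasure request by destroying that key, so every copy (primary store, caches, backups) becomes unreadable at once. This is an added illustration, not ClearDATA’s code; the key store, record format and HMAC-based stream construction are constructed for the example.

```python
import hashlib
import hmac
import secrets
from typing import Dict


class SubjectKeyStore:
    """Per-data-subject encryption keys (constructed for this example).
    Destroying a subject's key makes every copy of that subject's ciphertext,
    including copies sitting in backups, permanently unreadable."""

    def __init__(self) -> None:
        self._keys: Dict[str, bytes] = {}

    def key_for(self, subject_id: str) -> bytes:
        # Create a fresh 256-bit key the first time a subject is seen.
        return self._keys.setdefault(subject_id, secrets.token_bytes(32))

    def has(self, subject_id: str) -> bool:
        return subject_id in self._keys

    def destroy(self, subject_id: str) -> None:
        self._keys.pop(subject_id, None)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 used as a PRF in counter mode, only to keep the example
    # dependency-free. Production code should use an AEAD such as AES-GCM.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_record(store: SubjectKeyStore, subject_id: str, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext for one record belonging to subject_id."""
    nonce = secrets.token_bytes(16)
    ks = _keystream(store.key_for(subject_id), nonce, len(plaintext))
    return nonce + bytes(a ^ b for a, b in zip(plaintext, ks))


def decrypt_record(store: SubjectKeyStore, subject_id: str, blob: bytes) -> bytes:
    # Check before key_for(), which would otherwise mint a new, useless key.
    if not store.has(subject_id):
        raise LookupError(f"key for {subject_id} was destroyed; record is unrecoverable")
    nonce, ct = blob[:16], blob[16:]
    ks = _keystream(store.key_for(subject_id), nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks))


def erase_subject(store: SubjectKeyStore, subject_id: str) -> None:
    """Right to erasure: rather than hunting every copy, destroy the key."""
    store.destroy(subject_id)
```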

3. Use Application Insights to Understand Gaps in Your Workload

As you’re making the journey to the cloud, Application Insights will give you just that: the insight you need into your application hosted in Azure—something that can be difficult or expensive to do on-prem. Application Insights helps you identify problems and failures that can cause security holes. If you’re developing with .NET, it can be enabled with just a click of a button. (Note: there are other packages available if you’re using a different language.)

Application Insights provides a continuous integration pipeline with release management and monitoring tools for developers. It also feeds into some of Azure’s machine learning services, which opens up opportunities for you to take advantage of predictive analytics.

Any good development team should be using a continuous integration pipeline that lets you know the path is secure. Rather than building it yourself or using a third-party tool, the seamless integration of Application Insights with Azure is one you will want to take advantage of.

4. Do Not Store Keys Inside Your Application

If you are not already using Azure Key Vault, or have not considered it, it’s time to. More than likely your applications are connected to a database, and often the credentials to the database are stored in a config file as plain text. Azure Key Vault ensures these passwords are encrypted, preventing people from accessing them directly. Developers can call Key Vault, which holds the protected information, without the keys being exposed to unnecessary eyes. This enhances your security and the protection of PHI and PII, which is paramount with any sort of healthcare application.
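As an added example (not ClearDATA’s code), here is a small settings loader that refuses plaintext credentials in config, resolves `keyvault:<secret-name>` references (a convention constructed for this example) through the Azure SDK, and checks that the resulting database connection string insists on encrypted transport between the application and database layers. The Key Vault calls (`DefaultAzureCredential`, `SecretClient.get_secret`) are the real azure-identity / azure-keyvault-secrets APIs, imported lazily so the rest runs offline with a fake resolver.

```python
import re
from typing import Callable, Dict

# Constructed convention: a value "keyvault:<secret-name>" is a reference to a
# secret held in Azure Key Vault, never the secret itself.
SECRET_REF = re.compile(r"^keyvault:(?P<name>[A-Za-z0-9-]+)$")
# Setting names that must never hold a literal value in config.
CREDENTIAL_SUFFIXES = ("password", "pwd", "secret", "apikey", "connectionstring")


def keyvault_resolver(vault_url: str) -> Callable[[str], str]:
    """Resolver backed by the Azure SDK (azure-identity, azure-keyvault-secrets).
    Imported here so that the module still loads where the SDK is not installed."""
    from azure.identity import DefaultAzureCredential
    from azure.keyvault.secrets import SecretClient
    client = SecretClient(vault_url=vault_url, credential=DefaultAzureCredential())
    return lambda name: client.get_secret(name).value


def load_settings(raw: Dict[str, str], resolve: Callable[[str], str]) -> Dict[str, str]:
    """Return settings with Key Vault references resolved.
    A credential-looking key given as a literal value is rejected outright."""
    settings: Dict[str, str] = {}
    for key, value in raw.items():
        ref = SECRET_REF.match(value)
        normalized = key.lower().replace("_", "").replace("-", "")
        if ref:
            settings[key] = resolve(ref.group("name"))
        elif normalized.endswith(CREDENTIAL_SUFFIXES):
            raise ValueError(f"{key} holds a plaintext credential; move it to Key Vault")
        else:
            settings[key] = value
    return settings


def requires_encrypted_transport(connection_string: str) -> bool:
    """True if an Azure SQL-style connection string demands TLS and does not
    disable server certificate validation."""
    opts = {}
    for part in connection_string.split(";"):
        if part.strip():
            k, _, v = part.partition("=")
            opts[k.strip().lower()] = v.strip().lower()
    return (opts.get("encrypt") in ("true", "yes")
            and opts.get("trustservercertificate", "false") not in ("true", "yes"))
```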

5. Adopt an Image Hardening Standard like CIS

With some applications in the cloud, developers leverage virtual images (Azure calls them Virtual Machines) that deliver some of the core benefits of the cloud. This includes giving you computing operations in a virtual environment—eliminating the cost and resources of hardware and software. When using Virtual Machines, it is a best practice to harden these images so that you protect your application and reduce the risk of cyber threats or attacks. CIS provides community-driven guidelines called CIS Benchmarks that will help you implement best practices.

These are just some of the actions we take at ClearDATA when helping our customers migrate their workloads to Azure while keeping them compliant. We are security and compliance experts: we eliminate the burden and stress of interpreting the different regulatory frameworks and apply them to your environment so that you can focus on developing your application. For example, hardening an image manually can take time even if you are using the CIS hardening guidelines. ClearDATA takes it one step further and automates hardened images so that they’re consistently secure and compliant whenever a new workload is spun up.

Our Compliance Dashboard gives you visible insight into your compliance posture so you can prove your compliance within your environment—whether you need to show it to a customer, internal stakeholder, or even an auditor. Contact us today if you’d like to learn more about how we can help.