Working in a highly regulated industry like healthcare and life sciences brings an additional amount of complexity to any sort of development organization. Regulations and standards like HIPAA, GDPR, GxP, and NIST put forth requirements of how sensitive data can be used; however, they are vague and non-prescriptive and definitely not written in the perspective of cloud. But at the end of the day, these regulations are in place to protect the privacy of patients—something we can all relate to. So while you’re focused on building out your application, here are some best practices to protect PHI when using the public cloud that are sure to impress your compliance organization.
1. Be proactive: Ensure PHI is secure and compliance mechanisms are in place before production
The earlier you start enforcing compliance, the more likely you are to hit your timelines. If you find out you’re out of compliance in production, you’ll have to go back through the development cycle and figure out what went wrong and how to go about it differently, which could put you at risk for meeting your delivery date.
2. When working with virtual compute, harden the operating system according to CIS standards and keep it up to date regularly
Build your images with the lowest number of administrative permissions and privileges and services and ports that are necessary [so that…..] tip: the Center for Internet Security (CIS) provides some guidelines to help you to get started. Update these images regularly and don’t forget to implement a patching schedule, too.
3. Maintain the same services configuration across all phases of development
Variance in configurations—even minor ones that you might not catch, like changing the version of a dependency or of libraries for a containerized application—could cause you to fall out of compliance without even knowing it. Take a compliance-first approach starting in your test or development phases.
4. Treat De-identified or anonymized data as if it’s PHI
Not only do the sets still have value, but there is always a chance of malicious reidentification; therefore, it’s best to treat those data sets as if they’re made up of sensitive healthcare information.
5. Secure both the input and output of data used with PaaS and Machine Learning services
These types of services typically involve large amounts of data to manipulate. Ensure the data is secure in terms of both how you are inputting the data as well as how you secure the output.
6. Make sure you can prove your compliance
Audits are unavoidable. Whether it’s mapping the appropriate technical controls to the healthcare standard or documenting how each service and resource is configured, plan ahead to think about what you will tell or show your Security Engineer or Compliance team to prove the application is safe and secure.
7. When using serverless and emerging technologies, make sure the serverless environment doesn’t create a compliance gap
Serverless and other emerging technologies like Kubernetes allow for enhanced application design, but it’s important to understand that these new technologies can often be hidden from traditional compliance tools. Developers should verify that any technology used has an appropriate control in place so it doesn’t create a gap in visibility or allow vulnerable software to be exploited, such as a vulnerable library in a container. This can be mitigated either with security tools that are developed to ensure you have visibility at the software and data planes, or by performing vulnerability analysis early in the software pipeline to help close any potential gaps.
8. Stay up to date on changes and new features coming from the public cloud
The public cloud vendors release hundreds of updates every month. Subscribe to the blogs so you can stay up to date on any changes or new features that your public cloud releases. Monitor your deployments continuously to be sure changes or features don’t impact your compliance posture. Be sure to monitor closely in case you need to make any adjustments to your current configurations of services. Pro Tip: pay close attention during the week of their annual conferences, where there are hundreds of releases in one month alone. Note these months for future:
- December = AWS (Re:Invent)
- April = Google Cloud (Google Next)
- July = Microsoft (Inspire)
One of the biggest challenges in adhering to compliance within a healthcare organization, while also wanting to use the latest technology, is understanding how the law or policy for a regulation applies to the latest technology. It’s important to have expertise not just in the law, and not just in cloud technology, but to have complementary expertise such that both of those groups collaborate together. That’s where having a trusted partner like ClearDATA comes in.
ClearDATA can help you and your development team enforce compliance in the public cloud throughout the lifecycle of your application and demonstrate compliance with real-time reporting. As a healthcare-exclusive, HITRUST certified organization, we understand the importance of keeping PHI safe and secure and the risks associated with it if it’s not. We also understand the pressure you’re facing to transform rapidly and get to market faster to remain competitive. You don’t need to be an expert in standards and regulations like HIPAA and GDPR—your expertise lies in your cloud skills (and your certifications probably prove that) and building state of the art applications. We understand how the law is written and how constantly-evolving technology like the cloud needs to be configured appropriately to adhere to the different regulations and standards.
Our SaaS offering, ClearDATA Comply™, gives you:
- Direct access to the cloud, AWS, Azure, and Google Cloud, while our software runs in the background to keep PHI safe and secure
- Automated Safeguards, which enforce more than 180 technical controls across more than 70 multi-cloud services, based upon our interpretation of how the service must be configured in order to keep PHI secure
- Insight into services that were remediated automatically based upon non-compliant actions
- ClearDATA hardened images, based upon CIS benchmarks
- Available for multiple enterprise operating systems
- New images are patched and built nightly, and released monthly
- Numerous reports that provide details of your compliance status across your full environment, or specific to a certain control that can pull data over time and display current state