Automated Safeguards: Innovating with Guard Rails
by Matt Ferrari
Co-Founder & Former CTO
Our customers have been hearing some exciting news this year about Automated Safeguards, part of our SaaS solution, ClearDATA Comply™.
Automated Safeguards are how ClearDATA provides guard rails around AWS that allow a healthcare customer to use native public cloud tooling to develop within their own environment, all while keeping them compliant against GDPR, HIPAA, SOC2, GxP, GmP and other regulatory and compliance frameworks.
It’s a really important addition to the value ClearDATA brings to the healthcare industry, because most healthcare customers want to use native tooling but worry about how to remain compliant. The public clouds have great white papers on to how to utilize and provision compliant platforms, but how does a customer not just get compliant to begin with, but also remain compliant throughout the lifecycle of the application? So many actions can change the compliance stature, from change management to incident management. Every time a new clinic opens, or a new employee is hired, that organization’s compliance can shift. The reality is that healthcare organizations do not typically staff for this - they don’t have an eye on all of the public cloud services and map to the compliance frameworks.
Automated safeguards are an exciting offering to developers across the healthcare industry who want to explore, expand and innovate in the cloud, but need to remain compliant.
ClearDATA’s Automated Safeguards cover five services today on the Amazon Platform. Let’s look at each and what they mean to you as a public cloud user in healthcare.
RDS is a cloud service that makes it easier for you to set up, operate, and scale relational databases in the cloud. It is one of the fastest growing services that ClearDATA offers. RDS is designed to let you set-up, operate, and scale with a few clicks, rather than old school methodology of provisioning a database server, paying for the hardware, enabling the set-up, managing continuous patching, and performing back-ups and maintenance of the application. Instead, you have the RDS service that supports multiple database types (i.e., MySQL, Oracle, Aurora, PostgreSQL, Microsoft SQL, and more). You’ll use this for memory and performance without having to manage all of that database infrastructure that database administrators used to have to manage.
Here are some ways ClearDATA is keeping RDS compliant:
- Providing the ability to use private subnets
- Making sure the storage is forcing encrypted network protocols
- Enabling RDS backups at all times
- Enabling multi-availability zones at all times
When anything deviates from being in compliance, two things happen. First, the checks inside our compliance dashboard turn red, and alert our support organizations to remediate. Second, a ticket is opened inside the ClearDATA incident management system, so that we can respond appropriately, inform you, and make sure that they you compliant at all times.
The second service that is getting automated safeguards is ELB – that’s Elastic Load Balancing. It’s the ability to achieve fault tolerance for any application by automatically distributing incoming traffic across multiple targets. Maybe it’s Amazon EC2, or containers, or IP addresses, but you will be able to distribute load from a traffic perspective, which is exciting because you can use this in a compliant environment as it relates to PHI. AWS is set up with multi-availability zones, so you can push traffic across multiple data centers. If one has a latency issue or a data outage – which frankly is incredibly rare on AWS – the ELB will automatically pick up the traffic without interruption of services.
Here are some examples of what ClearDATA is doing with safeguards for ELB to make sure all traffic is encrypted and all logs are collected:
- HTTPS or secure protocol over port 443
- Access logging for ELB is always enabled (important for compliance)
- Appropriate TLS version inside of ELB – this is Transport Layer Security which provides cryptographic protocols providing communications security over the network
The third automated safeguard is for S3. Everyone working in the cloud today knows S3 well – it’s the object store inside of AWS that retrieves any amount of data from anywhere. It has incredible up-time and is used for medical devices, IoT, and mobile apps, to name a few examples. It is a massive, growing market from both an AWS and healthcare perspective. As we think about automating safeguards for S3 here are some things we provide you:
- Making sure S3 encryption is turned on at the bucket level (think of a bucket like a folder in Box or Dropbox)
- Making sure all traffic to and from the S3 bucket is encrypted
- Providing authenticated user access
The automated S3 authenticated user access is important because it prevents a misconfigured bucket from being open to the world. This provides you additional security against one of the more common misconfigurations that users create causing compliance and security risks.
4. Security Groups
In AWS, we’re working to provide security groups to add rules for inbound and outbound traffic. Today, you can assign up to 500 security groups to an instance, and up to five per network interface. This lets you build out defaults for very specific security groups per VPC (virtual private cloud), as well as by regions. This way, when you launch an instance, it automatically associates with the defined group that was created. This enables you to have repeatable security groups. Previously, one of the biggest challenges to scaling your app or your organization was maintaining security groups over time. Every time you grew your organization, you had to redeploy security groups from scratch, and now ClearDATA has automated that. Here’s what we’ve built in for this safeguard:
- Checking for ports in standard ClearDATA white-labelled ports available to our customers to use while protecting from ports that are insecure
- Checking for port ranges in the preapproved customer white list. Say your EMR needs 10 ports open for doctor offices and urgent care facilities. ClearDATA stores your pre-approved white lists inside of your automation platform, and at the time of provision, if those are the ports that are selected, those security groups will automatically be set up for you.
The fifth, and final important safeguard I want to discuss is IAM, or Identity and Access Management. IAM enables you to manage access to AWS services and resources securely. You’ll have the ability to manage AWS users in groups. But more specifically, you will be able to allow permission only to the resources each user or group needs to access. IAM also allows for multi-factored authentication and provides amazing integration into federated access or corporate directories inside a healthcare system. This all works with the best practice of minimum privilege – you want to be sure you grant the minimum access that allows each user to still do their job successfully, never granting more than any person needs. As it relates to IAM, ClearDATA is offering these automated safeguards:
- Providing you with User Admin-capable users so that you can leverage IAM to set up users in a compliant fashion that can be tracked.
- Create these users and assign groups and policies, but only within our best practices, or the ClearDATA Path. This may sound onerous at the onset, but it’s powerful protection because you can only create permissions approved by ClearDATA. By rolling out users with permissions that already have been approved, your organization can use IAM natively, and as you add new users you have the assurance that it’s in a best practices model.
Learn more about our AWS solution here.
Learn more about ClearDATA Comply Automated Safeguards here.