Automating HIPAA Compliant Hosting By Using DevOps

Source: gigaom.com

DevOps is no longer just an industry buzzword. It has become the standard development practice irrespective of the size of the business and across a range of industry verticals. The healthcare industry which historically has been a laggard when it comes to adopting new technologies is quickly catching pace and has started to see the advantages of hosting healthcare data in the cloud using DevOps.

Managing compliance in healthcare software

There has been a huge surge in the amount of healthcare data being generated in recent times. Apart from the EMRs and EHRs, there has been a tremendous increase in the amount of healthcare-related data produced by the health monitoring devices and other health applications as well.
Compliance with the regulations is a must when storing health data. The sensitive patient data is subject to several laws and regulations like HIPAA, HITECH, GDPR and so on. With new and stringent compliance norms being rolled out and increasingly aware consumers who are alert about their privacy and data safety, adherence to the data compliance norms decidedly takes the main stage when dealing with healthcare software development.

What is HIPAA?

HIPAA or the Health Insurance Portability and Accountability Act is a legislation by the government of the United States that provides provisions for data privacy and security of sensitive patient data and safeguarding medical information.
The act aims at modernizing the flow of healthcare information and protecting any personally identifiable information maintained by healthcare providers, insurers or any associated organization.

Why take the DevOps approach for ensuring HIPAA compliance?

The benefits of DevOps for organizations are multifold. By correctly applying the DevOps principles, you ensure that your organization starts off on the right foot for ensuring compliance. Instead of worrying about compliance after the application development phase is completed, following the DevOps practices necessitates the incorporation of compliance into the pipeline right from the beginning of the development process.
Since DevOps breaks down the silos that exist between the development and operations teams, it brings everyone together to think of compliance to norms. Unlike traditional processes where the only people worrying about HIPAA compliance are the members of the security team and possibly the lawyers, DevOps offers the opportunity to every team member from developers to testers to the IT ops guys, to work collaboratively and become stakeholders for ensuring compliance to the HIPAA norms.

Automating the process to ensure HIPAA compliance has the potential to improve the speed, security and reliability to the norms stated. Moving data and workflows to the cloud gives you accessibility to data and promotes interoperability but the security of cloud-hosted data remains a challenge. Ensuring that the data stored on cloud stays HIPAA compliant is a challenge that DevOps can make manageable.

How to automate HIPAA compliant hosting using DevOps

Automating a secure cloud-based healthcare organization has much more to it than simply choosing a HIPAA compliant cloud service provider. In addition to covering the prerequisites for HIPAA compliant hosting, you also need to ensure that the security of the sensitive patient data is given due importance. Taking the DevOps approach in software development can facilitate compliance by design.

Design the process for incorporating security

In the traditional development practices, the security team’s role came into the picture at the end of the development cycle which lasted for months or even years. The healthcare applications that work on the DevOps principles have a much higher development velocity than the traditional development cycles. The security review at the end of the development cycle no longer suffices. It has to be baked into the process itself.
Infusing an aspect of security into the DevOps process, popularly termed as DevSecOps, requires a shift in the mindset when developing healthcare applications. Security needs to become a shared responsibility with an end to end integration approach.

Security needs to be considered right from the beginning when designing the application infrastructure. Automation of the security gateways is another important component for ensuring that the DevOps workflows do not slow down.

Secure coding
Developers have access to tools such as open-source code vulnerability scanners and static code analyzers which are capable of testing the code for security lapses as soon as the changes are manifested. With secure coding in place, the errors are caught earlier and rectified sooner resulting in greater compliance and a more secure database.

Version control
Application development with version control requires the developers to periodically check in the changes they made to a common repository. This ensures that every member of the team has access to the latest version of the application. It also helps with automated deployments and DevOps results in a more secure development process. This also brings transparency into the process by ensuring that the changes made to the application are clearly reflected in the system.

Continuous Integration
Once version control is established, continuous integration results in an automated build as the code changes get checked in. Unit tests and early feedback ensures that the code and its related resources are integrated regularly and the teams can detect problems, if any, at an earlier stage. In case any particular build fails, the teams can fix the errors and re-test it allowing a stable build to be always available.

Release management
The deployment and release of the artifacts need to be done against a staging database. A database architect needs to review it to determine its production readiness. The actual deployment may be manual, automated using a release management tool or managed using a staging environment depending on the level of control required in the project.

Ensure security of cloud-hosted data

There are two aspects of security that need to be looked out for- security of the data and security of the CI/CD pipeline. The development and operations environment need to be scrutinized individually.

Cloud-native technologies like microservices and containers are a major part of the DevOps initiatives and these need to be covered under security to ensure that the cloud-hosted data remains compliant to HIPAA. Containers allow for a dynamic infrastructure at a larger scale. Static security policies aren’t sufficient to ensure the security of sensitive data. The security needs to be continuous and ingrained into every stage of the healthcare app life cycle.

Standardization of the environment
Standardization and automation of the environment is essential to minimize the chances of unauthorized access. In the case of microservices, tight access control and centralized authentication mechanisms are required for ensuring security.

Data encryption and secure API gateways
A container orchestration platform with the required security features like encryption of data between apps and services reduces the chances of damage as a result of any unauthorized access. Secure API gateways increase routing visibility and promote authorized access. By limiting the number of exposed APIs, the security of the data increases.

Isolate the containers
Containers are a target for valuable data, both in transit and at rest. These need to be isolated from one another as well as from the network to address the security concerns. Additionally, integrating security scanners for the containers is a measure in the right direction to amp up the security.

Automate the testing
Security analysis tools should be incorporated as a part of the build. The input validation tests, authentication and authorization need to be automated. Automation of security updates via a DevOps pipeline results in formation of a well-documented change log that is beneficial during the audit process as well.

Monitor for compliance

Monitoring of the performance and availability of the application is crucial in DevOps. This not only ensures that the features are released to the users at a faster pace, but it also makes sure that the quality and security standards are upheld and in compliance with the regulatory guidelines.

Any unusual blockage or deadlock into the process has to be resolved in real-time. The effect the deployments have on the performance also has to be communicated during the ongoing production cycle. Healthcare organizations are required to monitor and manage access to data.

The sensitive data stored within the database has to be available and identifiable and breaches if any have to be reported promptly. You also need to have access to the records of data management and server use so that any inherent performance issues can be quickly resolved.
Closing words
HIPAA compliance is a mandatory requirement if your organization stores database, infrastructure or workflows on the cloud. Irrespective of whether you are building a web application or mobile app, DevOps has the potential to help you with seamless application delivery.

The application developed need to give full visibility for audits and maintaining regulatory adherence to the norms. Integration of security in DevOps requires an upheaval in the mindsets, processes and tools being used for it to be effective in the cloud environments.