When it comes to personal data, an individual's health records are among the most sensitive. Protecting them from being accidentally or deliberately leaked or misused is of the highest importance, both from the individual's perspective and from a governmental perspective.
HIPAA is designed to establish policies, procedures and safeguards through the implementation of a set of rules for compliance. The rules cover privacy, security, breach notification, enforcement, and an omnibus rule that deals with recent HIPAA updates.
Compliance with the requirements of HIPAA's privacy and security rules seeks to prevent identity theft and health insurance-related fraud. To that end, HIPAA compliance is required of all organizations that handle Protected Health Information (PHI), including hospitals, pharmacies, health insurance providers, and so on.
Alcide now enables the healthcare community to run a free scan of their Kubernetes deployments and generate a report that lists out vulnerabilities and compliance risks that are related to protected health information.
The below checks are drawn from Alcide’s eBook Achieving HIPAA Compliance with Alcide Kubernetes Security that we recently published.
- Visual Mapping for fast identification
What this means is that organizational communication and data flows need to be mapped, and that software platforms and applications within the organization are inventoried.
An automatic discovery of cloud and Kubernetes workloads, with a graphical representation of infrastructure and applications (services), is therefore needed. It should show all Kubernetes workloads and their respective connections in real time. HIPAA environments can be classified using Kubernetes-native tags (annotations) to pinpoint and identify HIPAA-designated connections to any network (internal or external). This aids the secure management of HIPAA-related data flows.
- Identify and document asset vulnerabilities
This requirement ensures that Kubernetes environments are hardened to conform to best practices. Checks can be configured to test for compliance with standards, such as the Center for Internet Security (CIS) Benchmark for Kubernetes, as well as scans for Common Vulnerabilities and Exposures (CVEs).
- Access Control
Access permissions need to be managed, incorporating the principles of least privilege and separation of duties.
Monitoring and alerting on access to all designated HIPAA workloads is a must, and Kubernetes RBAC rules should be configured to limit access to HIPAA-related resources.
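As an added example (not from Alcide's eBook or product) of the RBAC point above, the manifests below show a hypothetical namespace tagged as HIPAA-scoped with an annotation, a cluster-admin binding of the kind such a scan should flag, and the least-privilege Role and RoleBinding that replace it; the namespace, group name and annotation key are assumptions.

```yaml
apiVersion: v1
kind: Namespace
metadata:
  name: hipaa-billing                      # hypothetical namespace holding PHI workloads
  annotations:
    compliance.example.com/hipaa: "true"   # assumed annotation key used to tag HIPAA scope
---
# WEAK: binds the developer group to cluster-admin, so every member can read
# secrets and change workloads in every namespace, PHI namespaces included.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: billing-devs-admin
subjects:
- kind: Group
  name: billing-devs                       # hypothetical developer group
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io
---
# CORRECTED: a namespaced Role with only the verbs the group needs; secrets and
# pods/exec are deliberately absent so PHI-bearing credentials stay out of reach.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: billing-readonly
  namespace: hipaa-billing
rules:
- apiGroups: [""]
  resources: ["pods", "pods/log", "services"]
  verbs: ["get", "list", "watch"]
- apiGroups: ["apps"]
  resources: ["deployments"]
  verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: billing-devs-readonly
  namespace: hipaa-billing                 # binding is scoped to the HIPAA namespace only
subjects:
- kind: Group
  name: billing-devs
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: billing-readonly
  apiGroup: rbac.authorization.k8s.io
```

Kubernetes RBAC is purely additive, so the ClusterRoleBinding has to be removed rather than merely supplemented for the scoped Role to become the effective limit; a compliance check that lists subjects bound to cluster-admin catches exactly this case.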
- Data-in-transit is protected
HIPAA requires that information and records (data) are managed consistent with the organization's risk strategy to protect the confidentiality, integrity, and availability of information.
This means that Kubernetes resources that expose HIPAA data to open, public networks are configured with Transport Layer Security (TLS).
- Risk Assessment
HIPAA requires that threat and vulnerability information is received from information sharing forums and sources.
This highlights the fact that threat intelligence and CVE data should be periodically updated from well-known repositories, such as open-source lists and commercial vendors.
- Review and document Audit logs
An organization should maintain an event log to establish an audit trail of all user activity, including any actions performed on HIPAA workloads. It should also be able to detect abusive and abnormal activity by building a profile of user behavior, using machine learning capabilities.
- Free HIPAA Security Checks Package
To help companies in these trying times, Alcide now offers a free HIPAA security checks package for the healthcare community.
Alcide's security SaaS platform helps healthcare organizations that deploy containerized applications on Kubernetes, to secure their development to production deployments. Whether it's scanning for vulnerabilities in Kubernetes clusters, detecting anomalous behavior, or defining policy for firewalling microservices, Alcide has it covered.
To start scanning and generate a report, click here.