Approaching HIPAA compliance. When taking first steps in approaching HIPAA compliance one quickly finds an overwhelming amount of information. The purpose of this article is to help get you started. This is not meant to be a HIPAA compliance guide, and only certain aspects of HIPAA compliance are addressed. Crucially, this article will provide you with insights on how Ikigai thinks about HIPAA compliance in relation to overall security posture.

‍

Why become HIPAA compliant? Achieving HIPAA compliance is an arduous and ever-evolving process that leaves you questioning if it’s worthwhile in the first place. It is worthwhile, let me tell you why.

‍

Firstly, the healthcare big data market is expected to grow over $68bn by 2025 with tailwinds due to remote health tracking and personalized health. If you are an established organization considering growth opportunities or a start-up, like Ikigai, looking to capitalize on the evolving health information landscape, becoming HIPAA compliant is a necessary first step in entering this potentially lucrative space. That’s the business case for HIPAA compliance.

‍

Secondly, the HIPPA compliance process requires you to complete a full evaluation of your organization’s data management lifecycle. It requires you to understand how user data flows into and through your application. Additionally, the HIPAA compliance process is a people process. Everyone in your organization must recognize user data flows and how they are safeguarded.

‍

Going through HIPAA compliance will force your team to reduce your systems’ technical debt, improve observability and ultimately give you confidence in your systems’ availability, reliability and security. Now that we’ve covered the technical case for HIPAA compliance, let us delve into HIPAA and how Ikigai approaches it.

‍

HIPAA Compliance Overview

‍

A baseline of technical safeguards that must be in place to ensure HIPAA Compliance include:

• Access control
• Encryption in transit
• Encryption at rest
• Activity logs
• Audit controls

‍

Comprehensive HIPAA compliance requires many additional organizational, technical and physical safeguards. Learn more here.

‍

Architecture-driven HIPAA compliance. Depending on your tech stack, the process of becoming HIPAA compliant will look entirely different. At Ikigai, we run a gRPC, microservices architecture on Kubernetes on our cloud service provider. In this section, I will delve into a handful of tools used in order to enable confidence in one’s security posture. Some of these tools are public cloud provider specific, though the general principles and rationale behind using them will help you better understand what you should look for when filling in the gaps in your own system. Lastly, similar technology services for each highlighted tool are provided.

‍

Tools used for HIPAA Compliance

‍

Encryption in transit

‍

Internal data in-transit for Ikigai consists of packets of data sent between Kubernetes microservices using gRPC. In order to encrypt this data with as little overhead as possible and without placing additional burden on our application codebase, Ikigai uses the Linkerd service mesh. Linkerd service mesh enables mutual transport layer security (mTLS) between all microservices with additional features including ingress, blue/green deployment, latency-based routing and more.

‍

Similar services: Open Service Mesh, AWS App Mesh, Google Cloud Traffic Director, Itsio, Hashicorp Consul

‍

Logging

‍

Major public cloud providers offer logging, log storage and log analysis as a service. In this example we will use AWS. AWS Cloudtrail is used to standardize logging across all AWS services. Cloudtrail collects all API calls within an AWS environment and stores them in an S3 bucket. These logs can be evaluated for unauthorized access events, they can assist in troubleshooting and used for auditing purposes.

‍

Similar services: Azure Log Analytics, Google Cloud Logging

‍

Access Control

‍

Sticking with AWS as our example public cloud provider, AWS Identity and Access Management (IAM) is a powerful tool for managing team permissions with accessible best practices. Logging of IAM related API calls is achieved by Cloudtrai,l and adherence to compliance standards are ensured using AWS Config (more on AWS Config below).

‍

Ikigai uses infrastructure as code (Iac) language Terraform to maintain and make changes to IAM policies. At Ikigai, we use bash scripts for common repeated actions such as adding a user. This allows us to ensure that every AWS user maintains HIPAA compliant security settings such as password length, rotation and MFA. In addition to providing IAM versioning and automation through bash scripts, Terraform allows for our access control policies to be analyzed for best practice adherence before applying IAM changes to our cloud setup.

‍

Similar services: Azure IAM, GCP IAM

Encryption at rest

‍

Public cloud providers offer centralized management of encryption keys. Data storage solutions on AWS are encrypted through rotating AWS Key Management System (KMS) keys. A list of certifications and standards that KMS encryption is assessed for through third-party auditors can be found here.

‍

Similar services: GCP Key Management, Azure Key Vault

‍

Automating compliance checks

‍

As public cloud providers have expanded their public offerings, and the technology stacks hosted by a single cloud provider have multiplied in complexity, they have added services to systematically audit one’s cloud resources according to compliance standards.

‍

AWS Config is Amazon’s service for automated compliance checks across cloud resources. AWS Config’s built-in HIPAA conformance pack, for example, runs 129 automated checks of compliance over one’s AWS environment. These checks encompass everything from IAM policies to database snapshot encryption. These rules are marked non-compliant if the underlying resources are not adhering to AWS best practices for HIPAA compliance.

‍

If your application runs on AWS and you want to know what technical changes you should focus on to become HIPAA compliant, AWS Config is a good place to start. HashiCorp, the creators of Terraform, offer HashiCorp Sentinel which falls into the realm of Compliance-as-Code and uses functional compliance checks across cloud platforms (public/private).

‍

Similar services: Azure Security Control, GCP Cloud Asset Inventory, CloudCheckr, HashiCorp Sentinel

‍

Conclusion

‍

HIPAA compliance can often feel like an overwhelming and never-ending process. This guide is meant to give you insight into how Ikigai approaches some technical aspects of HIPAA compliance. Ikigai’s approach to compliance and security is rooted in our desire to achieve the highest level of trust for data operators using our platform.

‍

HIPAA compliance is not an end-state but an on-going commitment of intentional design and internal and external auditing. The best way to approach HIPAA compliance is with a company-wide alignment towards data integrity, observability and security.

‍

Does this excite you? Dying to build such systems?

‍

Interested in joining our team at Ikigai to work on engineering problems in the ML/AI distributed computation space? Take a look at openings at Ikigai here.

‍

About the Author

‍

Camil Blanchet (Software Engineer — Cloud architect)

‍

Based out of Ikigai’s Cambridge, MA offices, Camil is a backend developer at Ikigai with a focus on cloud infrastructure. He completed his Bachelors in Science at Bowdoin College while majoring in Neuroscience and his Master’s in Computer Science with a specialization in Machine Learning from Northeastern University.

‍

Originally posted on medium.com