HIPAA compliance in container and Kubernetes environments

The Health Information Portability and Accountability Act of 1996 created the HIPAA compliance framework to govern patient privacy related to any and all health records. The Security Rule, added in 2003, governs digital health records. Any organization that handles electronic protected health information (ePHI) that is individually identifiable has to comply with HIPAA requirements. This includes applications used directly by healthcare providers for care, communications, or billing.

The primary challenge for HIPAA compliance is that the security framework provides only high-level guidance rather than specifics on how organizations should meet those guidelines in containers and Kubernetes. In addition, the difference between what is and what is not protected health information is often less obvious than, for example, what is and is not credit card information that must be protected under PCI compliance.

In addition to healthcare providers themselves, any organization that provides services such as storage or billing to healthcare providers has to meet HIPAA requirements if the services it provides involve handling electronic protected health information (ePHI).

The HIPAA Security Rule standards are broken into administrative, physical, and technical safeguards. The technical safeguards, which relate to the IT infrastructure, include the following standards:

  • Access control
  • Audit controls
  • Integrity
  • Authentication
  • Transmission security

The HIPAA Security Rule doesn’t provide specifics on how organizations should secure ePHI, and it is not specific to containerized applications. Often, the best place to start working towards HIPAA compliance is by applying the NIST SP 800-190 framework, which provides guidelines and best practices for container security. Unlike HIPAA, NIST SP 800-190 provides a framework that is specific to containers, so compliance with it is easier to demonstrate. However, meeting HIPAA requirements also involves implementing additional data segregation controls to protect ePHI and keep it separate from other types of data.
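One concrete way to implement the data segregation the paragraph above calls for in Kubernetes is to place ePHI workloads in a dedicated namespace, deny all traffic by default, and then allow only the specific flows the application needs. The manifests below are an added example and are not from the original page; the namespace name `ephi-billing`, the `data-classification` label, the `app` labels, the `ingress-gateway` namespace and the port numbers are all assumptions for illustration. The `kubernetes.io/metadata.name` namespace label and the `k8s-app: kube-dns` pod label are standard Kubernetes conventions.

```yaml
# Added example (not from the original page): isolate ePHI workloads in a
# dedicated namespace with a default-deny NetworkPolicy, then allow only the
# traffic the application needs. Namespace, label and port values are assumptions.
apiVersion: v1
kind: Namespace
metadata:
  name: ephi-billing
  labels:
    # Classification label so audit tooling can find every ePHI namespace.
    data-classification: ephi
---
# Default deny: no ingress or egress for any pod in the namespace unless a
# more specific policy below allows it.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: ephi-billing
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress
---
# The billing API may receive traffic only from the ingress gateway namespace,
# and may reach only the ePHI database in this namespace plus cluster DNS.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: billing-api-allow
  namespace: ephi-billing
spec:
  podSelector:
    matchLabels:
      app: billing-api
  policyTypes:
  - Ingress
  - Egress
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: ingress-gateway
    ports:
    - protocol: TCP
      port: 8443
  egress:
  - to:
    - podSelector:
        matchLabels:
          app: ephi-db
    ports:
    - protocol: TCP
      port: 5432
  - to:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: kube-system
      podSelector:
        matchLabels:
          k8s-app: kube-dns
    ports:
    - protocol: UDP
      port: 53
```

Apply with `kubectl apply -f` and keep the manifests in version control, since the configuration itself is part of what must be backed up and recoverable. Two caveats a practitioner should check: NetworkPolicy objects are only enforced when the cluster's CNI plugin supports them (otherwise they are accepted but have no effect), and the default-deny policy blocks DNS as well, which is why the explicit egress rule to `kube-dns` is included.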

HIPAA also requires that organizations keep backups of not just data but also configuration files, so that the application can be fully recovered to demonstrate continual compliance.

Last updated: May-29-2020