Utilizing Containers for HIPAA Compliant Applications
Containers are becoming increasingly popular in software development, with many companies containerizing their applications. Docker containers let a team develop on any platform, build microservices, run a wide array of services, and cluster and scale applications as the business grows. But as with any technology or deployment process, your team must still decide how the containers are configured and where they are hosted. Is there such a thing as a HIPAA compliant container?
Containers by themselves are not "HIPAA compliant". HIPAA regulates how covered entities and their business associates handle protected health information (PHI); a container image or runtime is neither, so compliance comes from how the whole system is built and operated. That said, some cloud providers offer container services that are HIPAA eligible (covered by the provider's Business Associate Agreement) and that can be configured in a compliant manner.
HIPAA Eligible Container Options for Amazon Web Services (AWS)
Utilizing AWS container services is a great way to leverage the scaling power of Amazon. Container orchestration on Amazon costs 70% less annually than proprietary HIPAA platforms. The services below are HIPAA eligible and can be used under Amazon's Business Associate Agreement (BAA). Note that the BAA only covers PHI handled by HIPAA eligible services, so every AWS service that touches PHI in your architecture, not just the container service, must be on Amazon's eligible list.
Elastic Container Service (ECS) – Amazon ECS is a managed, high-performance container orchestration service for running Docker containers at scale. It lets your team scale a containerized application up and down as load changes by adding or removing running tasks. ECS is used together with Elastic Container Registry (ECR), a fully managed Docker container registry for storing, managing, and deploying container images. ECS integrates with other AWS platform services, including IAM, ECR, CloudWatch, CloudFormation, and CloudTrail, and gives containers a native AWS API experience similar to EC2 virtual machines.
Pros: Easy to scale, wide application availability, easy to maintain once configured
Cons: ECS learning curve
Elastic Compute Cloud (EC2) – Amazon EC2 offers organizations the option to manually configure virtual machines (VMs), install Docker, and manage containers on their own. With this configuration your team can install any variety of operating systems, software, or orchestration processes, but it also owns patching and hardening the OS and the Docker daemon itself. Your organization can pull images from Docker Hub or set up a private container registry for storing and managing Docker container images; for PHI workloads a private registry that you control access to is the safer choice.
Pros: More options on specifications, familiarity for many users, simpler pricing
Cons: Requires more DevOps configuration
Compliance Configuration
Required administrative and technical controls for compliance
Unfortunately, just using the services listed above does not make your organization or your application HIPAA compliant. Under Amazon's Shared Responsibility Model and the Amazon Business Associate Agreement (BAA), AWS is responsible for security "of" the cloud: the physical safeguards for its data centers, the hardware, and the infrastructure that runs its managed services. The cloud platform client is responsible for security "in" the cloud, which includes implementing the technical and administrative safeguards required by HIPAA and using only HIPAA eligible services to store, process, or transmit PHI.
Organizations must develop and maintain administrative policies and procedures including:
- Employee Training Policy
- Disaster Recovery Policy
- Incident Response Policy
- Intrusion Detection and Vulnerability Scanning Policies
Technical solutions must be implemented to address HIPAA/HITECH requirements including:
- Backup and Recovery
- Data Encryption (at rest and in transit)
- Firewall and Network Settings
- Audit Logging
- Intrusion Detection
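Several of the technical controls above (encryption in transit, audit logging, network segmentation, least privilege) are decided in the ECS task definition before a container ever runs, so they can be checked statically in a CI step. The script below is an added example written for this article; it is not Dash's product code or an AWS tool, and the specific checks and the sample task definitions are the editor's assumptions about a reasonable baseline, not an HHS or AWS rule set. It inspects a task definition (the same JSON you would pass to `aws ecs register-task-definition`) and reports settings that would undermine the controls listed above: images that are not private ECR images pinned by digest, missing CloudWatch Logs configuration, privileged or root containers, plaintext secrets in environment variables, EFS volumes without transit encryption, and missing task and execution IAM roles.

```python
"""Static HIPAA-baseline checks on an ECS task definition.

Added example for this article, not Dash's or AWS's code. The checks encode
the editor's assumed baseline; the two task definitions at the bottom are
constructed for the example (account IDs, ARNs and digests are fake).
"""
import json
import re

# Private ECR image pinned by digest: <account>.dkr.ecr.<region>.amazonaws.com/<repo>@sha256:<64 hex>
ECR_DIGEST_RE = re.compile(
    r"^\d{12}\.dkr\.ecr\.[a-z0-9-]+\.amazonaws\.com/[\w./-]+@sha256:[0-9a-f]{64}$"
)
# Container "secrets" must resolve from Secrets Manager or SSM Parameter Store.
SECRET_ARN_RE = re.compile(r"^arn:aws:(secretsmanager|ssm):")
# Environment variable names that suggest a credential was placed in plaintext.
SECRET_NAME_RE = re.compile(r"(PASSWORD|SECRET|TOKEN|API_KEY|PRIVATE_KEY)", re.I)


def check_container(c):
    """Return a list of findings for one entry of containerDefinitions."""
    findings = []
    name = c.get("name", "<unnamed>")
    image = c.get("image", "")
    if not ECR_DIGEST_RE.match(image):
        findings.append(f"{name}: image must be a private ECR image pinned by sha256 digest, got {image!r}")
    log = c.get("logConfiguration") or {}
    if log.get("logDriver") != "awslogs":
        findings.append(f"{name}: logConfiguration must ship container output to CloudWatch Logs (awslogs)")
    if c.get("privileged"):
        findings.append(f"{name}: privileged containers are not allowed")
    if not c.get("readonlyRootFilesystem"):
        findings.append(f"{name}: readonlyRootFilesystem should be true")
    if c.get("user") in (None, "", "root", "0"):
        findings.append(f"{name}: container should run as a non-root user")
    for env in c.get("environment", []):
        if SECRET_NAME_RE.search(env.get("name", "")):
            findings.append(f"{name}: environment variable {env['name']} looks like a plaintext secret; use 'secrets' with valueFrom")
    for s in c.get("secrets", []):
        if not SECRET_ARN_RE.match(s.get("valueFrom", "")):
            findings.append(f"{name}: secret {s.get('name')} must come from Secrets Manager or SSM Parameter Store")
    return findings


def check_task_definition(td):
    """Return all findings for a task definition dict; an empty list means it passes the baseline."""
    findings = []
    if td.get("networkMode") != "awsvpc":
        findings.append("task: networkMode should be awsvpc so each task gets its own ENI and security group")
    if not td.get("taskRoleArn"):
        findings.append("task: taskRoleArn missing; give the application an IAM role instead of instance credentials")
    if not td.get("executionRoleArn"):
        findings.append("task: executionRoleArn missing; needed to pull from ECR and write CloudWatch Logs")
    for vol in td.get("volumes", []):
        efs = vol.get("efsVolumeConfiguration")
        if efs and efs.get("transitEncryption") != "ENABLED":
            findings.append(f"volume {vol.get('name')}: EFS transitEncryption must be ENABLED")
    for c in td.get("containerDefinitions", []):
        findings.extend(check_container(c))
    return findings


# Constructed example: a task definition that would fail review.
WEAK_TASK_DEF = {
    "family": "phi-api",
    "networkMode": "bridge",
    "containerDefinitions": [{
        "name": "api",
        "image": "myorg/phi-api:latest",  # public Docker Hub image, mutable tag
        "privileged": True,
        "environment": [{"name": "DB_PASSWORD", "value": "hunter2"}],
    }],
}

# Constructed example: the same service with the baseline controls applied.
HARDENED_TASK_DEF = {
    "family": "phi-api",
    "networkMode": "awsvpc",
    "taskRoleArn": "arn:aws:iam::123456789012:role/phi-api-task",
    "executionRoleArn": "arn:aws:iam::123456789012:role/phi-api-exec",
    "volumes": [{"name": "uploads", "efsVolumeConfiguration": {
        "fileSystemId": "fs-0123456789abcdef0", "transitEncryption": "ENABLED"}}],
    "containerDefinitions": [{
        "name": "api",
        "image": "123456789012.dkr.ecr.us-east-1.amazonaws.com/phi-api@sha256:" + "a" * 64,
        "user": "1000:1000",
        "readonlyRootFilesystem": True,
        "logConfiguration": {"logDriver": "awslogs", "options": {
            "awslogs-group": "/ecs/phi-api", "awslogs-region": "us-east-1", "awslogs-stream-prefix": "api"}},
        "secrets": [{"name": "DB_PASSWORD",
                     "valueFrom": "arn:aws:secretsmanager:us-east-1:123456789012:secret:phi-api/db-AbCdEf"}],
        "environment": [{"name": "LOG_LEVEL", "value": "info"}],
    }],
}

if __name__ == "__main__":
    for label, td in (("weak", WEAK_TASK_DEF), ("hardened", HARDENED_TASK_DEF)):
        print(f"== {label}: {len(check_task_definition(td))} finding(s)")
        print(json.dumps(check_task_definition(td), indent=2))
```

Run it against a real definition with `python check_taskdef.py < taskdef.json` after replacing the constructed dicts with `json.load(sys.stdin)`; a non-empty list should fail the pipeline. The check is deliberately narrow: it proves the task definition asks for the right things, not that the CloudWatch log group is retained long enough, that the security group attached to the awsvpc ENI is restrictive, or that the IAM roles are least-privilege, all of which still need their own checks.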
These technical controls can be built from AWS services, but they must be set up and maintained by your team; AWS does not turn them on for you. Dash offers one deployment for configuring and monitoring HIPAA compliance within your AWS account.