Containers and Healthcare Security: Why Kubernetes and GCP SCC are Key Players
By Gil Vidals, , HIPAA Blog, HIPAA Hosting, Resources, Security

HIPAA Vault’s enhanced cloud for healthcare leverages Google Cloud’s cutting-edge technologies to achieve superior performance at a significantly reduced cost. 

Application modernization is key: current baseline costs and performance are assessed, with a view toward improved resource utilization. Security, scaling of resources, and refactoring of code for ongoing application implementations and enhancements are all designed in.

HIPAA Vault undertakes these critical application assessments (known as application rationalizations) as a strategic approach for all enterprise healthcare organizations and their developers.

To this end, containers and Kubernetes are essential technologies.   


How Containers Can Benefit Healthcare

Containers are extremely resource-efficient software packages, capable of running in almost any environment. Container technology alleviates the need to spin up a new virtual machine for each application since the operating system is virtualized and each container possesses all the self-contained code and system tools needed to run it. 

Migrating critical applications from virtual machines to containers, therefore, is a smart move; they’re highly portable and can be run on local desktops, virtual and physical servers, test and production environments, and in private or public clouds. 

Containers can also be easily cloned for updates, alleviating downtime. For example, developers can run the entirety of an exact copy of a production app locally on a development laptop system, providing a far more efficient development process.

In this way, containers also speed up application deployment and time to market. Containers, then, have many advantages, including:

  • Agile Creation and Deployment of Applications
  •  Reliable and Frequent build of images with easy rollback
  •  Portability to various cloud environments and OS types
  •  Isolation of Resources
  •  Optimal Utilization of Resources

This advanced efficiency and ability to deploy applications and services at scale has led Gartner to predict that by 2025, 85% of organizations will embrace a cloud-first principle and use cloud-native architectures. 

The ability to apply automation and orchestration to containers is a key driver, made possible with Kubernetes.    

What is Kubernetes?

Kubernetes – or K8s as it is called – is an open-source container system originally launched by Google. It derives its name from the Greek word for helmsman, or pilot.  

HIPAA Vault employs Kubernetes to deploy and choreograph these stand-alone, containerized applications and groups of resource-sharing containers known as “pods,” from a single interface in various cloud deployments, utilizing a system of Master and Worker nodes. 

The need for manual intervention is eliminated, minimizing human error and boosting efficiency. 

What might this look like for a typical organization? Consider the following example: 

One of our enterprise hosting customers required a significant expansion of their infrastructure. Instead of opting for a traditional, “single server solution,” K8s allowed us to provide a far more elegant system – one that enabled continuous development, testing, and deployment of web applications. All of this was possible without having to take their website offline or deal with downtime. 

Since K8s also provides seamless load balancing based on traffic, we were able to set parameters so that the auto-scaling of their servers won’t go beyond preferred limits. Better utilization of resources led to significant cost savings. 

Still, the question might be asked: since healthcare applications and sensitive patient data require strong protections, can Kubernetes be sufficiently secured and made HIPAA compliant?  

Kubernetes Security

The good news is that with the right measures, container systems like Kubernetes – combined with Google Cloud Platform’s Security Command Center (GCP SCC) – can help organizations achieve superior security as well as HIPAA compliance. 

For starters, container technology possesses an innate security benefit when it comes to resisting malware in the infrastructure. Rather than following a schedule of security patching and trusting it to get done, existing container clusters are destroyed and new secure nodes and clusters are deployed in their place. 

To ensure Kubernetes HIPAA compliance for containerized healthcare applications, organizations should also follow the key principles outlined by NIST 180-190. In addition to using separate development and testing environments with careful access controls, the following managed services are necessary to help secure containers:

  • Automated scanning of containers at all stages of deployment helps ensure that images and registries are safe from vulnerabilities.
  • Kubernetes Security monitoring at the container level also helps to identify issues impacting application performance.
  • Containers need securing through in-transit and at-rest data protections. This means that all data moving in and out of your containers must be encrypted.

 
What is GCP SCC?

Google Cloud Platform’s Security Command Center is a centralized security management system that provides real-time visibility into an organization’s security and compliance posture across Google Cloud. 

GCP SCC helps organizations identify and manage security risks by aggregating and analyzing data from various sources such as Google Cloud Platform resources, network infrastructure, and third-party security tools.

With SCC, enterprise web hosting organizations can achieve HIPAA compliance by continuously monitoring their containerized applications and the infrastructure they run on. 

SCC provides automated vulnerability scanning of container images and registries to ensure that they are safe from vulnerabilities. 

SCC can also help with managing access control by providing insights into who has access to specific resources, detecting suspicious activity, and alerting administrators of any security incidents.


6 Keys for HIPAA Compliance

To achieve HIPAA compliance with Kubernetes and GCP SCC then, healthcare organizations should prioritize the following six principles:

1. Establish a company-wide, security culture.

  • Specifically, this means that DevOps teams must become DevSecOps, supported by an administration that embraces a security mindset as the new normal. 
  • Practically, this means that all new builds should design in security from the start, with robust, secure access policies (including strong passwords) in play. 

2. Separate development & testing environments to isolate security concerns.

These environments should be managed with careful access controls, including:

  • least privilege access 
  • careful control over what commands can be run   

3. Know where your container software & data reside & protect them

This is critical because:

  • Container images contain software (executable code that allows the container) to run, which may have malware attached. For this reason, using only up-to-date images from whitelisted, trusted repositories is critical. 

4. Reduce risk through vulnerability scanning and monitoring.

  • Automated scanning of containers at all stages of deployment will ensure images and registries are safe from vulnerabilities. 
  • Monitoring at the container level can also help to identify issues impacting application performance.

5. HIPAA compliance for containers requires in-transit and at-rest data protections.

This will require you to:  

  • Secure (encrypt) all data moving in and out of your containers. 

6. Ensure regular, automated backups. 

  • Containers typically provide high availability, but may not survive a disaster. Replicating images, attached databases, deployments, and persistent storage in pods, and resources are the only way to ensure your environment is available in a catastrophic disaster. 


Cutting-Edge Technology to Benefit You

Enterprise healthcare organizations will benefit from Kubernetes’ vast, open-source community of collaborators, years of R&D, and excellent security innovations. Still, Kubernetes’ complexity may make harnessing these benefits impossible for most organizations. 

As a proven Google Cloud Partner, HIPAA Vault will manage Kubernetes for you. Even if your applications aren’t containerized initially, we’ll provide our Containers as a Service (CaaS) for you and maintain Kubernetes HIPAA compliance so you can focus on your business. 

Want to see how we can help you realize these benefits for your organization? Let HIPAA Vault optimize your enterprise hosting environment, and allow you to reap the benefits of reduced cost,  greater security, and greater efficiency.  

Talk to one of our cloud experts today! 760-394-6920 or chat us at hipaavault.com.

HIPAA Vault is a leading provider of HIPAA-compliant solutions, enabling healthcare providers, business organizations, and government agencies to secure their protected health information from data breaches, threats, and security vulnerabilities. Customers trust HIPAA Vault to mitigate risk, actively monitor and protect their infrastructure, and ensure that their systems stay online at all times.

Avatar photo

Gil Vidals is the president and CTO of HIPAA Vault. He is a passionate, subject matter expert on HIPAA compliance and the healthcare cloud, and co-host of the HIPAA Vault podcast. Since 1997, Gil’s mission has been to provide uncompromising and affordable HIPAA compliant hosting solutions to commercial and government clients, helping protect their sensitive health information from data breaches and security vulnerabilities. HIPAA Vault has been recognized as an Inc. 5000 company and a Clutch Top B2B company. He can be reached here on Linkedin.