by James Emerson
VP Engineering
ClearDATA
James is joining the ClearDATA blogging team in 2021 to share insights for those working in engineering, operations, and DevOps/DevSecOps roles.
My job requires a lot of daily phone calls with our customers, and those considering becoming customers. I usually come across two groups of people in engineering/ops roles: (1) those who are very cloud savvy but may be new to healthcare and its strict compliance frameworks; or (2) those who have been in healthcare for a long time and are making the leap from their data center. The latter has a deeper understanding of compliance and security but doesn’t necessarily feel confident about how that translates to cloud. Both groups can have increased frustration when compliance conversations surface. It’s often perceived as a nuisance factor.
Frequently I hear them say “We could do this ourselves,” referring to the risk-based approach to privacy, security and compliance ClearDATA offers our customers on their choice of cloud. They are not wrong, in that ClearDATA uses a lot of the same tools they would, though we’ve created a significant number of automations and services into and around those native cloud offerings.
But here’s the crux of where problems occur: having the tools to implement compliance does not mean that you have the extensive compliance knowledge to take the mapping for each facet of complex (and sometimes vague) compliance requirements and bring it down to the technical terms to understand exactly what it is you have to implement. Do you know which settings you need? Do you have a way to prove, when facing an audit, that you set those properly months ago? Do you have a process from design time to runtime to ensure that you not only deploy correctly, but that you can maintain compliance for the entire lifecycle of your app once deployed?
Just because AWS, Azure or GCP have offered up dozens of new HIPAA-eligible services doesn’t mean that as you fire up your next container or instance that it will be compliant out of the box. In fact, odds are it will not.
Here at ClearDATA, we offer products and services that address this. In fact, our engineering teams use our own products for this. Why? Because they work. ClearDATA has to meet the same compliance requirements you do, and I don’t want our engineers having to focus all of their time on every single compliance requirement they need to meet each and every time they deploy.
With ClearDATA Comply™ you don’t have to teach your engineers compliance; you teach them how to deploy on cloud and we make it compliant right behind you.
In a lot of my early conversations, the engineers I speak with aren’t always aware of HIPAA’s extensive requirements for sensitive healthcare data, and/or don’t fully understand how these specific requirements apply to the cloud. Adding to the challenge is most compliance frameworks are prescriptive, but that’s not the case with HIPAA. Take PCI for example. Someone technically skilled can read PCI requirements and, in general, they will likely know what they need to enable. HIPAA, on the other hand, requires interpretation. A lot of people assume that the encryption requirement is pretty basic, or they just need to manage permissions, but in the years since HIPAA was written we’ve evolved a more complicated scenario in the cloud, where a single application might run 10-15 services that all must be configured properly, each step of the way. It’s considerably different from the days when you might have been running a single server and you just had to focus on your network. But there are huge advantages to cloud – not the least of which are scaling, security, and speed.
It’s worth noting that as we protect you, we don’t change the way you deploy.
When you’re just starting out and you’re deploying things in the console, it’s possible your engineers may not be as informed on all of the cloud services and settings that they need because they’re still learning. That makes it easy to deploy a bucket or a database that’s not encrypted. But farther in their cloud journey it’s still easy to make mistakes. Say you are adopting a CI/CD workflow and using terraform infrastructure as code. Now you have sprawl, and you have so much more to manage that you need tools on top of tools. So, while you’ve solved the problem of deploying more quickly, you are now deploying 50 times a day. Are you sure they are all compliant? With us alongside you, you will be.
Working on your own in a DIY approach, a simple error can leave you prone to security incidents, breaches and fines. As one example, if you’re working with an RDS database in AWS and you don’t select encryption, you have to redeploy that whole database to meet compliance requirements. There is no toggle you can come back and set, which is why ClearDATA is catching it immediately – before you’ve ever added any data to that database so that mistake can’t happen, and you don’t have to go through migration again later on. That kind of redeployment adds no value to your organization’s offerings, it’s just taking your time and money. With ClearDATA Comply, our automation ensures configurations are right the first time, and if anything drifts as workloads change, our remediation steps in and corrects it. This is running behind the scenes 24/7, freeing your engineering team to focus on what matters for your customers. Think of how that changes what your team can get done.
I have found the best way to approach the topic of compliance is to simply show people their compliance status. Lately, I start my conversations by showing people their compliance status with Comply in evaluation mode. We take all of the safeguards and controls we’d be running, and actually evaluate their existing account. I’ve never seen anyone who wasn’t at least a little startled by the findings. From there, we have a compliance score, and then we look at the areas out of compliance that pose the highest risk to the organization. When customers are cloud beginners, we get a lot of questions about where to start. We recommend starting by looking at their existing environment and establishing where the highest areas of risk are and remediating those first. For example, I will show them the report that shows all of the S3 buckets they have that are public facing and ask if those are intentional, because we’ve all seen the headlines about how common it is to have misconfigured S3 buckets that unintentionally expose data. We look at data storage, and at databases, and run the list one by one.
I can’t tell you how many people believe they have all of their data encrypted, for example, and then discover it’s simply not.
Even the people who come into the evaluation saying, “Yeah, we think we have some problems” are surprised to see how much vulnerability they have.
Once the engineering and ops teams see this in action and see how Comply maps technical controls to all of the HIPAA requirements, they understand the scope of the daily burden we are taking off their plate. While we focus on the privacy, security and compliance of their data on the cloud, they can focus on building their apps.