HIPAA Compliance and Healthcare Workloads

Health Insurance Portability and Accountability Act (HIPAA) compliance focuses on protecting electronic protected health information (ePHI). Kubernetes environments processing healthcare data must implement administrative, physical, and technical safeguards. The technical safeguards translate into specific Kubernetes security controls.

Encryption requirements under HIPAA mandate protecting ePHI both at rest and in transit. In Kubernetes, this requires encrypted etcd storage, TLS for all communications, and encrypted persistent volumes. Application-layer encryption provides additional protection for sensitive fields within databases.

Audit logging for HIPAA compliance must capture all ePHI access. This includes Kubernetes API audit logs, application access logs, and database query logs. Log retention periods must meet HIPAA requirements, typically six years. Centralized log management with tamper protection ensures log integrity for compliance audits.

# HIPAA-compliant logging configuration
# The kube-apiserver reads its audit policy from the file named by
# --audit-policy-file, so the content below has to be written to the
# control-plane node (for example from this ConfigMap) to take effect.
apiVersion: v1
kind: ConfigMap
metadata:
  name: hipaa-audit-config
  namespace: healthcare
data:
  audit-policy.yaml: |
    apiVersion: audit.k8s.io/v1
    kind: Policy
    rules:
    # Rules are evaluated in order and the first match wins, so the Secret
    # rule comes first: Metadata level records who accessed which Secret
    # without copying the Secret's data into the audit log. (Listed after
    # the RequestResponse namespace rule below, Secret bodies in the
    # healthcare namespaces would be logged.)
    - level: Metadata
      resources:
      - group: ""
        resources: ["secrets"]

    # Log all other access to the healthcare namespaces at RequestResponse level
    - level: RequestResponse
      namespaces: ["healthcare", "patient-data"]
      omitStages:
      - RequestReceived

    # Log requests from unauthenticated clients: the anonymous user and
    # the system:unauthenticated group (a group, so it is matched with
    # userGroups rather than users)
    - level: Request
      users: ["system:anonymous"]
    - level: Request
      userGroups: ["system:unauthenticated"]

    # Log all pod exec and attach operations (interactive container access)
    - level: RequestResponse
      resources:
      - group: ""
        resources: ["pods/exec", "pods/attach"]

    # Default logging for other resources
    - level: Metadata
      omitStages:
      - RequestReceived

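Because the apiserver applies the first matching rule, the position of the Secret rule decides whether Secret contents reach the audit log. As an added example (not code from the original page or any project), the following Python evaluator models that first-match selection for the rule fields used above and reports where Secret bodies would be logged; the function and sample names are this example's own, and the sample policies are constructed rather than taken from a cluster.

```python
# Added example (not from the page): an offline evaluator for the first-match
# semantics of a Kubernetes audit policy; function and sample names are ours.
# Audit levels at which a Secret's data lands in the log (reads: response body,
# writes: request body), per verb.
LEAK_LEVELS = {"get": {"RequestResponse"}, "list": {"RequestResponse"},
               "create": {"Request", "RequestResponse"},
               "update": {"Request", "RequestResponse"}}

def _resource_match(rule, req):
    """A rule without 'resources' matches every resource."""
    if "resources" not in rule:
        return True
    return any(e.get("group", "") == req.get("group", "")
               and (e.get("resources") is None or req["resource"] in e["resources"])
               for e in rule["resources"])

def rule_matches(rule, req):
    """Every selector present on the rule must match the request (stages not modelled)."""
    if "users" in rule and req["user"] not in rule["users"]:
        return False
    if "userGroups" in rule and not set(rule["userGroups"]) & set(req.get("groups", [])):
        return False
    if "namespaces" in rule and req.get("namespace") not in rule["namespaces"]:
        return False
    return _resource_match(rule, req)

def effective_level(rules, req):
    """First matching rule wins; a request matching no rule is not logged."""
    return next((r["level"] for r in rules if rule_matches(r, req)), "None")

def secret_body_exposures(rules, namespaces):
    """(namespace, verb) pairs whose Secret contents this policy would log."""
    found = []
    for ns in namespaces:
        for verb, leaky in LEAK_LEVELS.items():
            req = {"user": "alice", "groups": ["system:authenticated"], "verb": verb,
                   "group": "", "resource": "secrets", "namespace": ns}
            if effective_level(rules, req) in leaky:
                found.append((ns, verb))
    return sorted(found)

# Constructed sample policies: a broad namespace rule listed before the Secret
# rule, and the same rules with the Secret rule moved to the front.
NAMESPACE_FIRST = [
    {"level": "RequestResponse", "namespaces": ["healthcare", "patient-data"]},
    {"level": "Metadata", "resources": [{"group": "", "resources": ["secrets"]}]},
    {"level": "Metadata"},
]
SECRETS_FIRST = [NAMESPACE_FIRST[1], NAMESPACE_FIRST[0], NAMESPACE_FIRST[2]]
```

Running `secret_body_exposures` over both sample policies shows the namespace-first order logging Secret bodies for every verb in `healthcare`, and the secrets-first order logging none.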
---
# HIPAA-compliant storage class with encryption
# Clusters on the EBS CSI driver use provisioner: ebs.csi.aws.com; the
# type/encrypted/kmsKeyId parameters are the same.
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: hipaa-encrypted-storage
provisioner: kubernetes.io/aws-ebs
parameters:
  type: gp3
  encrypted: "true"
  # Placeholder ARN: replace with the customer-managed KMS key for ePHI volumes
  kmsKeyId: "arn:aws:kms:us-east-1:123456789012:key/abcd-1234-efgh-5678"
# Retain keeps the encrypted volume (and its data) when the claim is deleted
reclaimPolicy: Retain
allowVolumeExpansion: true
volumeBindingMode: WaitForFirstConsumer

---
# Business Associate Agreement tracking
apiVersion: v1
kind: ConfigMap
metadata:
  name: baa-registry
  namespace: healthcare
data:
  vendors.yaml: |
    business_associates:
    - name: "Cloud Provider Inc"
      services: ["IaaS", "KMS"]
      baa_date: "2023-01-15"
      review_date: "2024-01-15"

    - name: "Monitoring Corp"
      services: ["SIEM", "Log Management"]
      baa_date: "2023-03-20"
      review_date: "2024-03-20"

    - name: "Backup Solutions LLC"
      services: ["Backup", "Disaster Recovery"]
      baa_date: "2023-02-10"
      review_date: "2024-02-10"