DevSecOps Diary | HIPAA Compliance

HIPAA stands for Health Insurance Portability and Accountability Act. This act of 1996 is a United States federal statute enactment. It is a series of regulatory standards that outline the lawful use and disclosure of protected health information (PHI). HIPAA compliance is regulated by the Department of Health and Human Services (HHS) and enforced by the Office for Civil Rights (OCR).

But what this ACT has to do with DevOps..? Is it related to the Corona Virus..?

No alt text provided for this image

No, not at all..! Let me explain to you how I landed here.


On 8 November 2020 Virgin Hyperloop sent two passengers through its pneumatic maglev train for the first time. It represents a historical moment for hyperloop technology, as this is the first manned test of the technology to date.

No alt text provided for this image


“I can’t tell you how often I get asked ‘is hyperloop safe?,'” Jay Walder, CEO of Virgin Hyperloop, said in a prepared statement. “With today’s passenger testing, we have successfully answered this question, demonstrating that not only can Virgin Hyperloop safely put a person in a pod in a vacuum environment but that the company has a thoughtful approach to safety which has been validated by an independent third party named Certifier.”

But why am I telling you this..! The reason behind, “No technology can become great unless the people start believing in it and accept it”.But trust depends on validation, in such a scenario these independent unbiased third-party validation approach comes in handy, translating validation into trust for us.

No alt text provided for this image


Healthcare Providers are the exact target consumers who must take this into account before onboarding any new tool or migrating to any cloud.

If you are also involved like me in a Product Development & Designing role, being an architect you must consider these compliances if you are trying to create an impact on a wider section of the society, this not only gives your product the edge but also build trust in the masses. You can read more on AWS HIPAA compliance case-studies, one of the very popular public cloud providers.

No alt text provided for this image


Similarly, in Kubernetes, these pods and containers are the new definitions of Hyperloop pods, where the health-related confidential information is carried by these little pods and containers, within a highly dynamic and distributed Kubernetes ecosystem. As rightly said, “when there are too many moving parts, the risk of failure is also that high”. Security breaches are not new.

No alt text provided for this image


The above snippet is a good example of it. Docker says the hacker had access to their database only for a short moment, but data for approximately 190,000 users had been exposed. The company said this number is <5% of Docker Hub’s entire userbase.

So, what’s involved in making containers HIPAA compliant? Here are 6 basic principles to keep in mind:-

1. HIPAA compliance for containers first depends on a company-wide, security culture:

Specifically, this means that DevOps teams must become DevSecOps, supported by an administration that embraces a security mindset as the new normal.

2. HIPAA compliance for containers is best served by separate development and testing environments to isolate any security concerns:

  • least privilege access
  • careful control over what commands can be run

3. HIPAA compliance for containers requires knowing where your data (including software) resides and making sure it’s safe and protected.

This is critical because: Container images contain software (executable code that allows the container to run), which may have malware attached. For this reason, using only up-to-date images from whitelisted, trusted repositories is critical.

4. HIPAA compliance for containers requires reducing risk, through vulnerability scanning and monitoring.

Automated scanning of containers at all stages of deployment will ensure images and registries are safe from vulnerabilities. Monitoring at the container level can also help to identify issues impacting application performance.

5. HIPAA compliance for containers requires in-transit and at-rest data protection. This will require you to:

Secure (encrypt) all data moving in and out of your containers.

6. HIPAA compliance for containers, like all HIPAA compliant environments, will include regular, automated backups.

Containers typically provide high availability, but may not survive a disaster. Replicating images, attached databases, deployments, persistent storage in pods, and resources, is the only way to ensure your environment is available in a catastrophic disaster.

HIPAA benchmark, Dashboards:

No alt text provided for this image

HIPAA Violations & Enforcement:

No alt text provided for this image

HIPAA violation is followed under both Civil Proceedings as-well-as Criminal Proceedings.


Healthcare organizations are getting benefited from Kubernetes’ vast open-source community of collaborators, years of R&D, and excellent security innovations. Still, Kubernetes’ complexity may make harnessing these benefits impossible for most organizations.

Experts like us have the expertise to manage Kubernetes for you so that you can focus on your business. Optimize your environment to reap the benefits while keeping your sensitive data safe and protected.

Thanks a lot for following the article. Hope it adds some extra mile to your knowledge base.

Do follow me on Linkedin, and be my side-car and experience my professional journey together.

Image Source –

Image 1  Image 2  Image 3  Image 4  Image 5  Image 6 

Opstree is an End to End DevOps solution provider


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: