Atlantic.Net Blog

Best Practices for Creating a HIPAA-Compliant Docker Host

Docker is a popular container platform for running containerized applications and microservices. Docker provides a software-defined abstraction layer for developing, shipping, and running applications. Docker has a vast library of official Docker images that enables users to download and run containerized and lightweight versions of their favorite applications and operating systems.

Out of the box, Docker is not HIPAA-compliant. However, with the correct HIPAA-compliant hosting infrastructure solution in place and by using well-constructed and security-defined Dockerfiles, it is possible to run a HIPAA-compliant Docker host.

What Are the Best Practices for Utilizing Docker Generally?

Docker Inc. is keen to make Docker a highly secure environment for production workloads, and this approach greatly benefits healthcare organizations. When using Official Docker Images, you can be sure that each image has passed Docker’s stringent security onboarding. Check here to discover the exacting requirements.

Docker Images are updated frequently, but it’s not always best practice to use the latest version. Instead, use specific Docker Image versions. This is important because the latest versions may break your setup or cause unpredictable behavior.

Always download lightweight Docker Images, meaning images that have only the absolute minimum installed to make the app work. This greatly reduces the attack surface of your application, improving security straight out of the box.

Another essential best practice is to use a specific user to start your Docker container. By default, the system will use root, but root is never really necessary – instead, create a user account with the minimum permissions to perform Docker tasks.

Make sure you scan your Docker Images for vulnerabilities; this is a critical process if you build your own custom Docker images.

How Is Docker Different From Virtualization Hypervisors like VMware ESXi and Hyper-V?

This question can confuse those who are less familiar with Docker. Docker is a container-based technology that contains just the required files to complete the required processes of the task. Containers are run by sharing the host OS Kernel.

Virtual Machines running on ESXi or Hyper-V are made up of the complete operating system and any user files. VM images are much larger than containers, and the server hardware is virtualized, sharing resources from the host.

Best Practices for HIPAA Security

Any application that processes protected health information (PHI) is subject to HIPAA compliance requirements, and if the application runs on Docker then the application, Docker and the host infrastructure must all comply with a HIPAA compliance framework.

Several key design requirements must be at the forefront of the design process. These include:

Best Practices for Your Employees When Using Docker

User accounts, access, and authorization controls are critical for a Docker host. Docker containers must run on individual UserIDs and comply with the administrative requirements of HIPAA, such as complex passwords that are changed frequently and having Dockerfiles set to security roles to control unauthorized access to the application.

Containers should only be accessible by authorized personnel who have been pre-approved to access ePHI. Only allow web access to PHI applications on a need-to-know basis (typically doctors, nurses, physicians, and other such personnel).

Backup and Restore Requirements

To be HIPAA compliant, Docker volumes must be encrypted and adhere to a stringent daily backup schedule. Regardless of compliance, backups are very important for Docker; regular snapshots preserve the runtime environment from immediate failure, but individual backup policies need to be defined for each Docker volume and each Docker host.

The backups must be completed at least daily and replicated offsite to an alternative location. The restore process must be tested regularly.

Software-Defined Disaster Recovery

Docker Swarm can be used for disaster recovery if configured correctly with multiple hosts in multiple regions, but be cautious of major network interruptions. Docker Swarm does not cope well with a transient network state. It is recommended to choose a hosting provider that can provide a disaster recovery solution at the host level, a service where a replica host is automatically powered up at an alternative location.

Automatic Logout

Another key design decision is to include an automatic logout function for Docker applications and a timeout for SSH connections. This may seem like common sense, but setting a timeout is required for compliance. Hospitals do not want strangers accessing PHI simply because a user forgot to log out of a web application.

A timeout of between 30 seconds and 3 minutes of inactivity is recommended, with the user needing to re-authenticate using Multi-Factor Authentication upon return.

What Common Mistakes Are Made with Docker?

Here are some classic mistakes made by inexperienced Docker users:

  • Do not create a Docker Image that contains PHI – instead, mount an encrypted Docker volume from a protected source.
  • Do not install unnecessary services to a Docker Image – Docker images should be lightweight, not only for performance but also for minimizing the attack surface of the container.
  • Do not write Docker Secrets in plaintext Dockerfiles – it’s all too easy to pass a plaintext password to a Docker container; instead, use variables and consider creating a secrets vault.
  • Do not run containers as the root user – this is a very simple mistake to make. Instead, use a dedicated user account and group following the principle of least privilege.
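
The image best practices and the mistakes listed above can be checked mechanically before an image is built. The following Python audit is an added example, not code from the original article: the finding codes, the secret-name pattern and the service list are assumptions made for illustration, and PHI copied into an image is not checked because it cannot be recognized reliably from a Dockerfile alone.

```python
import re

# Constructed heuristics; the lookbehind skips *_FILE variables (a path, not a secret).
SECRET_NAME = re.compile(r"(PASSWORD|PASSWD|SECRET|TOKEN|API_?KEY)\w*(?<!_FILE)$", re.I)
EXTRA_SERVICES = {"openssh-server", "telnetd", "vsftpd"}

def audit_dockerfile(text):
    """Return sorted finding codes; backslash continuations are joined first."""
    findings, stages, user = set(), set(), None
    for line in re.sub(r"\\[ \t]*\n", " ", text).splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) < 2 or parts[0].startswith("#"):
            continue
        instr, arg = parts[0].upper(), parts[1]
        if instr == "FROM":
            tokens = [t for t in arg.split() if not t.startswith("--")]
            image, user = tokens[0], None  # assume every stage starts as root
            pinned = "@" in image or re.search(r":(?!latest$)[^/]+$", image)  # digest or non-latest tag
            if image != "scratch" and image not in stages and not pinned:
                findings.add("unpinned-base-image")
            stages.update(tokens[2:3])  # stage name from "FROM image AS name"
        elif instr in ("ENV", "ARG"):
            # Accept KEY=value pairs and the legacy "ENV KEY value" form.
            pairs = re.findall(r"(\w+)=(\S+)", arg) or [tuple(arg.split(None, 1))]
            for pair in pairs:
                if len(pair) == 2 and SECRET_NAME.search(pair[0]) and not pair[1].startswith("$"):
                    findings.add("plaintext-secret")
        elif instr == "USER":
            user = arg.split(":")[0].strip()
        elif instr == "RUN" and EXTRA_SERVICES & set(re.split(r"[\s;&|]+", arg)):
            findings.add("unnecessary-service")
    if user in (None, "root", "0"):
        findings.add("runs-as-root")
    return sorted(findings)

# Constructed sample inputs: the mistakes above, then a corrected version.
WEAK = """\
FROM python
ENV DB_PASSWORD=example-not-a-real-password
RUN apt-get update && \\
    apt-get install -y openssh-server
"""
HARDENED = """\
FROM python:3.12-slim AS build
FROM build
RUN useradd --system --uid 10001 app
ENV DB_PASSWORD_FILE=/run/secrets/db_password
USER app
"""
```

Calling `audit_dockerfile(WEAK)` reports all four findings, while `audit_dockerfile(HARDENED)` returns an empty list because the secret is referenced by file path and supplied at runtime.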

Atlantic.Net Containerization Capabilities

Docker support is currently available on Atlantic.Net as a one-click application that runs on Ubuntu 20.04 or through Windows 2016 Datacenter (with Containers/Docker as a server-based deployment). Both can be deployed in any of our eight data center locations in less than 30 seconds!

To ensure that your Docker implementation is HIPAA compliant, the environment must adhere to numerous administrative, physical, and technical safeguards. Thus the Docker host must meet these criteria; here are some of the key points to consider:

  • Network encryption – Encrypt any ePHI to meet NIST cryptographic standards any time it is transmitted over an external network. This includes Docker virtual networks.
  • Authenticate ePHI – Identify and authenticate ePHI, protecting it from corruption, unauthorized changes, and accidental destruction.
  • Encrypt devices – All end-point devices that interact with your Docker application should be able to encrypt and decrypt data; this is particularly important for mobile and laptop devices.
  • Control activity audits – Detailed Container logging is needed to track all ePHI access attempts and to monitor how ePHI data is manipulated.
  • Control facility access – Consider the location of your Docker host. You want to be capable of tracking access to the data center.
  • Manage workstations – Write a policy that limits which workstations can access Docker containers processing health data.
  • Risk assessment – The Docker environment requires a full risk assessment to identify, analyze, and put measures in place to resolve concerns raised.
  • Train your staff – You need to train employees on all ePHI access protocols and how to recognize potential cybersecurity risks such as phishing, hacking, and deception. A record of these sessions must be kept.

These are just a few of the considerations when implementing a HIPAA-Compliant Docker Host. You can find additional information in the Atlantic.Net HIPAA-Compliance checklist – click here.

Atlantic.Net is an industry-leading global cloud services provider with over 30 years of computing and networking experience. Our HIPAA Compliant Cloud Hosting is one of our most successful cloud-based services, offering the necessary tools and features to secure your infrastructure and streamline the workflow of your healthcare business.

Share your vision with us, and we will develop a hosting environment tailored to your needs! Contact an advisor at 888-618-DATA (3282) or email [email protected] today.
