# Security & Compliance
Healthcare Security Requirements and Compliance Standards

**What's Covered:** HIPAA compliance, secret management, security tooling, and monitoring
## Healthcare Security Requirements

### HIPAA Compliance Mandatory

**Required Controls:**

- **Encryption at Rest** - All data storage encrypted with AES-256
- **Encryption in Transit** - TLS 1.2+ for all communications
- **Access Logging** - Comprehensive audit trails for all PHI access
- **Data Residency** - PHI must remain in approved Azure regions
- **Access Controls** - Role-based access with multi-factor authentication
- **Data Integrity** - Checksums and validation for data accuracy
- **Backup Security** - Encrypted backups with access controls
### Security Architecture Principles

**Identity and Access Management:**

- Azure Active Directory integration
- Conditional access policies
- Privileged Identity Management (PIM)
- Just-in-time (JIT) access for administrative tasks
- Service principals with minimal permissions

**Data Protection:**

- Azure Key Vault for secrets management
- Transparent Data Encryption (TDE) for databases
- Azure Storage Service Encryption
- Customer-managed encryption keys where required
## Secret Management Standards

### HashiVault Integration

```bash
# Good: Azure Key Vault integration
az keyvault secret show --vault-name kv-epic-prod --name db-password

# Good: Environment-specific secrets
export DB_PASSWORD=$(vault kv get -field=password secret/epic/dev/database)
```
**Terraform Integration:**

```hcl
# Retrieve secrets from HashiVault
# Note: values read through a data source are written to Terraform state,
# so the state backend itself must be encrypted and access-controlled.
data "vault_generic_secret" "epic_db" {
  path = "secret/epic/${var.environment}/database"
}

resource "azurerm_sql_server" "epic_db" {
  name                         = "${var.environment}-epic-db"
  resource_group_name          = var.resource_group_name
  location                     = var.location
  version                      = "12.0"
  administrator_login          = data.vault_generic_secret.epic_db.data["username"]
  administrator_login_password = data.vault_generic_secret.epic_db.data["password"]
  tags                         = var.common_tags
}
```
**Ansible Vault Integration:**

```yaml
---
# Use Ansible Vault for sensitive variables
- name: Deploy Epic application with secrets
  hosts: epic_servers
  vars:
    epic_db_password: !vault |
      $ANSIBLE_VAULT;1.1;AES256
      66386439653238336464616130633965663736636335373532643430633939...
  tasks:
    - name: Configure database connection
      template:
        src: database.conf.j2
        dest: /opt/epic/config/database.conf
        mode: '0600'
      vars:
        db_connection_string: "Server={{ epic_db_host }};Password={{ epic_db_password }}"
```
## Prohibited Security Practices

!!! failure "Never Do This"

    ```bash
    # Never: Hardcoded secrets in code
    DB_PASSWORD="SuperSecret123!"

    # Never: Secrets in Git repositories
    echo "password=secret123" > config.txt
    git add config.txt

    # Never: Plain text files
    cat > .env << EOF
    DATABASE_URL=postgres://user:password@server/db
    EOF

    # Never: Secrets in container images (Dockerfile)
    ENV DB_PASSWORD=hardcoded-secret

    # Never: Secrets in CI/CD logs
    echo "Deploying with password: $SECRET_PASSWORD"
    ```
## Security Tooling & Automation

### Pre-commit Security Hooks

!!! example "Required Security Tools"

    **Pre-commit Configuration:**

    ```yaml
    # .pre-commit-config.yaml
    repos:
      - repo: https://github.com/trufflesecurity/trufflehog
        rev: v3.63.2
        hooks:
          - id: trufflehog
            name: TruffleHog Secret Scanner
            description: Detect hardcoded secrets
            entry: bash -c 'trufflehog git file://. --since-commit HEAD --only-verified --fail'
      - repo: https://github.com/Yelp/detect-secrets
        rev: v1.4.0
        hooks:
          - id: detect-secrets
            name: Detect Secrets
            args: ['--baseline', '.secrets.baseline']
      - repo: https://github.com/bridgecrewio/checkov.git
        rev: 2.4.9
        hooks:
          - id: checkov
            name: Checkov IaC Security Scanner
            args: [--framework, terraform, --framework, ansible]
      - repo: https://github.com/aquasecurity/tfsec
        rev: v1.28.1
        hooks:
          - id: tfsec
            name: Terraform Security Scanner
    ```
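As an added illustration (not code from TruffleHog, detect-secrets or the team's toolchain), the following hypothetical pre-commit hook implements the checks behind the "Never Do This" list: it flags lines carrying a literal credential or echoing a secret variable, while accepting the "Good" forms where the value is fetched from Vault, Key Vault, a shell or Jinja variable, or a Terraform expression. The regexes, the marker list and the `scan_text` name are assumptions made here.

```python
import re
import subprocess
import sys

# Hypothetical pre-commit hook (added here; not TruffleHog or detect-secrets code).
# A line holding a literal credential is a finding; a value that references Vault,
# Key Vault, a shell/Jinja variable or a Terraform expression is the "Good" form.
LITERAL_PATTERNS = [  # literal-credential patterns; first match per line wins
    ("secret baked into container image",
     re.compile(r"(?i)^\s*ENV\s+\w*(password|secret|token)\w*[=\s]")),
    ("credentials embedded in connection URL",
     re.compile(r"(?i)\b[a-z][a-z0-9+.-]*://[^\s:/@]+:[^\s/@]+@")),
    ("hardcoded credential assignment",
     re.compile(r"(?i)\b\w*(password|passwd|secret|token)\w*\s*=\s*['\"]?\S{4,}")),
]
# A value containing one of these markers is a reference, not the secret itself.
REFERENCE_MARKERS = ("$(", "${", "{{", "!vault", "data.", "var.", "local.")
# A secret variable expanded into build output leaks even without a literal.
LEAK_PATTERNS = [
    ("secret echoed into CI/CD logs",
     re.compile(r"(?i)\becho\b.*\$\{?\w*(password|secret|token)\w*")),
]

def scan_text(text, path="<stdin>"):
    """Return (path, line_number, label) for every suspicious line in text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for label, pattern in LEAK_PATTERNS:
            if pattern.search(line):
                findings.append((path, lineno, label))
        if any(marker in line for marker in REFERENCE_MARKERS):
            continue  # value comes from a secret store or variable, not this file
        for label, pattern in LITERAL_PATTERNS:
            if pattern.search(line):
                findings.append((path, lineno, label))
                break
    return findings

if __name__ == "__main__":
    # Hook entry point: scan staged files and block the commit on any finding.
    staged = subprocess.run(["git", "diff", "--cached", "--name-only", "--diff-filter=ACM"],
                            capture_output=True, text=True, check=True).stdout.split()
    hits = []
    for staged_path in staged:
        with open(staged_path, encoding="utf-8", errors="replace") as fh:
            hits.extend(scan_text(fh.read(), staged_path))
    for found_path, lineno, label in hits:
        print(f"{found_path}:{lineno}: {label}")
    sys.exit(1 if hits else 0)
```

Run against the "Never Do This" lines it reports all five; the two "Good" forms (the `$(vault ...)` export and the Terraform `data.vault_generic_secret` reference) pass clean.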
### Vulnerability Scanning Pipeline

**GitHub Actions Security Pipeline:**

```yaml
name: Security Scanning Pipeline

on:
  pull_request:
    branches: [main]
  push:
    branches: [main]
  schedule:
    - cron: '0 2 * * *'  # Daily at 2 AM (UTC)

jobs:
  secret-scanning:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
        with:
          fetch-depth: 0
      - name: Run TruffleHog
        uses: trufflesecurity/trufflehog@main  # pin to a release tag or commit SHA for production use
        with:
          path: ./
          base: main
          head: HEAD
          extra_args: --debug --only-verified

  infrastructure-security:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: Run Checkov
        uses: bridgecrewio/checkov-action@master
        with:
          directory: .
          framework: terraform,ansible
          output_format: sarif
          output_file_path: checkov-results.sarif
      - name: Run TFSec
        uses: aquasecurity/[email protected]
        with:
          sarif_file: tfsec-results.sarif
      # Upload each scanner's SARIF under its own category so neither result set overwrites the other
      - name: Upload Checkov SARIF
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: checkov-results.sarif
          category: checkov
      - name: Upload TFSec SARIF
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: tfsec-results.sarif
          category: tfsec

  dependency-security:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: 'fs'
          scan-ref: '.'
          format: 'sarif'
          output: 'trivy-results.sarif'
      - name: Upload Trivy scan results
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: 'trivy-results.sarif'
```
### Security Policy as Code

```hcl
  parameters = jsonencode({
    effect = {
      value = "Deny"
    }
  })
}

# Require SQL TDE encryption
resource "azurerm_policy_assignment" "sql_tde" {
  name                 = "require-sql-tde"
  scope                = var.management_group_id
  policy_definition_id = "/providers/Microsoft.Authorization/policyDefinitions/17k78e20-9358-41c9-923c-fb736d382a12"
  parameters = jsonencode({
    effect = {
      value = "Audit"
    }
  })
}

# Network security group rules
resource "azurerm_policy_assignment" "nsg_rules" {
  name                 = "restrict-nsg-rules"
  scope                = var.management_group_id
  policy_definition_id = "/providers/Microsoft.Authorization/policyDefinitions/9daedab3-fb2d-461e-b861-71790eead4f6"
}
```
## Identity & Access Management

### Azure Active Directory Integration

```hcl
  conditions {
    applications {
      included_applications = [data.azuread_application.epic_app.application_id]
    }
    users {
      included_groups = [azuread_group.epic_users.object_id]
    }
    locations {
      included_locations = ["AllTrusted"]
    }
  }

  grant_controls {
    operator          = "AND"
    built_in_controls = ["mfa", "compliantDevice"]
  }

  session_controls {
    application_enforced_restrictions_enabled = true
    sign_in_frequency                         = 8
    sign_in_frequency_period                  = "hours"
  }
}
```
### Privileged Identity Management

```hcl
  schedule {
    expiration {
      duration_hours = 8
    }
  }

  notification {
    additional_recipients = ["[email protected]"]
    default_recipients    = true
    notification_level    = "All"
  }
}
```
### Service Principal Management

!!! example "Service Principal Best Practices"

    **Minimal Permissions:**

    ```hcl
    resource "azuread_application" "epic_automation" {
      display_name = "Epic Automation Service Principal"

      required_resource_access {
        resource_app_id = "00000003-0000-0000-c000-000000000000" # Microsoft Graph

        resource_access {
          id   = "e1fe6dd8-ba31-4d61-89e7-88639da4683d" # User.Read
          type = "Scope"
        }
      }
    }

    resource "azurerm_role_assignment" "epic_automation_contributor" {
      scope                = azurerm_resource_group.epic_automation.id
      role_definition_name = "Contributor"
      principal_id         = azuread_service_principal.epic_automation.object_id
      # ABAC condition denying Microsoft.Authorization write/delete actions;
      # condition_version must accompany condition in the azurerm provider
      condition_version    = "2.0"
      condition            = "((!(ActionMatches{'Microsoft.Authorization/*/Delete'})) AND (!(ActionMatches{'Microsoft.Authorization/*/Write'})))"
    }
    ```
## Monitoring & Security Observability

### Security Metrics & Alerting

**Data Access Metrics:**

- PHI access patterns
- Large data downloads
- Unusual database queries
- File access outside business hours
- Cross-environment data movement

**Infrastructure Security:**

- Firewall rule changes
- Network security group modifications
- New resource deployments
- Configuration changes
- Certificate expiration warnings
### Azure Sentinel Integration

```hcl
resource "azurerm_sentinel_data_connector_azure_security_center" "epic_asc" {
  log_analytics_workspace_id = azurerm_log_analytics_workspace.security.id
  subscription_id            = data.azurerm_client_config.current.subscription_id
}

resource "azurerm_sentinel_data_connector_azure_activity" "epic_activity" {
  log_analytics_workspace_id = azurerm_log_analytics_workspace.security.id
  subscription_id            = data.azurerm_client_config.current.subscription_id
}
```
### Security Incident Detection

```hcl
resource "azurerm_sentinel_alert_rule_scheduled" "epic_suspicious_login" {
  name                       = "Epic Suspicious Login Activity"
  log_analytics_workspace_id = azurerm_log_analytics_workspace.security.id
  display_name               = "Suspicious Login Activity Detected"
  severity                   = "High"
  enabled                    = true

  query = <<EOT
SigninLogs
| where TimeGenerated > ago(1h)
| where ResultType != "0"
| where AppDisplayName contains "Epic"
| summarize FailedAttempts = count() by UserPrincipalName, IPAddress
| where FailedAttempts > 5
EOT

  query_frequency   = "PT1H"
  query_period      = "PT1H"
  trigger_operator  = "GreaterThan"
  trigger_threshold = 0
  tactics           = ["CredentialAccess", "InitialAccess"]

  incident_configuration {
    create_incident = true
    grouping {
      enabled                = true
      reopen_closed_incident = false
      lookback_duration      = "PT1H"
      entity_matching_method = "AllEntities"
    }
  }
}
```
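To make the rule's logic testable outside Sentinel, here is an added Python re-implementation of the KQL above, run over a constructed set of SigninLogs rows; it is not part of the page's Terraform, and the sample users, IP addresses and result codes are invented. It also mirrors the trigger settings: `GreaterThan` with threshold `0` means any returned row opens an incident.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed "current time" and SigninLogs rows (sample data, not real logs).
NOW = datetime(2025, 9, 1, 12, 0, tzinfo=timezone.utc)

def _row(minutes_ago, result_type, app, user, ip):
    return {"TimeGenerated": NOW - timedelta(minutes=minutes_ago), "ResultType": result_type,
            "AppDisplayName": app, "UserPrincipalName": user, "IPAddress": ip}

SAMPLE_SIGNIN_LOGS = (
    # alice: 6 failures from one IP inside the hour -> above threshold, flagged
    [_row(m, "50126", "Epic Hyperspace", "alice@example.com", "203.0.113.10") for m in (2, 5, 9, 14, 20, 31)]
    # bob: 3 failures -> below threshold
    + [_row(m, "50126", "Epic Hyperspace", "bob@example.com", "203.0.113.22") for m in (3, 7, 11)]
    # alice from a second IP: counted as a separate (user, IP) group
    + [_row(4, "50126", "Epic Hyperspace", "alice@example.com", "198.51.100.7")]
    # carol: successful sign-ins (ResultType "0"), ignored
    + [_row(m, "0", "Epic Hyperspace", "carol@example.com", "203.0.113.30") for m in range(1, 7)]
    # dave: failures against a non-Epic application, ignored
    + [_row(m, "50126", "Payroll Portal", "dave@example.com", "203.0.113.40") for m in range(1, 7)]
    # erin: failures older than the 1h window, ignored
    + [_row(m, "50126", "Epic Hyperspace", "erin@example.com", "203.0.113.50") for m in (70, 75, 80, 85, 90, 95)]
)

def detect_suspicious_logins(rows, now=NOW, window=timedelta(hours=1), threshold=5, app_substring="Epic"):
    """Python equivalent of the rule's KQL: failed sign-ins to Epic apps in the last
    hour, grouped by (UserPrincipalName, IPAddress), kept where the count > threshold."""
    failed = Counter()
    for row in rows:
        if row["TimeGenerated"] <= now - window:      # | where TimeGenerated > ago(1h)
            continue
        if row["ResultType"] == "0":                   # | where ResultType != "0"
            continue
        if app_substring.lower() not in row["AppDisplayName"].lower():  # KQL 'contains' is case-insensitive
            continue
        failed[(row["UserPrincipalName"], row["IPAddress"])] += 1      # | summarize count() by UPN, IP
    return {key: n for key, n in failed.items() if n > threshold}      # | where FailedAttempts > 5

def should_trigger(results, trigger_threshold=0):
    """trigger_operator = "GreaterThan", trigger_threshold = 0: alert on any returned row."""
    return len(results) > trigger_threshold
```

Because `query_period` equals `query_frequency` (both PT1H), each run sees a disjoint hour, so a burst of failures that straddles two runs can split below the threshold; setting `query_period` longer than `query_frequency` gives overlapping windows and closes that gap.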
## Compliance & Audit Requirements

### Audit Trail Configuration

!!! example "Comprehensive Logging"

    **Azure Monitor Configuration:**

    ```hcl
    resource "azurerm_monitor_diagnostic_setting" "epic_audit" {
      name                       = "epic-audit-logs"
      target_resource_id         = azurerm_sql_server.epic_db.id
      log_analytics_workspace_id = azurerm_log_analytics_workspace.security.id

      # Note: retention_policy only applies to a storage-account destination;
      # retention for the Log Analytics workspace is set on the workspace or
      # per table, so verify the 7-year requirement there as well.
      log {
        category = "SQLSecurityAuditEvents"
        enabled  = true
        retention_policy {
          enabled = true
          days    = 2555 # 7 years for HIPAA compliance
        }
      }

      log {
        category = "DevOpsOperationsAudit"
        enabled  = true
        retention_policy {
          enabled = true
          days    = 2555
        }
      }

      metric {
        category = "AllMetrics"
        enabled  = true
        retention_policy {
          enabled = true
          days    = 90
        }
      }
    }
    ```
## Data Loss Prevention

### Backup Security Requirements

```hcl
  # Encryption settings
  encryption {
    encryption_at_rest_type   = "CustomerManaged"
    key_uri                   = azurerm_key_vault_key.backup_key.id
    infrastructure_encryption = true
  }

  backup {
    frequency = "Daily"
    time      = "02:00"
    timezone  = "UTC"
  }

  retention_daily {
    count = 90 # 90 days for operational recovery
  }

  retention_weekly {
    count    = 104 # 2 years for compliance
    weekdays = ["Sunday"]
  }

  retention_monthly {
    count    = 84 # 7 years for HIPAA
    weekdays = ["Sunday"]
    weeks    = ["First"]
  }

  retention_yearly {
    count    = 10
    weekdays = ["Sunday"]
    weeks    = ["First"]
    months   = ["January"]
  }
}
```
## Incident Response & Security Operations

### Security Incident Classification

**P1 - High (1 Hour Response):**

- Suspected data breach
- Privilege escalation detected
- Unusual administrative activity
- Security tool alerts

**P2 - Medium (4 Hours):**

- Policy violations
- Failed compliance checks
- Suspicious user behavior
- Certificate expiration warnings
### Incident Response Playbook

!!! example "Response Procedures"

    **Immediate Actions (First 15 minutes):**

    1. Assess and classify the incident severity
    2. Notify security team and management
    3. Isolate affected systems if needed
    4. Begin evidence collection
    5. Document all actions taken

    **Investigation Phase (1-4 hours):**

    1. Conduct forensic analysis
    2. Determine scope of impact
    3. Identify root cause
    4. Assess compliance implications
    5. Coordinate with legal team if PHI involved

    **Recovery Phase:**

    1. Implement containment measures
    2. Apply security patches/fixes
    3. Restore services safely
    4. Monitor for recurring issues
    5. Update security controls

    **Post-Incident:**

    1. Complete incident report
    2. Conduct lessons learned session
    3. Update response procedures
    4. Implement preventive measures
    5. Notify regulatory bodies if required
## Security Contact Information

!!! question "Security Escalation"

    **Emergency Contacts:**

    - Security Incidents: +1-800-SOC-HELP
    - HIPAA Breaches: Privacy Officer (immediate notification)
    - Cyber Security Team: [email protected]
    - Legal Department: For PHI-related incidents

    **Escalation Chain:**

    1. Security Analyst → Security Manager
    2. Security Manager → CISO
    3. CISO → Chief Privacy Officer (PHI incidents)
    4. Chief Privacy Officer → Legal Counsel
## Getting Help with Security

!!! question "Security Questions"

    - HIPAA Compliance: Contact Privacy Officer and Security Team
    - Vault Access Issues: Check HashiVault documentation
    - Azure Security: Review Security Guidelines
    - Policy Questions: Engage with Compliance team

!!! question "Tool-Specific Help"

    - Pre-commit Hooks: Pre-commit Framework Documentation
    - Azure Sentinel: Microsoft Sentinel Documentation
    - Checkov: Bridgecrew Checkov Guide
    - TruffleHog: TruffleHog Documentation
Security & Compliance | Epic on Azure Team Guidelines
Healthcare security is non-negotiable. Every security measure protects patient data and ensures compliance with healthcare regulations.
Last updated: September 2025