Updated July 3, 2026

Security Development Guidelines

Tags: security, development-guidelines, hipaa, compliance, zero-trust, encryption, iam, rbac, phi, epic, azure


Overview

Comprehensive security practices and guidelines for developing applications on the Epic on Azure platform, ensuring compliance with healthcare regulations and industry best practices.

Core Security Principles

1. Defense in Depth

  • Multiple security layers - Network, application, and data security
  • Zero trust architecture - Never trust, always verify
  • Least privilege access - Minimum required permissions only

2. Data Protection

  • Encryption everywhere - At rest, in transit, and in processing
  • Data classification - PHI, PII, and business data handling
  • Data retention policies - Automated lifecycle management

3. Identity & Access Management

  • Multi-factor authentication - Required for all access
  • Role-based access control (RBAC) - Granular permission management
  • Just-in-time access - Time-limited elevated permissions

Development Security Practices

Secure Coding Standards

Input Validation

// ✅ Good: Proper input validation
class ValidationError extends Error {}

function validatePatientId(patientId) {
  if (patientId === null || patientId === undefined) {
    throw new ValidationError("Missing patient ID");
  }
  // Keep only letters, digits and hyphens, then enforce the expected length range
  const sanitized = patientId.toString().replace(/[^a-zA-Z0-9-]/g, "");
  if (sanitized.length < 5 || sanitized.length > 20) {
    throw new ValidationError("Invalid patient ID format");
  }
  return sanitized;
}

// ❌ Bad: No validation, and the raw value is interpolated straight into the SQL text
function getPatient(patientId) {
  return db.query(`SELECT * FROM patients WHERE id = '${patientId}'`);
}
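The two snippets above show the shape of the problem but not why the "bad" form fails or what the hardened query looks like end to end. The following is an added example, not code from the original page; it is written in Python rather than the page's JavaScript so that it runs against a real (in-memory SQLite) database with constructed sample rows. The function and table names (`validate_patient_id`, `get_patient`, `get_patient_unsafe`, `patients`) are this example's own choices. It also uses a reject-style validator instead of the page's strip-style one, for the reason given in the docstring.

```python
import re
import sqlite3

# Constructed sample rows (not real patient data)
SAMPLE_PATIENTS = [("MRN-00042", "Ada"), ("MRN-00043", "Grace")]

# Same character set and length range as the page's validator
PATIENT_ID_RE = re.compile(r"[A-Za-z0-9-]{5,20}")


class ValidationError(ValueError):
    pass


def validate_patient_id(patient_id):
    """Reject anything outside the allowed pattern instead of stripping it.

    Stripping characters (as the page's JavaScript validator does) can silently
    turn one identifier into another, e.g. 'MRN-0004 2' -> 'MRN-00042', so the
    request would be served for the wrong patient instead of being refused.
    """
    if patient_id is None:
        raise ValidationError("Missing patient ID")
    value = str(patient_id)
    if not PATIENT_ID_RE.fullmatch(value):
        raise ValidationError("Invalid patient ID format")
    return value


def open_sample_db():
    """In-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE patients (id TEXT PRIMARY KEY, name TEXT NOT NULL)")
    conn.executemany("INSERT INTO patients VALUES (?, ?)", SAMPLE_PATIENTS)
    return conn


def get_patient_unsafe(conn, patient_id):
    """Mirrors the page's bad example: the value becomes part of the SQL text."""
    sql = f"SELECT id, name FROM patients WHERE id = '{patient_id}'"
    return conn.execute(sql).fetchall()


def get_patient(conn, patient_id):
    """Hardened form: validate first, then bind the value as a parameter so the
    database engine never parses it as SQL (the '?' placeholder is SQLite's;
    other drivers use %s or :name)."""
    pid = validate_patient_id(patient_id)
    return conn.execute(
        "SELECT id, name FROM patients WHERE id = ?", (pid,)
    ).fetchall()


if __name__ == "__main__":
    db = open_sample_db()
    print(get_patient(db, "MRN-00042"))
    # A quote in the input rewrites the WHERE clause of the unsafe query and it
    # returns every row; the hardened path refuses the input before any query runs.
    tampered = "x' OR '1'='1"
    print(len(get_patient_unsafe(db, tampered)), "rows from the unsafe query")
    try:
        get_patient(db, tampered)
    except ValidationError as exc:
        print("hardened path rejected it:", exc)
```

Validation and parameterization are separate layers: the regular expression stops malformed identifiers at the edge, and parameter binding guarantees that whatever does reach the database is treated as a value, never as SQL.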

Secret Management

# ✅ Good: Using Azure Key Vault through the Secrets Store CSI driver
# A plain `kind: Secret` has no secretProviderClass field; the Key Vault mapping
# lives in a SecretProviderClass, which the pod then mounts as a CSI volume.
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: epic-db-credentials
spec:
  provider: azure
  parameters:
    keyvaultName: "epic-prod-vault"
    tenantId: "<azure-tenant-id>"   # placeholder: the Entra ID tenant that owns the vault
    objects: |
      array:
        - |
          objectName: database-password
          objectType: secret

Code Review Security Checklist

  • No hardcoded secrets - All credentials use Key Vault
  • Input validation - All user inputs are sanitized
  • SQL injection prevention - Parameterized queries only
  • XSS protection - Output encoding implemented
  • Authentication checks - Protected endpoints verified
  • Audit logging - Security events are logged
  • Error handling - No sensitive data in error messages

HIPAA Compliance Requirements

Technical Safeguards

Access Control (§164.312(a)(1))

  • Unique user identification - Individual accounts for each user
  • Emergency access procedure - Break-glass access for critical situations
  • Automatic logoff - Session timeout after inactivity
  • Encryption and decryption - PHI protection at all times

Audit Controls (§164.312(b))

// Audit logging example: one record per PHI access, written once the access is authorized.
// `auditLogger` is the application's write-once audit sink (configured elsewhere).
async function auditPatientAccess(req, user, patientId, outcome = "SUCCESS") {
  const auditLog = {
    timestamp: new Date().toISOString(),
    userId: user.id,
    action: "PATIENT_DATA_ACCESS",
    resource: `patient/${patientId}`,
    ipAddress: req.ip,
    userAgent: req.get("User-Agent"),
    outcome,
  };
  await auditLogger.log(auditLog);
}

Integrity (§164.312(c)(1))

  • Data integrity controls - Checksums and digital signatures
  • Version control - Track all changes to PHI
  • Backup and recovery - Automated data protection

Transmission Security (§164.312(e)(1))

  • End-to-end encryption - TLS 1.3 for all communications
  • Network controls - VPN and private endpoints
  • Message authentication - Digital signatures for critical data

Security Tools & Automation

Pre-commit Security Hooks

# .pre-commit-config.yaml
repos:
  - repo: https://github.com/Yelp/detect-secrets
    rev: v1.4.0
    hooks:
      - id: detect-secrets
        args: ["--baseline", ".secrets.baseline"]

  - repo: https://github.com/PyCQA/bandit
    rev: 1.7.5
    hooks:
      - id: bandit
        args: ["-r", "."]

Vulnerability Scanning

Container Security

# ✅ Good: Security-focused Dockerfile
FROM mcr.microsoft.com/dotnet/aspnet:6.0-alpine AS base
# Create an unprivileged user; the numeric UID:GID form lets Kubernetes
# runAsNonRoot checks verify it without resolving names inside the image
RUN addgroup -g 1001 appuser && adduser -u 1001 -G appuser -s /bin/sh -D appuser
WORKDIR /app
EXPOSE 8080
USER 1001:1001

# curl is not in the alpine base image; busybox wget is
HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \
  CMD wget -q -O /dev/null http://localhost:8080/health || exit 1

Infrastructure Scanning

# Azure DevOps pipeline security scanning
- task: AzureStaticWebApp@0
  inputs:
    azure_static_web_apps_api_token: $(deployment_token)
    app_location: "/src"
    api_location: "/api"
    skip_app_build: true

- task: SecurityCodeAnalysis@2
  inputs:
    toolName: "BinSkim"
    arguments: "--recurse --verbose"

Incident Response

Security Incident Classification

Severity      | Description                     | Response Time | Example
--------------|---------------------------------|---------------|----------------------------------
P0 - Critical | PHI breach or system compromise | 15 minutes    | Patient data exposed publicly
P1 - High     | Security control failure        | 1 hour        | Authentication bypass discovered
P2 - Medium   | Vulnerability in production     | 4 hours       | SQL injection in non-PHI system
P3 - Low      | Security policy violation       | 24 hours      | Weak password detected

Response Procedures

  1. Immediate Actions (0-15 minutes)

    • Isolate affected systems
    • Preserve evidence and logs
    • Notify security team
    • Document initial findings
  2. Investigation Phase (15 minutes - 4 hours)

    • Determine scope and impact
    • Identify root cause
    • Assess data exposure risk
    • Coordinate with legal/compliance
  3. Remediation Phase (4-24 hours)

    • Implement fixes and patches
    • Restore systems from clean backups
    • Update security controls
    • Conduct post-incident review

Monitoring & Alerting

Security Metrics Dashboard

# Azure Monitor alerts for security events
- name: "Failed Authentication Attempts"
  condition: "count > 10 in 5 minutes"
  severity: "High"
  action: "Page security team"

- name: "Unusual Data Access Patterns"
  condition: "Patient records accessed > 100 in 1 hour"
  severity: "Medium"
  action: "Alert security team"

- name: "Privilege Escalation Detected"
  condition: "Role changes outside business hours"
  severity: "Critical"
  action: "Immediately page on-call security"

Log Analysis Queries

// Detect potential PHI access violations
SecurityEvent
| where TimeGenerated > ago(24h)
| where Activity has "PatientDataAccess"
| summarize AccessCount = count() by Account, bin(TimeGenerated, 1h)
| where AccessCount > 50
| project TimeGenerated, Account, AccessCount
| order by AccessCount desc
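The KQL query above and the audit record from the Audit Controls section are two halves of one control: the application writes structured access events, and the detection counts them per account and hour. The following is an added example, not code from the original page, that carries both halves in Python over a constructed log so the logic can be checked offline: `audit_record` builds entries with the same fields as the page's `auditLog` object, and `find_high_volume_access` reproduces the query (24-hour window, `PATIENT_DATA_ACCESS` filter, hourly bins per account, threshold, descending sort). The user names, IP addresses and `SAMPLE_NOW` are constructed; the bin-floor arithmetic is written generically so the bin size can be changed.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

PHI_ACTION = "PATIENT_DATA_ACCESS"
# Fixed "now" so the constructed sample is reproducible
SAMPLE_NOW = datetime(2025, 9, 1, 12, 30, tzinfo=timezone.utc)


def audit_record(user_id, patient_id, ip_address, user_agent="", outcome="SUCCESS", when=None):
    """One audit entry with the same fields as the page's auditLog object."""
    when = when or datetime.now(timezone.utc)
    return {
        "timestamp": when.isoformat(),
        "userId": user_id,
        "action": PHI_ACTION,
        "resource": f"patient/{patient_id}",
        "ipAddress": ip_address,
        "userAgent": user_agent,
        "outcome": outcome,
    }


def find_high_volume_access(records, now, threshold=50,
                            lookback=timedelta(hours=24), bin_size=timedelta(hours=1)):
    """Python equivalent of the page's KQL: keep the last 24h of PHI-access
    events, count them per (account, 1h bin), keep bins above the threshold,
    and return them sorted by count descending."""
    epoch = datetime.min.replace(tzinfo=timezone.utc)
    counts = Counter()
    for rec in records:
        ts = datetime.fromisoformat(rec["timestamp"])
        if ts <= now - lookback or rec["action"] != PHI_ACTION:
            continue
        # bin(TimeGenerated, 1h): floor the timestamp to the bin boundary
        bin_start = ts - ((ts - epoch) % bin_size)
        counts[(rec["userId"], bin_start)] += 1
    hits = [
        {"bin": bin_start.isoformat(), "account": account, "count": n}
        for (account, bin_start), n in counts.items()
        if n > threshold
    ]
    return sorted(hits, key=lambda h: h["count"], reverse=True)


def build_sample_records(now=SAMPLE_NOW):
    """Constructed log: 'alice' reads 60 charts in half an hour, 'bob' reads a
    handful, and an older burst from 'alice' three days ago must fall outside
    the 24h window."""
    recs = []
    burst_start = now - timedelta(hours=1, minutes=30)
    for i in range(60):
        recs.append(audit_record("alice", f"MRN-{i:05d}", "10.0.0.5",
                                 when=burst_start + timedelta(seconds=30 * i)))
    for i in range(5):
        recs.append(audit_record("bob", f"MRN-{i:05d}", "10.0.0.9",
                                 when=now - timedelta(minutes=i)))
    for i in range(60):
        recs.append(audit_record("alice", f"MRN-{i:05d}", "10.0.0.5",
                                 when=now - timedelta(days=3, seconds=i)))
    return recs


if __name__ == "__main__":
    for hit in find_high_volume_access(build_sample_records(), SAMPLE_NOW):
        print(hit)
```

Fixed hourly bins are what the KQL does, and they are cheap to run at scale, but a burst that straddles an hour boundary can split into two bins that each stay under the threshold; a sliding-window variant avoids that at the cost of more state.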

Compliance Validation

Automated Compliance Checks

# Compliance validation script
from collections import namedtuple

# Each check_* function (implemented elsewhere) returns a CheckResult
CheckResult = namedtuple("CheckResult", ["name", "passed"])


class ComplianceViolation(Exception):
    """Raised when one or more HIPAA technical-safeguard checks fail."""


def validate_hipaa_compliance():
    checks = [
        check_encryption_at_rest(),
        check_audit_logging_enabled(),
        check_access_controls(),
        check_data_retention_policies(),
        check_backup_encryption(),
    ]

    failed_checks = [check.name for check in checks if not check.passed]

    if failed_checks:
        raise ComplianceViolation(f"Failed checks: {', '.join(failed_checks)}")

    return True
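The script above shows the aggregation step but leaves the individual checks undefined. The following added example (not code from the original page) fills in the five checks the page names as policy-as-code over a constructed resource inventory. The inventory keys, the `sql/epic-db` and `storage/phi-blob` resource names, and the `REQUIRED_RETENTION_DAYS` value are this example's own assumptions, not settings from the page or from Azure; each check fails closed, so a resource with a missing attribute counts as non-compliant rather than passing by default.

```python
from dataclasses import dataclass

# Policy value assumed for this example; the page states no retention period
REQUIRED_RETENTION_DAYS = 2190


@dataclass(frozen=True)
class CheckResult:
    name: str
    passed: bool
    failing_resources: tuple = ()


class ComplianceViolation(Exception):
    pass


# Constructed inventory, loosely modelled on Azure resource settings; not real
SAMPLE_INVENTORY = {
    "storage/phi-blob": {"encryption_at_rest": True, "diagnostic_logging": True,
                         "public_network_access": False, "rbac_only": True,
                         "log_retention_days": 2190, "backup_encrypted": True},
    "sql/epic-db": {"encryption_at_rest": False, "diagnostic_logging": True,
                    "public_network_access": True, "rbac_only": True,
                    "log_retention_days": 90, "backup_encrypted": True},
}


def _check(name, inventory, predicate):
    """Run one predicate over every resource; list the ones that fail.
    `.get()` is used so an absent attribute fails rather than passes."""
    failing = tuple(sorted(r for r, cfg in inventory.items() if not predicate(cfg)))
    return CheckResult(name, not failing, failing)


def check_encryption_at_rest(inventory):
    return _check("encryption-at-rest", inventory,
                  lambda c: c.get("encryption_at_rest") is True)


def check_audit_logging_enabled(inventory):
    return _check("audit-logging", inventory,
                  lambda c: c.get("diagnostic_logging") is True)


def check_access_controls(inventory):
    return _check("access-controls", inventory,
                  lambda c: c.get("public_network_access") is False and c.get("rbac_only") is True)


def check_data_retention_policies(inventory):
    return _check("data-retention", inventory,
                  lambda c: c.get("log_retention_days", 0) >= REQUIRED_RETENTION_DAYS)


def check_backup_encryption(inventory):
    return _check("backup-encryption", inventory,
                  lambda c: c.get("backup_encrypted") is True)


def run_checks(inventory):
    return [
        check_encryption_at_rest(inventory),
        check_audit_logging_enabled(inventory),
        check_access_controls(inventory),
        check_data_retention_policies(inventory),
        check_backup_encryption(inventory),
    ]


def failed_check_names(inventory):
    return [c.name for c in run_checks(inventory) if not c.passed]


def validate_hipaa_compliance(inventory):
    failed = [c for c in run_checks(inventory) if not c.passed]
    if failed:
        detail = "; ".join(f"{c.name}: {', '.join(c.failing_resources)}" for c in failed)
        raise ComplianceViolation(f"Failed checks: {detail}")
    return True


if __name__ == "__main__":
    try:
        validate_hipaa_compliance(SAMPLE_INVENTORY)
    except ComplianceViolation as exc:
        print(exc)
```

Reporting the failing resource names per check, rather than just a boolean, is what makes the output actionable in a pipeline: the team sees which database lacks encryption at rest, not only that some check failed.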

Regular Security Assessments

  • Quarterly vulnerability assessments - External penetration testing
  • Monthly code reviews - Security-focused peer reviews
  • Weekly security training - Team education and awareness
  • Daily automated scans - Continuous security monitoring

Getting Help

Security Support Channels

Escalation Path

  1. Level 1: Development Team Lead
  2. Level 2: Security Architecture Team
  3. Level 3: CISO Office
  4. Level 4: Legal and Compliance

Quick Reference

Essential Security Links

Resource          | Purpose                            | Status
------------------|------------------------------------|-----------------------------------------
HIPAA Guidelines  | Healthcare compliance requirements | See HIPAA Compliance section above
Secret Management | Azure Key Vault integration        | See Development Security Practices
Security Tooling  | Automated security scanning        | See Security Tools & Automation
Incident Response | Security incident procedures       | See Incident Response section above

These security guidelines are regularly updated to reflect the latest threats and compliance requirements. For questions or suggestions, please contact the Security Team.

Last updated: September 2025 | Compliance: HIPAA, SOC 2 Type II, ISO 27001

Security Development Guidelines Structure

This section provides comprehensive security guidance for OHEMR Epic healthcare systems development and operations:

Core Security Areas

  • HIPAA Compliance: Healthcare-specific security requirements (coming soon)
  • Secret Management: Secure credential handling and storage (coming soon)
  • Security Tooling: Automated security scanning and validation (coming soon)
  • Incident Response: Security incident procedures and escalation (coming soon)

Implementation Standards

All development guidelines include Epic-specific security requirements and HIPAA compliance considerations.