7 Step Checklist to secure your healthcare data

Cloud

Must Have
- Use a different sub-account for each environment
- Least-privilege access for each user
- Create the right IAM policies
- Use KMS to store and manage keys
- Use encryption for databases and S3 buckets for compliance
- End-to-end encryption of data in transit using SSL certificates

Good To Have
- Strictly use multi-factor authentication for all user logins
- Separate database instances for each environment in the private subnet
- Enable CloudTrail for logging account activity
- Use a secrets manager to protect the secrets needed to access your applications, services and IT resources
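The Cloud items above (KMS-managed keys, encrypted S3 buckets, encryption in transit) can be enforced at the bucket itself rather than left to each client. The following is an added example, not part of the original checklist: an S3 bucket policy that denies non-TLS requests and uploads that are not KMS-encrypted, plus a small audit helper (the function names, and the bucket name EXAMPLE-PHI-BUCKET, are constructed placeholders) that flags policies missing either control.

```python
# Bucket policy enforcing two Cloud "Must Have" items for an S3 bucket holding
# PHI (TLS in transit, KMS encryption at rest), plus an audit check that flags
# policies missing either control. BUCKET is a constructed placeholder name.
BUCKET = "EXAMPLE-PHI-BUCKET"

PHI_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {   # Reject any request that is not made over TLS
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
        {   # Reject object uploads that are not encrypted with a KMS key
            "Sid": "DenyUnencryptedUploads",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{BUCKET}/*",
            "Condition": {
                "StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}
            },
        },
    ],
}

def _has_deny_condition(stmt, key, value):
    """True if stmt is a Deny whose Condition tests `key` against `value`."""
    if stmt.get("Effect") != "Deny":
        return False
    return any(str(operands.get(key, "")).lower() == value
               for operands in stmt.get("Condition", {}).values())

def missing_controls(policy):
    """Return the required controls (in order) that a bucket policy lacks."""
    stmts = policy.get("Statement", [])
    missing = []
    if not any(_has_deny_condition(s, "aws:SecureTransport", "false") for s in stmts):
        missing.append("tls-in-transit")
    if not any(_has_deny_condition(s, "s3:x-amz-server-side-encryption", "aws:kms")
               for s in stmts):
        missing.append("kms-at-rest")
    return missing
```

The policy only governs new requests; objects already stored without KMS encryption are not re-encrypted by it, so pair it with default bucket encryption.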

Storage

Must Have
- Role-based access control to storage
- Periodic storage backups

Good To Have
- Use the provider's native encryption capabilities (KMS keys) to encrypt data at rest
- Enable logging and auditing to monitor storage activity

Operating System

Must Have
- Automated hardening / secure configuration, self-healing
- Patch management for the operating system's applications and libraries
- Create secure accounts with only the required privileges (i.e. user management)

Logging And Monitoring

Must Have
- Role-based access control to monitoring tools

Good To Have
- Resource monitoring
- System and application log monitoring
- Automated security information and event alerting over Slack, email, etc.

CI/CD Toolkit

Must Have
- Authorized login only
- Role-based access control so that a user gets only project-specific access
- Developers can only see the logs
- Only an admin can create a user
- No builds run on the master node, to prevent programs from accessing the Jenkins home directory and other server files
- Use Docker containers as Linux agents (nodes)
- The Jenkins pipeline for each environment has its own IAM users (with only the required access) for accessing AWS resources during execution
- Only whitelisted IPs can connect to the Jenkins server over SSH
- Clean the workspace directory (source code) as soon as the build finishes
- Update Jenkins and its plugins regularly

Good To Have
- Use credentials to store and mask sensitive data such as tokens or API keys

SCM Platforms

Must Have
- Only the account owner can create or delete a repository
- Only the project manager has admin permission on repositories
- Only the project manager/lead should have write access to main branches
- Delete protection for main branches
- No secret or environment files should be pushed to the repository
- Only developers working on the project have access to the repository
- Use SSH keys to access remote git repositories
- Update git periodically to stay safe from vulnerabilities

Good To Have
- The master branch holds only the production code
- Require two-step authentication for every Bitbucket/GitHub user account
- Static analysis tools detect code smells, bugs, and vulnerabilities; use CodeGrip or a similar tool to scan repository code, generate reports, and notify over Slack

Source Code

Must Have
- Follow OWASP Secure Coding Practices (a tool like CodeGrip can scan for this)
- Strictly avoid credentials in source code (AWS access keys and secret keys, etc.)
- Use secure and updated IDEs and plugins

Good To Have
- Treat each activity as an event and log every event that happens
- Use static application security testing (SAST) tools like CodeGrip
- Code review for each pull request
- Dependency checks to identify known vulnerable components
