Configuring Popular Managed Database Services To Comply with HITRUST CSF
Chief Product Officer and Chief Security Officer
Cloud compliance is complex — not because the configurations themselves are complex, or that the technology tooling doesn’t exist to achieve proper configuration; rather it takes time, knowledge, and even creativity to understand what exactly those configurations should be. This is especially true of healthcare compliance where no regime is going to tell you word for word how to configure your cloud environments. Instead, you’re going to have to spend time and money understanding each framework, what applies to your organization, and how your organization is going to solve specific controls. You’ll then have to implement, measure and manage that policy in perpetuity, a task made more difficult by the highly dynamic nature of cloud services.
At Datica we’ve spent the last five years working at the intersection of cloud computing and healthcare compliance — we’ve talked with thousands of developers and engineers — we’ve built a portfolio of products that addresses these concerns head on. However, even in a world where you’re using a product like Datica’s CKS, you’ll likely have services and systems that live outside of that management layer. Understanding how to bring these services up to par in terms of compliance is anything but clear.
In our pursuit of making healthcare compliance more accessible to all, we’re releasing configuration guides for popular cloud services like Amazon RDS, Azure Cosmos DB and Google Cloud SQL. These configuration guides are mapped to the HITRUST CSF 9.1, which can easily be crosswalked to multiple compliance regimes like HIPAA, SOC2, GDPR, NIST, etc, meaning these cloud configurations can easily be mapped to multiple compliance regimes. Our goal is to work with the community to eventually cover all cloud services available across these three major cloud providers.
These configurations provide a number of benefits
- Datica has been HITRUST certified for over four years and complies with HIPAA, HITRUST, GDPR and GxP. These configurations are part of our core system and adhere to our open source policies. Users can freely implement these configurations, adopt the open source policies and have a verifiable, audit ready environment in a very short amount of time.
- They work well with Datica’s existing products. If you’re a Datica customer or are considering becoming one, you can rest easy knowing that these configurations provide the same level of compliance coverage that Datica’s managed products offer. This produces unparalleled compliance continuity, ultimately improving the efficiency of compliance audits.
- They’re free. Whether you’re a Datica customer or not, you can take these guides, implement them across your fleet of cloud services, and have an audit-ready environment without paying a dime.
Why we chose to start with Databases
Managing stateful applications within Kubernetes is a notoriously difficult problem to solve. As a result, many organizations turn to cloud providers to offload this work. Services like AWS RDS, Azure Cosmos DB, and Google Cloud SQL are popular among developers for their ease of use, scale and reliability. The demand we’ve received to support these services has been tremendous. As a result, the initial release of Datica CCMS will come with support for these three services. The CCMS, coupled with these guides, will provide an end to end compliance management structure for your cloud environment.
Anatomy of the guides
These guides are intended to be step-by-step, opinionated tutorials that explain the relevance of a specific configuration within the context of HITRUST. For those unfamiliar with HITRUST (and its relationship to HIPAA), please read through this HITRUST guide.
In these database guides we’ll walk through configuring each database to be HITRUST CSF ready and then show how the CCMS will continuously check these configurations via REST APIs (which you could programmatically implement yourself). To understand the structure of how we think about compliance at Datica, which is important to grasp in order to take full advantage of these guides, see the visualization below.
The bridge between “Compliance Controls” and “Configurations” is policy, while the bridge between “Configurations” and “APIs” is measurement.
Dedicated compliance tools are often too focused on controls, that is, the specific requirements of regimes like HITRUST, HIPAA, GDPR and more. For developers this is an issue, because ultimately they need to understand exactly what a specific control means, and what configurations need to be in place in order to satisfy that requirement. Unfortunately these tools don’t provide such guidance. They assume knowledge of compliance and established policy.
The CCMS and these guides are different. By starting with the configurations, developers can immediately grasp and understand what needs to be done. Ex: “turn on encryption”. This configuration is very straight forward and not muddled in compliance jargon. Then, using the rest of the guide, developers can map that configuration back to a control, as well as an API call that would give them a programmatic way to ensure that configuration is in place (either at a point in time, or on a continuous basis).
Introducing the first three configuration guides
- AWS RDS Guide - How to configure RDS to comply with HIPAA and HITRUST
- Azure Cosmos DB Guide - How to configure Cosmos DB to comply with HIPAA and HITRUST
- Google Cloud SQL Guide - How to configure GCP Cloud SQL to comply with HIPAA and HITRUST `
What’s on your wish list?
We treasure feedback from developers like you and want to know which cloud services matter to you. Fill out a survey here to let us know which services you use as part of your product that need to be configured for HITRUST compliance.