OpenShift and HIPAA/PHI

Often we find ourselves having to deal with compliance for our workloads. In the healthcare space, we tend to have the added layer of Health Insurance Portability and Accountability Act of 1996 (HIPAA) and electronic Protected Health Information (ePHI) to consider, and as new technologies are introduced, especially transformative technologies like Kubernetes, containers, software defined networks (SDN), service mesh, OpenShift Virtualization, serverless, among many others. The up-front work is often placed on Ops and Engineering teams to ensure these solutions meet the current internal standards and external compliance requirements. Applications, regardless of technology or cloud, need to be something that can be supported, backed up, monitored,  secured, and have an RPO/RTO that aligns with business continuity and end-customer expectations, especially in healthcare. 

Why Enterprises Keep Picking OpenShift

It's no surprise to us when customers choose OpenShift since many of the features that align with what an enterprise expects are built into the platform. Things like encryption, high availability, multi-tenancy, predictable patch and security fixes, and long-term support are all core tenants of the platform.  Anyone who has spent any amount of time in IT knows that things fail, performance problems will occur at scale, and getting a technology in place is one thing, but making that technology secure, supportable, and built to scale for thousands or tens of thousands of workloads is another thing. 

When new technologies are introduced, the first questions are typically around features and implementation and how they will align with current standards. It is never a surprise when a customer has specific network segmentation requirements or they want to understand encryption at-rest/in-transit, or need to understand multi-tenancy, backup, or disaster recovery. These discussions are often handled in an ad-hoc manner, and some questions are not really explored until implementation time. 

In this link, we go through each of the core technologies and the various options for handling workloads in support of ePHI. We understand that even though we are all ensuring compliance with HIPAA, there is no one size fits all solution. Internal security and compliance standards may differ among organizations based on the technologies you currently use and the types of solutions you are building.  The model for OpenShift has been and continues to be one that broadly supports deployments across public and private clouds, traditional infrastructure, and  is flexible enough to align with existing storage, network, systems, security and infrastructure standards.