Infrastructure as Code: A Dynamic Approach to Managing HIPAA Compliant Infrastructure

16 Jun 2017

Some exciting new approaches to infrastructure and server management have emerged in recent years. The advent of cloud computing and virtualization is fast transforming a process that once took days or even weeks: configuring hardware and deploying new applications.

Infrastructure as Code (IaC), or “programmable infrastructure” as some are calling it, is drastically reducing the time and manpower needed to manage configurations and deploy applications. Driven by the need for a more flexible infrastructure and secure cloud formation, IaC benefits from the tools of continuous delivery and integration, using machine-processable definition files for more rapid implementation and updating of applications. In other words, infrastructure is essentially treated as software.

Martin Fowler of ThoughtWorks says it this way: “This is a dynamic infrastructure where software commands are used to create servers (often virtual machines, but can be installations on bare metal), provision them, and tear them down, all without going anywhere near a screwdriver.” Version control, code review, continuous integration, and automated testing are all tools that developers are using in connection with IaC, and the approach is revolutionizing infrastructure management.

HIPAA Compliance and IaC

Orderly, predictable provisioning of resources also aids developers when building secure, HIPAA compliant cloud solutions. The ability to use cloud formation templates that can be configured and replicated for protecting sensitive PHI (protected health information) allows security and monitoring tools to be integrated at the development level. Providing for the latest, automatic updates is a vital aspect of managing the controls necessary to protect cloud security.

So let’s summarize. What are the benefits of an IaC approach to infrastructure that leverages these important tools? Here are a few:

  • Rapid deployment: systems can be automatically built, managed, and provisioned through code, vastly reducing or eliminating tedious scripting or manual processes.
  • Configuration: large clusters of servers can be effectively scaled with IaC.
  • Security: implementing monitoring tools and code review as an integral part of IaC and HIPAA compliance helps identify and prevent potentially disruptive errors in code that can lead to security breaches and costly service downtime.
  • Compliance: utilization of version-controlled code means infrastructure changes can be logged, helping to maintain compliance and clarify audits.

Implementing a dynamic, IaC approach to managing infrastructure is fast becoming accepted DevOps practice. To the extent that it is embraced by both management and developers, it can significantly reduce errors (risk), time (execution), and man hours (costs), while providing greater flexibility and scalability for HIPAA compliant, cloud-based infrastructures.
