Now more than ever, healthcare entities are moving their patient data into the cloud. This creates new challenges as legislative bodies mandate regulatory compliance of the IT infrastructure.
Kubernetes has become the de facto platform for managing and orchestrating containerized workloads and services. In this article we explain how you can use Kubernetes to facilitate compliance with Danish healthcare law.
The Danish health and medicine data board (Sundhedsdatastyrelsen) issued a guide entitled “guidance regarding information security in the health service” (Vejledning om informationssikkerhed i sundhedsvæsenet). It states how the legal framework for processing of personal data should be implemented by all Danish healthcare providers. It also explains how to establish an adequate level of information security.
The guide was published in 2016. Since then, the Act on Processing of Personal Data (Persondataloven) has been replaced by the Data Protection Act (Databeskyttelsesloven) in order to harmonize with the EU General Data Protection Regulation (GDPR). As of 2020, the Danish health and medicine data board had issued no updates to the guide. Fortunately, the structural concepts from the Act on Processing of Personal Data remain in the Data Protection Act, so the guide should still be a valid benchmark for the deployed solution.
Key Provisions of the Guide
First and foremost, all Danish government institutions must implement the ISO/IEC 27001 standard. Though not a requirement, the guide recommends that private operators implement their IT solutions with ISO 27001 in mind. This ensures that private operators have sufficient information security coverage.
When it comes to supplier management, the Data Protection Act distinguishes between the roles of the data controller (dataansvarlige) and the data processor (databehandler). The data controller is responsible for ensuring that personal data is processed in accordance with the Data Protection Act. The data processor is an entity that processes personal data on behalf of the data controller.
The guide mandates that the data controller enter into a written agreement with the data processor. The agreement must state which information the data processor handles on behalf of the data controller. Furthermore, the data controller must ensure that the data processor takes the necessary technical and organizational security measures.
According to the guide, a specific data processor instruction can be attached as an appendix to the agreement. The instruction must describe the requirements in a concrete and sufficiently detailed manner. The data processor instruction must describe requirements for:
- Authentication and access control
- Physical security
- (possibly) Logging requirements
- Log follow-up / audit
- Handling of output material
- Request for audit log
- Procedures for handling security incidents
It is important to ensure that the data processing requirements remain the same across the health system. To this end, the Danish health and medicine data board has created a set of templates for data processing agreements. These templates are effectively mandatory: they must be used unless the parties to the contract agree on another template.
Is Kubernetes usable under these conditions?
Yes and no. For practical reasons, Kubernetes must carefully balance “works by default” with “secure by default”. As such, a default installation of Kubernetes does not readily comply with the provisions of Danish healthcare law. For example, Kubernetes itself does not offer intrusion detection, backups or encryption; instead, the platform relies on other projects for those aspects.
However, an IT system that builds upon Kubernetes can be made compliant in three steps. The first step is to utilize a data center which complies with physical security requirements.
The second step is to security-harden the Kubernetes cluster, among other things by:
- Configuring a single sign-on solution, such as Dex, so that each engineer or automation pipeline accessing the Kubernetes cluster can be individually identified.
- Enabling Kubernetes audit logs and forwarding them to a tamper-proof logging environment.
- Setting up Role-Based Access Control, to ensure that engineers only have the required access to the Kubernetes cluster.
- Enabling and configuring PodSecurityPolicy, to ensure that no Pod runs privileged or with more permissions than required.
If needed, further hardening can be performed, for example by following the report produced by tools such as kube-bench.
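As an added illustration (not part of the original article and not taken from the Compliant Kubernetes distribution), the manifests below show one concrete form of the three cluster-side hardening items listed above: an audit policy that records every request while keeping Secret contents out of the log, a namespaced Role bound to an SSO group rather than to individual users, and a restrictive PodSecurityPolicy. The namespace `patient-records`, the group name `oidc:engineers` (the prefix depends on the `--oidc-groups-prefix` set on kube-apiserver) and the role names are assumptions chosen for the example.

```yaml
# --- 1. Audit policy: passed to kube-apiserver via --audit-policy-file ---
# Rules are evaluated top-down; the first match wins, so Secrets and ConfigMaps
# are matched first and logged at Metadata level only (no body, no secret values).
apiVersion: audit.k8s.io/v1
kind: Policy
omitStages:
  - "RequestReceived"        # one event per request is enough for follow-up
rules:
  - level: Metadata
    resources:
      - group: ""
        resources: ["secrets", "configmaps"]
  - level: None              # drop high-volume, low-value control-plane noise
    users: ["system:kube-proxy"]
    verbs: ["watch"]
    resources:
      - group: ""
        resources: ["endpoints", "services"]
  - level: RequestResponse   # full body for every change to cluster state
    verbs: ["create", "update", "patch", "delete"]
  - level: Metadata          # who read what, when: enough for "request for audit log"
---
# --- 2. RBAC: least privilege, bound to an SSO group (assumed name) ---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: patient-records         # assumed namespace
  name: workload-viewer
rules:
  - apiGroups: [""]
    resources: ["pods", "pods/log", "services"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["apps"]
    resources: ["deployments", "statefulsets"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  namespace: patient-records
  name: engineers-workload-viewer
subjects:
  - kind: Group
    name: "oidc:engineers"           # group claim forwarded by Dex; prefix is an assumption
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role                         # a namespaced Role, deliberately not cluster-admin
  name: workload-viewer
  apiGroup: rbac.authorization.k8s.io
---
# --- 3. PodSecurityPolicy: no privileged Pods, no host namespaces, no root ---
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: restricted
spec:
  privileged: false
  allowPrivilegeEscalation: false
  requiredDropCapabilities: ["ALL"]
  hostNetwork: false
  hostPID: false
  hostIPC: false
  runAsUser:
    rule: MustRunAsNonRoot
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: MustRunAs
    ranges:
      - min: 1
        max: 65535
  fsGroup:
    rule: MustRunAs
    ranges:
      - min: 1
        max: 65535
  volumes:                           # only non-host volume types are permitted
    - configMap
    - emptyDir
    - projected
    - secret
    - persistentVolumeClaim
```

The RBAC and PodSecurityPolicy documents are applied with `kubectl apply -f`; the audit policy is a kube-apiserver file, and the resulting events are shipped off the cluster with `--audit-log-path` (for a log forwarder) or `--audit-webhook-config-file`, which is what makes the log tamper-resistant in the sense the list above asks for. A PodSecurityPolicy only takes effect once the `PodSecurityPolicy` admission plugin is enabled and the workloads' service accounts are granted the `use` verb on it. Note that PodSecurityPolicy was deprecated in Kubernetes 1.21 and removed in 1.25; on newer clusters the same intent is expressed with Pod Security Admission (`pod-security.kubernetes.io/enforce: restricted` on the namespace) or a policy engine.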
The third step is to configure additional services, such as:
- Falco for intrusion detection,
- cert-manager for encrypting public-facing Internet traffic, and
- Velero for backup and disaster recovery.
To help Danish healthcare entities, Elastisys has carefully integrated all of the above in our open-source Compliant Kubernetes (CK8s) distribution. We offer CK8s as a managed service on top of ISO 27001 certified data centers. Elastisys also offers 24/7 support and enterprise-grade SLAs.