Health Information Privacy
What is HIPAA?
PUBLIC LAW 104 – 191 – HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996
“It is the purpose of this subtitle to improve the Medicare program under title XVIII of the Social Security Act, the medicaid program under title XIX of such Act, and the efficiency and effectiveness of the health care system, by encouraging the development of a health information system through the establishment of standards and requirements for the electronic transmission of certain health information.”
This law attempts to address issues with the public Medicare program with respect to how information is handled, including electronic transmission. This law is now applied to include but not be limited to Electronic Privileged Health Information (ePHI).
The following are examples of where the HIPAA Security Rule for HIPAA Compliance of ePHI applies:
- ePHI encryption
- Auditing functions
- Backup and recovery routines
- Unique user IDs and strong passwords
- Role or user-based access controls
- Auto time-out
- Emergency access
- Amendments and accounting of disclosures
Additionally, holders of HIPPA information are required to monitor, audit, and update security on an ongoing vasis. In the unlikely event of a security breach, they are required to notify all affected users.
So to be fully HIPAA Compliant can be challenging without a holistic solution. So let us take a look at Hazelcast Enterprise Security features in the context of solving this daunting task.
Using Hazelcast to Facilitate HIPAA Compliance
First let us take a look at what security features are offered by Hazelcast.
Socket Interceptor
SocketInterceptor is a hook to the server-to-server and client-to-server connections. It can be used to perform custom connection procedures such as authentication. SocketInterceptor can be configured either programmatically or via xml-config. Socket Interceptor Example
Security Interceptor
SecurityInterceptor is a very flexible tool that intercepts and authorizes each API call from a client. Each API call from a client, such as IMap.put, will be intercepted. In order to prevent the execution of the call, one should throw AccessControlException. Security Interceptor Example
Symmetric Encryption and SSL
Hazelcast allows you to encrypt the entire socket-level communication among all Hazelcast members. Encryption is based on Java Cryptography Architecture. Symmetric Encryption is not yet supported for clients. You can use either symmetric encryption or ssl, but not both.
Hazelcast supports ssl encryption between members and clients. To be able to use it, one should implement SSLContextFactory and configure hazelcast accordingly. Symmetric Encryption Configuration Example
Authentication via LoginModules
Hazelcast supports standard Java Security (JAAS) based authentication between cluster members and clients. To implement it, you configure one or more LoginModules and an instance of ICredentialsFactory.
Hazelcast has an abstract implementation of LoginModule that does callback and cleanup operations and holds the resulting Credentials instance:
ClusterLoginModule public abstract class ClusterLoginModule implements LoginModule { protected abstract boolean onLogin() throws LoginException; protected abstract boolean onCommit() throws LoginException; protected abstract boolean onAbort() throws LoginException; protected abstract boolean onLogout() throws LoginException; }
You can define as many as LoginModules as you want in configuration. Those are executed in the order given in configuration. The usage attribute has 4 values:
- ‘required’
- ‘requisite’
- ‘sufficient’
- ‘optional’
These values are defined in javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag.
Hazelcast also has a default implementation for ICredentialsFactory which uses group-name and group-password configured in hazelcast.xml to create credentials.
Authorization via Permissions
Hazelcast client authorization is configured by a client permission Policy. Hazelcast has a default permission policy implementation that uses permission configurations defined in the Hazelcast security Configuration.
Default policy permission checks are done against:
- instance types (map, queue, etc.)
- instance names (map, queue, name, etc.)
- instance actions (put, read, remove, add, etc.)
- client endpoint addresses
Client principal defined by the Credentials object Instance and principal names and endpoint addresses can be defined as wildcards(*) same as other options within the Hazelcast configuration.
Permissions Configuration Example
Simple JAAS Encryption example
Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5PADDING"); cipher.init(Cipher.ENCRYPT_MODE, skeySpec, iv); byte[] encrypted = cipher.doFinal(value.getBytes()); System.out.println("encrypted string: " + Base64.encodeBase64String(encrypted));
Tie it all together
Here are a couple of excellent examples of using the Hazelcast Enterprise Security Features:
As you can see from the following output, the LoginModule demonstrates both Authorization as well as Auditing:
Nov 15, 2016 3:13:15 PM com.hazelcast.core.LifecycleService INFO: hz.client_1 [dev] [3.7] HazelcastClient 3.7 (20160817 - 1302600) is CLIENT_CONNECTED Nov 15, 2016 3:13:15 PM com.craftedbytes.hazelcast.security.Client INFO: Chris is performing get on the ImportantMap Nov 15, 2016 3:13:15 PM com.craftedbytes.hazelcast.security.Client INFO: Chris is performing put on the ImportantMap Nov 15, 2016 3:13:15 PM com.craftedbytes.hazelcast.security.Client SEVERE: Could not perform put operation, access denied java.security.AccessControlException: Permission ("com.hazelcast.security.permission.MapPermission" "importantMap" "put ") denied!
Performing an audit in Java is as simple as logging:
logger.log(Level.INFO, "Authenticating " + SecurityUtil.getCredentialsFullName(credentials));
Hazelcast Enterprise supports many types of credentials and in the following example we use simple UsernamePasswordCredentials:
if (credentials instanceof UsernamePasswordCredentials){ loginOk = doLoginCheck((UsernamePasswordCredentials) credentials); }
By using the security features of Enterprise Hazelcast along with JAAS you can satisfy all requirements of HIPAA Compliance for ePHI. For a more complete HIPAA example please refer to the OpenMRS.org project where they too employ Hazelcast for their scaling needs. Be sure to always check the Official Hazelcast Documentation for the latest in Security Features.