Health Information Privacy

What is HIPAA?

PUBLIC LAW 104 – 191 – HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996

“It is the purpose of this subtitle to improve the Medicare program under title XVIII of the Social Security Act, the medicaid program under title XIX of such Act, and the efficiency and effectiveness of the health care system, by encouraging the development of a health information system through the establishment of standards and requirements for the electronic transmission of certain health information.”

This law attempts to address issues with the public Medicare program with respect to how information is handled, including electronic transmission. This law is now applied to include but not be limited to Electronic Privileged Health Information (ePHI).

The following are examples of where the HIPAA Security Rule for HIPAA Compliance of ePHI applies:

  • ePHI encryption
  • Auditing functions
  • Backup and recovery routines
  • Unique user IDs and strong passwords
  • Role or user-based access controls
  • Auto time-out
  • Emergency access
  • Amendments and accounting of disclosures

Additionally, holders of HIPAA information are required to monitor, audit, and update security on an ongoing basis. In the unlikely event of a security breach, they are required to notify all affected users.

Becoming fully HIPAA compliant can be challenging without a holistic solution, so let us take a look at the Hazelcast Enterprise security features in the context of solving this daunting task.

Using Hazelcast to Facilitate HIPAA Compliance

First let us take a look at what security features are offered by Hazelcast.

Socket Interceptor

SocketInterceptor is a hook into the server-to-server and client-to-server connections. It can be used to perform custom connection procedures such as authentication. SocketInterceptor can be configured either programmatically or via XML configuration.

Socket Interceptor Example

Security Interceptor

SecurityInterceptor is a very flexible tool that intercepts and authorizes each API call from a client. Each API call from a client, such as IMap.put, will be intercepted. To prevent the execution of the call, throw an AccessControlException.

Security Interceptor Example

Symmetric Encryption and SSL

Hazelcast allows you to encrypt the entire socket-level communication among all Hazelcast members. Encryption is based on the Java Cryptography Architecture. Symmetric encryption is not yet supported for clients. You can use either symmetric encryption or SSL, but not both.

Hazelcast supports SSL encryption between members and clients. To use it, implement SSLContextFactory and configure Hazelcast accordingly.

Symmetric Encryption Configuration Example

Authentication via LoginModules

Hazelcast supports standard Java Security (JAAS) based authentication between cluster members and clients. To implement it, you configure one or more LoginModules and an instance of ICredentialsFactory.

Hazelcast has an abstract implementation of LoginModule that does callback and cleanup operations and holds the resulting Credentials instance:

ClusterLoginModule
    public abstract class ClusterLoginModule implements LoginModule {
        protected abstract boolean onLogin() throws LoginException;
        protected abstract boolean onCommit() throws LoginException;
        protected abstract boolean onAbort() throws LoginException;
        protected abstract boolean onLogout() throws LoginException;
    }

LoginModule Example

You can define as many LoginModules as you want in the configuration. They are executed in the order given in the configuration. The usage attribute has four values:

  1. ‘required’
  2. ‘requisite’
  3. ‘sufficient’
  4. ‘optional’

These values are defined in javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag.

Hazelcast also has a default implementation for ICredentialsFactory which uses group-name and group-password configured in hazelcast.xml to create credentials.

Authorization via Permissions

Hazelcast client authorization is configured by a client permission Policy. Hazelcast has a default permission policy implementation that uses permission configurations defined in the Hazelcast security Configuration.

Default policy permission checks are done against:

  • instance types (map, queue, etc.)
  • instance names (map, queue, name, etc.)
  • instance actions (put, read, remove, add, etc.)
  • client endpoint addresses

The client principal is defined by the Credentials object instance. Principal names and endpoint addresses can be defined with wildcards (*), the same as other options within the Hazelcast configuration.

Permissions Configuration Example

Simple JAAS Encryption example

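// skeySpec is the AES SecretKeySpec; iv is an IvParameterSpec holding a fresh random 16-byte IV
Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5PADDING");
cipher.init(Cipher.ENCRYPT_MODE, skeySpec, iv);
// Use an explicit charset so the ciphertext does not depend on the platform default
byte[] encrypted = cipher.doFinal(value.getBytes(StandardCharsets.UTF_8));
// Base64 here is org.apache.commons.codec.binary.Base64
System.out.println("encrypted string: " + Base64.encodeBase64String(encrypted));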

Tie it all together

Here are a couple of excellent examples of using the Hazelcast Enterprise Security Features:

As you can see from the following output, the LoginModule demonstrates both Authorization and Auditing:

    Nov 15, 2016 3:13:15 PM com.hazelcast.core.LifecycleService
    INFO: hz.client_1 [dev] [3.7] HazelcastClient 3.7 (20160817 - 1302600) is CLIENT_CONNECTED
    Nov 15, 2016 3:13:15 PM com.craftedbytes.hazelcast.security.Client
    INFO: Chris is performing get on the ImportantMap
    Nov 15, 2016 3:13:15 PM com.craftedbytes.hazelcast.security.Client
    INFO: Chris is performing put on the ImportantMap
    Nov 15, 2016 3:13:15 PM com.craftedbytes.hazelcast.security.Client
    SEVERE: Could not perform put operation, access denied
    java.security.AccessControlException: Permission ("com.hazelcast.security.permission.MapPermission" "importantMap" "put ") denied!

Performing an audit in Java is as simple as logging:

logger.log(Level.INFO, "Authenticating " + SecurityUtil.getCredentialsFullName(credentials));

Hazelcast Enterprise supports many types of credentials and in the following example we use simple UsernamePasswordCredentials:

if (credentials instanceof UsernamePasswordCredentials) {
    loginOk = doLoginCheck((UsernamePasswordCredentials) credentials);
}

By using the security features of Enterprise Hazelcast along with JAAS you can satisfy all requirements of HIPAA Compliance for ePHI. For a more complete HIPAA example please refer to the OpenMRS.org project where they too employ Hazelcast for their scaling needs. Be sure to always check the Official Hazelcast Documentation for the latest in Security Features.