# Security & Compliance

*Healthcare Security Requirements and Compliance Standards*

**What's covered:** HIPAA compliance, secret management, security tooling, and monitoring


## Healthcare Security Requirements

### HIPAA Compliance Mandatory

**Required Controls:**

- **Encryption at Rest** - All data storage encrypted with AES-256
- **Encryption in Transit** - TLS 1.2+ for all communications
- **Access Logging** - Comprehensive audit trails for all PHI access
- **Data Residency** - PHI must remain in approved Azure regions
- **Access Controls** - Role-based access with multi-factor authentication
- **Data Integrity** - Checksums and validation for data accuracy
- **Backup Security** - Encrypted backups with access controls

### Security Architecture Principles

**Identity and Access Management:**
- Azure Active Directory integration
- Conditional access policies
- Privileged Identity Management (PIM)
- Just-in-time (JIT) access for administrative tasks
- Service principals with minimal permissions

**Data Protection:**
- Azure Key Vault for secrets management
- Transparent Data Encryption (TDE) for databases
- Azure Storage Service Encryption
- Customer-managed encryption keys where required

## Secret Management Standards

### HashiVault Integration

```bash
# Good: Azure Key Vault integration
az keyvault secret show --vault-name kv-epic-prod --name db-password

# Good: Environment-specific secrets
export DB_PASSWORD=$(vault kv get -field=password secret/epic/dev/database)
```

Terraform Integration:

```hcl
# Retrieve secrets from HashiVault
# Values read through this data source are written to Terraform state, so the
# state backend must be encrypted and access-controlled like any other secret store.
data "vault_generic_secret" "epic_db" {
  path = "secret/epic/${var.environment}/database"
}

resource "azurerm_sql_server" "epic_db" {
  name                         = "${var.environment}-epic-db"
  resource_group_name          = var.resource_group_name
  location                     = var.location
  version                      = "12.0"
  administrator_login          = data.vault_generic_secret.epic_db.data["username"]
  administrator_login_password = data.vault_generic_secret.epic_db.data["password"]

  tags = var.common_tags
}
```

Ansible Vault Integration:

```yaml
---
# Use Ansible Vault for sensitive variables
- name: Deploy Epic application with secrets
  hosts: epic_servers
  vars:
    epic_db_password: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          66386439653238336464616130633965663736636335373532643430633939...

  tasks:
    - name: Configure database connection
      template:
        src: database.conf.j2
        dest: /opt/epic/config/database.conf
        mode: '0600'
      vars:
        db_connection_string: "Server={{ epic_db_host }};Password={{ epic_db_password }}"
```

### Prohibited Security Practices

!!! failure "Never Do This"

    ```bash
    # Never: Hardcoded secrets in code
    DB_PASSWORD="SuperSecret123!"

    # Never: Secrets in Git repositories
    echo "password=secret123" > config.txt
    git add config.txt

    # Never: Plain text files
    cat > .env << EOF
    DATABASE_URL=postgres://user:password@server/db
    EOF

    # Never: Secrets in container images
    ENV DB_PASSWORD=hardcoded-secret

    # Never: Secrets in CI/CD logs
    echo "Deploying with password: $SECRET_PASSWORD"
    ```
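As an added illustration of how the prohibited patterns above can be caught mechanically (this is example code, not part of the team guidelines, and not a substitute for the TruffleHog and detect-secrets hooks required below), the following Python script scans constructed sample files for each of the listed practices. The file names, sample contents and rule names are assumptions; the "good" sample shows that the approved Vault lookup is not flagged.

```python
"""Minimal secret-pattern detector for the prohibited practices listed above.
Added example, not part of the team guidelines; all sample files are constructed."""
import re
from typing import NamedTuple


class Finding(NamedTuple):
    path: str
    line: int
    rule: str
    text: str


# One rule per prohibited practice. Patterns are deliberately conservative:
# a literal value after "=" is flagged, a "$(...)" lookup is not.
RULES = {
    "hardcoded-assignment": re.compile(
        r"^\s*(?:export\s+)?[A-Z0-9_]*(?:PASSWORD|SECRET|TOKEN|API_KEY)[A-Z0-9_]*"
        r"\s*=\s*['\"]?[^'\"$\s][^'\"\s]*",
        re.IGNORECASE,
    ),
    "credential-in-url": re.compile(
        r"[a-z][a-z0-9+.-]*://[^/\s:]+:[^@\s]+@", re.IGNORECASE
    ),
    "dockerfile-env-secret": re.compile(
        r"^\s*ENV\s+\w*(?:PASSWORD|SECRET|TOKEN)\w*[=\s]+\S+", re.IGNORECASE
    ),
    "secret-echoed-to-log": re.compile(
        r"^\s*echo\b.*\$\{?\w*(?:PASSWORD|SECRET|TOKEN)\w*\}?", re.IGNORECASE
    ),
}


def scan_text(path: str, text: str) -> list[Finding]:
    """Return one Finding per (line, rule) hit in the given file contents."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in RULES.items():
            if pattern.search(line):
                findings.append(Finding(path, lineno, rule, line.strip()))
    return findings


# Constructed samples mirroring the "Never" list above; none are real credentials.
SAMPLES = {
    "deploy.sh": 'DB_PASSWORD="SuperSecret123!"\n'
                 'echo "Deploying with password: $SECRET_PASSWORD"\n',
    "config.txt": "password=secret123\n",
    ".env": "DATABASE_URL=postgres://user:password@server/db\n",
    "Dockerfile": "FROM mcr.microsoft.com/dotnet/aspnet:8.0\n"
                  "ENV DB_PASSWORD=hardcoded-secret\n",
    # The approved pattern from the page: the value is fetched from Vault at runtime.
    "good.sh": "export DB_PASSWORD=$(vault kv get -field=password secret/epic/dev/database)\n",
}


def scan_all(samples: dict[str, str] = SAMPLES) -> list[Finding]:
    """Scan every sample file and collect the findings."""
    findings = []
    for path, text in samples.items():
        findings.extend(scan_text(path, text))
    return findings


if __name__ == "__main__":
    for f in scan_all():
        print(f"{f.path}:{f.line}: [{f.rule}] {f.text}")
```

Each finding carries the rule name, so a hook can fail the commit on any hit while still telling the developer which guideline was violated; the real pre-commit tooling below does the same job with verified detectors and a baseline file for accepted exceptions.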

## Security Tooling & Automation

### Pre-commit Security Hooks

!!! example "Required Security Tools"

    Pre-commit Configuration:

    ```yaml
    # .pre-commit-config.yaml
    repos:
      - repo: https://github.com/trufflesecurity/trufflehog
        rev: v3.63.2
        hooks:
          - id: trufflehog
            name: TruffleHog Secret Scanner
            description: Detect hardcoded secrets
            entry: bash -c 'trufflehog git file://. --since-commit HEAD --only-verified --fail'

      - repo: https://github.com/Yelp/detect-secrets
        rev: v1.4.0
        hooks:
          - id: detect-secrets
            name: Detect Secrets
            args: ['--baseline', '.secrets.baseline']

      - repo: https://github.com/bridgecrewio/checkov.git
        rev: 2.4.9
        hooks:
          - id: checkov
            name: Checkov IaC Security Scanner
            args: [--framework, terraform, --framework, ansible]

      - repo: https://github.com/aquasecurity/tfsec
        rev: v1.28.1
        hooks:
          - id: tfsec
            name: Terraform Security Scanner
    ```

### Vulnerability Scanning Pipeline

GitHub Actions Security Pipeline:

```yaml
name: Security Scanning Pipeline

on:
  pull_request:
    branches: [main]
  push:
    branches: [main]
  schedule:
    - cron: '0 2 * * *'  # Daily at 2 AM

# upload-sarif needs security-events: write; everything else is read-only
permissions:
  contents: read
  security-events: write

jobs:
  secret-scanning:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
        with:
          fetch-depth: 0  # full history so TruffleHog can diff base..head

      - name: Run TruffleHog
        uses: trufflesecurity/trufflehog@main
        with:
          path: ./
          base: main
          head: HEAD
          extra_args: --debug --only-verified

  infrastructure-security:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3

      - name: Run Checkov
        uses: bridgecrewio/checkov-action@master
        with:
          directory: .
          framework: terraform,ansible
          output_format: sarif
          output_file_path: checkov-results.sarif

      - name: Run TFSec
        uses: aquasecurity/[email protected]
        with:
          sarif_file: tfsec-results.sarif

      - name: Upload Checkov SARIF
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: checkov-results.sarif

      # Each scanner's SARIF is uploaded separately; otherwise the tfsec findings never reach code scanning
      - name: Upload TFSec SARIF
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: tfsec-results.sarif

  dependency-security:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3

      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: 'fs'
          scan-ref: '.'
          format: 'sarif'
          output: 'trivy-results.sarif'

      - name: Upload Trivy scan results
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: 'trivy-results.sarif'
```

### Security Policy as Code

```hcl
# Note: azurerm provider v3+ replaces azurerm_policy_assignment with scope-specific
# resources such as azurerm_management_group_policy_assignment (management_group_id
# instead of scope); the assignments below follow the older single-resource form.

# Deny-effect assignment (name and policy definition are placeholders; fill in the built-in policy ID)
resource "azurerm_policy_assignment" "deny_policy" {
  name                 = "<assignment-name>"
  scope                = var.management_group_id
  policy_definition_id = "/providers/Microsoft.Authorization/policyDefinitions/<policy-definition-id>"

  parameters = jsonencode({
    effect = {
      value = "Deny"
    }
  })
}

# Require SQL TDE encryption
resource "azurerm_policy_assignment" "sql_tde" {
  name                 = "require-sql-tde"
  scope                = var.management_group_id
  policy_definition_id = "/providers/Microsoft.Authorization/policyDefinitions/17k78e20-9358-41c9-923c-fb736d382a12"

  parameters = jsonencode({
    effect = {
      value = "Audit"
    }
  })
}

# Network security group rules
resource "azurerm_policy_assignment" "nsg_rules" {
  name                 = "restrict-nsg-rules"
  scope                = var.management_group_id
  policy_definition_id = "/providers/Microsoft.Authorization/policyDefinitions/9daedab3-fb2d-461e-b861-71790eead4f6"
}
```
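Azure Policy evaluates resources after they exist. As an added example of checking the same required controls (TLS 1.2+, TDE, approved regions) before `terraform apply`, the Python below inspects a constructed `terraform show -json` plan fragment. It is not part of the team's tooling; the approved-region set, resource addresses and sample values are assumptions, and the attribute names are the real azurerm ones (`min_tls_version`, `minimum_tls_version`, `public_network_access_enabled`, `transparent_data_encryption_enabled`). It generalises slightly beyond the page by applying the residency check to any resource that carries a `location`, and it walks only the root module.

```python
"""Pre-deployment check of a Terraform plan against the required HIPAA controls
listed on this page. Added example, not the team's tooling; the plan JSON is a
constructed fragment in the shape `terraform show -json <planfile>` produces."""
import json

# Assumption: replace with the team's approved Azure regions for PHI.
APPROVED_REGIONS = {"eastus2", "centralus"}

# Constructed plan fragment: one compliant server, a storage account and a
# database that each drift from the controls. Not a real plan.
PLAN_JSON = json.dumps({
    "planned_values": {"root_module": {"resources": [
        {"address": "azurerm_mssql_server.epic_db",
         "type": "azurerm_mssql_server",
         "values": {"location": "eastus2",
                    "minimum_tls_version": "1.2",
                    "public_network_access_enabled": False}},
        {"address": "azurerm_storage_account.phi_exports",
         "type": "azurerm_storage_account",
         "values": {"location": "westeurope",
                    "min_tls_version": "TLS1_0"}},
        {"address": "azurerm_mssql_database.epic",
         "type": "azurerm_mssql_database",
         "values": {"transparent_data_encryption_enabled": False}},
    ]}}
})


def check_plan(plan_json: str, approved_regions=APPROVED_REGIONS) -> list[str]:
    """Return one violation per failed control; an empty list means the plan passes.
    Only the root module is inspected; child_modules would need recursion."""
    plan = json.loads(plan_json)
    violations = []
    for res in plan["planned_values"]["root_module"].get("resources", []):
        addr, typ, vals = res["address"], res["type"], res.get("values", {})

        # Data residency: any resource with a location must be in an approved region.
        loc = vals.get("location")
        if loc is not None and loc not in approved_regions:
            violations.append(f"{addr}: location {loc!r} is outside approved regions (data residency)")

        # Encryption in transit: storage accounts and SQL servers must require TLS 1.2.
        if typ == "azurerm_storage_account" and vals.get("min_tls_version") != "TLS1_2":
            violations.append(f"{addr}: min_tls_version must be TLS1_2 (encryption in transit)")
        if typ == "azurerm_mssql_server":
            if vals.get("minimum_tls_version") != "1.2":
                violations.append(f"{addr}: minimum_tls_version must be 1.2 (encryption in transit)")
            # Provider default is public access enabled, so a missing key counts as a violation.
            if vals.get("public_network_access_enabled", True):
                violations.append(f"{addr}: public network access must be disabled (access controls)")

        # Encryption at rest: TDE must stay enabled on every database.
        if typ == "azurerm_mssql_database" and not vals.get("transparent_data_encryption_enabled", True):
            violations.append(f"{addr}: transparent_data_encryption_enabled is false (encryption at rest)")
    return violations


if __name__ == "__main__":
    problems = check_plan(PLAN_JSON)
    for p in problems:
        print("FAIL", p)
    raise SystemExit(1 if problems else 0)
```

Values that are only known after apply do not appear under `planned_values` (they are listed in `after_unknown` in the resource changes), so a check like this reports on what the plan commits to and the Azure Policy assignments above remain the enforcement of record.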

## Identity & Access Management

### Azure Active Directory Integration

```hcl
# Conditional access: MFA plus a compliant device for Epic users from trusted locations
# (resource name and display_name are placeholders)
resource "azuread_conditional_access_policy" "epic_access" {
  display_name = "Epic - Require MFA and compliant device"
  state        = "enabled"

  conditions {
    client_app_types = ["all"]  # required by the provider

    applications {
      included_applications = [data.azuread_application.epic_app.application_id]
    }

    users {
      included_groups = [azuread_group.epic_users.object_id]
    }

    locations {
      included_locations = ["AllTrusted"]
    }
  }

  grant_controls {
    operator          = "AND"
    built_in_controls = ["mfa", "compliantDevice"]
  }

  session_controls {
    application_enforced_restrictions_enabled = true
    sign_in_frequency                         = 8
    sign_in_frequency_period                  = "hours"
  }
}
```

### Privileged Identity Management

```hcl
  # ... (resource header and preceding attributes not shown)
  schedule {
    expiration {
      duration_hours = 8  # JIT activation expires after 8 hours
    }
  }

  notification {
    additional_recipients = ["[email protected]"]
    default_recipients    = true
    notification_level    = "All"
  }
}
```

### Service Principal Management

!!! example "Service Principal Best Practices"

    Minimal Permissions:

    ```hcl
    resource "azuread_application" "epic_automation" {
      display_name = "Epic Automation Service Principal"

      required_resource_access {
        resource_app_id = "00000003-0000-0000-c000-000000000000"  # Microsoft Graph

        resource_access {
          id   = "e1fe6dd8-ba31-4d61-89e7-88639da4683d"  # User.Read
          type = "Scope"
        }
      }
    }

    # Service principal backing the application above
    resource "azuread_service_principal" "epic_automation" {
      application_id = azuread_application.epic_automation.application_id
    }

    resource "azurerm_role_assignment" "epic_automation_contributor" {
      scope                = azurerm_resource_group.epic_automation.id
      role_definition_name = "Contributor"
      principal_id         = azuread_service_principal.epic_automation.object_id

      # ABAC condition: the principal may not create or delete role assignments
      condition_version = "2.0"
      condition         = "((!(ActionMatches{'Microsoft.Authorization/*/Delete'})) AND (!(ActionMatches{'Microsoft.Authorization/*/Write'})))"
    }
    ```

## Monitoring & Security Observability

### Security Metrics & Alerting

**Data Access Metrics:**
- PHI access patterns
- Large data downloads
- Unusual database queries
- File access outside business hours
- Cross-environment data movement

**Infrastructure Security:**
- Firewall rule changes
- Network security group modifications
- New resource deployments
- Configuration changes
- Certificate expiration warnings

### Azure Sentinel Integration

```hcl
resource "azurerm_sentinel_data_connector_azure_security_center" "epic_asc" {
  log_analytics_workspace_id = azurerm_log_analytics_workspace.security.id
  subscription_id            = data.azurerm_client_config.current.subscription_id
}

resource "azurerm_sentinel_data_connector_azure_activity" "epic_activity" {
  log_analytics_workspace_id = azurerm_log_analytics_workspace.security.id
  subscription_id            = data.azurerm_client_config.current.subscription_id
}
```

### Security Incident Detection

```hcl
resource "azurerm_sentinel_alert_rule_scheduled" "epic_suspicious_login" {
  name                       = "Epic Suspicious Login Activity"
  log_analytics_workspace_id = azurerm_log_analytics_workspace.security.id
  display_name               = "Suspicious Login Activity Detected"
  severity                   = "High"
  enabled                    = true

  # More than five failed sign-ins to an Epic application from one user/IP pair within the hour
  query = <<EOT
SigninLogs
| where TimeGenerated > ago(1h)
| where ResultType != "0"
| where AppDisplayName contains "Epic"
| summarize FailedAttempts = count() by UserPrincipalName, IPAddress
| where FailedAttempts > 5
EOT

  query_frequency   = "PT1H"
  query_period      = "PT1H"
  trigger_operator  = "GreaterThan"
  trigger_threshold = 0  # any returned row raises the alert

  tactics = ["CredentialAccess", "InitialAccess"]

  incident_configuration {
    create_incident = true
    grouping {
      enabled                = true
      reopen_closed_incident = false
      lookback_duration      = "PT1H"
      entity_matching_method = "AllEntities"
    }
  }
}
```
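To make the rule's threshold logic testable before it reaches Sentinel, here is an added Python re-implementation of the query above run over constructed sign-in events (example code, not part of the guidelines; the fixed `NOW`, the user names, the IP addresses and the `50126` failure code are assumed sample values, and the event dictionaries only carry the SigninLogs columns the query uses):

```python
"""Offline mirror of the Sentinel rule's KQL: filter the last hour, drop successes,
keep Epic applications, count failures per (user, IP) and alert above the threshold.
Added example; the events are constructed and not real SigninLogs data."""
from collections import Counter
from datetime import datetime, timedelta, timezone

# Fixed "now" so the one-hour window is deterministic for the sample.
NOW = datetime(2025, 9, 1, 12, 0, tzinfo=timezone.utc)


def make_events(upn, ip, app, result_type, minutes_ago, count):
    """Build `count` SigninLogs-style records, one per minute, starting `minutes_ago` back."""
    return [
        {
            "TimeGenerated": NOW - timedelta(minutes=minutes_ago + i),
            "UserPrincipalName": upn,
            "IPAddress": ip,
            "AppDisplayName": app,
            "ResultType": result_type,  # "0" is success; anything else is a failure code
        }
        for i in range(count)
    ]


# Constructed sample: only the first group should trip the rule.
EVENTS = (
    make_events("alice@example.org", "198.51.100.7", "Epic Hyperspace", "50126", 5, 6)      # 6 failures in window
    + make_events("alice@example.org", "203.0.113.4", "Epic Hyperspace", "0", 5, 6)         # successes are ignored
    + make_events("bob@example.org", "198.51.100.7", "Epic Hyperspace", "50126", 5, 5)      # exactly 5: not > 5
    + make_events("carol@example.org", "198.51.100.9", "Epic Hyperspace", "50126", 120, 6)  # outside the 1h window
    + make_events("dave@example.org", "198.51.100.9", "Microsoft Teams", "50126", 5, 6)     # not an Epic application
)


def suspicious_logins(events, now=NOW, window=timedelta(hours=1), threshold=5, app_substr="Epic"):
    """Return {(UserPrincipalName, IPAddress): FailedAttempts} for pairs above the threshold."""
    cutoff = now - window
    failed = Counter()
    for e in events:
        if e["TimeGenerated"] <= cutoff:          # TimeGenerated > ago(1h)
            continue
        if e["ResultType"] == "0":                # ResultType != "0"
            continue
        # KQL `contains` is case-insensitive, so compare lower-cased strings.
        if app_substr.lower() not in e["AppDisplayName"].lower():
            continue
        failed[(e["UserPrincipalName"], e["IPAddress"])] += 1
    return {pair: n for pair, n in failed.items() if n > threshold}


if __name__ == "__main__":
    for (user, ip), n in suspicious_logins(EVENTS).items():
        print(f"ALERT {user} from {ip}: {n} failed sign-ins in the last hour")
```

The sample also shows a blind spot worth a second rule: `alice` and `bob` fail from the same address, but because the query groups by user and IP together, a slow spray of a few attempts per account from one address never crosses the per-pair threshold; summarising by `IPAddress` alone (with a distinct-user count) would catch that pattern.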

## Compliance & Audit Requirements

### Audit Trail Configuration

!!! example "Comprehensive Logging"

    Azure Monitor Configuration:

    ```hcl
    resource "azurerm_monitor_diagnostic_setting" "epic_audit" {
      name                       = "epic-audit-logs"
      target_resource_id         = azurerm_sql_server.epic_db.id
      log_analytics_workspace_id = azurerm_log_analytics_workspace.security.id

      # retention_policy only applies to a storage account destination; for the
      # Log Analytics workspace, retention is set on the workspace (or per table).
      log {
        category = "SQLSecurityAuditEvents"
        enabled  = true

        retention_policy {
          enabled = true
          days    = 2555  # 7 years for HIPAA compliance
        }
      }

      log {
        category = "DevOpsOperationsAudit"
        enabled  = true

        retention_policy {
          enabled = true
          days    = 2555
        }
      }

      metric {
        category = "AllMetrics"
        enabled  = true

        retention_policy {
          enabled = true
          days    = 90
        }
      }
    }
    ```

## Data Loss Prevention

### Backup Security Requirements

```hcl
  # ... (resource header and preceding attributes not shown)

  # Encryption settings
  encryption {
    encryption_at_rest_type   = "CustomerManaged"
    key_uri                   = azurerm_key_vault_key.backup_key.id
    infrastructure_encryption = true
  }

  backup {
    frequency = "Daily"
    time      = "02:00"
    timezone  = "UTC"
  }

  retention_daily {
    count = 90  # 90 days for operational recovery
  }

  retention_weekly {
    count    = 104  # 2 years for compliance
    weekdays = ["Sunday"]
  }

  retention_monthly {
    count    = 84   # 7 years for HIPAA
    weekdays = ["Sunday"]
    weeks    = ["First"]
  }

  retention_yearly {
    count    = 10
    weekdays = ["Sunday"]
    weeks    = ["First"]
    months   = ["January"]
  }
}
```

## Incident Response & Security Operations

### Security Incident Classification

**P1 - High (1 Hour Response):**
- Suspected data breach
- Privilege escalation detected
- Unusual administrative activity
- Security tool alerts

**P2 - Medium (4 Hours):**
- Policy violations
- Failed compliance checks
- Suspicious user behavior
- Certificate expiration warnings

### Incident Response Playbook

!!! example "Response Procedures"

    **Immediate Actions (First 15 minutes):**

    1. Assess and classify the incident severity
    2. Notify security team and management
    3. Isolate affected systems if needed
    4. Begin evidence collection
    5. Document all actions taken

    **Investigation Phase (1-4 hours):**

    1. Conduct forensic analysis
    2. Determine scope of impact
    3. Identify root cause
    4. Assess compliance implications
    5. Coordinate with legal team if PHI involved

    **Recovery Phase:**

    1. Implement containment measures
    2. Apply security patches/fixes
    3. Restore services safely
    4. Monitor for recurring issues
    5. Update security controls

    **Post-Incident:**

    1. Complete incident report
    2. Conduct lessons learned session
    3. Update response procedures
    4. Implement preventive measures
    5. Notify regulatory bodies if required

### Security Contact Information

!!! question "Security Escalation"

    **Emergency Contacts:**

    - Security Incidents: +1-800-SOC-HELP
    - HIPAA Breaches: Privacy Officer (immediate notification)
    - Cyber Security Team: [email protected]
    - Legal Department: For PHI-related incidents

    **Escalation Chain:**

    1. Security Analyst → Security Manager
    2. Security Manager → CISO
    3. CISO → Chief Privacy Officer (PHI incidents)
    4. Chief Privacy Officer → Legal Counsel

## Getting Help with Security

!!! question "Security Questions"

    - HIPAA Compliance: Contact Privacy Officer and Security Team
    - Vault Access Issues: Check HashiVault documentation
    - Azure Security: Review Security Guidelines
    - Policy Questions: Engage with Compliance team

!!! question "Tool-Specific Help"

    - Pre-commit Hooks: Pre-commit Framework Documentation
    - Azure Sentinel: Microsoft Sentinel Documentation
    - Checkov: Bridgecrew Checkov Guide
    - TruffleHog: TruffleHog Documentation

---

*Security & Compliance | Epic on Azure Team Guidelines*

Healthcare security is non-negotiable. Every security measure protects patient data and ensures compliance with healthcare regulations.

Last updated: September 2025