Azure Policy Implementation Guide
Azure Policy Implementation Guide
Automated governance and compliance enforcement for OHEMR Azure infrastructure, ensuring HIPAA compliance and Epic integration requirements.
๐ฏ Executive Summary
Azure Policy provides automated governance across OHEMR's healthcare infrastructure, enforcing security standards, compliance requirements, and operational best practices. This implementation currently covers 6 Azure subscriptions with policy coverage for CIS benchmarks, mandatory tagging, diagnostic settings, and healthcare-specific controls.
Quick Facts
| Metric | Value | Impact |
|---|---|---|
| Subscriptions Covered | 6 Azure subscriptions | Broad policy coverage across OHEMR |
| Policy Initiatives | 8 comprehensive sets | Automated governance |
| Compliance Frameworks | CIS Benchmark v2.0, HIPAA | Healthcare regulatory alignment |
| Cost Optimization | Baseline tag enforcement | Resource traceability and patch governance |
๐ Quick Reference
Azure Policy Components
| Component | Purpose | OHEMR Implementation |
|---|---|---|
| Policy Definition | Single rule (if-then logic) | Custom healthcare policies |
| Initiative (Policy Set) | Grouped policy definitions | CIS Benchmark, Mandatory Tags |
| Policy Assignment | Applies policies to scope | Subscription-level enforcement |
OHEMR Subscription Coverage
| Subscription | CIS Benchmark | Mandatory Tags | Diagnostics | Zone Resilience |
|---|---|---|---|---|
| OHEMR-SUB-EPIC-PRO-001 | โ | โ | โ | โ |
| OHEMR-SUB-EPIC-NPD-001 | โ | โ | โ | โ |
| OHEMR-SUB-EPIC-TEST-001 | โ | โ | โ | โ |
| OHEMR-SUB-EPIC-SHARED-001 | โ | โ | โ | โ |
| OHEMR-SUB-CITRIX-SHARED-001 | โ | โ | โ | โ |
| OHEMR-SUB-CONNECTIVITY-PRO-001 | โ | โ | โ | โ |
๐ฅ Healthcare Compliance Framework
HIPAA Technical Safeguards Enforcement
Azure Policy implementations map directly to HIPAA 164.312 technical safeguards:
Access Control (164.312(a)(1))
- Network Security Groups: Flow log enforcement for audit trails
- Private Endpoints: Storage account public access denial
- Key Vault Access: RBAC permission model enforcement
Audit Controls (164.312(b))
- Diagnostic Settings: Automated deployment to Event Hubs
- Activity Monitoring: Security operations alert enforcement
- SQL Auditing: Database audit configuration requirements
Integrity (164.312(c)(1))
- SQL Transparent Data Encryption: Database encryption enforcement
- Storage Account Security: Secure transfer and TLS version requirements
- Key Management: Key Vault deletion protection and expiration policies
Transmission Security (164.312(e)(1))
- Network Security: Virtual network rules and private link enforcement
- Encryption in Transit: TLS 1.2+ requirements for all services
- Secure Protocols: HTTPS enforcement for web applications
Epic Integration Compliance
Clinical Data Protection
epic_requirements:
data_classification: "PHI handling with audit trails"
access_control: "Role-based Epic UserWeb integration"
audit_logging: "HL7 message transaction logging"
encryption: "TLS 1.3 for MLLP transport"
Regulatory Alignment
- SOX Controls: Financial data handling with segregation of duties
- Clinical Workflow: Provider access patterns and audit requirements
- Patient Privacy: PHI access controls and monitoring
๐ ๏ธ Implementation Architecture
Terraform-Based Policy Deployment
graph TD
A[Policy Definitions] --> B[Policy Sets/Initiatives]
B --> C[Policy Assignments]
C --> D[Subscription Scope]
D --> E[Resource Evaluation]
E --> F[Compliance Reporting]
F --> G[Remediation Actions]
H[Terraform Files] --> A
I[Managed Identity] --> G
J[Event Hub] --> F
Core Terraform Components
<details> <summary><strong>๐ Terraform File Structure (Click to expand)</strong></summary>| File | Purpose | Healthcare Impact |
|---|---|---|
CIS-Benchmark-Assignment2.0.tf | CIS security baseline | HIPAA technical safeguards |
Configure_Diagnostic_settings.tf | Centralized logging | Audit controls compliance |
Configure_RSV_disable_publicnetwork.tf | Backup security | Data protection requirements |
Mandatorytags_policy_set_def.tf | Baseline tag governance | Required Azure Policy tag enforcement |
enforce_vm_updates.tf | Patch management | Security update compliance |
zone_resilience_policies.tf | High availability | Business continuity requirements |
storageaccounts_policies.tf | Data security | PHI protection standards |
remediation.tf | Automated fixes | Continuous compliance |
๐ง Policy Implementation Details
1. CIS Benchmark Assignment
Healthcare Purpose: Establishes security baseline aligned with HIPAA technical safeguards.
# Key Implementation Aspects
resource "azurerm_subscription_policy_assignment" "cis_benchmark" {
name = "OHEMR-CIS-Benchmark-v2.0"
policy_definition_id = "/providers/Microsoft.Authorization/policySetDefinitions/cis-benchmark"
subscription_id = var.subscription_id
parameters = {
effect = "AuditIfNotExists" # Non-disruptive compliance monitoring
}
}
Clinical Impact: Ensures healthcare workloads meet industry security standards without disrupting Epic integration.
2. Diagnostic Settings Enforcement
Healthcare Purpose: Automated audit trail creation for HIPAA compliance.
Key Components
- Centralized Logging: All resource logs route to regional Event Hubs
- Managed Identity: Automated deployment without manual intervention
- Regional Coverage: EastUS, CentralUS, WestUS3 for disaster recovery
Epic Integration Benefits
- HL7 Message Auditing: Complete transaction logging for Epic interfaces
- Clinical Access Tracking: Provider authentication and data access patterns
- Compliance Reporting: Automated audit trail generation for regulatory reviews
3. Recovery Services Vault Security
Healthcare Purpose: Protects clinical data backups with enterprise-grade security.
Security Enforcements
backup_requirements:
storage_redundancy: "GeoRedundant" # Multi-region protection
network_access: "Private endpoints only" # No public exposure
zone_redundancy: "Required" # High availability
4. Mandatory Tagging Framework
Healthcare Purpose: Baseline resource governance, service traceability, and virtual machine patch orchestration.
Required Tags
<details> <summary><strong>๐ท๏ธ OHEMR Tagging Schema (Click to expand)</strong></summary>| Tag | Purpose | Example | Compliance Impact |
|---|---|---|---|
aide-id | Asset traceability | AIDE_0085665 | Governance traceability |
environment | Lifecycle management | prd, test, dev | Change management |
service-tier | Service criticality | p1, p2, p3 | Support prioritization |
PatchSchedule | Update management | ZWW0D6H02 | Security maintenance |
5. VM Update Management
Healthcare Purpose: Ensures clinical workstations and Epic servers maintain security patches.
Update Enforcement
- Patch Schedule Tags: Automated categorization based on clinical impact
- Azure Update Manager: Integration with maintenance windows
- Epic Coordination: Scheduled during clinical downtime windows
๐ Policy Coverage by Subscription
Production Environment (OHEMR-SUB-EPIC-PRO-001)
<details> <summary><strong>๐ฅ Production Policy Summary (Click to expand)</strong></summary>| Initiative | Policies | Effect | Clinical Impact |
|---|---|---|---|
| CIS Benchmark | 41 security policies | Audit | HIPAA technical safeguards |
| Azure Update Manager | 5 patch policies | Deploy/Modify | Epic server maintenance |
| Mandatory Tags | 3 governance tag references + 1 PatchSchedule policy definition | Inherit/Modify | Baseline governance and patch scheduling |
| Zone Resilience | 6 availability policies | Audit | Business continuity |
| Diagnostic Settings | 6 logging policies | Deploy | Audit trail compliance |
Total Policies: 62 active policies ensuring comprehensive governance
</details>Non-Production Environments
Test Environment (OHEMR-SUB-EPIC-TEST-001)
- Purpose: Epic testing and clinical workflow validation
- Policy Approach: Same security controls, relaxed availability requirements
- Tagging: Required for test data lifecycle management
Development Environment (OHEMR-SUB-EPIC-NPD-001)
- Purpose: Epic development and integration testing
- Policy Approach: Full security enforcement, automated resource cleanup
- Special Considerations: PHI surrogate data protection
๐ Monitoring & Compliance
Compliance Dashboard
Azure Policy compliance can be monitored through:
- Azure Policy Compliance Dashboard: Native Azure portal view of policy assignments and violations
- Azure Resource Graph: Query-based compliance reporting across subscriptions
- Log Analytics Workbooks: Custom dashboards for policy evaluation trends
- Event Hub Integration: Real-time policy violation alerts and automated remediation triggers
Epic Integration Monitoring
Clinical Workflow Impact
- Zero Epic downtime due to policy enforcement
- 100% audit trail coverage for HL7 transactions
- Real-time compliance for UserWeb authentication
๐จ Troubleshooting Guide
Common Policy Issues
Problem: Resource deployment blocked by policy
Diagnosis: Check policy assignment scope and exemption requirements Resolution:
- Verify resource configuration against policy rules
- Request exemption if legitimate business need
- Update deployment templates to meet compliance
Problem: Diagnostic settings deployment failure
Diagnosis: Managed identity permissions or Event Hub connectivity Resolution:
- Validate managed identity role assignments
- Check Event Hub namespace accessibility
- Verify regional Event Hub availability
Problem: Tagging policy not applying to VMs
Diagnosis: Resource group inheritance or VM patch-tag policy configuration Resolution:
- Verify the resource group has
aide-id,environment, andservice-tier - Confirm the VM receives or is corrected with
PatchSchedule - Validate the policy assignment scope
Escalation Procedures
| Issue Type | Contact | Response Time |
|---|---|---|
| Security Policy Violation | Security Team | 4 hours |
| Epic Integration Impact | Clinical Systems Team | 2 hours |
| Compliance Concern | Compliance Office | 24 hours |
| Infrastructure Policy | Platform Engineering | 8 hours |
๐ Related Documentation
Architecture Decisions
- ADR-0021: Selective Control Plane Egress: Network security architecture decisions
- Epic Architecture Requirements: Epic-specific compliance requirements
Compliance Framework
- HIPAA Technical Safeguards: Healthcare security controls and implementation guidance
- Epic Certification Standards: Epic compliance requirements and standards
Implementation References
- ohemr-ansible-playbooks: Automation and validation
- ohemr-epic-pro-001: Production Terraform configurations
- Azure Policy Documentation
Compliance Frameworks
- CIS Azure Benchmark v2.0
- HIPAA Technical Safeguards: Healthcare security controls and implementation guidance
- Epic Certification Requirements: Epic-specific compliance requirements and standards
- Epic Architecture Requirements: Epic-specific compliance requirements
๐ Support & Contacts
Team Responsibilities
| Team | Scope | Contact |
|---|---|---|
| Platform Engineering | Policy implementation, Terraform | [email protected] |
| Security Architecture | Policy rules, compliance | [email protected] |
| Clinical Systems | Epic integration, workflow | [email protected] |
| Compliance Office | Regulatory requirements | [email protected] |
Emergency Contacts
- Security Incident: [email protected]
- Epic Production Issue: [email protected]
- Platform Escalation: [email protected]
๐ก๏ธ Governance Excellence: Comprehensive Azure Policy implementation ensuring healthcare compliance, security, and operational efficiency across OHEMR infrastructure.