Security Development Guidelines
Overview
Comprehensive security practices and guidelines for developing applications on the Epic on Azure platform, ensuring compliance with healthcare regulations and industry best practices.
Core Security Principles
1. Defense in Depth
- Multiple security layers - Network, application, and data security
- Zero trust architecture - Never trust, always verify
- Least privilege access - Minimum required permissions only
2. Data Protection
- Encryption everywhere - At rest, in transit, and in processing
- Data classification - PHI, PII, and business data handling
- Data retention policies - Automated lifecycle management
3. Identity & Access Management
- Multi-factor authentication - Required for all access
- Role-based access control (RBAC) - Granular permission management
- Just-in-time access - Time-limited elevated permissions
Development Security Practices
Secure Coding Standards
Input Validation
```javascript
// ✅ Good: Proper input validation
class ValidationError extends Error {}

function validatePatientId(patientId) {
  // Allow only letters, digits and hyphens, then enforce the expected length range
  const sanitized = patientId.toString().replace(/[^a-zA-Z0-9-]/g, "");
  if (sanitized.length < 5 || sanitized.length > 20) {
    throw new ValidationError("Invalid patient ID format");
  }
  return sanitized;
}

// ❌ Bad: No validation, and the value is interpolated straight into SQL text
function getPatient(patientId) {
  return db.query(`SELECT * FROM patients WHERE id = '${patientId}'`);
}
```
Secret Management
```yaml
# ✅ Good: Using Azure Key Vault through the Secrets Store CSI driver.
# A SecretProviderClass (not a plain Kubernetes Secret) tells the driver which
# Key Vault objects to mount, so no credential value is stored in the manifest.
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: epic-db-credentials
spec:
  provider: azure
  parameters:
    keyvaultName: "epic-prod-vault"
    tenantId: "<azure-tenant-id>"   # placeholder: the vault's Azure AD tenant
    objects: |
      array:
        - |
          objectName: database-password
          objectType: secret
```
Code Review Security Checklist
- No hardcoded secrets - All credentials use Key Vault
- Input validation - All user inputs are sanitized
- SQL injection prevention - Parameterized queries only
- XSS protection - Output encoding implemented
- Authentication checks - Protected endpoints verified
- Audit logging - Security events are logged
- Error handling - No sensitive data in error messages
HIPAA Compliance Requirements
Technical Safeguards
Access Control (§164.312(a)(1))
- Unique user identification - Individual accounts for each user
- Emergency access procedure - Break-glass access for critical situations
- Automatic logoff - Session timeout after inactivity
- Encryption and decryption - PHI protection at all times
Audit Controls (§164.312(b))
```javascript
// Audit logging example: one record per PHI access, written before the response is returned
const auditLog = {
  timestamp: new Date().toISOString(),
  userId: user.id,
  action: "PATIENT_DATA_ACCESS",
  resource: `patient/${patientId}`,
  ipAddress: req.ip,
  userAgent: req.get("User-Agent"),
  outcome: "SUCCESS",
};
await auditLogger.log(auditLog);
```
Integrity (§164.312(c)(1))
- Data integrity controls - Checksums and digital signatures
- Version control - Track all changes to PHI
- Backup and recovery - Automated data protection
Transmission Security (§164.312(e)(1))
- End-to-end encryption - TLS 1.3 for all communications
- Network controls - VPN and private endpoints
- Message authentication - Digital signatures for critical data
Security Tools & Automation
Pre-commit Security Hooks
```yaml
# .pre-commit-config.yaml
repos:
  - repo: https://github.com/Yelp/detect-secrets
    rev: v1.4.0
    hooks:
      - id: detect-secrets
        args: ["--baseline", ".secrets.baseline"]
  - repo: https://github.com/PyCQA/bandit
    rev: 1.7.5
    hooks:
      - id: bandit
        args: ["-r", "."]
```
Vulnerability Scanning
Container Security
```dockerfile
# ✅ Good: Security-focused Dockerfile
FROM mcr.microsoft.com/dotnet/aspnet:6.0-alpine AS base

# Create a dedicated non-root user and group
RUN addgroup -g 1001 appuser && adduser -u 1001 -G appuser -s /bin/sh -D appuser

WORKDIR /app

# A non-root user cannot bind port 80 (the image default), so listen on 8080
ENV ASPNETCORE_URLS=http://+:8080
EXPOSE 8080

# Run as the non-root user; a numeric UID:GID lets Kubernetes runAsNonRoot checks verify it
USER 1001:1001

# Alpine ships busybox wget but not curl, so use wget for the health probe
HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \
  CMD wget -qO /dev/null http://localhost:8080/health || exit 1
```
Infrastructure Scanning
```yaml
# Azure DevOps pipeline security scanning
- task: AzureStaticWebApp@0
  inputs:
    azure_static_web_apps_api_token: $(deployment_token)
    app_location: "/src"
    api_location: "/api"
    skip_app_build: true
- task: SecurityCodeAnalysis@2
  inputs:
    toolName: "BinSkim"
    arguments: "--recurse --verbose"
```
Incident Response
Security Incident Classification
| Severity | Description | Response Time | Example |
|---|---|---|---|
| P0 - Critical | PHI breach or system compromise | 15 minutes | Patient data exposed publicly |
| P1 - High | Security control failure | 1 hour | Authentication bypass discovered |
| P2 - Medium | Vulnerability in production | 4 hours | SQL injection in non-PHI system |
| P3 - Low | Security policy violation | 24 hours | Weak password detected |
Response Procedures
1. Immediate Actions (0-15 minutes)
   - Isolate affected systems
   - Preserve evidence and logs
   - Notify security team
   - Document initial findings
2. Investigation Phase (15 minutes - 4 hours)
   - Determine scope and impact
   - Identify root cause
   - Assess data exposure risk
   - Coordinate with legal/compliance
3. Remediation Phase (4-24 hours)
   - Implement fixes and patches
   - Restore systems from clean backups
   - Update security controls
   - Conduct post-incident review
Monitoring & Alerting
Security Metrics Dashboard
```yaml
# Azure Monitor alerts for security events
- name: "Failed Authentication Attempts"
  condition: "count > 10 in 5 minutes"
  severity: "High"
  action: "Page security team"
- name: "Unusual Data Access Patterns"
  condition: "Patient records accessed > 100 in 1 hour"
  severity: "Medium"
  action: "Alert security team"
- name: "Privilege Escalation Detected"
  condition: "Role changes outside business hours"
  severity: "Critical"
  action: "Immediately page on-call security"
```
Log Analysis Queries
```kql
// Detect potential PHI access violations
SecurityEvent
| where TimeGenerated > ago(24h)
| where Activity has "PatientDataAccess"
| summarize AccessCount = count() by Account, bin(TimeGenerated, 1h)
| where AccessCount > 50
| project TimeGenerated, Account, AccessCount
| order by AccessCount desc
```
Compliance Validation
Automated Compliance Checks
```python
# Compliance validation script
from dataclasses import dataclass


@dataclass
class CheckResult:
    name: str
    passed: bool


class ComplianceViolation(Exception):
    """Raised when one or more HIPAA technical-safeguard checks fail."""


def validate_hipaa_compliance():
    # Each check_* function is environment-specific and returns a CheckResult
    checks = [
        check_encryption_at_rest(),
        check_audit_logging_enabled(),
        check_access_controls(),
        check_data_retention_policies(),
        check_backup_encryption(),
    ]
    failed_checks = [check.name for check in checks if not check.passed]
    if failed_checks:
        raise ComplianceViolation(f"Failed checks: {failed_checks}")
    return True
```
Regular Security Assessments
- Quarterly vulnerability assessments - External penetration testing
- Monthly code reviews - Security-focused peer reviews
- Weekly security training - Team education and awareness
- Daily automated scans - Continuous security monitoring
Getting Help
Security Support Channels
- Emergency Security Hotline: +1-800-SEC-HELP
- Security Team Teams channel: Security Incidents
- Compliance Questions: [email protected]
- Training Resources: Security Learning Portal
Escalation Path
- Level 1: Development Team Lead
- Level 2: Security Architecture Team
- Level 3: CISO Office
- Level 4: Legal and Compliance
Quick Reference
Essential Security Links
| Resource | Purpose | Status |
|---|---|---|
| HIPAA Guidelines | Healthcare compliance requirements | See HIPAA Compliance section above |
| Secret Management | Azure Key Vault integration | See Development Security Practices |
| Security Tooling | Automated security scanning | See Security Tools & Automation |
| Incident Response | Security incident procedures | See Incident Response section above |
These security guidelines are regularly updated to reflect the latest threats and compliance requirements. For questions or suggestions, please contact the Security Team.
Last updated: September 2025 | Compliance: HIPAA, SOC 2 Type II, ISO 27001
Security Development Guidelines Structure
This section provides comprehensive security guidance for OHEMR Epic healthcare systems development and operations:
Core Security Areas
- HIPAA Compliance: Healthcare-specific security requirements (coming soon)
- Secret Management: Secure credential handling and storage (coming soon)
- Security Tooling: Automated security scanning and validation (coming soon)
- Incident Response: Security incident procedures and escalation (coming soon)
Implementation Standards
All development guidelines include Epic-specific security requirements and HIPAA compliance considerations.