Weave Policy Library: Introducing HIPAA Policies

By Tony Chong
June 14, 2022

In our latest Weave GitOps release, we added trusted application delivery and policy-as-code capabilities to Weave GitOps. Part of this release is the Weave Policy Library, which includes policies mapped to the HIPAA compliance standard alongside other compliance families such as the CIS Benchmarks and PCI DSS. Read on to learn more about the Weave Policy Library and its HIPAA policies.

Overview

An increasing number of healthcare organizations are moving to Kubernetes, with a wide variety of use cases, including ones that push Kubernetes out to the edge. This surge of clusters means that protecting patient and other privileged information must be done at scale, adding complexity to your systems architecture and additional management responsibilities for you and your team.

Healthcare providers in the United States face another key obstacle: complying with a wide array of industry rules and regulations. Failure to meet the details of these mandates can result in violations that are very costly, both financially and operationally.

In this article we will zoom in on HIPAA, a prominent healthcare regulation in the United States, and show how policy as code can help enforce the technical controls the standard calls for.

What is the HIPAA Standard?

HIPAA stands for Health Insurance Portability and Accountability Act. Established in 1996, HIPAA is a federal law that required the creation of national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge. In the cloud-native world, this means those operating Kubernetes clusters that encounter protected patient information have a legal responsibility to ensure the safeguarding of this data.

For providers, complying with HIPAA means reducing risk to an appropriate and acceptable level. The ten most common HIPAA violations are:

  • Snooping on healthcare records.

  • Failure to perform an organization-wide risk analysis.

  • Failure to manage security risks.

  • Denying patients access to health records.

  • Failure to enter into a HIPAA-compliant business associate agreement (BAA).

  • Insufficient ePHI (electronic protected health information) access controls.

  • Failure to use encryption or an equivalent measure to safeguard ePHI on portable devices.

  • Exceeding the 60-day deadline for issuing breach notifications.

  • Impermissible disclosures of PHI.

  • Improper disposal of PHI.

Covered entities and their business associates that create, receive, maintain or transmit ePHI are required to comply with the HIPAA Security Rule and its administrative, physical and technical safeguards, or risk costly civil and/or criminal penalties. HIPAA's de-identification standard lists 18 identifiers that make health information individually identifiable, including names, dates, geographic data, social security and account numbers, email addresses, biometric identifiers such as fingerprints, and internet protocol (IP) addresses.

HIPAA Violations Can Have Costly Consequences

Unfortunately, data breaches continue to be a costly occurrence in the U.S., especially those involving data covered under HIPAA and the Health Information Technology for Economic and Clinical Health (HITECH) Act. As more PHI moves onto connected systems, more of it is at risk, and in cases where a HIPAA breach compromises PHI, the average cost is $7.79 million.

The Enforcement Rule sets civil monetary penalties for violating HIPAA rules. Criminal HIPAA violation penalties range from a fine of $50,000 and up to a year in prison to a fine of $250,000 and up to ten years of jail time. Civil penalties range from $100 - $50,000 per violation, with an annual maximum of $25,000 for repeat violations at the lowest tier, to $50,000 per violation, with an annual maximum of $1.5 million at the highest tier. These figures do not account for the damaged reputation and decreased customer trust a healthcare provider often experiences when sensitive data is stolen.

Ensure HIPAA Compliance with Weave Policy and Trusted Delivery

In our latest product launch, Weave GitOps 2022.03, we introduced Trusted Application Delivery: adding policy-as-code capabilities to GitOps pipelines. Policy as code helps automate the enforcement of best practices and standards compliance throughout your Kubernetes environments. Policies are written in code to prohibit the deployment of non-conforming resources. Policy as code can be applied at every phase of the application delivery cycle, such as development, testing, and deployment, so that nothing slips through the cracks.

Because policies are defined as code, we have enriched them with additional fields such as categories, tags, and standards (in this case HIPAA), so that you can organize and make sense of your policies through groupings.

The latest version of Weave GitOps includes a built-in library of security and compliance policies - we call them Weave Policies. These OPA policies are designed as "write once, apply many", meaning the same policy can be applied to one cluster or to all of your clusters, regardless of their hardware configuration or location. Policies scale as your infrastructure does.
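To make the "policies are written in code" idea concrete, here is an added example of an OPA Rego policy of the kind a HIPAA technical-safeguards grouping might contain. It is written for this article and is not a policy shipped in the Weave Policy Library; the package name, rule names and the Kubernetes admission-review input shape (input.request.object) are assumptions. It denies workloads that run privileged, that do not run as a non-root user, or that mount the host filesystem, since any of these lets a compromised container reach ePHI outside its own access-control boundary.

```rego
# Illustrative policy for this article; NOT part of the Weave Policy Library.
# Package name and rule names are made up for the example.
package example.hipaa.workload_hardening

# Assumed input shape: a Kubernetes AdmissionReview, so the Pod being
# created or updated is found at input.request.object.
pod := input.request.object

# Collect regular and init containers into one set so every rule below
# checks both.
containers[c] {
    c := pod.spec.containers[_]
}
containers[c] {
    c := pod.spec.initContainers[_]
}

# runAsNonRoot may be set on the container or inherited from the Pod.
runs_as_non_root(c) {
    c.securityContext.runAsNonRoot == true
}
runs_as_non_root(_) {
    pod.spec.securityContext.runAsNonRoot == true
}

# Privileged containers have full access to the node kernel and devices.
deny[msg] {
    c := containers[_]
    c.securityContext.privileged == true
    msg := sprintf("container %q must not run privileged", [c.name])
}

# Missing or false runAsNonRoot at both levels is a violation.
deny[msg] {
    c := containers[_]
    not runs_as_non_root(c)
    msg := sprintf("container %q must run as non-root (set securityContext.runAsNonRoot: true)", [c.name])
}

# hostPath volumes expose the node filesystem, and any PHI on it, to the Pod.
deny[msg] {
    v := pod.spec.volumes[_]
    v.hostPath
    msg := sprintf("volume %q uses hostPath; host filesystem mounts are not allowed", [v.name])
}
```

Evaluated against an AdmissionReview JSON saved as pod.json, `opa eval -i pod.json -d policy.rego 'data.example.hipaa.workload_hardening.deny'` returns an empty set for a conforming Pod and one message per violation otherwise. The same rule set can be run in audit mode over existing objects, as an admission webhook, or against manifests in a pull request, which is what lets one policy serve all three enforcement points described below.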

How Does it Work with HIPAA Compliance and Auditing?

With Weave Policy, Kubernetes clusters are continuously scanned for any object violating a rule or standard. Weave Policy comes with dozens of predefined policies that cover just about every common use case we have come across, spanning security, compliance, coding standards, and best practices. A subset of these policies is pre-labelled with HIPAA, so out of the box you can view our HIPAA report to see exactly where your clusters stand from a HIPAA viewpoint.

With all your HIPAA policies grouped, you can apply them at run time (audit mode), at deploy time (admission controller), and at commit time (shift-left API), across your entire fleet, so that your team can move fast without worrying that something was missed during peer review.

HIPAA Compliance with Weave GitOps

Weave Policy Library, part of our latest Weave GitOps product release, has dozens of built-in security and compliance policies. Teams can use the policies as they are or customize them for their specific use cases. Once these policies are integrated into your CI/CD pipelines, every newly introduced manifest is checked against the HIPAA-labelled policies before it reaches a cluster, helping you protect the privacy of Protected Health Information.

Weave Policy Library includes CIS Benchmarks for Kubernetes, MITRE ATT&CK policies, PCI DSS compliance policies, and many more. To learn more about Weave Policy Library and its benefits, request a demo now.

Related posts

Watch Weave GitOps Release Features: Trusted Application Delivery with Policy as Code, VScode and Terraform extensions for Flux

Trusted Delivery with GitOps and Policy as Code

March Release - Weave GitOps 2022.03