Healthcare Blocks virtual servers are security hardened and continuously maintained to eliminate vulnerabilities.
Virtual Machines are Generated and Tested by a Consistent Process
Virtual servers are based on a custom Linux Ubuntu machine image that is updated weekly and tested nightly. This image is configured in accordance with the industry-standard CIS Benchmarks and Security Content Automation Protocol (SCAP) recommendations. Build configurations and changes are persisted in a source control repository. If you need more specifics about our build process and security configuration, please contact us.
Security Updates are Applied When Available
Virtual servers are scanned nightly for security-related updates to kernels and official packages. During the following business day, the Healthcare Blocks DevOps team reviews the patch list, identifying any potential conflicts and issues, and schedules updates. In newer environments, kernel live patching is enabled, avoiding the need for an immediate reboot when patches are applied. For older environments that require a reboot in order for patches to take effect, the Healthcare Blocks DevOps team will either contact customers or proactively schedule an automated reboot during after hours or weekend.
Known Vulnerabilities are Reviewed Daily
The Healthcare Blocks DevOps team reviews common vulnerabilities and exposures (CVE) bulletins published by the National Institute of Standards and Technology (NIST) on a daily basis. These alerts are cross-referenced with the results of the daily security patching process described above to determine if any additional steps are required to rectify a vulnerability.
Virtual Machines are Continuously Monitored
Healthcare Blocks virtual servers include a Trend Micro OSSEC agent, which is responsible for intrusion detection, file integrity monitoring, log monitoring, rootcheck, and process monitoring. The agent communicates with an OSSEC server, whose configuration and rulesets are managed by the Healthcare Blocks DevOps team. Every 12 hours, OSSEC scans the filesystem of each virtual machine for malware, rootkits, and changes to executable and configuration files. OSSEC generates alerts for intrusion attempts and system issues - these are distributed to the Healthcare Blocks DevOps team via an internal communication platform. In addition, OSSEC activity is logged and permanently stored in a high-availability relational database that is also backed up nightly.
Intrusion attempts are immediately blocked. Tampering with authentication mechanisms results in the blacklisting of the associated IP address. Customers can add their IP address to a whitelist to avoid accidental blocking.
In addition, a weekly rootkit/malware scan using rkhunter is performed weekly as secondary verification on top of OSSEC's scanning capabilities.
Customers can request to add other A/V tools if they have an existing vendor license.
Data is Encrypted At Rest
Per NIST cryptographic standards, virtual server storage volumes automatically encrypt data at rest using full volume encryption and 256-bit AES encryption keys. Legacy "micro" virtual machines use dm-crypt/LUKS; whereas larger virtual machines ("small" and up) use Amazon Web Services EBS encryption backed by a FIPS 140-2 key management infrastructure. Storage volume snapshots are also encrypted at rest.
Healthcare Blocks Services Include Encrypted Endpoints
Managed database services and other platform add-ons use TLS certificates to encrypt data in transit. In addition, the default Web server configuration (e.g. Nginx) uses strong TLS ciphers, which are periodically assessed for vulnerabilities using third-party tools.
Docker Configuration and Maintenance
The Docker Engine is configured to persist container data and metadata to the encrypted storage volume.
For Dokku-enabled environments, the Dokku-specific Docker images are periodically updated. Buildpacks used by Dokku originate in publicly available open source projects, which are also periodically updated by their authors when vulnerabilities are found.