Healthcare Blocks virtual servers are security hardened and continuously maintained to eliminate vulnerabilities.
Virtual Machines are Generated and Tested by a Consistent Process
Virtual servers are based on a custom Ubuntu Linux machine image that is updated weekly and tested nightly. This image is configured in accordance with the industry-standard CIS Benchmarks and Security Content Automation Protocol (SCAP) recommendations. Build configurations and changes are persisted in a source control repository. If you need more specifics about our build process and security configuration, please contact us.
Security Updates are Applied When Available
Virtual servers are scanned nightly for security-related updates to kernels and official packages. During the following business day, the Healthcare Blocks DevOps team reviews the patch list, identifies any potential conflicts and issues, and schedules the updates. Occasionally, an update requires the virtual server to be rebooted. Once you have established an SSH connection to your machine, you can determine whether a reboot is pending by running: ls /var/run/reboot-required. The file exists only when a reboot is pending, so if the command prints the path, run sudo reboot, or coordinate with our support team. Downtime is approximately 30 seconds to 2 minutes, depending on the performance characteristics of your machine.
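The following script is an added example (it is not part of the Healthcare Blocks documentation or tooling) that wraps the reboot check above so it can be used from a login shell, cron or a deployment pipeline. It also prints the package list that Ubuntu writes to /var/run/reboot-required.pkgs next to the flag file, which tells you which update (typically a kernel or libc package) triggered the reboot. The directory argument is optional and exists only so the function can be exercised against a scratch directory.

```shell
#!/bin/sh
# Added example, not Healthcare Blocks' code: report whether the package
# manager has flagged a pending reboot on an Ubuntu host.
# Usage: reboot_required [DIR]   (DIR defaults to /var/run)

reboot_required() {
    dir="${1:-/var/run}"
    if [ -f "$dir/reboot-required" ]; then
        echo "Reboot required."
        # Ubuntu lists the packages that set the flag, one per line, possibly
        # with duplicates; print each once so the output stays readable.
        if [ -s "$dir/reboot-required.pkgs" ]; then
            echo "Packages that need the reboot:"
            sort -u "$dir/reboot-required.pkgs" | sed 's/^/  /'
        fi
        return 0
    fi
    echo "No reboot pending."
    return 1
}

# When run as a script, report on the live system. The exit status of the
# function (0 = reboot pending, 1 = none) is not propagated here so the file
# can also be sourced by other scripts that call reboot_required themselves.
reboot_required "$@" || :
```

The exit status makes the function usable as a gate: a maintenance job can run reboot_required and only schedule the reboot window when it returns 0, rather than string-matching the output of ls.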
Known Vulnerabilities are Reviewed Daily
The Healthcare Blocks DevOps team reviews Common Vulnerabilities and Exposures (CVE) bulletins published by the National Institute of Standards and Technology (NIST) daily. These alerts are cross-referenced with the results of the daily security patching process described above to determine whether any additional steps are required to rectify a vulnerability. Occasionally, this might require patching and rebooting a virtual server during business hours; the Healthcare Blocks DevOps team will contact the designated technical contact if needed.
Virtual Machines are Continuously Monitored
Healthcare Blocks virtual servers include a Trend Micro OSSEC agent, which is responsible for intrusion detection, file integrity monitoring, log monitoring, rootcheck, and process monitoring. The agent communicates with an OSSEC server whose configuration and rulesets are managed by the Healthcare Blocks DevOps team. Every 12 hours, OSSEC scans the filesystem of each virtual machine for malware, rootkits, and changes to executable and configuration files. OSSEC generates alerts for intrusion attempts and system issues; these are distributed to the Healthcare Blocks DevOps team via an internal communication platform. In addition, OSSEC activity is logged and permanently stored in a high-availability relational database that is also backed up nightly.
Intrusion attempts are immediately blocked. Tampering with authentication mechanisms results in the blacklisting of the associated IP address. Customers can add their IP address to a whitelist to avoid accidental blocking.
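The following script is an added illustration, not Healthcare Blocks' configuration and not OSSEC's own code, of the rule logic behind the blocking and whitelisting behaviour described above. It counts failed sshd logins per source address over a constructed sample of syslog lines, reports every address that reaches a failure threshold, and skips any address on a whitelist, which is the role the customer whitelist plays in the real setup. The log lines, the threshold of 3 and the whitelist entry 203.0.113.10 are all constructed for the example; a production monitor would additionally apply the threshold within a time window and hand the result to a firewall action.

```shell
#!/bin/sh
# Added example, not Healthcare Blocks' or OSSEC's code: threshold-based
# detection of repeated sshd authentication failures with a whitelist.

# Constructed sample of sshd entries in syslog format (not real log data).
SAMPLE_LOG='Jan 10 03:14:01 web1 sshd[2211]: Failed password for invalid user admin from 198.51.100.7 port 51022 ssh2
Jan 10 03:14:03 web1 sshd[2211]: Failed password for invalid user admin from 198.51.100.7 port 51023 ssh2
Jan 10 03:14:05 web1 sshd[2213]: Failed password for root from 198.51.100.7 port 51024 ssh2
Jan 10 03:14:06 web1 sshd[2215]: Failed password for deploy from 203.0.113.10 port 40311 ssh2
Jan 10 03:14:07 web1 sshd[2215]: Failed password for deploy from 203.0.113.10 port 40311 ssh2
Jan 10 03:14:08 web1 sshd[2215]: Failed password for deploy from 203.0.113.10 port 40311 ssh2
Jan 10 03:14:09 web1 sshd[2217]: Accepted publickey for deploy from 203.0.113.10 port 40312 ssh2
Jan 10 03:14:20 web1 sshd[2219]: Failed password for invalid user test from 192.0.2.44 port 60001 ssh2'

# Addresses that must never be blocked (assumed customer whitelist, constructed).
WHITELIST='203.0.113.10'

# offenders LOG_TEXT THRESHOLD WHITELIST
# Prints, one per line, every source IP with at least THRESHOLD failed logins
# that is not on the (space- or comma-separated) whitelist. Sorted for stable output.
offenders() {
    printf '%s\n' "$1" | awk -v threshold="$2" -v allow="$3" '
        BEGIN {
            n = split(allow, a, /[[:space:],]+/)
            for (i = 1; i <= n; i++) if (a[i] != "") ok[a[i]] = 1
        }
        # Only sshd failure lines count; successful logins are ignored.
        /sshd\[[0-9]+\]: Failed password for/ {
            # The source address is the field after the literal word "from".
            for (i = 1; i <= NF; i++) if ($i == "from") { fails[$(i + 1)]++; break }
        }
        END {
            for (ip in fails)
                if (fails[ip] >= threshold && !(ip in ok)) print ip
        }' | sort
}

# Stand-alone run: 198.51.100.7 crosses the threshold and is reported; the
# whitelisted deploy host is not, and 192.0.2.44 has only one failure.
offenders "$SAMPLE_LOG" 3 "$WHITELIST"
```

The whitelist is checked at reporting time rather than at counting time so that a whitelisted address still shows up in the counts if you want to inspect them; only the blocking decision is suppressed. That is the property a customer relies on when adding their own office or VPN address.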
Data is Encrypted At Rest
Per NIST cryptographic standards, virtual server storage volumes automatically encrypt data at rest using full volume encryption and 256-bit AES encryption keys. Legacy "micro" virtual machines use dm-crypt/LUKS, whereas larger virtual machines ("small" and up) use Amazon Web Services EBS encryption backed by a FIPS 140-2 key management infrastructure. Storage volume snapshots are also encrypted at rest.
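The following script is an added example, not part of the Healthcare Blocks documentation, of how to confirm from inside a legacy "micro" machine that a mount point really sits on a dm-crypt device. It parses the output of lsblk -o NAME,TYPE,MOUNTPOINT -r (one device per line, plain names) and reports whether the device holding the given mount point has type crypt. The lsblk output embedded below is constructed for the example; the device names are assumed. The check only applies to the dm-crypt/LUKS case: EBS encryption happens below the guest OS, so for "small" and larger machines the volume's Encrypted attribute is visible only through the AWS API (for example aws ec2 describe-volumes with a query on Volumes[].Encrypted), not from lsblk.

```shell
#!/bin/sh
# Added example, not Healthcare Blocks' code: verify that a mount point is
# backed by a dm-crypt ("crypt") block device using lsblk output.

# Constructed lsblk -o NAME,TYPE,MOUNTPOINT -r output for a machine whose
# data volume is a LUKS container mounted at /data (not real output).
SAMPLE_LSBLK='NAME TYPE MOUNTPOINT
xvda disk
xvda1 part /
xvdf disk
luks-data crypt /data'

# encrypted_mount LSBLK_TEXT MOUNTPOINT
# Exit 0 if MOUNTPOINT is on a crypt device, 1 if it is on a plain device,
# 2 if MOUNTPOINT does not appear in the listing at all.
encrypted_mount() {
    printf '%s\n' "$1" | awk -v mnt="$2" '
        NR > 1 && $3 == mnt { found = 1; if ($2 == "crypt") enc = 1 }
        END {
            if (!found) exit 2
            exit (enc ? 0 : 1)
        }'
}

# Stand-alone run against the constructed sample: /data is encrypted, / is not.
for m in /data /; do
    if encrypted_mount "$SAMPLE_LSBLK" "$m"; then
        echo "$m: dm-crypt backed"
    else
        echo "$m: not on a crypt device (status $?)"
    fi
done
```

On a live machine, call it as encrypted_mount "$(lsblk -o NAME,TYPE,MOUNTPOINT -r)" /data. To see the cipher behind a crypt device, run sudo cryptsetup status followed by the device name shown by lsblk; for the AES-XTS mode cryptsetup typically uses, a 256-bit AES key is reported as keysize 512 bits because XTS combines two 256-bit keys. The same function can confirm that the Docker data root is on the encrypted volume, assuming the data root is a path under a mounted filesystem: pass findmnt -n -o TARGET --target "$(docker info --format '{{.DockerRootDir}}')" as the mount point.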
Healthcare Blocks Services Include Encrypted Endpoints
Managed database services and other platform add-ons use TLS certificates to encrypt data in transit. In addition, the default Web server configuration (e.g. Nginx) uses strong TLS ciphers, which are periodically assessed for vulnerabilities using third-party tools.
Docker Configuration and Maintenance
The Docker Engine is configured to persist container data and metadata to the encrypted storage volume.
For Dokku-enabled environments, the Dokku-specific Docker images are periodically updated. Buildpacks used by Dokku originate in publicly available open source projects, which are also periodically updated by their authors when vulnerabilities are found.
For Docker Compose-enabled environments, customers may use the official Docker images maintained by Healthcare Blocks. These are updated on a regular basis. The corresponding Dockerfiles are stored in a centralized private repository. To get access, please create a ticket.