Solace is the maker of the Solace PubSub+ Platform, which is used to event-enable an enterprise. The core of the platform is the Solace PubSub+ Advanced Event Broker, which comes as a hardware appliance, as software, and as messaging-as-a-service in your favorite public cloud.
In the last few years, Solace has invested heavily in cloud-based messaging. Using the Solace Cloud Console, you can quickly provision redundant, secured virtual Solace brokers in the cloud of your choice. Solace messaging isn't just fast; it is reliable, extensible, and secure. Solace virtual routers can be deployed as an HA pair in a single region, and DR can be set up across regions to meet the availability constraints your enterprise demands. Solace routers support nearly every major messaging protocol; the list of protocols not supported is shorter than the list of protocols that are. Solace routers are also secure: in a private cloud deployment, administrative access is gated by the same controls that protect the EC2 instances in your Amazon console.
All of these built-in features, coupled with native cloud deployments and a very generous free tier, make Solace an obvious option for businesses outside the financial space. Companies spend thousands of dollars and person-hours building reliable messaging deployments that are secure and cost-effective. Now you can have those features at the click of a button thanks to the cloud. (Check out my last article talking about exactly how easy it is to do this.) But not every business vertical is convinced that cloud-based solutions like Solace fit their needs. One of those verticals is healthcare and insurance, and the real question there is HIPAA. In this article we'll discuss what HIPAA is and why Solace is absolutely a viable choice for messaging in an environment that must meet HIPAA's safeguards. By taking the time to properly configure your PubSub+ services, meeting HIPAA's technical requirements with Solace is quite straightforward. I'll show you how to get started in this article.
HIPAA, the Health Insurance Portability and Accountability Act, is legislation passed in 1996 that regulates the privacy and security of Protected Health Information (PHI). Health insurance organizations handle PHI all the time; it is the very nature of an insurance claim. In the 24 years since this legislation became law, the digital world has changed drastically, but the compliance requirements remain the same. For a full list of HIPAA compliance requirements, check out this website. The list of requirements is extensive, but it boils down to the following short list of absolute necessities.
This article is about defining a HIPAA compliant Solace implementation for companies dealing with PHI. Let's define what a typical environment would look like for a company like this.
This list of five assumptions about an organization trying to be HIPAA compliant is fairly general. Federated user login, application activity logging, intelligent access controls around data, and secure networking are standard requirements for any business that makes money from data. PHI and insurtech companies are no exception. Given the general settings above, we will discuss how the required aspects of HIPAA can be honored in a Solace Cloud deployment.
Access control is a built-in, out-of-the-box component of Solace, enforced down to the underlying operating system. For cloud deployments, however, the access control that matters for HIPAA comes from user authentication and authorization, ACLs, and client profiles.
Authenticating against a Solace broker can be done a number of ways. The simplest is with a username and password, which is the default for free-tier deployments. Solace ships several other authentication schemes that are quite extensible; an entire series of blogs could be written on this topic alone. For HIPAA purposes, the important one is that Solace integrates easily with LDAP. By authenticating against LDAP, your Solace logins inherit the password policy, lockout rules, and deprovisioning process of your directory, so the HIPAA controls you have already documented for LDAP carry over. Two caveats a practitioner should keep in mind: make the broker bind to the directory over TLS (LDAPS or StartTLS), because a plain LDAP bind sends the user's credential in the clear on the way to the directory server, and remember that LDAP answers only "who is this"; which topics that identity may touch is still decided on the broker by the ACL profile and client profile described next.
In addition to LDAP integration, Solace has built-in configuration options that supply fine-grained access control down to the topic level. Like most messaging systems, Solace has Access Control Lists. An ACL profile in Solace carries three default actions (client connect, publish, subscribe) plus exception lists for each; a client is assigned a profile, and the broker decides every publish and every subscription request against it, so the client never needs to know the rules ahead of time. The safe starting point is a default of "disallow" with explicit exceptions for the topics each role actually needs.
If a client attempts to publish to, or subscribe to, a topic its ACL does not permit, the broker rejects the request and the client API reports an error. Additionally, Solace ACLs can allow or deny client connections by source IP address or CIDR range, so a user is only allowed to connect from a very specific network location.
Typically, that location is a physical office or the end of an encrypted VPN tunnel. This kind of control is not required by HIPAA, but it is a recommended step when working toward HIPAA compliance; bear in mind that it is only as trustworthy as the source address the broker sees, so a NAT gateway or load balancer in the path will collapse many clients into one address.
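To make the ACL semantics concrete, here is an offline model of a default-deny ACL profile. This is an added illustration, not code from Solace or from the article; it reproduces the documented Solace topic-wildcard rules ("*" matches the remainder of one level, a final ">" matches one or more further levels) and the way exception lists flip a profile's default action, so a proposed ACL can be reviewed before it is pushed to a broker. The CIDR range, topic names, and the claims-intake role are constructed for the example, and the subscription check treats the requested subscription string literally, which is the conservative reading.

```python
"""Offline model of a default-deny Solace ACL profile (added example)."""
import ipaddress
from dataclasses import dataclass, field


def topic_matches(pattern: str, topic: str) -> bool:
    """Return True if a Solace topic pattern covers a concrete topic.

    Levels are '/'-separated. '*' at the end of a level matches the rest of
    that level; '>' is a wildcard only as the final level and then matches
    one or more further levels.
    """
    p_levels = pattern.split("/")
    t_levels = topic.split("/")
    for i, p in enumerate(p_levels):
        last = i == len(p_levels) - 1
        if p == ">" and last:
            return len(t_levels) > i          # needs at least one more level
        if i >= len(t_levels):
            return False
        t = t_levels[i]
        if p.endswith("*"):
            if not t.startswith(p[:-1]):
                return False
        elif p != t:
            return False
    return len(t_levels) == len(p_levels)


@dataclass
class AclProfile:
    """The three decisions a Solace ACL profile makes. Each default is
    'allow' or 'disallow'; each exception list flips that default for
    whatever it matches."""
    client_connect_default: str = "disallow"
    publish_default: str = "disallow"
    subscribe_default: str = "disallow"
    connect_exceptions: list = field(default_factory=list)    # CIDR strings
    publish_exceptions: list = field(default_factory=list)    # topic patterns
    subscribe_exceptions: list = field(default_factory=list)  # topic patterns

    @staticmethod
    def _decide(default: str, matched: bool) -> bool:
        return (default == "allow") != matched

    def can_connect(self, client_ip: str) -> bool:
        ip = ipaddress.ip_address(client_ip)
        matched = any(ip in ipaddress.ip_network(c, strict=False)
                      for c in self.connect_exceptions)
        return self._decide(self.client_connect_default, matched)

    def can_publish(self, topic: str) -> bool:
        matched = any(topic_matches(p, topic) for p in self.publish_exceptions)
        return self._decide(self.publish_default, matched)

    def can_subscribe(self, subscription: str) -> bool:
        # The subscription string is compared as written, so a wildcard
        # subscription broader than every exception is denied (conservative).
        matched = any(topic_matches(p, subscription)
                      for p in self.subscribe_exceptions)
        return self._decide(self.subscribe_default, matched)


def claims_intake_acl() -> AclProfile:
    """Constructed profile for a claims-intake service: connect only from
    the office/VPN range, publish only new submissions, read only status."""
    return AclProfile(
        connect_exceptions=["10.20.0.0/16"],
        publish_exceptions=["claims/submitted/>"],
        subscribe_exceptions=["claims/status/>"],
    )


def check_requests(acl: AclProfile, requests: list) -> dict:
    """Evaluate (action, target) pairs; action is connect|publish|subscribe."""
    handlers = {"connect": acl.can_connect, "publish": acl.can_publish,
                "subscribe": acl.can_subscribe}
    return {f"{a}:{t}": handlers[a](t) for a, t in requests}


if __name__ == "__main__":
    decisions = check_requests(claims_intake_acl(), [
        ("connect", "10.20.4.7"), ("connect", "198.51.100.3"),
        ("publish", "claims/submitted/C-1001"),
        ("publish", "claims/adjudicated/C-1001"),
        ("subscribe", "claims/status/C-1001"),
        ("subscribe", "#LOG/>"),
    ])
    for request, allowed in decisions.items():
        print(f"{'ALLOW' if allowed else 'DENY':5} {request}")
```

Run it as a script to see the decision table; the "#LOG/>" line shows why the audit consumer needs its own profile rather than a widened intake profile.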
Another feature of Solace that provides fine-grained, HIPAA-relevant access control is the client profile. Like the authentication options, client profiles are an extensive topic; many of their settings are tuning knobs for throughput and latency that only matter when you are working around upstream networking issues. There are, however, a few high-level settings that should be set deliberately in a HIPAA environment.
When configuring a client profile, remember that every client assigned to it is restricted to the actions and limits in that profile. Some settings can be overridden per client, but general usability is decided at the profile level. For example, if a set of clients should never bind to a queue, do not allow them to receive guaranteed messages. If you want a service-level user that can only create bridged connections (connections between different Solace Message VPNs or services), enable "Connect as a Bridge" for that profile and nothing else. If you only want publishes to succeed when there is an active subscriber, enable "Reject Messages to Sender on No Subscription Match Discard". These are standard settings that define the behavior of a set of clients on your broker. The setting that matters most for HIPAA is "Downgrade Connection to Plain Text". When it is enabled, a client that connected over TLS may negotiate down to an unencrypted session after authenticating, which puts PHI on the wire in the clear; disable it immediately when configuring Solace, and under no circumstances downgrade the encryption on a connection in a HIPAA environment. Disabling it on the profile applies to every client using that profile, but it only helps if clients arrive over TLS in the first place, so pair it with TLS-only listeners (leave the plain-text messaging ports disabled or unreachable) and with TLS to your LDAP server.
If you want to view logs on a Solace router, simply subscribe to the topic #LOG/>. This does require a small amount of configuration on the router side (see below), but once enabled, your configured log messages will be published to the appropriate topic for consumption.
Instead of writing to log files, Solace tracks activity by publishing events to the internal logging topic hierarchy under #LOG. By binding a durable queue, or an always-on consumer, to the #LOG/> subscription you always have up-to-date logs for your application, and because events are broken out by topic hierarchy you can filter them granularly per consumer. In short, Solace's logging capabilities extend to meet your organization's HIPAA requirements; you just may have to think outside the box about acquiring those logs. You no longer need to set up an FTP site or run `tail -F logs/*`. If you think of logs as messages, it becomes easy to collect them in a scalable manner. Two practitioner notes: the log stream describes who connected, from where, and which topics they touched, so treat it as sensitive and grant #LOG/> only to the audit consumer's ACL profile, and forward it from the queue into a store that is retained for as long as your compliance program requires, since a queue is a buffer, not an archive.
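The two pieces of broker configuration discussed above, a client profile that cannot downgrade to plain text and a durable queue that captures the #LOG/> event stream, can both be applied through SEMP v2, the broker's management REST API. The script below is an added example, not code from Solace or from the article. It uses only the Python standard library; the attribute names are the SEMP v2 names as I know them for PubSub+ software brokers, so confirm them against the SEMP reference for your broker version before relying on them. The host, message VPN, profile name and queue name are placeholders, and the audit function lets you check a profile you fetched from the broker without a network call.

```python
"""SEMP v2 hardening helpers: no-downgrade client profile plus #LOG queue.

Added example. Attribute names follow SEMP v2 as known for PubSub+
software brokers; verify against the SEMP reference for your version.
"""
import base64
import json
import urllib.request
from typing import Optional

SEMP_BASE = "https://broker.example.internal:943/SEMP/v2/config"  # placeholder
MSG_VPN = "claims"           # placeholder message VPN
PROFILE = "phi-producers"    # placeholder client profile name
LOG_QUEUE = "q.audit.log"    # placeholder queue name

# The settings named in the text, as SEMP v2 client-profile attributes.
HARDENED_PROFILE_SETTINGS = {
    "tlsAllowDowngradeToPlainTextEnabled": False,   # the HIPAA-relevant switch
    "allowGuaranteedMsgReceiveEnabled": False,      # producers never bind queues
    "allowBridgeConnectionsEnabled": False,         # this is not a bridge account
    "rejectMsgToSenderOnNoSubscriptionMatchEnabled": True,
}


def hardened_client_profile() -> dict:
    """Request body for PATCH .../clientProfiles/{PROFILE}."""
    return {"clientProfileName": PROFILE, **HARDENED_PROFILE_SETTINGS}


def audit_client_profile(profile: dict, expected: Optional[dict] = None) -> list:
    """Compare a profile (the 'data' object of a SEMP GET) with the hardened
    settings. A missing attribute is reported too: an absent downgrade switch
    must not be mistaken for a disabled one. Empty list means clean."""
    expected = expected or HARDENED_PROFILE_SETTINGS
    findings = []
    for key, want in expected.items():
        if key not in profile:
            findings.append(f"{key} missing from profile")
        elif profile[key] != want:
            findings.append(f"{key}={profile[key]!r}, expected {want!r}")
    return findings


def log_queue_bodies() -> tuple:
    """Bodies for POST .../queues and POST .../queues/{LOG_QUEUE}/subscriptions.
    Exclusive access keeps a single audit consumer; the subscription attracts
    every event topic under #LOG/."""
    queue = {
        "queueName": LOG_QUEUE,
        "accessType": "exclusive",
        "permission": "consume",
        "ingressEnabled": True,
        "egressEnabled": True,
    }
    return queue, {"subscriptionTopic": "#LOG/>"}


def semp_request(method: str, path: str, body: Optional[dict],
                 user: str, password: str) -> dict:
    """One SEMP v2 call scoped to MSG_VPN; certificate checking is urllib's default."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(f"{SEMP_BASE}/msgVpns/{MSG_VPN}{path}",
                                 data=data, method=method)
    req.add_header("Content-Type", "application/json")
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)


def harden(user: str, password: str) -> list:
    """Apply the profile, create the audit queue, then re-read and audit."""
    semp_request("PATCH", f"/clientProfiles/{PROFILE}",
                 hardened_client_profile(), user, password)
    queue, sub = log_queue_bodies()
    semp_request("POST", "/queues", queue, user, password)
    semp_request("POST", f"/queues/{LOG_QUEUE}/subscriptions", sub, user, password)
    current = semp_request("GET", f"/clientProfiles/{PROFILE}",
                           None, user, password)["data"]
    return audit_client_profile(current)


if __name__ == "__main__":
    # Offline demonstration: a profile fetched from a broker that still allows
    # the downgrade (constructed response) fails the audit.
    weak = dict(hardened_client_profile(), tlsAllowDowngradeToPlainTextEnabled=True)
    print(audit_client_profile(weak))
```

The PATCH is deliberate: it changes only the listed attributes and leaves the rest of the profile's tuning values alone, and the final GET-then-audit step is what you would run on a schedule against every profile that can carry PHI, not just the one you created.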
Solace PubSub+ brokers come with a pre-configured option for highly available routing, with the option to add a disaster recovery site. An HA pair keeps guaranteed messages available through a single-node failure with no loss; how much in-flight data a cross-region DR failover can lose depends on whether replication to the DR site is synchronous or asynchronous, so confirm the replication mode matches the availability and integrity requirements you have documented.
The rules governing third-party access to a PubSub+ service are as straightforward as restricting access to corporate e-mail. Strong credentials and proper network configuration make PubSub+ services quite secure from third-party access. This is true for any cloud deployment. Consider AWS's VPC construct. By default, it controls resource access through security groups, route tables and network access control lists. When deploying a Solace PubSub+ broker inside a corporate VPC, the broker is bound to the same access restrictions that protect all of your assets from third-party access. Network isolation limits who can reach the broker; it does not replace TLS and per-client ACLs, which govern what a reachable client may do.
Solace can be run as a messaging solution in a HIPAA-compliant environment. Solace appliances have had this capability since before the company released a cloud-native deployment of their messaging technology. By taking the time to properly configure your PubSub+ services, meeting HIPAA's technical safeguards is quite straightforward; the one item that configuration cannot cover is the Business Associate Agreement, which you still need with whichever provider hosts PHI on your behalf. Here's a short list of recommendations to get your organization started. From here, use your organization's specific requirements to ensure PubSub+ services will assist you in all your messaging needs.
For more information on Solace's PubSub+ service, or if you have a specific question, check out https://solace.community/. This website is constantly monitored by Solace professionals looking to answer any question you may have.