Healthcare Blueprint
Purpose: For platform engineers and security officers, this page explains how the Healthcare blueprint provides the operational discipline and security controls needed to modernize without putting patients or compliance at risk.
Overview
Healthcare systems cannot go down and cannot leak data. This blueprint layers hard workload segregation, audit trails, and HIPAA-mapped controls on the platform foundation — delivering operational consistency that supports both reliability SLAs and evidence collection.
What You Get
- Hard Segregation — Clinical, administrative, and research workloads isolated at namespace, network, and node levels.
- Operational Consistency — Same deployment model and observability across environments, supporting reliability SLAs and evidence collection.
- Secure Delivery Pipelines — HIPAA-ready, not HIPAA-hopeful. Image scanning (Harbor), policy enforcement (Kyverno), encrypted secrets (SOPS).
HIPAA Technical Safeguard Mapping
| HIPAA Section | Requirement | openCenter Implementation |
|---|---|---|
| §164.312(a)(1) | Access control | Keycloak OIDC + RBAC Manager + namespace isolation |
| §164.312(b) | Audit controls | Kubernetes audit logs + Loki aggregation + Git commit trail |
| §164.312(c)(1) | Integrity | FluxCD drift detection + Kyverno image signature validation |
| §164.312(d) | Person/entity authentication | Keycloak with MFA support + OIDC for cluster access |
| §164.312(e)(1) | Transmission security | TLS everywhere (cert-manager) + mTLS via Istio (optional) |
| §164.312(e)(2)(ii) | Encryption at rest | SOPS for secrets in Git + Kubernetes encryption at rest (configured via Kubespray) |
Workload Segregation
| Zone | Purpose | Isolation Mechanism |
|---|---|---|
| Clinical | Patient-facing systems, EHR | Dedicated namespace + node taints + NetworkPolicies |
| Administrative | Billing, scheduling, back-office | Namespace isolation + restricted network egress |
| Research | Analytics, de-identified data | Separate namespace + no clinical network access |
Kyverno policies enforce zone boundaries — workloads cannot reference resources across zones without explicit policy exceptions.
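The zone boundary described above, shown as an added illustration rather than the blueprint's own manifests: a clinical namespace carrying the Pod Security Admission labels the foundation applies, a NetworkPolicy that only admits traffic to and from namespaces in the same zone, and a Kyverno ClusterPolicy that rejects research-zone pods which try to tolerate the clinical node taint. The `zone` label key, the `zone=clinical` taint and the namespace names are assumptions for this example.

```yaml
# Added example; the zone label key, the taint and the namespace names are assumptions.
# Namespace for the clinical zone. The zone label drives NetworkPolicy and Kyverno
# selection; the pod-security labels apply the foundation's PSA posture
# (baseline enforced, restricted audited and warned).
apiVersion: v1
kind: Namespace
metadata:
  name: clinical
  labels:
    zone: clinical
    pod-security.kubernetes.io/enforce: baseline
    pod-security.kubernetes.io/audit: restricted
    pod-security.kubernetes.io/warn: restricted
---
# Default-deny for every pod in the namespace, then allow traffic only to and from
# namespaces that carry the same zone label. DNS egress to kube-system is allowed
# explicitly because default-deny egress would otherwise break name resolution.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: zone-boundary
  namespace: clinical
spec:
  podSelector: {}
  policyTypes: [Ingress, Egress]
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              zone: clinical
  egress:
    - to:
        - namespaceSelector:
            matchLabels:
              zone: clinical
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
---
# Clinical nodes are tainted out of band (kubectl taint nodes <node> zone=clinical:NoSchedule),
# so only workloads that tolerate the taint are scheduled there. A taint is a scheduling
# hint, not a boundary: any pod may declare the toleration. This policy closes that gap
# by rejecting, at admission, research-zone pods that tolerate the clinical taint.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: deny-cross-zone-tolerations
spec:
  validationFailureAction: Enforce
  background: true
  rules:
    - name: research-cannot-tolerate-clinical-taint
      match:
        any:
          - resources:
              kinds: [Pod]
              namespaceSelector:
                matchLabels:
                  zone: research
      validate:
        message: "Research-zone workloads may not tolerate the clinical node taint."
        deny:
          conditions:
            any:
              # Collect the values of all tolerations keyed "zone"; deny if "clinical" is among them.
              - key: clinical
                operator: AnyIn
                value: "{{ request.object.spec.tolerations[?key=='zone'].value || `[]` }}"
```

The NetworkPolicy is only as strong as the CNI enforcing it, so the segregation claim should be verified on the cluster (for example by attempting a connection from a research pod to a clinical service and confirming it times out) rather than inferred from the manifest being applied. Kyverno auto-generates the Pod rule for Deployments, StatefulSets and similar controllers, so the toleration check also applies to workloads created through those kinds.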
Audit Trail
- Kubernetes audit logs → shipped to Loki with 90-day retention (configurable)
- Git history → every infrastructure and application change has commit, author, timestamp
- FluxCD events → reconciliation success/failure tracked and alerted
- SOPS key rotation → 90-day Age keys, 180-day SSH keys, with audit of rotation events
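The first item in the list depends on what the API server is told to record. The following audit policy is an added example, not the blueprint's shipped configuration; the namespace name and the choice of resources are assumptions. It is handed to kube-apiserver with `--audit-policy-file`.

```yaml
# Added example; namespace and resource selections are assumptions.
apiVersion: audit.k8s.io/v1
kind: Policy
# Skip the RequestReceived stage: ResponseComplete carries the same fields plus the outcome.
omitStages:
  - RequestReceived
rules:
  # Secrets and ConfigMaps are recorded at Metadata level only. At Request or
  # RequestResponse level the object body, and therefore secret material, would be
  # copied into a log stream that is shipped off the cluster.
  - level: Metadata
    resources:
      - group: ""
        resources: ["secrets", "configmaps"]
  # Full request and response for every change to clinical-zone workloads and RBAC,
  # so an auditor can reconstruct what was deployed, by whom, and with what result.
  - level: RequestResponse
    verbs: ["create", "update", "patch", "delete"]
    namespaces: ["clinical"]
    resources:
      - group: ""
        resources: ["pods", "services", "serviceaccounts"]
      - group: "apps"
        resources: ["deployments", "statefulsets", "daemonsets"]
      - group: "rbac.authorization.k8s.io"
        resources: ["roles", "rolebindings"]
  # Drop high-volume, low-value noise before it reaches Loki.
  - level: None
    users: ["system:kube-proxy"]
    verbs: ["watch"]
    resources:
      - group: ""
        resources: ["endpoints", "services"]
  - level: None
    nonResourceURLs: ["/healthz*", "/readyz*", "/livez*", "/version"]
  # Everything else: who did what to which resource, without request bodies.
  - level: Metadata
```

On the Loki side, the 90-day figure corresponds to `limits_config.retention_period: 2160h`; retention is applied by the compactor, so `compactor.retention_enabled: true` must also be set or the period is never enforced.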
Operational Controls
| Control | Implementation |
|---|---|
| Backup | Velero scheduled backups with verified restore procedures |
| Disaster recovery | Cluster state in Git + infrastructure in Terraform state |
| Monitoring | kube-prometheus-stack with health check alerting |
| Incident response | Alertmanager routing + defined escalation paths |
| Change management | GitOps workflow — PR review required, FluxCD reconciles |
| Access review | Keycloak group membership + RBAC Manager audit |
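The backup row in the table, as an added example rather than the blueprint's own manifest: a Velero Schedule that backs up the clinical namespace daily and keeps 30 days of history. The schedule time, namespace name and TTL are assumptions.

```yaml
# Added example; schedule, namespace names and TTL are assumptions.
apiVersion: velero.io/v1
kind: Schedule
metadata:
  name: clinical-daily
  namespace: velero
spec:
  # Cron syntax: 02:00 every day.
  schedule: "0 2 * * *"
  template:
    includedNamespaces:
      - clinical
    # Snapshot persistent volumes together with the Kubernetes objects that use them.
    snapshotVolumes: true
    # Retain each backup for 30 days (Go duration syntax).
    ttl: 720h0m0s
```

A backup is only evidence once a restore from it has been exercised. A practical form of the "verified restore procedure" named in the table is a periodic restore into a scratch namespace, for example `velero restore create --from-schedule clinical-daily --namespace-mappings clinical:clinical-restore-test`, followed by a check that the restored workloads become ready, and then deletion of the scratch namespace.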
Platform Controls (Inherited from Foundation)
All controls from the Platform Foundation apply:
- 17 Kyverno ClusterPolicies
- Pod Security Admission (baseline enforce, restricted audit/warn)
- SOPS Age encryption with automated rotation
- Full observability stack
- Air-gap support for isolated healthcare environments
Further Reading
- Platform Foundation — inherited services and security
- Finance Blueprint — similar approach for SOC2/PCI/NIST
- Blueprint Catalog — all blueprints