About Luca Berton

Luca Berton is an Ansible automation expert, author of 8 Ansible books published by Apress and Leanpub including "Ansible for VMware by Examples" and "Ansible for Kubernetes by Example", and creator of the Ansible Pilot YouTube channel. He shares practical automation knowledge through tutorials, books, and video courses to help IT professionals and DevOps engineers master infrastructure automation.

Ansible for Healthcare: HIPAA Compliance, EHR Systems, and Medical Device Management

By Luca Berton · Published 2024-01-01 · Category: installation

Automate healthcare IT infrastructure with Ansible. HIPAA compliance, EHR system management, medical device configuration, and PHI data protection at scale.

Introduction

Healthcare IT operates under some of the strictest regulatory requirements in any industry. HIPAA mandates protection of Protected Health Information (PHI), while the FDA regulates software in medical devices. Manual compliance is unsustainable across modern healthcare networks with thousands of endpoints. Ansible automates HIPAA compliance, EHR system management, and medical device configuration while maintaining the audit trails regulators demand.

See also: Ansible Patch Management: Automated OS Patching Across Linux and Windows Enterprise Fleets

HIPAA Security Rule Automation

Administrative Safeguards

---
- name: HIPAA Administrative Safeguards
  hosts: healthcare_systems
  become: true
  tasks:
    # § 164.312(a)(1) — Access Control
    - name: "HIPAA-AC01: Unique user identification"
      ansible.builtin.shell: |
        awk -F: '($3 >= 1000 && $3 < 65534)' /etc/passwd | \
        awk -F: '{print $3}' | sort | uniq -d
      register: duplicate_uids
      changed_when: false

    - name: Assert no duplicate UIDs
      ansible.builtin.assert:
        that: duplicate_uids.stdout_lines | length == 0
        fail_msg: "HIPAA VIOLATION: Duplicate UIDs found: {{ duplicate_uids.stdout_lines }}"

    # § 164.312(a)(2)(i) — Unique user identification
    - name: "HIPAA-AC02: No shared accounts"
      ansible.builtin.shell: |
        lastlog -b 90 | awk 'NR>1 && $2 != "**Never" {print $1}' | \
        grep -E '^(shared|generic|admin|test)' || echo "CLEAN"
      register: shared_accounts
      changed_when: false

    # § 164.312(a)(2)(iii) — Automatic logoff
    - name: "HIPAA-AC03: Session timeout (15 minutes)"
      ansible.builtin.lineinfile:
        path: /etc/profile.d/hipaa-timeout.sh
        line: "{{ item }}"
        create: true
        mode: '0644'
      loop:
        - "TMOUT=900"
        - "readonly TMOUT"
        - "export TMOUT"
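The AC01 and AC02 tasks above shell out to awk and grep and report only the colliding UIDs. The following Python is an added example, not code from the AnsiblePilot post: it runs the same duplicate-UID and shared-account-name checks over a constructed /etc/passwd sample and reports which usernames share each UID, which is what the fail_msg really needs. It simplifies AC02 by matching account names in passwd instead of recent lastlog activity, and SAMPLE_PASSWD is invented data.

```python
import re
from collections import defaultdict

# Constructed sample /etc/passwd content (not taken from any real host).
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001::/home/alice:/bin/bash
bob:x:1002:1002::/home/bob:/bin/bash
shared-nurse:x:1001:1001::/home/shared:/bin/bash
nobody:x:65534:65534::/nonexistent:/usr/sbin/nologin
"""

# Same UID range as the playbook's awk filter: human accounts only.
UID_MIN, UID_MAX = 1000, 65534
# Same naming prefixes the playbook greps for (assumed list from the post).
SHARED_PREFIX = re.compile(r"^(shared|generic|admin|test)")


def duplicate_uids(passwd_text):
    """Return {uid: [user, ...]} for UIDs used by more than one human account."""
    owners = defaultdict(list)
    for line in passwd_text.splitlines():
        parts = line.split(":")
        # Skip malformed lines instead of aborting the whole check.
        if len(parts) < 7 or not parts[2].isdigit():
            continue
        name, uid = parts[0], int(parts[2])
        if UID_MIN <= uid < UID_MAX:
            owners[uid].append(name)
    return {uid: users for uid, users in owners.items() if len(users) > 1}


def shared_accounts(passwd_text):
    """Usernames that look like shared/generic accounts (HIPAA-AC02 pattern)."""
    return [line.split(":")[0] for line in passwd_text.splitlines()
            if SHARED_PREFIX.match(line)]


def hipaa_access_control_report(passwd_text):
    """Combine both checks into one result an assert task could consume."""
    dupes = duplicate_uids(passwd_text)
    shared = shared_accounts(passwd_text)
    return {
        "compliant": not dupes and not shared,
        "duplicate_uids": dupes,
        "shared_accounts": shared,
    }
```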

Technical Safeguards

    # § 164.312(a)(2)(iv) — Encryption
    - name: "HIPAA-TS01: Verify disk encryption"
      ansible.builtin.shell: lsblk -o NAME,FSTYPE | grep -c crypt
      register: encryption
      changed_when: false
      failed_when: encryption.stdout | int == 0

    # § 164.312(c)(1) — Integrity controls
    - name: "HIPAA-TS02: Install AIDE (file integrity)"
      ansible.builtin.package:
        name: aide
        state: present

    # aide --init writes aide.db.new.gz; copy it to aide.db.gz after the first
    # run so that "creates:" keeps this task idempotent on later runs
    - name: "HIPAA-TS02: Initialize AIDE database"
      ansible.builtin.command: aide --init
      args:
        creates: /var/lib/aide/aide.db.gz

    # § 164.312(e)(1) — Transmission security
    - name: "HIPAA-TS03: Enforce TLS 1.2+ only"
      ansible.builtin.lineinfile:
        path: /etc/ssl/openssl.cnf
        regexp: '^MinProtocol'
        line: 'MinProtocol = TLSv1.2'

    - name: "HIPAA-TS03: Disable weak ciphers"
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^Ciphers'
        line: 'Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr'
      notify: restart sshd

Audit Controls

    # § 164.312(b) — Audit controls
    - name: "HIPAA-AU01: Configure comprehensive audit logging"
      ansible.builtin.template:
        src: hipaa-audit.rules.j2
        dest: /etc/audit/rules.d/hipaa.rules
      notify: restart auditd

    - name: "HIPAA-AU02: Log forwarding to SIEM"
      ansible.builtin.template:
        src: rsyslog-hipaa.conf.j2
        dest: /etc/rsyslog.d/hipaa-forwarding.conf
      notify: restart rsyslog

    - name: "HIPAA-AU03: Protect audit logs"
      ansible.builtin.file:
        path: /var/log/audit
        mode: '0700'
        owner: root
        group: root

    - name: "HIPAA-AU04: Log retention (6 years)"
      ansible.builtin.lineinfile:
        path: /etc/audit/auditd.conf
        regexp: "{{ item.regexp }}"
        line: "{{ item.line }}"
      loop:
        - { regexp: '^max_log_file_action', line: 'max_log_file_action = ROTATE' }
        - { regexp: '^num_logs', line: 'num_logs = 99' }
        - { regexp: '^max_log_file =', line: 'max_log_file = 100' }

EHR System Management

Deploy EHR Application Server

- name: Deploy EHR application servers
  hosts: ehr_servers
  become: true
  vars:
    ehr_version: "{{ vault_ehr_version }}"
    db_connection: "{{ vault_ehr_db_connection }}"
  tasks:
    - name: Install EHR prerequisites
      ansible.builtin.package:
        name:
          - java-17-openjdk
          - tomcat
          - postgresql-client
        state: present

    - name: Deploy EHR application
      ansible.builtin.copy:
        src: "builds/ehr-{{ ehr_version }}.war"
        dest: /opt/tomcat/webapps/ehr.war
        owner: tomcat
        group: tomcat
        mode: '0644'
      notify: restart tomcat

    - name: Configure database connection
      ansible.builtin.template:
        src: ehr-datasource.xml.j2
        dest: /opt/tomcat/conf/ehr-datasource.xml
        owner: tomcat
        mode: '0600'
      no_log: true
      notify: restart tomcat

    - name: Configure HL7 FHIR integration
      ansible.builtin.template:
        src: fhir-config.json.j2
        dest: /etc/ehr/fhir-config.json
        mode: '0640'

HL7/FHIR Interface Management

    - name: Configure HL7 message routing
      ansible.builtin.template:
        src: hl7-channels.xml.j2
        dest: /etc/mirth/channels/adt-feed.xml
      vars:
        hl7_source_port: 2575
        hl7_destination: "{{ ehr_hl7_endpoint }}"
        message_types:
          - ADT^A01  # Admit
          - ADT^A02  # Transfer
          - ADT^A03  # Discharge
          - ORU^R01  # Lab results
      notify: restart mirth
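The message_types list above only protects the EHR if the channel actually rejects everything else. As an added example (not code from the post or from the hl7-channels.xml.j2 template it references), this Python reads MSH-9 using the separators the message itself declares and accepts only the configured types; ADMIT_MSG and ORDER_MSG are constructed samples with no real patient data.

```python
# Same allowlist as the message_types variable in the Ansible task above.
ALLOWED_MESSAGE_TYPES = {"ADT^A01", "ADT^A02", "ADT^A03", "ORU^R01"}

# Constructed HL7 v2 messages (segments end in \r); only MSH matters here.
ADMIT_MSG = (
    "MSH|^~\\&|ADT1|HOSP|EHR|HOSP|202401010800||ADT^A01^ADT_A01|MSG0001|P|2.5\r"
    "PID|1||123456^^^HOSP^MR||DOE^JANE||19800101|F\r"
)
ORDER_MSG = "MSH|^~\\&|LAB|HOSP|EHR|HOSP|202401010805||ORM^O01^ORM_O01|MSG0002|P|2.5\r"


def message_type(hl7):
    """Return 'CODE^TRIGGER' from MSH-9, honouring the message's own separators."""
    first = hl7.split("\r", 1)[0]
    # MSH-1 (field separator) is the 4th character; MSH-2 starts right after it.
    if not first.startswith("MSH") or len(first) < 8:
        raise ValueError("message does not start with a valid MSH segment")
    field_sep = first[3]
    component_sep = first[4]
    fields = first.split(field_sep)
    # fields[0] is 'MSH', fields[1] is MSH-2, so MSH-9 is fields[8].
    if len(fields) <= 8:
        raise ValueError("MSH-9 (message type) missing")
    components = fields[8].split(component_sep)
    if len(components) < 2 or not all(components[:2]):
        raise ValueError("MSH-9 needs both message code and trigger event")
    return "^".join(components[:2])


def route(hl7, allowed=ALLOWED_MESSAGE_TYPES):
    """Return (accepted, detail); unparseable or unlisted messages are refused."""
    try:
        mtype = message_type(hl7)
    except ValueError as exc:
        return False, str(exc)
    if mtype not in allowed:
        return False, f"message type {mtype} not configured on this channel"
    return True, mtype
```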

See also: Security Best Practices for Ansible Automation Platform 2.6

Medical Device Network Management

- name: Configure medical device network segmentation
  hosts: network_switches
  gather_facts: false
  tasks:
    - name: Create medical device VLAN
      cisco.ios.ios_vlans:
        config:
          - vlan_id: 100
            name: MEDICAL-DEVICES
            state: active
          - vlan_id: 101
            name: CLINICAL-WORKSTATIONS
            state: active
          - vlan_id: 102
            name: GUEST-NETWORK
            state: active
        state: merged

    - name: Isolate medical devices from guest network
      cisco.ios.ios_acls:
        config:
          - afi: ipv4
            acls:
              - name: MEDICAL-ISOLATION
                aces:
                  - sequence: 10
                    grant: permit
                    source:
                      address: 10.100.0.0
                      wildcard_bits: 0.0.0.255
                    destination:
                      address: 10.101.0.0
                      wildcard_bits: 0.0.0.255
                    protocol: tcp
                  - sequence: 20
                    grant: deny
                    source:
                      address: 10.102.0.0
                      wildcard_bits: 0.0.0.255
                    destination:
                      address: 10.100.0.0
                      wildcard_bits: 0.0.0.255
                    protocol: ip
                    log: true
        state: merged

PHI Data Protection

- name: PHI data protection controls
  hosts: phi_databases
  become: true
  tasks:
    - name: Enable transparent data encryption
      community.postgresql.postgresql_query:
        db: ehr_production
        query: "ALTER SYSTEM SET ssl = on"
      become_user: postgres

    - name: Configure database SSL
      ansible.builtin.template:
        src: pg-ssl.conf.j2
        dest: /etc/postgresql/16/main/conf.d/ssl.conf
      notify: restart postgresql

    - name: Enable row-level security for PHI tables
      community.postgresql.postgresql_query:
        db: ehr_production
        query: |
          ALTER TABLE patient_records ENABLE ROW LEVEL SECURITY;
          CREATE POLICY phi_access ON patient_records
            USING (department = current_setting('app.department'));
      become_user: postgres

    - name: Configure data masking for non-production
      community.postgresql.postgresql_query:
        db: ehr_staging
        query: |
          UPDATE patients
          SET ssn = 'XXX-XX-' || right(ssn, 4),
              first_name = 'Patient',
              last_name = 'Test-' || id,
              phone = '555-0' || lpad(id::text, 3, '0')
          WHERE environment = 'staging';
      become_user: postgres
      when: env != 'production'

See also: Ansible Automation Platform In-Platform Compliance Dashboard: DISA STIG, CIS, and OpenSCAP

Compliance Scanning Schedule

# AAP Schedule:
# - Daily: HIPAA technical controls scan (automated)
# - Weekly: Access review report (automated)
# - Monthly: Full compliance assessment (automated + human review)
# - Quarterly: Penetration test preparation (automated scan)
# - Annual: Risk assessment support (data collection)

Best Practices

Encrypt PHI everywhere — At rest (disk encryption), in transit (TLS), in backups (encrypted)
Minimum necessary access — RBAC in AAP mirrors HIPAA's minimum necessary standard
Audit everything — 6-year retention for HIPAA audit logs
Network segmentation — Medical devices on isolated VLANs
No PHI in automation logs — no_log: true on every task touching patient data
Business Associate Agreements — Ensure cloud providers (Vault, AAP SaaS) have BAAs
Incident response playbooks — Automated breach detection and notification workflows
Regular access reviews — Automated quarterly reports of who has access to what

FAQ

Can Ansible manage FDA-regulated medical devices?

Ansible can manage the IT infrastructure around medical devices (networks, servers, monitoring). Direct device configuration depends on the device manufacturer's validation requirements. Always consult your quality/regulatory team.

HIPAA compliance for cloud-hosted AAP?

If AAP processes PHI metadata (hostnames of PHI systems, etc.), ensure your AAP hosting provider has a Business Associate Agreement. Self-hosted AAP on compliant infrastructure is preferred.

How to handle breach notification automation?

Automate the detection and evidence-gathering phases. The actual breach notification to HHS/patients requires human judgment on whether a reportable breach occurred.

Conclusion

Ansible brings systematic, auditable automation to healthcare IT — enforcing HIPAA controls continuously, managing EHR deployments safely, and protecting PHI through encryption, access controls, and network segmentation. In an industry where compliance isn't optional, automation ensures nothing falls through the cracks.
