Design principles
The security pillar of the AWS Well-Architected Framework sets out principles that can help strengthen the security of your workload:
- Implement a strong identity foundation: Implementing the principle of least privilege is foundational to the security of life sciences workloads. Centralize identity management, and aim to avoid reliance on long-term static credentials.
- Implement the principle of separation of duties: Avoid conflicts of interest, abuse, and errors, and detect control failures, including security breaches, information theft, and circumvention of security controls.
- Be continually inspection-ready: Monitor, alert, and audit actions and changes to your environment in real time. Integrate log and metric collection with systems to investigate and remediate issues automatically.
- Apply security at each layer: Apply a defense-in-depth approach with multiple security controls. Security should apply to each layer, from the edge of the network to the application and code.
- Automate security best practices: Automated software-based security mechanisms improve your ability to scale more securely, rapidly, and cost-effectively.
- Encrypt data in transit and at rest: Classify your data to identify health data and other sensitive data. Use encryption, tokenization, and de-identification to decrease the sensitivity of data, and implement access controls.
- Keep people away from data: Use mechanisms and tools to reduce the need for direct access or manual processing of health data, consistent with the principle of least privilege.
- Prepare for security events: Prepare for an incident by having incident management and investigation policy and processes that align to your organizational requirements and applicable regulatory frameworks.