Skip Navigation

Learn how Key Vault is used to secure the Healthcare AI Blueprint

Posted on September 10, 2018

Principal Systems Architect, Microsoft Azure

System security is a top priority for any healthcare organization. There are many types of security including physical, network, application, email and so on. This article covers the system security provided by Azure Key Vault. Specifically, we examine the Key Vault implementation used in the Azure Healthcare blueprint. The intent is to demonstrate how a Key Vault works by seeing it used with the blueprint.


Securing sensitive data in the real world

In a healthcare organization, there are potentially dozens (or hundreds) of users that need access to sensitive data from diverse sources. Doctors, technicians, receptionists — some need access to just x-rays, some to payment schedules, and doctors need patient records. The matrix of users and data stores can be large. Managing so many permissions could be a nightmare. For dashboards or other user interfaces, permission needs to be granted to service accounts. For example, in machine learning, a data scientist may need to query data from many data repositories to find correlations and will need appropriate rights to those data stores.

In the blueprint, a Key Vault stores data like passwords and secrets that system users need access to things like databases and Machine Learning studio (MLS).

What Key Vault provides

Most complex systems require a secure and reliable way to store various types of data. This is especially true in regulated environments like healthcare, where patient and other confidential information must be protected.

A Key Vault provides separation of the application from any cryptography needed by that application. For example, a custom application deployed to Azure can access any keys, secrets, or certificates it has permission to access from a URL at runtime.

When using Key Vault to provide reliable technical security, it stores keys, certificates and what are referred to as “secrets.” A secret may be any string that is sensitive, such as a database connection string or a password.

Keys stored in key vaults are safeguarded by hardware security modules (HSM), a special trusted network computer performing a variety of cryptographic operations like key storage and management. Key Vaults take advantage of the Federal Information Processing Standards (FIPS) 140-2 Level 2 validated HSMs. 

Using Key Vault

There may be more than one Key Vault in an Azure tenant. It is a good practice to dedicate one Key Vault to a single application or system and another to a different system. This ensures Key Vaults respect the single responsibility principal by separating application or system specific stored items. Single-purpose Key Vaults are easier to manage than storing data from all systems and applications in one vault.

Anyone with an Azure subscription can create and use Key Vaults. The person who creates the Key Vault is the owner for it. In the Healthcare for AI blueprint, the user Alex_siteadmin has full access to the information in the Key Vault created using her credentials during the initial installation.

Users may access data in the vault after the vault owner provides access permissions. The owner provides developers with URIs to call from their applications.

In the blueprint system, Alex_siteadmin may access the sensitive data (certificates, keys, secrets) in the vault. To do this via the portal, simply click the Key Vault resource and look under the “settings” section.


Click the type of setting you wish to see: keys, secrets or certificates. After clicking Secrets, one finds Sqldb-ConnectionString in the list shown below.

Clicking Sqldb-ConnectionString reveals the URL to the connection string secret. Although Alex_siteadmin can see the URL to access the connection string, she cannot see the connection string itself.

Using Key Vault from an application

URLs are provided by Key Vaults for resource access in applications running under authored accounts. PowerShell and Azure CLI commands are available to retrieve keys secrets from vaults but accessing the key from a running application is typically the primary intent for storing items in the vault.

Secrets, keys and certificates are all available via a URL, but only if the current user has permissions to the item in the vault. Access policies must be set for users and service accounts to access vault items.

Managing Key Vaults

As mentioned above, it is a recommended practice to have separate instances of Key Vaults for different applications. This makes managing a Key Vault much simpler than storing secrets from multiple applications in a single vault.

It is also important to manage access policies for the various items in the vault. Accounts should be configured to have access solely to those items they need — and nothing else. Permissions are set via access policies which provide fine-grained control of permissions to items in the vault.

Deleting and restoring Key Vaults

“Soft delete” is a Key Vault feature that may be enabled on a vault. When this is true, if a Key Vault is deleted, it is recoverable for 90 days. It disappears from the Azure portal and it looks like the Key Vault has been completely deleted, like any other resource or service in Azure. This isn’t the case, however. It is held by Azure for 90 days and can be restored for any reason. Because of this precaution, a new Key Vault with the same name cannot be added to the Azure subscription until the “soft deleted” vault is truly deleted.

Restoring a Key Vault

To restore a Key Vault, owners may turn to PowerShell or the Azure CLI. In PowerShell, execute the following command.

Undo-AzureRmKeyVaultRemoval -VaultName <vault name> -ResourceGroupName <resource group> -Location <location>

Deleting a soft delete Key Vault

PowerShell and the Azure CLI also provides commands for permanently deleting a soft-deleted vault. This can be used to delete the vault before the 90-day period has elapsed. This is the PowerShell command:

Remove-AzureRmKeyVault -VaultName <vault name> -InRemovedState -Location <location>

Wrapping up

The Azure Healthcare AI Blueprint makes extensive use of Key Vault. It helps to ensure HIPAA compliance and uphold HITRUST certification. Create a separate Key Vault to experiment with in your Azure environment. Do not change any items in the app’s Key Vault — otherwise, the application may stop working.

Key Vaults focus specifically on security. It is the central store for keys, certificates, and secrets like database connection strings, passwords, and other sensitive information. When looking to secure your data and security keys, start your journey with Key Vault.

Recommended next steps:

  1. Do the quickstart: Set and retrieve a secret from Azure Key Vault using PowerShell. In this quickstart, you use PowerShell to create a key vault. You then store a secret in the newly created vault.
  2. Read the free solution guide Implementing the Azure blueprint for healthcare. Leverage the knowledge from this guide to deploy the Azure Healthcare AI Blueprint and explore how the blueprint is secured using key vault.