VMware 'SDDC'Product' Applicability'Guide'for' HIPAA/HITECH,'v1.0 '

Transcription

1 VMware SDDCProduct ApplicabilityGuidefor HIPAA/HITECH,v1.0 November2013 TECHNICALGUIDE This is the first document in the Compliance Reference Architecture for HIPAA. You can find more information on the Framework and download the additional documents from the VMware HIPAA Compliance Resources on VMware Solution Exchange.

2 VMwareProductAvailability GuideforHIPAAandHITECH TableofContents Introduction...2 ScopeandApproach...3 VMwareSolutionScope...3 HIPAAandHITECHActScope...4 Approach...4 OverviewofHIPAA/HITECHSecurityRequirements...6 HIPAAProtectedHealthInformationandIdentifiers...9 HIPAA/HITECHComplianceGuidance...10 DefinitionofCloudComputing...12 WheretoStart ConsiderationsforCoveredEntities...14 Management/BusinessConsiderations...15 ITConsiderations...15 VMwareHIPAAComplianceStack...15 HIPAASecurityRuleSolutionApplicabilityMatrix...16 HIPAASecurityRuleSolutionApplicabilityDetails...20 vsphere...20 vclouddirector...22 vcloudnetworkingandsecuritysuite...24 vcentersiterecoverymanager...26 vcenteroperationsmanagementsuite...28 Acknowledgments...30 AboutAccuvant...30 TECHNICALGUIDE/1

3 VMwareProductAvailability GuideforHIPAAandHITECH Introduction Informationsecuritydesignandarchitecturalrequirements,drivenbyregulatorycompliance,arecommon butcriticalaspectsthatorganizationsshouldconsiderwhenmigratingfromtraditionalit environmentstocloudcomputingenvironments.helpingorganizationswiththearduoustasksof meetingandmaintaininghipaaandthehitechactregulatorycompliance,vmwareanditspartners providesuitesofindustry[leading,virtualizationsolutionswhichaddresstheconfidentiality,integrity andavailabilityrequirementsofhipaa/hitech.thisvmwaresolutionguidewillassistin answeringquestionssuchas HowCanOurOrganizationComplywithHIPAARequirements withinacloudcomputingenvironment byprovidinghelpfulinformationtovmwarearchitects, thehipaa/hitechcommunity,businessstakeholdersandthirdparties. VMwarevCloudSuiteisVMware scompletesoftware?defineddatacenter(sddc)solution, enablingcustomerstobuildandmanagetheirowncloudinfrastructure.thevcloudsuiteis offeredintothreeeditionsanddividedintoeightdiscretesoftwarecomponents: vsphere Virtualizedinfrastructurewithpolicy[basedautomation vclouddirector Virtualizeddatacenterswithmulti[tenancyandpubliccloudextensibility vcloudconnector Integratedviewinganddynamictransferofworkloadsbetweenprivateandpublic clouds vcloudnetworkingandsecurity Softwaredefinednetworking,securityandecosystemintegration vcentersiterecoverymanager Automateddisasterrecoveryplanning,testingandexecution vcenteroperationsmanagementsuite Integrated,proactiveperformancecapacity,and configurationmanagementfordynamiccloudenvironments.thevcenteroperations ManagementSuiteisbrokenintosevenfeaturesthatareoffereddependingonvCloudSuite editiontype.thesesevenfeaturesare: ApplicationMonitoring StorageAdaptersforEMC VMConfigurationCompliance HostConfigurationCompliance PerformanceandCapacityOptimization ApplicationAwareness Chargeback vfabricapplicationdirector Multi[tierapplicationservicecatalogpublishingand provisioning vcloudautomationcenter Self[serviceandpolicy[enabledcloudserviceprovisioning TECHNICALGUIDE/2

4 VMwareProductAvailability GuideforHIPAAandHITECH Figure1.VMwareCloudSuitecomponents ScopeandApproach DuetothebroadcontextoftheHIPAAandHITECHactsitisprudenttoproperlydefineand detailthescopeofthisdocumentandtheapproachthathasbeentakenindefiningsuch scope.thescopeisdividedbetweenthevmwarecomponentsthatareincluded,reviewedand consideredhighlyrelevantaspartofthisguideandthegoverningsectionsofthehipaaand HITECHActsthatpertaintoelectronicdata,informationtechnologyandthusnetworkand electronicinformationsecurity.whilethisguideprovidesspecifictechnicalopinionsregarding theapplicabilityofvmwaresolutionstohipaa sregulationstheguideisneither comprehensiveinitscoverageoftheentirehipaaregulationnorprescriptive.itdoesnot defineasingleimplementationstrategythatassurescompliance. VMwareSolutionScope UsingtheEnterpriseeditionofvCloudSuiteasthebasisfortheVMwaresolution,the componentsapplicabletothisguideanddetailedwithinthisguide( VMwareScope )include: vsphere vclouddirector vcloudnetworkingandsecurity(vcns) vcentersiterecoverymanager(srm) vcenteroperationsmanagementsuite(oms) VMConfigurationCompliance HostConfigurationCompliance TECHNICALGUIDE/3

5 VMwareProductAvailability GuideforHIPAAandHITECH ThosespecificVMwarecomponentsthatarenotwithinthescopeofthisdocumenthavebeen omittedeitherbecauseoftheirnon[applicability(i.e.applicationmonitoring,applicationawareness, PerformanceandOptimizationandChargebackcomponentsofvCenterOMS,vFabricApplication DirectorandvCloudAutomationCenter)orinterdependencyuponseparatetechnologynotin scope(i.e.storageadaptersforemc). HIPAAandHITECHActScope TheportionsoftheHIPAAandHITECHactsthatareconsideredtechnicalinnatureandthereforewithin scope( HIPAAScope )ofthisguideconsistofspecificcontrolswithinhipaa ssecurityrule, 45CFRPart160andSubpartsAandCofPart164.TheHITECHactandotherportionsof HIPAA,suchasthePrivacyRule,aswellasseveralsectionsofHIPAA ssecurityrulearenot addressablethroughtheuseofvirtualizationandcloudtechnology,includingvmware s solutionsandthereforearenotcoveredwithinthisdocument. VMwarerecognizesthelargerimpactthatthefullscopeofHIPAAandHITECHhasuponan organization.thissolutionsguideisintendedtohelpanorganizationunderstandtherolethat VMware ssolutionscanplaywithintheirlargercomplianceefforts.andduetotheflexiblenatureof HIPAAandsignificantimpactthatnon[compliancecanhaveuponanorganization,itisstrongly recommendedthatorganizationsestablishtheirhipaaandhitechcomplianceeffortsupona comprehensiveriskassessmentstrategy. Approach The HIPAASecurityRuleSolutionApplicabilityMatrix (foundlaterinthisdocument)mapsthe specificrequirementsofthehipaasecurityruletovmware sproductsolutionsuites,theirtechnology areasandinsomecasespartnersolutions.byunderstandinghowthetechnologysolutionsand technologyareasapplytothecompliancerequirementscustomersareabletosupporttheirbroader electronicgovernance,riskandcompliance(egrc)initiatives. Figure2.VMware+PartnerProductSolutionsforaTrustedCloud TECHNICALGUIDE/4

6 VMwareProductAvailability GuideforHIPAAandHITECH Whiletherearemanyvariationsofcloudenvironments,includingpublic,privateandhybrid clouds,andtherearemanypartnersolutionsthatenhanceanorganization sabilitytoaddress confidentiality,integrityandavailability,thevmwarevcloudsuitecanhelporganizations addressupto23%(asseeninfigure3below)ofthecompliancerequirementsofthehipaa SecurityRule. Figure3.HIPAASecurityRuleControlsCoverage TECHNICALGUIDE/5

7 VMwareProductAvailability GuideforHIPAAandHITECH OverviewofHIPAA/HITECHSecurityRequirements TheHealthInsurancePortabilityandAccountabilityActof1996(HIPAAePub.L.104[191,110Stat.1936) wasenactedbytheunitedstatescongressandsignedbypresidentbillclintononaugust21, 1996.TitleII:PreventingHealthCareFraudandAbuseFAdministrativeSimplificationFMedical LiabilityReformdefinespolicies,proceduresandguidelinesformaintainingtheprivacyandsecurity ofindividuallyidentifiablehealthinformationaswellasoutliningnumerousoffensesrelatingtohealth careandsetscivilandcriminalpenaltiesforviolations. AsrequiredbyCongressinHIPAAandHITECHcoverthefollowingtypesoforganizations: Healthplans Healthcareclearinghouses Healthcareproviderswhoconductcertainfinancialandadministrativetransactionselectronically. TheseelectronictransactionsarethoseforwhichstandardshavebeenadoptedbytheSecretary underhipaa, suchaselectronicbillingandfundtransfers. FailuretomeetHIPAAcompliancerequirementsandstandardscouldgiverisetobothcivilandcriminal penalties.section13410ofthehitechactamendssection1176ofthesocialsecurityact(42 U.S.C1320d[5)inordertoupdateenforcementofHIPAA.ThepenaltiesundertheSocial SecurityAct,andamendedintheHITECHactaredividedintocategoriesofclaimsand categoriesofpenaltiesthatareapplicabletoindividualsandorganizations. Civilmonetarypenaltiesaredividedasfollows: IncasesofunknowingviolationsofHIPAA,eachviolationwouldresultin$100[$50,000foreach suchviolation,nottoexceed$1,500,000fortheallsuchviolationswithinthesamecalendaryear. Incasesofwrongfuldisclosureofindividuallyidentifiablepatientinformation,apersonshallbefined $1,000[$50,000foreachsuchviolationandnotmorethan$1,500,000forallsuchviolationswithin thesamecalendaryear. Incaseswheretheoffenseiscommittedunderfalsepretensesandcorrectedinthesamecalendar year,apersonshallbefined$10,000[$50,000foreachsuchviolationandnotmorethan$1,500,000 forallsuchviolationswithinthesamecalendaryear. Incaseswheretheoffenseiscommittedunderfalsepretensesandnotcorrectedinthesame calendaryear,apersonshallbefined$50,000foreachsuchviolationandnotmorethan$1,500,000 forallsuchviolationswithinthesamecalendaryear. Criminalpenaltiescanbeimposedagainstindividualsandaredividedasfollows: Upto$50,000andpotentialimprisonmentofnotmorethan1yearincasesofwrongfuldisclosureof PHI. Upto$100,000andpotentialimprisonmentofnotmorethan5yearsincasescommittedunderfalse pretenses. Upto$250,000andimprisonmentofnotmorethan10yearsincasescommittedwithintenttosell, transferorusephiforcommercialadvantage,personalgainormaliciousharm. TheHIPAASecurityRule,asdefinedwithin45CFRPart160andSubpartsAandCofPart 164,has22requirementsthatpertaintothesafeguardingofpatientdataandareoutlined below.ofthose22,therequirementsthatwebelievearerelevanttovmware sproduct solutionsarehighlightedinyellow: TECHNICALGUIDE/6

8 VMwareProductAvailability GuideforHIPAAandHITECH HIPAA Administrative Safeguards HIPAAStandard Reference ApplicabilitytoTechnicalScope SecurityManagementProcess (a)(1)(i) Notapplicable AssignedSecurityResponsibility (a)(2) Notapplicable WorkforceSecurity (a)(3)(i) Notapplicable InformationAccessManagement (a)(4)(i) Notapplicable SecurityAwarenessandTraining (a)(5)(i) Notapplicable SecurityIncidentProcedures (a)(6)(i) Notapplicable ContingencyPlans (a)(7)(i) Notapplicable Evaluation (a)(8) Notapplicable BusinessAssociateContracts andotherarrangements (b)(1) Notapplicable HIPAA PHYSICAL Safeguards HIPAAStandard Reference ApplicabilitytoTechnicalScope FacilityAccessControls (a)(1) Notapplicable WorkstationUse (b) Notapplicable WorkstationSecurity (c) Notapplicable TECHNICALGUIDE/7

9 VMwareProductAvailability GuideforHIPAAandHITECH HIPAA PHYSICAL Safeguards DeviceandMediaControls (d)(1) Notapplicable HIPAA TECHNICAL Safeguards HIPAAStandard Reference ApplicabilitytoTechnicalScope AccessControl (a)(1) Applicable AuditControls (b) Applicable Integrity (c)(1) Applicable PersonorEntityAuthentication (d) Applicable TransmissionSecurity (e)(1) Applicable HIPAA organizational requirements HIPAAStandard Reference ApplicabilitytoTechnicalScope BusinessAssociateContractsor OtherArrangements (a)(1)(i) NotApplicable RequirementsforGroupHealth Plans (b)(1) NotApplicable TECHNICALGUIDE/8

10 VMwareProductAvailability GuideforHIPAAandHITECH HIPAA Policies and Procedures and Documentation Requirements HIPAAStandard Reference ApplicabilitytoTechnicalScope PoliciesandProcedures (a) NotApplicable Documentation (b)(1)(i) NotApplicable Table1:HIPAASecurityStandards HIPAAProtectedHealthInformationandIdentifiers Protectedhealthinformation(PHI)hasbeendefinedbytheUSDepartmentofHealthandHuman Services( HHS )asanyinformationinthemedicalrecordordesignatedrecordsetthatcanbe usedtoidentifyanindividualandthatwascreated,used,ordisclosedinthecourseof providingahealthcareservicesuchasdiagnosisortreatment.hipaaregulationsallowresearchers toaccessandusephiwhennecessarytoconductresearch.however,hipaaonlyaffectsresearch thatuses,creates,ordisclosesphithatwillbeenteredinto themedicalrecordorwillbeusedforhealthcareservices,suchastreatment,paymentor operations. AsdefinedbytheHeathResourcesandServicesAdministration: UndertheHIPAAPrivacyRule,protectedhealthinformation(PHI)referstoindividually identifiablehealthinformation.individuallyidentifiablehealthinformationisthatwhichcanbe linkedtoaparticularperson.specifically,thisinformationcanrelateto: Theindividual spast,presentorfuturephysicalormentalhealthorcondition, Theprovisionofhealthcaretotheindividual,or, Thepast,present,orfuturepaymentfortheprovisionofhealthcaretotheindividual. Commonidentifiersofhealthinformationincludenames,socialsecuritynumbers,addresses, andbirthdates. TheHIPAASecurityRuleappliestoindividualidentifiablehealthinformationinelectronicform orelectronicprotectedhealthinformation(ephi).itisintendedtoprotecttheconfidentiality, integrity,andavailabilityofephiwhenitisstored,maintained,ortransmitted. 1 The18PHIidentifiersthathavebeendefinedwithinHIPAAbytheHHSasin[scopeinclude: Namese AllgeographicalsubdivisionssmallerthanaState 2 e Allelementsofdates(exceptyear)fordatesdirectlyrelatedtoanindividual 3 e Phonenumberse Faxnumberse Electronicmailaddressese With exceptions 3 With exceptions TECHNICALGUIDE/9

11 VMwareProductAvailability GuideforHIPAAandHITECH SocialSecuritynumberse Medicalrecordnumberse Healthplanbeneficiarynumberse Accountnumberse Certificate/licensenumberse Vehicleidentifiersandserialnumbers,Includinglicenseplatenumberse Deviceidentifiersandserialnumberse WebUniversalResourceLocators(URLs)e InternetProtocol(IP)addressnumberse Biometricidentifiers,includingfingerandvoiceprintse Fullfacephotographicimagesandanycomparableimageseand 18. Anyotheruniqueidentifyingnumber,characteristic,orcode(notethisdoesnotmeanthe uniquecodeassignedbytheinvestigatortocodethedata) HIPAA/HITECHComplianceGuidance Whileformalguidelineshavenotyetbeenreleasedrecommendingexplicitsecurityguidelines forhipaacompliancewithinapubliccloudenvironment,in2007theu.s.departmentof HealthandHumanServices( HHS )releasedan EducationalPaperSeries thatcovereda numberofsecurityprinciplesinanefforttoprovidehipaacoveredentities insightintothesecurity Rule 4.Thepaperscoveredavarietyoftopics: Security101forCoveredEntities AdministrativeSafeguards PhysicalSafeguards TechnicalSafeguards Organizational,PoliciesandProceduresandDocumentationRequirements BasicsofRiskAnalysisandRiskManagement SecurityStandards:ImplementationfortheSmallProvider AllofthepapersprovidedbytheHHSarerecommendedindevelopinganunderstandingof HIPAA sintent.ofthesevenpapers,thesecurity101forcoveredentities,technical SafeguardsandBasicsofRiskAnalysisandRiskManagementholdthemostrelevancetothe VMwarescopedefinedinanearliersection. 4http:// TECHNICALGUIDE/10

12 VMwareProductAvailability GuideforHIPAAandHITECH Figure4.HIPAASecuritySeries#1,#4and#6 InadditiontotheEducationalPaperSeries,HHSreleasedin2010aguidancepaperrelative tohitechtitled GuidanceonRiskAnalysisRequirementsundertheHIPAASecurityRule. ThispaperisintendedtoassistorganizationsinunderstandingwhatHHSconsidersthe mosteffective andappropriateadministrative,physicalandtechnicalsafeguards 5 relativetoe[phi.inthis documentthehhsveryspecificallyacknowledgeslimitedprescriptivespecificitywithinthe SecurityRuleandpointsatoneverycleardirective basetheidentificationand implementationofthevarioussafeguardsuponriskanalysis. WeunderstandthattheSecurityRuledoesnotprescribeaspecificriskanalysismethodology, recognizingthatmethodswillvarydependentonthesize,complexity,andcapabilitiesofthe organization.instead,theruleidentifiesriskanalysisasthefoundationalelementintheprocessof achievingcompliance,anditestablishesseveralobjectivesthatanymethodologyadoptedmust achieve 6. Theguideprovidesadditionalclarificationbetweentheterms addressable and required enotingthat addressablespecificationsarenotoptionalandrequireorganizationstodeterminewhether eachaddressablespecificationisreasonableandappropriate.organizations mustdocument 7,as partofthatdeterminationprocess,whyaparticularspecificationwasdeterminedtobeunreasonable orinappropriate. 5FromGuidanceonRiskAnalysisRequirementsUnderHIPAASecurityRulepg.1,postedJuly14,2010 6FromGuidanceonRiskAnalysisRequirementsUnderHIPAASecurityRulepg.2postedJuly14,2010 7FromGuidanceonRiskAnalysisRequirementsUnderHIPAASecurityRulepg.2postedJuly14,2010 TECHNICALGUIDE/11

13 VMwareProductAvailability GuideforHIPAAandHITECH Figure5.GuidanceonRiskAnalysisRequirementsUndertheHIPAASecurityRule DefinitionofCloudComputing Cloudcomputingcanbedefinedasamodelforleveragingpoolsofsharedresourceson[demand,suchas networks,storage,servers,applicationsandservices.thesesharedresources,knownasa cloud,provideamultitudeofcapabilities,someofwhichincludescalability,elasticityofit resources,smallerenvironmentalfootprintsuchaspowerorphysicalspace,andfinallymore accurateeconomiesofscale. Cloudcomputingisnothingnew,andhasoriginsdatingbacktotheearly1950 sand1960 s,when mainframesweremodifiedtoprovidebetterefficiencyandscalability.theterm cloud itself becamecommonplacewheninthe1990 sthegraphicofacloudwasusedtoidentifythe Internetoranyothersharednetwork.Ithasreallybeeninthelastdecadethatamature definitionof CloudComputing hasbeenestablished.severalkeyeventsoccurredthat helpedtoestablishcurrentdaycloudcomputing: 1.In1999VMwareintroducedtheVMwareVirtualPlatformthatprovidedthefirstaffordableand reliablevirtualizationplatform,enablingbroadadoptionofvirtualizationwithinthedatacenterand ultimatelysupportingprivatecloudcomputing. 2.In2006AmazonreleasedAmazonWebServices(AWS)expandingcloudcomputingfroma privateendeavortoautilityprovidedtoexternalcustomers. VMwaredefinescloudorutilitycomputingasthefollowing: Cloudcomputingisanapproachtocomputingthatleveragestheefficientpoolingofon? demand,self?managedvirtualinfrastructure,consumedasaservice.sometimesknownasutility computing,cloudsprovideasetoftypicallyvirtualizedcomputerswhichcanprovideuserswiththe abilitytostartandstopserversorusecomputecyclesonlywhenneeded,oftenpayingonly uponusage. Thereareseveralkeycharacteristicstocloudcomputingthatarerecognizedthroughoutthe industry.thefirstkeycharacteristicofthecloudisitsservicemodels.thesecondkey characteristicofthecloudisitsdeploymentmodels.fourdistinctdeploymentmodelsexist(which donotnecessarilyalignwiththeservicemodels):theprivatecloud,thepubliccloud,thehybridcloud (combiningbothpublicandprivate),andfinallythecommunitycloud. TheCloud sservicemodelsaredividedintofourseparateservicemodels: InfrastructureasaService(IaaS) AsthenamesuggeststheIaaSmodelisspecifictothe infrastructurethatsupportscloudcomputing.iaassolutionprovidersofferphysicalorvirtual TECHNICALGUIDE/12

14 VMwareProductAvailability GuideforHIPAAandHITECH computers,disk,networkroutingandswitchinginfrastructureandothernetworkandsecurity infrastructure. PlatformasaService(PaaS) BuildinguponanIaaSsolution,thePaaSmodelprovidesthe computingplatformnecessarytorunandsupporttheapplicationsandservices.apaassolution providertypicallyprovidestheoperatingsystems,serviceapplicationstack suchaswebservers anddatabaseservers,andothernecessaryenvironmentsupport suchasprogramminglanguages, frameworksandservices. SoftwareasaService(SaaS) Certainlythemostvisibleoftheservicemodels,theSaaSmodel providesaccesstofullyoperationalapplications.theseapplicationsarefullymanagedattheplatform andinfrastructurelevelandareoftenaresupportedthroughseparateiaasandpaasproviders. NetworkasaService(NaaS) Thisfinalmodelbringscommonnetwork,transportorVPN connectivitytothemarket. TheCloud sdeploymentmodelshappentoalsobedividedintofourdistinctmodelstoday.the deploymentmodelstonotnecessarilyalignwiththeservicemodelsdefinedabove. PrivateCloud Thecloudinfrastructureisoperatedsolelyforanorganizationandmaybemanaged bytheorganizationorathirdparty.thecloudinfrastructuremaybeon[premiseoroff[premise. PublicCloud Thecloudinfrastructureismadeavailabletothegeneralpublicortoalargeindustry groupandisownedbyanorganizationthatsellscloudservices. Figure6.CloudComputingOverview HybridCloud Thecloudinfrastructureisacompositionoftwoormoreclouds(privateandpublic) thatremainuniqueentities,butareboundtogetherbystandardizedtechnology.thisenablesdataand applicationportabilityeforexample,cloudburstingforloadbalancingbetweenclouds.withahybrid cloud,anorganizationgetsthebestofbothworlds,gainingtheabilitytoburstintothepubliccloud whenneededwhilemaintainingcriticalassetson[premise. TECHNICALGUIDE/13

15 VMwareProductAvailability GuideforHIPAAandHITECH CommunityCloud Thecloudinfrastructureissharedbyseveralorganizationsandsupportsaspecific communitythathassharedconcerns(forexample,mission,securityrequirements,policy,and complianceconsiderations).itmaybemanagedbytheorganizationsorathirdparty,andmayexist on[premiseoroff[premise. TolearnmoreaboutVMware sapproachtocloudcomputing,pleasereviewthefollowing: VMwareCloudComputingOverview[ computing/index.html#tab3 VMware svcloudarchitecturetoolkit[ architecture/vcat[toolkit.html Organizationsconsideringthepotentialcomplianceimpactcloudcomputinghasuponcritical applicationsthatmaybehighlyregulatedshouldconsiderthefollowingquestions: Towhatextentdothoseapplicationsleveragecloudarchitecture? Whatservicemodelsanddeploymentmodelsarebeingusedtotransmitandstoreprotectedhealth informationandwhoarethecloudprovidersinvolved? Arethecloudplatformsusedtrustedplatformsandwhatcomplianceassurancesareprovidedbythe cloudprovidersinvolved? Whichindustry[recognizedcertificationshasthecloudprovider,environmentandservicebeen auditedandcertifiedascompliantfor? Afinalcriticalpointthatmustbeconsideredisthat,becauseHIPAAdoesnotprescribehowto meet regulatorycompliance(i.ewhichtechnologytouse,howtoimplementsaidtechnology,etc),itis imperativethatanorganization sbusinessanditstakeholdersarealignedwithtechnology requirementsdrivenfromthestakeholder. VMwareisthegloballeaderinvirtualization,thekeytechnologythatenablescloudcomputing.VMware s vcloudsuiteisaturnkey,integratedvirtualizationsolutionforbuildingandmanaginga completecloudinfrastructure,allowingcustomerstorealizethemanybenefitsofcloud computing. PriortoundertakinganyHIPAAcomplianceproject,VMwarerecommendsthatcustomersdeterminea healthcheck statusofsystemscompliance.customerscanimplementvmware s HIPAACompliance Checker bydownloadingtheapplicationfromthefollowinglocation: chk&lp=default&cid= mjsmaaw WheretoStart ConsiderationsforCoveredEntities Whenitcomestothequestionofwheretostart,HIPAAandtheguidancearoundHIPAAis quitespecific.organizationsthatareworkingonachievinghipaaandhitechcomplianceshouldstart withariskassessment.asnotedbythedepartmentofhealthandhumanservicesandrelative tohipaa ssecurityrule: theruleidentifiesriskanalysisasthefoundationalelementintheprocessofachieving compliance,anditestablishesseveralobjectivesthatanymethodologyadoptedmust achieve 8 8FromGuidanceonRiskAnalysisRequirementsUnderHIPAASecurityRulepg.2postedJuly14,2010 TECHNICALGUIDE/14

16 VMwareProductAvailability GuideforHIPAAandHITECH Whatisveryimportanttonoteisthatutilizingavirtualorcloudenvironmenthasnogreater impactrelativetohipaacompliancethantraditionalinformationtechnologyoranydifferencesthanare typicallyconsideredbetweenvirtualization,cloudandtraditionaltechnology.organizationscan utilizeastrongriskmanagementapproachtowardtheirhipaacomplianceeffortsandtake advantageofthemanyadvantagesprovidedbyvirtualorcloudenvironmentsbecausetherisk assessmenteffortshouldinformtheorganizationoftheproperapplicationofsecuritywithin thevirtualorcloudenvironment. IndependentofHIPAAorHITECH,themovetocloudandvirtualenvironmentsarefilledwithtechnical considerationsandbusinessdecision,someofwhichdifferfromtraditionalinformation technology.organizationsshouldreviewthebenefitsandrisksoftheircurrentenvironment andcomparethemtothedifferentclouddeploymentmodelsandservicemodels. Thefollowingquestionsmaybeimportantwhenconsideringthepotentialbusinessimpact, benefits,andrisksofavirtualand/orcloudenvironment. Management/BusinessConsiderations 1.CantheCloudbeastrategicdifferentiatorforthebusinessorisitacommodityservice? 2.WhatisthestrategicvaluethattheCloudcoulddelivertotheorganization? 3.WhataretheareaswheretheCloudcanprovideadditionalvaluetothecompany? 4.WhatisthebusinessvaluethattheCloudcoulddelivertooperations? 5.Havetherebeenanypreviousattemptstovirtualizeoroutsourcecriticaloperations? 6.WhatCloudmodels,includingPublic,HybridandPrivate,arebeingconsidered? 7.WhatarethecriticalITservicesthatareorcouldbeoutsourced? ITConsiderations 1.Aretheorganizationalbusiness,IT,andGRCgroupsalignedwiththevirtualizationorcloud strategy? 2.HastheproposedvirtualizationimplementationbeencommunicatedtoGRCandapproval received? 3.HowhasGRCaffectedITOperationsanddoesitmandateanyconsiderationswhenconsidering virtualizationorcloudenvironments? 4.HastheflowofePHIbeenidentifiedanddocumented? 5.Haveallsystems(servers,SANs,SEIMs)whichstoreePHIandareconsidered in[scope for HIPAAcompliancebeenidentified?Whichvirtualizationorclouddeploymentmodelandservice modelwill beimplemented? 6.HowcanvirtualizationorcloudtechnologybenefitexistingITinitiatives?Arethereeffortsto consolidateitfunctionsthatcanbeaddressedwithcloud? 7.WhatIToperationalchangesshouldbemade,fromasegregationofdutiesperspective,to accountfortheconversionofphysicaltovirtualizedresourceswithintheorganization? 8.Wherecanvirtualizationand/orCloudimproveexistingSLAorOLAs(Internal,External)? VMwareHIPAAComplianceStack VMwareprovidesanextensivesuiteofproductsdesignedtosupportanorganization s InformationSecurityandCompliancerequirements.Whileeveryenvironmentwillhaveunique needs,thefollowinghipaa/hitechcompliancestackprovidesacomprehensivemixof TECHNICALGUIDE/15

17 VMwareProductAvailability GuideforHIPAAandHITECH VMwaresolutionsthatcanhelporganizationsmeetthecomplianceandgovernance requirementsofhipaa/hitech. VCloud Suite Product Product Components or Features vsphere ESXi,vMotion,StoragevMotion,HighAvailability,Data ProtectionandReplication,andHostProfiles vclouddirector ElasticVirtualDatacenters,ServiceCatalogandMulti[Tenancy vcloudnetworkingandsecurity Suite Edge,AppFirewall,VXLAN,andDataSecurity vcentersiterecoverymanager RecoveryPlans,AutomatedDRFailoverandFailback,vSphere Replication vcenteroperationsmanagement Suite VMConfigurationCompliance,andHostConfigurationCompliance Table2:Captiontocome. HIPAA/HITECHrequirementsandhavebeenaddressedindetailinthefollowingsections.To determinetheproductsandfeaturesavailablewithvmwaresuitespleasereferto VMware.com. HIPAASecurityRuleSolutionApplicabilityMatrix VMwarehascreatedaHIPAASecurityRuleRequirementsMatrixtoassistorganizationswithan understandingofvmwaresolutions,vmwarepartnersolutions(wheretheyoverlap),andthe remainingcustomerresponsibilitiesthatshouldbeaddressedseparatelybythecustomer throughuseofothertoolsorprocesses.whileeverycloudisunique,vmwarebelievesthatthe technicalrequirementsfoundwithinthesecurityrulecanbeaddressedthroughthevmwaresuites and/orvmwarepartnersolutions. TheremaininggapsinaddressingHIPAA/HITECHrequirementsmaybefilledbythecustomerthrough processes,proceduresandothertools(i.e.approvingcustomers policies,keepinganupdated networkdiagram,approvingchanges,etc.). TECHNICALGUIDE/16

18 VMwareProductAvailability GuideforHIPAAandHITECH Figure7.VMwareSolutions Figure8.DiagrammaticRepresentationofVMwareandVMwarePartnerProductsforHIPAA TECHNICALGUIDE/17

19 VMwareProductAvailability GuideforHIPAAandHITECH PIE CHART HIPAA STANDARD REF. REQUIREMENT ADDRESSED IN VMWARE S SUITES REQUIREMENT ADDRESSED OR ENHANCED BY PARTNERS REQUIREMENT NOT ADDRESSED BY VMWARE OR PARTNERS Security Management Process (a)(1)(i) No No Yes AssignedSecurity Responsibility (a)(2) No No Yes WorkforceSecurity (a)(3)(i) No No Yes InformationAccess Management (a)(4)(i) No No Yes Security Awarenessand Training (a)(5)(i) No No Yes SecurityIncident Procedures (a)(6)(i) No No Yes ContingencyPlan (a)(7)(i) No No Yes Evaluation (a)(8) No No Yes BusinessAssociate Contracts andother Arrangements (b)(1) No No Yes FacilityAccess Controls (a)(1) No No Yes WorkstationUse (b) No No Yes TECHNICALGUIDE/18

20 VMwareProductAvailability GuideforHIPAAandHITECH PIE CHART HIPAA STANDARD REF. REQUIREMENT ADDRESSED IN VMWARE S SUITES REQUIREMENT ADDRESSED OR ENHANCED BY PARTNERS REQUIREMENT NOT ADDRESSED BY VMWARE OR PARTNERS WorkstationSecurity (c) No No Yes DeviceandMedia Controls (d)(1) No No Yes AccessControl (a)(1) Yes Yes No AuditControls (b) Yes Yes No Integrity (c)(1) Yes Yes No PersonorEntity Authentication (d) Yes Yes No TransmissionSecurity (e)(1) Yes Yes No BusinessAssociate Contracts orother Arrangements (a)(1)(i) No No Yes Requirementsfor GroupHealthPlans (b)(1) No No Yes Policiesand Procedures (a) No No Yes Documentation (b)(1)(i) No No Yes Table3:HIPAASecurityRuleRequirements TECHNICALGUIDE/19

21 VMwareProductAvailability GuideforHIPAAandHITECH HIPAASecurityRuleSolutionApplicabilityDetails vsphere ForthepurposesofthisVMwareSolutionGuideforHIPAA/HITECH,vSphere scomponents andfeatures,asdescribedbelow,cansupportautomaticcomplianceanddeploymentscenariosto accommodatehipaa/hitechrequirements. ESXi isabare[metalhypervisorinstalledonphysicalservers.esxiallowsforpartitioningthe physicalresourcesintomultiplevirtualmachinesandallowsformanagementofmultipleesxihosts throughasinglemanagementplatform(vcenterserver). vmotion allowsliverunningvirtualmachinestomovebetweenonephysicalservertoanotherwithout disruption.theabilitytodynamicallyandautomaticallymoveliverunningvirtualmachinescanease scalingandallowworkloadstobeperformedwithinvirtualsegments. StoragevMotion providestheabilitytomigratelivevirtualmachinedisksacrossanystorage arrayssupportedbyvsphere. HighAvailability allowsforapplicationsrunninginvirtualmachinestoruninhighavailabilitymode, protectingtheapplicationfromhardwareandoperatingsystemsfailuresbymonitoringthestateofthe virtualmachineandphysicalhostandautomaticallyrestartsthevirtualmachineonotherphysical servers. DataProtectionandReplication Dataprotectionprovidesagent[lessimage[levelbackupand recoverypoweredbyemcavamar.backupsaredoneviafastandefficientbackuptodiskandalso providefastrecovery.thereplicationforvsphereallowsforpoweredonreplicationofvirtual machinesfromonevspherehosttoanotherwithoutneedingstoragebasedreplication. HostProfiles allowsfortheconsistencyandautomationofdeployingphysicalesx/esxihosts rapidly.hostprofilesallowforautomaticdeploymentofconfigurationstohostsandprovideautomatic compliancewiththeconfigurations.simplifyingoperationalmanagementalsoreducesthepossibility formis[configuration. ThefollowingproductmatrixexplainswhichHIPAAcontrolsareapplicabletovSphereandits components. Technical Safeguards ( ) HIPAAStandardDescription Compliance Attainability Comments AccessControls[ (a)(1) Implementtechnicalpoliciesand proceduresforelectronic informationsystemsthatmaintain electronicprotectedhealth informationtoallowaccessonlyto thosepersonsorsoftware programsthathavebeengranted accessrights. Attainable ESXiandvCentercanbeconfigured toprovideaccesscontrolforindividual usersandalsoprotectaccessto systemsandfeatureswithinvsphere byimplementingrolebasedaccess. See:ConfiguringActiveDirectory See:ConfiguringAuthentication& TECHNICALGUIDE/20