VMware 'SDDC'Product' Applicability'Guide'for' HIPAA/HITECH,'v1.0 '

Transcription

1 VMware SDDCProduct ApplicabilityGuidefor HIPAA/HITECH,v1.0 November2013 TECHNICALGUIDE This is the first document in the Compliance Reference Architecture for HIPAA. You can find more information on the Framework and download the additional documents from the VMware HIPAA Compliance Resources on VMware Solution Exchange.

2 VMwareProductAvailability GuideforHIPAAandHITECH TableofContents Introduction...2 ScopeandApproach...3 VMwareSolutionScope...3 HIPAAandHITECHActScope...4 Approach...4 OverviewofHIPAA/HITECHSecurityRequirements...6 HIPAAProtectedHealthInformationandIdentifiers...9 HIPAA/HITECHComplianceGuidance...10 DefinitionofCloudComputing...12 WheretoStart ConsiderationsforCoveredEntities...14 Management/BusinessConsiderations...15 ITConsiderations...15 VMwareHIPAAComplianceStack...15 HIPAASecurityRuleSolutionApplicabilityMatrix...16 HIPAASecurityRuleSolutionApplicabilityDetails...20 vsphere...20 vclouddirector...22 vcloudnetworkingandsecuritysuite...24 vcentersiterecoverymanager...26 vcenteroperationsmanagementsuite...28 Acknowledgments...30 AboutAccuvant...30 TECHNICALGUIDE/1

3 VMwareProductAvailability GuideforHIPAAandHITECH Introduction Informationsecuritydesignandarchitecturalrequirements,drivenbyregulatorycompliance,arecommon butcriticalaspectsthatorganizationsshouldconsiderwhenmigratingfromtraditionalit environmentstocloudcomputingenvironments.helpingorganizationswiththearduoustasksof meetingandmaintaininghipaaandthehitechactregulatorycompliance,vmwareanditspartners providesuitesofindustry[leading,virtualizationsolutionswhichaddresstheconfidentiality,integrity andavailabilityrequirementsofhipaa/hitech.thisvmwaresolutionguidewillassistin answeringquestionssuchas HowCanOurOrganizationComplywithHIPAARequirements withinacloudcomputingenvironment byprovidinghelpfulinformationtovmwarearchitects, thehipaa/hitechcommunity,businessstakeholdersandthirdparties. VMwarevCloudSuiteisVMware scompletesoftware?defineddatacenter(sddc)solution, enablingcustomerstobuildandmanagetheirowncloudinfrastructure.thevcloudsuiteis offeredintothreeeditionsanddividedintoeightdiscretesoftwarecomponents: vsphere Virtualizedinfrastructurewithpolicy[basedautomation vclouddirector Virtualizeddatacenterswithmulti[tenancyandpubliccloudextensibility vcloudconnector Integratedviewinganddynamictransferofworkloadsbetweenprivateandpublic clouds vcloudnetworkingandsecurity Softwaredefinednetworking,securityandecosystemintegration vcentersiterecoverymanager Automateddisasterrecoveryplanning,testingandexecution vcenteroperationsmanagementsuite Integrated,proactiveperformancecapacity,and configurationmanagementfordynamiccloudenvironments.thevcenteroperations ManagementSuiteisbrokenintosevenfeaturesthatareoffereddependingonvCloudSuite editiontype.thesesevenfeaturesare: ApplicationMonitoring StorageAdaptersforEMC VMConfigurationCompliance HostConfigurationCompliance PerformanceandCapacityOptimization ApplicationAwareness Chargeback vfabricapplicationdirector Multi[tierapplicationservicecatalogpublishingand provisioning vcloudautomationcenter Self[serviceandpolicy[enabledcloudserviceprovisioning TECHNICALGUIDE/2

4 VMwareProductAvailability GuideforHIPAAandHITECH Figure1.VMwareCloudSuitecomponents ScopeandApproach DuetothebroadcontextoftheHIPAAandHITECHactsitisprudenttoproperlydefineand detailthescopeofthisdocumentandtheapproachthathasbeentakenindefiningsuch scope.thescopeisdividedbetweenthevmwarecomponentsthatareincluded,reviewedand consideredhighlyrelevantaspartofthisguideandthegoverningsectionsofthehipaaand HITECHActsthatpertaintoelectronicdata,informationtechnologyandthusnetworkand electronicinformationsecurity.whilethisguideprovidesspecifictechnicalopinionsregarding theapplicabilityofvmwaresolutionstohipaa sregulationstheguideisneither comprehensiveinitscoverageoftheentirehipaaregulationnorprescriptive.itdoesnot defineasingleimplementationstrategythatassurescompliance. VMwareSolutionScope UsingtheEnterpriseeditionofvCloudSuiteasthebasisfortheVMwaresolution,the componentsapplicabletothisguideanddetailedwithinthisguide( VMwareScope )include: vsphere vclouddirector vcloudnetworkingandsecurity(vcns) vcentersiterecoverymanager(srm) vcenteroperationsmanagementsuite(oms) VMConfigurationCompliance HostConfigurationCompliance TECHNICALGUIDE/3

5 VMwareProductAvailability GuideforHIPAAandHITECH ThosespecificVMwarecomponentsthatarenotwithinthescopeofthisdocumenthavebeen omittedeitherbecauseoftheirnon[applicability(i.e.applicationmonitoring,applicationawareness, PerformanceandOptimizationandChargebackcomponentsofvCenterOMS,vFabricApplication DirectorandvCloudAutomationCenter)orinterdependencyuponseparatetechnologynotin scope(i.e.storageadaptersforemc). HIPAAandHITECHActScope TheportionsoftheHIPAAandHITECHactsthatareconsideredtechnicalinnatureandthereforewithin scope( HIPAAScope )ofthisguideconsistofspecificcontrolswithinhipaa ssecurityrule, 45CFRPart160andSubpartsAandCofPart164.TheHITECHactandotherportionsof HIPAA,suchasthePrivacyRule,aswellasseveralsectionsofHIPAA ssecurityrulearenot addressablethroughtheuseofvirtualizationandcloudtechnology,includingvmware s solutionsandthereforearenotcoveredwithinthisdocument. VMwarerecognizesthelargerimpactthatthefullscopeofHIPAAandHITECHhasuponan organization.thissolutionsguideisintendedtohelpanorganizationunderstandtherolethat VMware ssolutionscanplaywithintheirlargercomplianceefforts.andduetotheflexiblenatureof HIPAAandsignificantimpactthatnon[compliancecanhaveuponanorganization,itisstrongly recommendedthatorganizationsestablishtheirhipaaandhitechcomplianceeffortsupona comprehensiveriskassessmentstrategy. Approach The HIPAASecurityRuleSolutionApplicabilityMatrix (foundlaterinthisdocument)mapsthe specificrequirementsofthehipaasecurityruletovmware sproductsolutionsuites,theirtechnology areasandinsomecasespartnersolutions.byunderstandinghowthetechnologysolutionsand technologyareasapplytothecompliancerequirementscustomersareabletosupporttheirbroader electronicgovernance,riskandcompliance(egrc)initiatives. Figure2.VMware+PartnerProductSolutionsforaTrustedCloud TECHNICALGUIDE/4

6 VMwareProductAvailability GuideforHIPAAandHITECH Whiletherearemanyvariationsofcloudenvironments,includingpublic,privateandhybrid clouds,andtherearemanypartnersolutionsthatenhanceanorganization sabilitytoaddress confidentiality,integrityandavailability,thevmwarevcloudsuitecanhelporganizations addressupto23%(asseeninfigure3below)ofthecompliancerequirementsofthehipaa SecurityRule. Figure3.HIPAASecurityRuleControlsCoverage TECHNICALGUIDE/5

7 VMwareProductAvailability GuideforHIPAAandHITECH OverviewofHIPAA/HITECHSecurityRequirements TheHealthInsurancePortabilityandAccountabilityActof1996(HIPAAePub.L.104[191,110Stat.1936) wasenactedbytheunitedstatescongressandsignedbypresidentbillclintononaugust21, 1996.TitleII:PreventingHealthCareFraudandAbuseFAdministrativeSimplificationFMedical LiabilityReformdefinespolicies,proceduresandguidelinesformaintainingtheprivacyandsecurity ofindividuallyidentifiablehealthinformationaswellasoutliningnumerousoffensesrelatingtohealth careandsetscivilandcriminalpenaltiesforviolations. AsrequiredbyCongressinHIPAAandHITECHcoverthefollowingtypesoforganizations: Healthplans Healthcareclearinghouses Healthcareproviderswhoconductcertainfinancialandadministrativetransactionselectronically. TheseelectronictransactionsarethoseforwhichstandardshavebeenadoptedbytheSecretary underhipaa, suchaselectronicbillingandfundtransfers. FailuretomeetHIPAAcompliancerequirementsandstandardscouldgiverisetobothcivilandcriminal penalties.section13410ofthehitechactamendssection1176ofthesocialsecurityact(42 U.S.C1320d[5)inordertoupdateenforcementofHIPAA.ThepenaltiesundertheSocial SecurityAct,andamendedintheHITECHactaredividedintocategoriesofclaimsand categoriesofpenaltiesthatareapplicabletoindividualsandorganizations. Civilmonetarypenaltiesaredividedasfollows: IncasesofunknowingviolationsofHIPAA,eachviolationwouldresultin$100[$50,000foreach suchviolation,nottoexceed$1,500,000fortheallsuchviolationswithinthesamecalendaryear. Incasesofwrongfuldisclosureofindividuallyidentifiablepatientinformation,apersonshallbefined $1,000[$50,000foreachsuchviolationandnotmorethan$1,500,000forallsuchviolationswithin thesamecalendaryear. Incaseswheretheoffenseiscommittedunderfalsepretensesandcorrectedinthesamecalendar year,apersonshallbefined$10,000[$50,000foreachsuchviolationandnotmorethan$1,500,000 forallsuchviolationswithinthesamecalendaryear. Incaseswheretheoffenseiscommittedunderfalsepretensesandnotcorrectedinthesame calendaryear,apersonshallbefined$50,000foreachsuchviolationandnotmorethan$1,500,000 forallsuchviolationswithinthesamecalendaryear. Criminalpenaltiescanbeimposedagainstindividualsandaredividedasfollows: Upto$50,000andpotentialimprisonmentofnotmorethan1yearincasesofwrongfuldisclosureof PHI. Upto$100,000andpotentialimprisonmentofnotmorethan5yearsincasescommittedunderfalse pretenses. Upto$250,000andimprisonmentofnotmorethan10yearsincasescommittedwithintenttosell, transferorusephiforcommercialadvantage,personalgainormaliciousharm. TheHIPAASecurityRule,asdefinedwithin45CFRPart160andSubpartsAandCofPart 164,has22requirementsthatpertaintothesafeguardingofpatientdataandareoutlined below.ofthose22,therequirementsthatwebelievearerelevanttovmware sproduct solutionsarehighlightedinyellow: TECHNICALGUIDE/6

8 VMwareProductAvailability GuideforHIPAAandHITECH HIPAA Administrative Safeguards HIPAAStandard Reference ApplicabilitytoTechnicalScope SecurityManagementProcess (a)(1)(i) Notapplicable AssignedSecurityResponsibility (a)(2) Notapplicable WorkforceSecurity (a)(3)(i) Notapplicable InformationAccessManagement (a)(4)(i) Notapplicable SecurityAwarenessandTraining (a)(5)(i) Notapplicable SecurityIncidentProcedures (a)(6)(i) Notapplicable ContingencyPlans (a)(7)(i) Notapplicable Evaluation (a)(8) Notapplicable BusinessAssociateContracts andotherarrangements (b)(1) Notapplicable HIPAA PHYSICAL Safeguards HIPAAStandard Reference ApplicabilitytoTechnicalScope FacilityAccessControls (a)(1) Notapplicable WorkstationUse (b) Notapplicable WorkstationSecurity (c) Notapplicable TECHNICALGUIDE/7

9 VMwareProductAvailability GuideforHIPAAandHITECH HIPAA PHYSICAL Safeguards DeviceandMediaControls (d)(1) Notapplicable HIPAA TECHNICAL Safeguards HIPAAStandard Reference ApplicabilitytoTechnicalScope AccessControl (a)(1) Applicable AuditControls (b) Applicable Integrity (c)(1) Applicable PersonorEntityAuthentication (d) Applicable TransmissionSecurity (e)(1) Applicable HIPAA organizational requirements HIPAAStandard Reference ApplicabilitytoTechnicalScope BusinessAssociateContractsor OtherArrangements (a)(1)(i) NotApplicable RequirementsforGroupHealth Plans (b)(1) NotApplicable TECHNICALGUIDE/8

10 VMwareProductAvailability GuideforHIPAAandHITECH HIPAA Policies and Procedures and Documentation Requirements HIPAAStandard Reference ApplicabilitytoTechnicalScope PoliciesandProcedures (a) NotApplicable Documentation (b)(1)(i) NotApplicable Table1:HIPAASecurityStandards HIPAAProtectedHealthInformationandIdentifiers Protectedhealthinformation(PHI)hasbeendefinedbytheUSDepartmentofHealthandHuman Services( HHS )asanyinformationinthemedicalrecordordesignatedrecordsetthatcanbe usedtoidentifyanindividualandthatwascreated,used,ordisclosedinthecourseof providingahealthcareservicesuchasdiagnosisortreatment.hipaaregulationsallowresearchers toaccessandusephiwhennecessarytoconductresearch.however,hipaaonlyaffectsresearch thatuses,creates,ordisclosesphithatwillbeenteredinto themedicalrecordorwillbeusedforhealthcareservices,suchastreatment,paymentor operations. AsdefinedbytheHeathResourcesandServicesAdministration: UndertheHIPAAPrivacyRule,protectedhealthinformation(PHI)referstoindividually identifiablehealthinformation.individuallyidentifiablehealthinformationisthatwhichcanbe linkedtoaparticularperson.specifically,thisinformationcanrelateto: Theindividual spast,presentorfuturephysicalormentalhealthorcondition, Theprovisionofhealthcaretotheindividual,or, Thepast,present,orfuturepaymentfortheprovisionofhealthcaretotheindividual. Commonidentifiersofhealthinformationincludenames,socialsecuritynumbers,addresses, andbirthdates. TheHIPAASecurityRuleappliestoindividualidentifiablehealthinformationinelectronicform orelectronicprotectedhealthinformation(ephi).itisintendedtoprotecttheconfidentiality, integrity,andavailabilityofephiwhenitisstored,maintained,ortransmitted. 1 The18PHIidentifiersthathavebeendefinedwithinHIPAAbytheHHSasin[scopeinclude: Namese AllgeographicalsubdivisionssmallerthanaState 2 e Allelementsofdates(exceptyear)fordatesdirectlyrelatedtoanindividual 3 e Phonenumberse Faxnumberse Electronicmailaddressese With exceptions 3 With exceptions TECHNICALGUIDE/9

11 VMwareProductAvailability GuideforHIPAAandHITECH SocialSecuritynumberse Medicalrecordnumberse Healthplanbeneficiarynumberse Accountnumberse Certificate/licensenumberse Vehicleidentifiersandserialnumbers,Includinglicenseplatenumberse Deviceidentifiersandserialnumberse WebUniversalResourceLocators(URLs)e InternetProtocol(IP)addressnumberse Biometricidentifiers,includingfingerandvoiceprintse Fullfacephotographicimagesandanycomparableimageseand 18. Anyotheruniqueidentifyingnumber,characteristic,orcode(notethisdoesnotmeanthe uniquecodeassignedbytheinvestigatortocodethedata) HIPAA/HITECHComplianceGuidance Whileformalguidelineshavenotyetbeenreleasedrecommendingexplicitsecurityguidelines forhipaacompliancewithinapubliccloudenvironment,in2007theu.s.departmentof HealthandHumanServices( HHS )releasedan EducationalPaperSeries thatcovereda numberofsecurityprinciplesinanefforttoprovidehipaacoveredentities insightintothesecurity Rule 4.Thepaperscoveredavarietyoftopics: Security101forCoveredEntities AdministrativeSafeguards PhysicalSafeguards TechnicalSafeguards Organizational,PoliciesandProceduresandDocumentationRequirements BasicsofRiskAnalysisandRiskManagement SecurityStandards:ImplementationfortheSmallProvider AllofthepapersprovidedbytheHHSarerecommendedindevelopinganunderstandingof HIPAA sintent.ofthesevenpapers,thesecurity101forcoveredentities,technical SafeguardsandBasicsofRiskAnalysisandRiskManagementholdthemostrelevancetothe VMwarescopedefinedinanearliersection. 4http:// TECHNICALGUIDE/10

12 VMwareProductAvailability GuideforHIPAAandHITECH Figure4.HIPAASecuritySeries#1,#4and#6 InadditiontotheEducationalPaperSeries,HHSreleasedin2010aguidancepaperrelative tohitechtitled GuidanceonRiskAnalysisRequirementsundertheHIPAASecurityRule. ThispaperisintendedtoassistorganizationsinunderstandingwhatHHSconsidersthe mosteffective andappropriateadministrative,physicalandtechnicalsafeguards 5 relativetoe[phi.inthis documentthehhsveryspecificallyacknowledgeslimitedprescriptivespecificitywithinthe SecurityRuleandpointsatoneverycleardirective basetheidentificationand implementationofthevarioussafeguardsuponriskanalysis. WeunderstandthattheSecurityRuledoesnotprescribeaspecificriskanalysismethodology, recognizingthatmethodswillvarydependentonthesize,complexity,andcapabilitiesofthe organization.instead,theruleidentifiesriskanalysisasthefoundationalelementintheprocessof achievingcompliance,anditestablishesseveralobjectivesthatanymethodologyadoptedmust achieve 6. Theguideprovidesadditionalclarificationbetweentheterms addressable and required enotingthat addressablespecificationsarenotoptionalandrequireorganizationstodeterminewhether eachaddressablespecificationisreasonableandappropriate.organizations mustdocument 7,as partofthatdeterminationprocess,whyaparticularspecificationwasdeterminedtobeunreasonable orinappropriate. 5FromGuidanceonRiskAnalysisRequirementsUnderHIPAASecurityRulepg.1,postedJuly14,2010 6FromGuidanceonRiskAnalysisRequirementsUnderHIPAASecurityRulepg.2postedJuly14,2010 7FromGuidanceonRiskAnalysisRequirementsUnderHIPAASecurityRulepg.2postedJuly14,2010 TECHNICALGUIDE/11

13 VMwareProductAvailability GuideforHIPAAandHITECH Figure5.GuidanceonRiskAnalysisRequirementsUndertheHIPAASecurityRule DefinitionofCloudComputing Cloudcomputingcanbedefinedasamodelforleveragingpoolsofsharedresourceson[demand,suchas networks,storage,servers,applicationsandservices.thesesharedresources,knownasa cloud,provideamultitudeofcapabilities,someofwhichincludescalability,elasticityofit resources,smallerenvironmentalfootprintsuchaspowerorphysicalspace,andfinallymore accurateeconomiesofscale. Cloudcomputingisnothingnew,andhasoriginsdatingbacktotheearly1950 sand1960 s,when mainframesweremodifiedtoprovidebetterefficiencyandscalability.theterm cloud itself becamecommonplacewheninthe1990 sthegraphicofacloudwasusedtoidentifythe Internetoranyothersharednetwork.Ithasreallybeeninthelastdecadethatamature definitionof CloudComputing hasbeenestablished.severalkeyeventsoccurredthat helpedtoestablishcurrentdaycloudcomputing: 1.In1999VMwareintroducedtheVMwareVirtualPlatformthatprovidedthefirstaffordableand reliablevirtualizationplatform,enablingbroadadoptionofvirtualizationwithinthedatacenterand ultimatelysupportingprivatecloudcomputing. 2.In2006AmazonreleasedAmazonWebServices(AWS)expandingcloudcomputingfroma privateendeavortoautilityprovidedtoexternalcustomers. VMwaredefinescloudorutilitycomputingasthefollowing: Cloudcomputingisanapproachtocomputingthatleveragestheefficientpoolingofon? demand,self?managedvirtualinfrastructure,consumedasaservice.sometimesknownasutility computing,cloudsprovideasetoftypicallyvirtualizedcomputerswhichcanprovideuserswiththe abilitytostartandstopserversorusecomputecyclesonlywhenneeded,oftenpayingonly uponusage. Thereareseveralkeycharacteristicstocloudcomputingthatarerecognizedthroughoutthe industry.thefirstkeycharacteristicofthecloudisitsservicemodels.thesecondkey characteristicofthecloudisitsdeploymentmodels.fourdistinctdeploymentmodelsexist(which donotnecessarilyalignwiththeservicemodels):theprivatecloud,thepubliccloud,thehybridcloud (combiningbothpublicandprivate),andfinallythecommunitycloud. TheCloud sservicemodelsaredividedintofourseparateservicemodels: InfrastructureasaService(IaaS) AsthenamesuggeststheIaaSmodelisspecifictothe infrastructurethatsupportscloudcomputing.iaassolutionprovidersofferphysicalorvirtual TECHNICALGUIDE/12

14 VMwareProductAvailability GuideforHIPAAandHITECH computers,disk,networkroutingandswitchinginfrastructureandothernetworkandsecurity infrastructure. PlatformasaService(PaaS) BuildinguponanIaaSsolution,thePaaSmodelprovidesthe computingplatformnecessarytorunandsupporttheapplicationsandservices.apaassolution providertypicallyprovidestheoperatingsystems,serviceapplicationstack suchaswebservers anddatabaseservers,andothernecessaryenvironmentsupport suchasprogramminglanguages, frameworksandservices. SoftwareasaService(SaaS) Certainlythemostvisibleoftheservicemodels,theSaaSmodel providesaccesstofullyoperationalapplications.theseapplicationsarefullymanagedattheplatform andinfrastructurelevelandareoftenaresupportedthroughseparateiaasandpaasproviders. NetworkasaService(NaaS) Thisfinalmodelbringscommonnetwork,transportorVPN connectivitytothemarket. TheCloud sdeploymentmodelshappentoalsobedividedintofourdistinctmodelstoday.the deploymentmodelstonotnecessarilyalignwiththeservicemodelsdefinedabove. PrivateCloud Thecloudinfrastructureisoperatedsolelyforanorganizationandmaybemanaged bytheorganizationorathirdparty.thecloudinfrastructuremaybeon[premiseoroff[premise. PublicCloud Thecloudinfrastructureismadeavailabletothegeneralpublicortoalargeindustry groupandisownedbyanorganizationthatsellscloudservices. Figure6.CloudComputingOverview HybridCloud Thecloudinfrastructureisacompositionoftwoormoreclouds(privateandpublic) thatremainuniqueentities,butareboundtogetherbystandardizedtechnology.thisenablesdataand applicationportabilityeforexample,cloudburstingforloadbalancingbetweenclouds.withahybrid cloud,anorganizationgetsthebestofbothworlds,gainingtheabilitytoburstintothepubliccloud whenneededwhilemaintainingcriticalassetson[premise. TECHNICALGUIDE/13

15 VMwareProductAvailability GuideforHIPAAandHITECH CommunityCloud Thecloudinfrastructureissharedbyseveralorganizationsandsupportsaspecific communitythathassharedconcerns(forexample,mission,securityrequirements,policy,and complianceconsiderations).itmaybemanagedbytheorganizationsorathirdparty,andmayexist on[premiseoroff[premise. TolearnmoreaboutVMware sapproachtocloudcomputing,pleasereviewthefollowing: VMwareCloudComputingOverview[ computing/index.html#tab3 VMware svcloudarchitecturetoolkit[ architecture/vcat[toolkit.html Organizationsconsideringthepotentialcomplianceimpactcloudcomputinghasuponcritical applicationsthatmaybehighlyregulatedshouldconsiderthefollowingquestions: Towhatextentdothoseapplicationsleveragecloudarchitecture? Whatservicemodelsanddeploymentmodelsarebeingusedtotransmitandstoreprotectedhealth informationandwhoarethecloudprovidersinvolved? Arethecloudplatformsusedtrustedplatformsandwhatcomplianceassurancesareprovidedbythe cloudprovidersinvolved? Whichindustry[recognizedcertificationshasthecloudprovider,environmentandservicebeen auditedandcertifiedascompliantfor? Afinalcriticalpointthatmustbeconsideredisthat,becauseHIPAAdoesnotprescribehowto meet regulatorycompliance(i.ewhichtechnologytouse,howtoimplementsaidtechnology,etc),itis imperativethatanorganization sbusinessanditstakeholdersarealignedwithtechnology requirementsdrivenfromthestakeholder. VMwareisthegloballeaderinvirtualization,thekeytechnologythatenablescloudcomputing.VMware s vcloudsuiteisaturnkey,integratedvirtualizationsolutionforbuildingandmanaginga completecloudinfrastructure,allowingcustomerstorealizethemanybenefitsofcloud computing. PriortoundertakinganyHIPAAcomplianceproject,VMwarerecommendsthatcustomersdeterminea healthcheck statusofsystemscompliance.customerscanimplementvmware s HIPAACompliance Checker bydownloadingtheapplicationfromthefollowinglocation: chk&lp=default&cid= mjsmaaw WheretoStart ConsiderationsforCoveredEntities Whenitcomestothequestionofwheretostart,HIPAAandtheguidancearoundHIPAAis quitespecific.organizationsthatareworkingonachievinghipaaandhitechcomplianceshouldstart withariskassessment.asnotedbythedepartmentofhealthandhumanservicesandrelative tohipaa ssecurityrule: theruleidentifiesriskanalysisasthefoundationalelementintheprocessofachieving compliance,anditestablishesseveralobjectivesthatanymethodologyadoptedmust achieve 8 8FromGuidanceonRiskAnalysisRequirementsUnderHIPAASecurityRulepg.2postedJuly14,2010 TECHNICALGUIDE/14

16 VMwareProductAvailability GuideforHIPAAandHITECH Whatisveryimportanttonoteisthatutilizingavirtualorcloudenvironmenthasnogreater impactrelativetohipaacompliancethantraditionalinformationtechnologyoranydifferencesthanare typicallyconsideredbetweenvirtualization,cloudandtraditionaltechnology.organizationscan utilizeastrongriskmanagementapproachtowardtheirhipaacomplianceeffortsandtake advantageofthemanyadvantagesprovidedbyvirtualorcloudenvironmentsbecausetherisk assessmenteffortshouldinformtheorganizationoftheproperapplicationofsecuritywithin thevirtualorcloudenvironment. IndependentofHIPAAorHITECH,themovetocloudandvirtualenvironmentsarefilledwithtechnical considerationsandbusinessdecision,someofwhichdifferfromtraditionalinformation technology.organizationsshouldreviewthebenefitsandrisksoftheircurrentenvironment andcomparethemtothedifferentclouddeploymentmodelsandservicemodels. Thefollowingquestionsmaybeimportantwhenconsideringthepotentialbusinessimpact, benefits,andrisksofavirtualand/orcloudenvironment. Management/BusinessConsiderations 1.CantheCloudbeastrategicdifferentiatorforthebusinessorisitacommodityservice? 2.WhatisthestrategicvaluethattheCloudcoulddelivertotheorganization? 3.WhataretheareaswheretheCloudcanprovideadditionalvaluetothecompany? 4.WhatisthebusinessvaluethattheCloudcoulddelivertooperations? 5.Havetherebeenanypreviousattemptstovirtualizeoroutsourcecriticaloperations? 6.WhatCloudmodels,includingPublic,HybridandPrivate,arebeingconsidered? 7.WhatarethecriticalITservicesthatareorcouldbeoutsourced? ITConsiderations 1.Aretheorganizationalbusiness,IT,andGRCgroupsalignedwiththevirtualizationorcloud strategy? 2.HastheproposedvirtualizationimplementationbeencommunicatedtoGRCandapproval received? 3.HowhasGRCaffectedITOperationsanddoesitmandateanyconsiderationswhenconsidering virtualizationorcloudenvironments? 4.HastheflowofePHIbeenidentifiedanddocumented? 5.Haveallsystems(servers,SANs,SEIMs)whichstoreePHIandareconsidered in[scope for HIPAAcompliancebeenidentified?Whichvirtualizationorclouddeploymentmodelandservice modelwill beimplemented? 6.HowcanvirtualizationorcloudtechnologybenefitexistingITinitiatives?Arethereeffortsto consolidateitfunctionsthatcanbeaddressedwithcloud? 7.WhatIToperationalchangesshouldbemade,fromasegregationofdutiesperspective,to accountfortheconversionofphysicaltovirtualizedresourceswithintheorganization? 8.Wherecanvirtualizationand/orCloudimproveexistingSLAorOLAs(Internal,External)? VMwareHIPAAComplianceStack VMwareprovidesanextensivesuiteofproductsdesignedtosupportanorganization s InformationSecurityandCompliancerequirements.Whileeveryenvironmentwillhaveunique needs,thefollowinghipaa/hitechcompliancestackprovidesacomprehensivemixof TECHNICALGUIDE/15

17 VMwareProductAvailability GuideforHIPAAandHITECH VMwaresolutionsthatcanhelporganizationsmeetthecomplianceandgovernance requirementsofhipaa/hitech. VCloud Suite Product Product Components or Features vsphere ESXi,vMotion,StoragevMotion,HighAvailability,Data ProtectionandReplication,andHostProfiles vclouddirector ElasticVirtualDatacenters,ServiceCatalogandMulti[Tenancy vcloudnetworkingandsecurity Suite Edge,AppFirewall,VXLAN,andDataSecurity vcentersiterecoverymanager RecoveryPlans,AutomatedDRFailoverandFailback,vSphere Replication vcenteroperationsmanagement Suite VMConfigurationCompliance,andHostConfigurationCompliance Table2:Captiontocome. HIPAA/HITECHrequirementsandhavebeenaddressedindetailinthefollowingsections.To determinetheproductsandfeaturesavailablewithvmwaresuitespleasereferto VMware.com. HIPAASecurityRuleSolutionApplicabilityMatrix VMwarehascreatedaHIPAASecurityRuleRequirementsMatrixtoassistorganizationswithan understandingofvmwaresolutions,vmwarepartnersolutions(wheretheyoverlap),andthe remainingcustomerresponsibilitiesthatshouldbeaddressedseparatelybythecustomer throughuseofothertoolsorprocesses.whileeverycloudisunique,vmwarebelievesthatthe technicalrequirementsfoundwithinthesecurityrulecanbeaddressedthroughthevmwaresuites and/orvmwarepartnersolutions. TheremaininggapsinaddressingHIPAA/HITECHrequirementsmaybefilledbythecustomerthrough processes,proceduresandothertools(i.e.approvingcustomers policies,keepinganupdated networkdiagram,approvingchanges,etc.). TECHNICALGUIDE/16

18 VMwareProductAvailability GuideforHIPAAandHITECH Figure7.VMwareSolutions Figure8.DiagrammaticRepresentationofVMwareandVMwarePartnerProductsforHIPAA TECHNICALGUIDE/17

19 VMwareProductAvailability GuideforHIPAAandHITECH PIE CHART HIPAA STANDARD REF. REQUIREMENT ADDRESSED IN VMWARE S SUITES REQUIREMENT ADDRESSED OR ENHANCED BY PARTNERS REQUIREMENT NOT ADDRESSED BY VMWARE OR PARTNERS Security Management Process (a)(1)(i) No No Yes AssignedSecurity Responsibility (a)(2) No No Yes WorkforceSecurity (a)(3)(i) No No Yes InformationAccess Management (a)(4)(i) No No Yes Security Awarenessand Training (a)(5)(i) No No Yes SecurityIncident Procedures (a)(6)(i) No No Yes ContingencyPlan (a)(7)(i) No No Yes Evaluation (a)(8) No No Yes BusinessAssociate Contracts andother Arrangements (b)(1) No No Yes FacilityAccess Controls (a)(1) No No Yes WorkstationUse (b) No No Yes TECHNICALGUIDE/18

20 VMwareProductAvailability GuideforHIPAAandHITECH PIE CHART HIPAA STANDARD REF. REQUIREMENT ADDRESSED IN VMWARE S SUITES REQUIREMENT ADDRESSED OR ENHANCED BY PARTNERS REQUIREMENT NOT ADDRESSED BY VMWARE OR PARTNERS WorkstationSecurity (c) No No Yes DeviceandMedia Controls (d)(1) No No Yes AccessControl (a)(1) Yes Yes No AuditControls (b) Yes Yes No Integrity (c)(1) Yes Yes No PersonorEntity Authentication (d) Yes Yes No TransmissionSecurity (e)(1) Yes Yes No BusinessAssociate Contracts orother Arrangements (a)(1)(i) No No Yes Requirementsfor GroupHealthPlans (b)(1) No No Yes Policiesand Procedures (a) No No Yes Documentation (b)(1)(i) No No Yes Table3:HIPAASecurityRuleRequirements TECHNICALGUIDE/19

21 VMwareProductAvailability GuideforHIPAAandHITECH HIPAASecurityRuleSolutionApplicabilityDetails vsphere ForthepurposesofthisVMwareSolutionGuideforHIPAA/HITECH,vSphere scomponents andfeatures,asdescribedbelow,cansupportautomaticcomplianceanddeploymentscenariosto accommodatehipaa/hitechrequirements. ESXi isabare[metalhypervisorinstalledonphysicalservers.esxiallowsforpartitioningthe physicalresourcesintomultiplevirtualmachinesandallowsformanagementofmultipleesxihosts throughasinglemanagementplatform(vcenterserver). vmotion allowsliverunningvirtualmachinestomovebetweenonephysicalservertoanotherwithout disruption.theabilitytodynamicallyandautomaticallymoveliverunningvirtualmachinescanease scalingandallowworkloadstobeperformedwithinvirtualsegments. StoragevMotion providestheabilitytomigratelivevirtualmachinedisksacrossanystorage arrayssupportedbyvsphere. HighAvailability allowsforapplicationsrunninginvirtualmachinestoruninhighavailabilitymode, protectingtheapplicationfromhardwareandoperatingsystemsfailuresbymonitoringthestateofthe virtualmachineandphysicalhostandautomaticallyrestartsthevirtualmachineonotherphysical servers. DataProtectionandReplication Dataprotectionprovidesagent[lessimage[levelbackupand recoverypoweredbyemcavamar.backupsaredoneviafastandefficientbackuptodiskandalso providefastrecovery.thereplicationforvsphereallowsforpoweredonreplicationofvirtual machinesfromonevspherehosttoanotherwithoutneedingstoragebasedreplication. HostProfiles allowsfortheconsistencyandautomationofdeployingphysicalesx/esxihosts rapidly.hostprofilesallowforautomaticdeploymentofconfigurationstohostsandprovideautomatic compliancewiththeconfigurations.simplifyingoperationalmanagementalsoreducesthepossibility formis[configuration. ThefollowingproductmatrixexplainswhichHIPAAcontrolsareapplicabletovSphereandits components. Technical Safeguards ( ) HIPAAStandardDescription Compliance Attainability Comments AccessControls[ (a)(1) Implementtechnicalpoliciesand proceduresforelectronic informationsystemsthatmaintain electronicprotectedhealth informationtoallowaccessonlyto thosepersonsorsoftware programsthathavebeengranted accessrights. Attainable ESXiandvCentercanbeconfigured toprovideaccesscontrolforindividual usersandalsoprotectaccessto systemsandfeatureswithinvsphere byimplementingrolebasedaccess. See:ConfiguringActiveDirectory See:ConfiguringAuthentication& TECHNICALGUIDE/20

22 VMwareProductAvailability GuideforHIPAAandHITECH TECHNICALGUIDE/21 Technical Safeguards ( ) UserManagement AuditControls[ (b) Implementhardware,software, and/orproceduralmechanismsthat recordandexamineactivityin informationsystemsthatcontainor useelectronicprotectedhealth information. Attainablewiththird[party solutions vspherecontainsbasicauditing informationonuseractivitythatcan beusedtoidentifywhenchangestook place,andwhatcategoryofchanges wereaffected.third[partyvendors shouldbeusedtoaugmentthelogs andeventsinordertoprovidegreater visibilitythanwhatisprovidedby vsphere. See:ManagingESXiLogFiles See:RetrievevCenterLogs Integrity[ (c)(1) Implementpoliciesandprocedures toprotectelectronicprotected healthinformationfromimproper alterationordestruction. Attainablewiththird[party solutions vspheredataprotectionand Replicationcanbeimplementedto ensurethatdataisintactand unalteredduringbackupand replication.third[partysolutionsare requiredtoprovidead[hocdataand fileintegrityatthefile[systemlevel. See:vSphereReplication Administration See:vSphereDataProtection Administration PersonorEntityAuthentication[ (d) Implementprocedurestoverify thatapersonorentityseeking accesstoelectronicprotected healthinformationistheone claimed. Attainable. Enhancedbythird[party solutions Byutilizinglocalaccounts,vCenter SingleSign[On(SSO),orActive Directory,userscanbeauthenticated onanindividuallevel.byusingathird[ partysolution,two[factor authenticationcanalsobe implementedtoauthenticateusers againstthemanagementvcenter, whichensuresgreateraccuracythat

23 VMwareProductAvailability GuideforHIPAAandHITECH Technical Safeguards ( ) usersarewhotheyclaimtobe. See:ConfiguringActiveDirectory TransmissionSecurity[ (e)(1) Implementtechnicalsecurity measurestoguardagainst unauthorizedaccesstoelectronic protectedhealthinformationthatis beingtransmittedoveran electroniccommunicationsnetwork Attainablewiththird[party support Throughtheabilitytocreateport groupsandvswitchs,administrators canlimitcommunicationofvirtual machineswithinthesamephysical host.usingthirdpartysolutions, administratorscanalsoprevent certainnetworkbasedchangesfrom takingplace. See:vSphereNetworkingGuide Table4:ApplicabilityofHIPAAControlstovSphereSuite vclouddirector ForthepurposesofthisVMwareSolutionGuidevCloud scomponentsandfeatures,as describedbelow,canprovideforautomaticcomplianceviapre[definedservicecatalogsand isolationthroughmulti[tenacytoaccommodatehipaa/hitechrequirements. ElasticVirtualDatacenter vclouddirectorprovidestheabilitytorapidlyprovisionandrelease resources.vcdallowsuserstospinupvirtualdatacentersthatspanmultipleclustersandautomatic placementofvapps.anapialsoenablesorganizationstoprogrammaticallyspinupordown resourcesondemand. ServiceCatalog givetheabilitytopredefineresourcesfornetwork,storage,andcomputewhile providingconsistencyindeploymentsandlimitorallowservicesfordifferentuserclasses. MultiSTenancy Administratorscangroupusersintoorganizationsandprovidedifferentlevelsof serviceandresourcesbasedonthosegroups.enablingalltheseparateorganizationstosharethe sameinfrastructure. ThefollowingproductmatrixexplainswhichHIPAAcontrolsareapplicabletovCloudDirector anditscomponents. Technical Safeguards ( ) HIPAAStandardDescription Compliance Attainability Comments AccessControls[ (a)(1) TECHNICALGUIDE/22

24 VMwareProductAvailability GuideforHIPAAandHITECH TECHNICALGUIDE/23 Technical Safeguards ( ) Implementtechnicalpoliciesand proceduresforelectronic informationsystemsthatmaintain electronicprotectedhealth informationtoallowaccessonlyto thosepersonsorsoftware programsthathavebeengranted accessrights. Attainable. Enhancedbythird[party solutions vclouddirectorallowsadministratorsto limitaccesstomostadministrative functionsandprotecttheenvironmentin whichhipaa/hitechworkloadsare running.role[basedaccesscanbe placedonuserssothattheycanonly performthefunctionsandduties assignedtothemthroughthevcloud directorportal.therearealsothirdparty solutionstoprovidetwofactor authentication. See:vCDUsersGuidepg.15 See:vCloudSecurity Two[Factor AuditControls[ (b) Implementhardware,software, and/orproceduralmechanisms thatrecordandexamineactivityin informationsystemsthatcontain oruseelectronicprotectedhealth information. Attainable. Enhancedbythird[party solutions vclouddirectorprovidesadministrators withtheabilitytoauditandmonitor activitiesperformedthroughvcd.by implementingathirdpartysolution additionaldetailoflogscanbe accessible. See:vCDUsersGuidepg.42 Integrity[ (c)(1) Implementpoliciesand procedurestoprotectelectronic protectedhealthinformationfrom improperalterationordestruction. Attainable. Enhancedbythird[party solutions vclouddirectorcanpreventdeletionof vappsviapoliciessetbythe administrator.also,byusingathird partysolution,itispossibletofurther limitdestructionofvirtualmachines and/orrequireadditionallevelsof authorizationbeforedoingso. See:vCDUsersGuidepg.36 PersonorEntityAuthentication[ (d) Implementprocedurestoverify thatapersonorentityseeking accesstoelectronicprotected Attainable. Enhancedbythird[party vclouddirectorcanintegrateintoactive directoryandprovidesupportfor SecuritySupportProviderInterface

25 VMwareProductAvailability GuideforHIPAAandHITECH Technical Safeguards ( ) healthinformationistheone claimed. solutions (SSPI),whichisMicrosoft sproprietary implementationofgssapi.integrating thirdpartysolutionscanprovidetwo[ factorauthenticationtobothusersand administrators. See:vCloudSecurity Two[Factor TransmissionSecurity[ (e)(1) Implementtechnicalsecurity measurestoguardagainst unauthorizedaccesstoelectronic protectedhealthinformationthatis beingtransmittedoveran electroniccommunications network Attainable vclouddirectorcanprovidemultiple typesofvpn[basedaccessintovcloud environments.thesescenarioscan varyfromcloud[to[cloudaccess,or public[to[privateaccessbetweenthe cloudenvironments.usingipseccan providebothauthenticationand encryptionintoandbetweenthecloud environments. See:vCloudSecurity Network Security Table5:ApplicabilityofHIPAAControlstovCloudDirector vcloudnetworkingandsecuritysuite ForthepurposesofthisVMwareSolutionGuide,thesuiteisagroupofproductsthatdeliver avirtualizedsecuritymodelspecificallydesignedtoovercomethetraditionalchallengesof managingsecurityinavirtualenvironment.vcloudnetworkingandsecurityprovidesa software[basedapproachtoapplicationanddatasecurityinvirtualizedandcloudenvironments, whichhavetraditionallybeenenforcedprimarilythroughphysicalsecurityappliances.thevcloud NetworkingandSecuritysuiteconsistsofthefollowingfour(4)products: App Protectsapplicationsinavirtualdatacenteragainstnetwork[basedthreatsbyprovidinga firewallthatishypervisor[basedandapplication[aware.vcloudnetworkingandsecurityapphas visibilityofintra[vmcommunication,andenforcespolicies,firewallrulesbasedonlogicalgroups,and workloads. DataSecurity AddstoSensitiveDataDiscoveryacrossvirtualizedresourcesallowingthe organizationstoidentifyandsecuredifferenttypesofsensitivedata. Edge Enhancesprotectionofavirtualdatacenterperimeterbyprovidinggatewaysecurityservices includingcarefulinspectionfirewall,site[to[sitevpn,loadbalancing,dynamichostconfiguration Protocol(DHCP),andNetworkAddressTranslation(NAT).Italsohastheabilitytointegratewith third[partyidssolutions. VXLAN VXLANtechnologyallowscomputeresourcestobepooledacrossnon[contiguousclusters orpods.youcanthensegmentthispoolintologicalnetworksattachedtoapplications.unlike VLANs,VXLANsvirtualnetworkscanspanacrossvirtualresourcespoolsandphysicalboundaries[ andassuch,aremoreefficient,scalable,resilientandmanageable. TECHNICALGUIDE/24

26 VMwareProductAvailability GuideforHIPAAandHITECH TECHNICALGUIDE/25 ThefollowingproductmatrixexplainswhichHIPAAcontrolsareapplicabletothevCloud NetworkingandSecurity(vCNS)anditscomponents. Technical Safeguards ( ) HIPAAStandardDescription Compliance Attainability Comments AccessControls[ (a)(1) Implementtechnicalpoliciesand proceduresforelectronic informationsystemsthatmaintain electronicprotectedhealth informationtoallowaccessonlyto thosepersonsorsoftware programsthathavebeengranted accessrights. Attainable ByutilizingAppfirewallorEdgeforvCloud NetworkingandSecurity(VCNS)network restrictionsandpoliciescanbecreated, protectingvirtualassetsfrom unauthorizedaccess,basedoneither logicalgroupsoripaddresses. See:vShieldadminguide5.1[pg151 AuditControls[ (b) Implementhardware,software, and/orproceduralmechanisms thatrecordandexamineactivityin informationsystemsthatcontainor useelectronicprotectedhealth information. Attainable DataSecurityforvCloudNetworkingand Securityallowsadministratorstodiscover unstructured,sensitivedataacrossthe vsphereenvironment,allowingthe identifyingandsecuringofpii(personally identifiableinformation),pci[dss cardholderdata,andphi(protectedhealth information. See:vShieldadminguide5.1[pg177 Integrity[ (c)(1) Implementpoliciesandprocedures toprotectelectronicprotected healthinformationfromimproper alterationordestruction. NotApplicable PersonorEntityAuthentication[ (d) Implementprocedurestoverify thatapersonorentityseeking accesstoelectronicprotected healthinformationistheone Attainable ByutilizingvCloudNetworkingand SecurityEdgeenterprisescanallow secureexternalauthentication(radius, ActiveDirectory,LDAP,RSA[ACEor

27 VMwareProductAvailability GuideforHIPAAandHITECH Technical Safeguards ( ) claimed. Localsources)andcommunication (defaultisaes256[sha) tothevirtualdatacenterbyutilizingthe SSLVPN. See:vShieldadminguide5.1[pg103 TransmissionSecurity[ (e)(1) Implementtechnicalsecurity measurestoguardagainst unauthorizedaccesstoelectronic protectedhealthinformationthatis beingtransmittedoveran electroniccommunicationsnetwork Attainable vcloudnetworkingandsecurityedge allowstheability toutilizebothsslandipsecvpn connectionstoallowsecure communicationandauthentication betweendatacentersandexternaluser. See:vShieldadminguide5.1 pg103 See:vShieldadminguide5.1 pg80 Table6:ApplicabilityofHIPAAControlstovCloudNetworkingandSecuritySuite vcentersiterecoverymanager ForthepurposesofthisVMwareSolutionGuidevCenter ssiterecoverymanager,as describedbelow,canprovideforautomaticormanualrecoveryduringaservicedisruptionto accommodatehipaa/hitechrequirements. AutomatedRecoveryPlans SiterecoverymanagercanutilizetheinformationinvCentertobuild automatedrecoveryplansbasedonthelatestrunninginfrastructureinvcenter.theplanscanbe usedtofulfillcompliancerequirementsforrecoveryplansandtestresults. AutomatedDRFailoverandFailback Byusingautomation,siterecoverymanagercandetect failuresandautomaticallyfailovertothedrlocationaswellasautomaticallyfailback.manualrecovery timescanbereduceddrasticallyanderrorproneprocesseseliminated. vspherereplication[thereplicationforvsphereallowsforpoweredonreplicationofvirtual machinesfromonevspherehosttoanotherwithoutneedingstoragebasedreplicationandcan providerecoverypointsfrom15minutesto24hoursreplicatingonlychanges. ThefollowingproductmatrixexplainswhichHIPAAcontrolsareapplicabletothevCenterSiteRecovery Manager(vSRM).followingisthedetaileddescriptionofthecontrolsthatmaybemetthrough vsrmanditscomponents. Technical Safeguards ( ) HIPAAStandardDescription Compliance Attainability Comments TECHNICALGUIDE/26

28 VMwareProductAvailability GuideforHIPAAandHITECH TECHNICALGUIDE/27 Technical Safeguards ( ) AccessControls[ (a)(1) Implementtechnicalpoliciesand proceduresforelectronic informationsystemsthatmaintain electronicprotectedhealth informationtoallowaccessonlyto thosepersonsorsoftwareprograms thathavebeengrantedaccess rights. NotApplicable AuditControls[ (b) Implementhardware,software, and/orproceduralmechanisms thatrecordandexamineactivityin informationsystemsthatcontainor useelectronicprotectedhealth information. Attainable ThroughvCenterSiteRecovery Managerrecoveryplansandtest planscanbegeneratedautomatically andusedtoauditfailoveractivity betweensites. See:SRMAdministrationGuide RecoveryPlans Integrity[ (c)(1) Implementpoliciesandprocedures toprotectelectronicprotected healthinformationfromimproper alterationordestruction. Attainable ThroughthevSphereReplication product,datacanbesafelyreplicated acrosssiteswithoutriskofalteration. See:vSphereReplicationAdmin Guide PersonorEntityAuthentication[ (d) Implementprocedurestoverify thatapersonorentityseeking accesstoelectronicprotected healthinformationistheone claimed. NotApplicable TransmissionSecurity[ (e)(1)

29 VMwareProductAvailability GuideforHIPAAandHITECH Technical Safeguards ( ) Implementtechnicalsecurity measurestoguardagainst unauthorizedaccesstoelectronic protectedhealthinformationthatis beingtransmittedoveran electroniccommunicationsnetwork Attainablewiththird[party solutions vspherereplicationdoesnotprovide anyencryptionduringtransmission, thereforetheuseofathirdparty encryptionsolutionwouldbenecessary toprotectphiduringtransmissionin thecaseofreplication. Table7:ApplicabilityofHIPAAControlstovCenterSiteRecoveryManager vcenteroperationsmanagementsuite ForthepurposesofthisVMwareSolutionGuide,thevCenterOperationsManagementSuite,asdescribed below,canenableitorganizationstogainbettervisibilityandactionableintelligenceto proactivelyfacilitateservicelevels,optimumresourceusage,andconfigurationcompliancein dynamicvirtualandcloudenvironments. vcenteroperationsmanager(vcops) Usespatentedanalyticsandintegratedapproachto operationsmanagementinordertoprovidetheintelligenceandvisibilityrequiredtoproactively maintainservicelevels,optimumresourceusage,andconfigurationcomplianceindynamicvirtual andcloudenvironments. vcenterconfigurationmanager(vcm) Automatesconfigurationmanagementacrossvirtualand physicalserversanddesktops,increasingefficiencybyeliminatingmanual,error[prone,andtime[ consumingwork.thisenablesenterprisestomaintaincontinuouscompliancebydetectingchanges andcomparingthemtoconfigurationandsecuritypolicies. vcenterinfrastructurenavigator Automaticallydiscoversandvisualizesapplicationand infrastructuredependencies.itprovidesvisibilityintotheapplicationservicesrunningoverthevirtual[ machineinfrastructureandtheirinterrelationshipsforday[to[dayoperationalmanagement. ThefollowingproductmatrixexplainswhichHIPAAcontrolsareapplicabletothevCenterOperations Management(vCOPs)Suite.VMwareSolutionGuideforHIPAA/HITECH,vCenterConfiguration Manager(vCM)istheprincipalapplicationwithinthevCOPsSuitethatallowsittohelpthe usermeethipaa/hitechregulatorycompliancestandards.thefollowingisthedetailed descriptionofthecontrolsthatmaybemetthroughthesuite. Technical Safeguards ( ) HIPAAStandardDescription ComplianceAttainability Comments AccessControls[ (a)(1) Implementtechnicalpoliciesand proceduresforelectronic informationsystemsthatmaintain electronicprotectedhealth NotApplicable TECHNICALGUIDE/28

30 VMwareProductAvailability GuideforHIPAAandHITECH TECHNICALGUIDE/29 Technical Safeguards ( ) informationtoallowaccessonlyto thosepersonsorsoftwareprograms thathavebeengrantedaccess rights. AuditControls[ (b) Implementhardware,software, and/orproceduralmechanisms thatrecordandexamineactivityin informationsystemsthatcontainor useelectronicprotectedhealth information. ThevCenterOperationsManagement suiteallowsadministratorstocollect configurationdata,changetracking, andcomplianceassessmentwithin thevmwareinfrastructureforvmware productsincludingesx,esxi, vcenter,vclouddirector,and VMwarevCloudNetworkingand Securityallowingcorrelationbetween performanceandsecuritymetrics acrossthevirtualinfrastructure. Integrity[ (c)(1) Implementpoliciesandprocedures toprotectelectronicprotected healthinformationfromimproper alterationordestruction. Attainable ByutilizingvCenterConfiguration Manager(vCM)enterprisesareableto maintaincontinuouscomplianceby detectingchangesintheconfigurations maintainedandcomparingthemto configurationandsecuritypolicies acrossthevirtualenvironmentbased onvariousregulations(sarbanes[ Oxley,HIPAA,GLBAandFISMA). See:vCMAdminGuidepg153 PersonorEntityAuthentication[ (d) Implementprocedurestoverify thatapersonorentityseeking accesstoelectronicprotected healthinformationistheone claimed. NotApplicable TransmissionSecurity[ (e)(1)

31 VMwareProductAvailability GuideforHIPAAandHITECH Technical Safeguards ( ) Implementtechnicalsecurity measurestoguardagainst unauthorizedaccesstoelectronic protectedhealthinformationthatis beingtransmittedoveran electroniccommunicationsnetwork NotApplicable Table8:ApplicabilityofHIPAAControlstovCenterOperationsManagementSuite Acknowledgements VMwarewouldliketorecognizetheeffortsoftheVMwareComplianceSolutionsteam, VMwareAlliancePartners,andthenumerousVMwareteamsthatcontributedtothispaperand totheestablishmentofthevmwarecomplianceprogram.vmwarewouldalsoliketo recognizetheaccuvantlabsenterpriseriskteamwww.accuvant.comfortheirindustry guidance.accuvantprovidedhipaaandhitechguidanceandcontrolinterpretation describedherein. TheinformationprovidedbyAccuvantandcontainedinthisdocumentisforeducationaland informationalpurposesonly.accuvantmakesnoclaims,promisesorguaranteesaboutthe completenessoradequacyoftheinformationcontainedherein. AboutAccuvant AccuvantistheAuthoritativeSourceforinformationsecurity.Since2002,thecompanyhas servedmorethan5,200clients,includinghalfofthefortune100andmorethan900 educationalinstitutionsandgovernmententities.headquarteredindenver,accuvanthasoffices acrosstheunitedstatesandcanadaandhasthelargestandmostskilledteamoftechnicalsecurity professionalsintheworld AccuvantLABS.Formoreinformation,pleasevisit TECHNICALGUIDE/30

32 VMware,Inc.3401HillviewAvenuePaloAltoCA94304USATel877[486[9273Fax650[427[5001www.vmware.com Copyright 2013VMware,Inc.Allrightsreserved.ThisproductisprotectedbyU.S.andinternationalcopyrightandintellectualpropertylaws.VMwareproductsarecoveredbyoneormorepatentslistedat oftheirrespectivecompanies.itemno:vmw[twp[vmware[solution[guide[for[hipaa[hitec[uslet[103