VMware SDDC Product Applicability Guide for HIPAA/HITECH, v1.0
November 2013
TECHNICAL GUIDE

This is the first document in the Compliance Reference Architecture for HIPAA. You can find more information on the Framework and download the additional documents from the VMware HIPAA Compliance Resources on VMware Solution Exchange.
Table of Contents
Introduction ... 2
Scope and Approach ... 3
  VMware Solution Scope ... 3
  HIPAA and HITECH Act Scope ... 4
  Approach ... 4
Overview of HIPAA/HITECH Security Requirements ... 6
HIPAA Protected Health Information and Identifiers ... 9
HIPAA/HITECH Compliance Guidance ... 10
Definition of Cloud Computing ... 12
Where to Start: Considerations for Covered Entities ... 14
  Management/Business Considerations ... 15
  IT Considerations ... 15
VMware HIPAA Compliance Stack ... 15
HIPAA Security Rule Solution Applicability Matrix ... 16
HIPAA Security Rule Solution Applicability Details ... 20
  vSphere ... 20
  vCloud Director ... 22
  vCloud Networking and Security Suite ... 24
  vCenter Site Recovery Manager ... 26
  vCenter Operations Management Suite ... 28
Acknowledgments ... 30
About Accuvant ... 30
Introduction

Information security design and architectural requirements, driven by regulatory compliance, are common but critical aspects that organizations should consider when migrating from traditional IT environments to cloud computing environments. To help organizations with the arduous tasks of meeting and maintaining HIPAA and HITECH Act regulatory compliance, VMware and its partners provide suites of industry-leading virtualization solutions which address the confidentiality, integrity and availability requirements of HIPAA/HITECH. This VMware solution guide will assist in answering questions such as "How can our organization comply with HIPAA requirements within a cloud computing environment?" by providing helpful information to VMware architects, the HIPAA/HITECH community, business stakeholders and third parties.

VMware vCloud Suite is VMware's complete software-defined data center (SDDC) solution, enabling customers to build and manage their own cloud infrastructure. The vCloud Suite is offered in three editions and divided into eight discrete software components:

- vSphere: Virtualized infrastructure with policy-based automation
- vCloud Director: Virtualized datacenters with multi-tenancy and public cloud extensibility
- vCloud Connector: Integrated viewing and dynamic transfer of workloads between private and public clouds
- vCloud Networking and Security: Software-defined networking, security and ecosystem integration
- vCenter Site Recovery Manager: Automated disaster recovery planning, testing and execution
- vCenter Operations Management Suite: Integrated, proactive performance, capacity, and configuration management for dynamic cloud environments. The vCenter Operations Management Suite is broken into seven features that are offered depending on vCloud Suite edition type. These seven features are: Application Monitoring; Storage Adapters for EMC; VM Configuration Compliance; Host Configuration Compliance; Performance and Capacity Optimization; Application Awareness; Chargeback
- vFabric Application Director: Multi-tier application service catalog publishing and provisioning
- vCloud Automation Center: Self-service and policy-enabled cloud service provisioning
Figure 1. VMware vCloud Suite components

Scope and Approach

Due to the broad context of the HIPAA and HITECH Acts it is prudent to properly define and detail the scope of this document and the approach that has been taken in defining such scope. The scope is divided between the VMware components that are included, reviewed and considered highly relevant as part of this guide and the governing sections of the HIPAA and HITECH Acts that pertain to electronic data, information technology and thus network and electronic information security. While this guide provides specific technical opinions regarding the applicability of VMware solutions to HIPAA's regulations, the guide is neither comprehensive in its coverage of the entire HIPAA regulation nor prescriptive. It does not define a single implementation strategy that assures compliance.

VMware Solution Scope

Using the Enterprise edition of vCloud Suite as the basis for the VMware solution, the components applicable to this guide and detailed within this guide ("VMware Scope") include:

- vSphere
- vCloud Director
- vCloud Networking and Security (vCNS)
- vCenter Site Recovery Manager (SRM)
- vCenter Operations Management Suite (OMS): VM Configuration Compliance and Host Configuration Compliance
Those specific VMware components that are not within the scope of this document have been omitted either because of their non-applicability (i.e. the Application Monitoring, Application Awareness, Performance and Capacity Optimization and Chargeback components of vCenter OMS, vFabric Application Director and vCloud Automation Center) or because of their interdependency upon separate technology not in scope (i.e. Storage Adapters for EMC).

HIPAA and HITECH Act Scope

The portions of the HIPAA and HITECH Acts that are considered technical in nature and therefore within scope ("HIPAA Scope") of this guide consist of specific controls within HIPAA's Security Rule, 45 CFR Part 160 and Subparts A and C of Part 164. The HITECH Act and other portions of HIPAA, such as the Privacy Rule, as well as several sections of HIPAA's Security Rule, are not addressable through the use of virtualization and cloud technology, including VMware's solutions, and therefore are not covered within this document.

VMware recognizes the larger impact that the full scope of HIPAA and HITECH has upon an organization. This solutions guide is intended to help an organization understand the role that VMware's solutions can play within their larger compliance efforts. Due to the flexible nature of HIPAA and the significant impact that non-compliance can have upon an organization, it is strongly recommended that organizations establish their HIPAA and HITECH compliance efforts upon a comprehensive risk assessment strategy.

Approach

The "HIPAA Security Rule Solution Applicability Matrix" (found later in this document) maps the specific requirements of the HIPAA Security Rule to VMware's product solution suites, their technology areas and in some cases partner solutions. By understanding how the technology solutions and technology areas apply to the compliance requirements, customers are able to support their broader electronic governance, risk and compliance (eGRC) initiatives.

Figure 2. VMware + Partner Product Solutions for a Trusted Cloud
While there are many variations of cloud environments, including public, private and hybrid clouds, and there are many partner solutions that enhance an organization's ability to address confidentiality, integrity and availability, the VMware vCloud Suite can help organizations address up to 23% (as seen in Figure 3 below) of the compliance requirements of the HIPAA Security Rule.

Figure 3. HIPAA Security Rule Controls Coverage
Overview of HIPAA/HITECH Security Requirements

The Health Insurance Portability and Accountability Act of 1996 (HIPAA; Pub. L. 104-191, 110 Stat. 1936) was enacted by the United States Congress and signed by President Bill Clinton on August 21, 1996. Title II (Preventing Health Care Fraud and Abuse; Administrative Simplification; Medical Liability Reform) defines policies, procedures and guidelines for maintaining the privacy and security of individually identifiable health information, outlines numerous offenses relating to health care, and sets civil and criminal penalties for violations.

As required by Congress, HIPAA and HITECH cover the following types of organizations:

- Health plans
- Health care clearinghouses
- Health care providers who conduct certain financial and administrative transactions electronically. These electronic transactions are those for which standards have been adopted by the Secretary under HIPAA, such as electronic billing and fund transfers.

Failure to meet HIPAA compliance requirements and standards could give rise to both civil and criminal penalties. Section 13410 of the HITECH Act amends Section 1176 of the Social Security Act (42 U.S.C. 1320d-5) in order to update enforcement of HIPAA. The penalties under the Social Security Act, as amended by the HITECH Act, are divided into categories of violations and categories of penalties that are applicable to individuals and organizations.

Civil monetary penalties are tiered by the level of culpability as follows:

- In cases where the person did not know (and by exercising reasonable diligence would not have known) of the violation, the penalty is $100-$50,000 for each such violation, not to exceed $1,500,000 for all such violations of an identical provision within the same calendar year.
- In cases where the violation was due to reasonable cause and not to willful neglect, a person shall be fined $1,000-$50,000 for each such violation and not more than $1,500,000 for all such violations within the same calendar year.
- In cases where the violation was due to willful neglect and is corrected within the required period, a person shall be fined $10,000-$50,000 for each such violation and not more than $1,500,000 for all such violations within the same calendar year.
- In cases where the violation was due to willful neglect and is not corrected, a person shall be fined $50,000 for each such violation and not more than $1,500,000 for all such violations within the same calendar year.

Criminal penalties (42 U.S.C. 1320d-6) can be imposed against individuals and are divided as follows:

- Up to $50,000 and potential imprisonment of not more than 1 year in cases of wrongful disclosure of PHI.
- Up to $100,000 and potential imprisonment of not more than 5 years in cases committed under false pretenses.
- Up to $250,000 and imprisonment of not more than 10 years in cases committed with intent to sell, transfer or use PHI for commercial advantage, personal gain or malicious harm.

The HIPAA Security Rule, as defined within 45 CFR Part 160 and Subparts A and C of Part 164, has 22 standards that pertain to the safeguarding of patient data; they are outlined below. Of those 22, the standards that we believe are relevant to VMware's product solutions are marked "Applicable" in Table 1:
HIPAA Administrative Safeguards
  HIPAA Standard                                         Reference           Applicability to Technical Scope
  Security Management Process                            164.308(a)(1)(i)    Not applicable
  Assigned Security Responsibility                       164.308(a)(2)       Not applicable
  Workforce Security                                     164.308(a)(3)(i)    Not applicable
  Information Access Management                          164.308(a)(4)(i)    Not applicable
  Security Awareness and Training                        164.308(a)(5)(i)    Not applicable
  Security Incident Procedures                           164.308(a)(6)(i)    Not applicable
  Contingency Plans                                      164.308(a)(7)(i)    Not applicable
  Evaluation                                             164.308(a)(8)       Not applicable
  Business Associate Contracts and Other Arrangements    164.308(b)(1)       Not applicable

HIPAA Physical Safeguards
  HIPAA Standard                                         Reference           Applicability to Technical Scope
  Facility Access Controls                               164.310(a)(1)       Not applicable
  Workstation Use                                        164.310(b)          Not applicable
  Workstation Security                                   164.310(c)          Not applicable
  Device and Media Controls                              164.310(d)(1)       Not applicable

HIPAA Technical Safeguards
  HIPAA Standard                                         Reference           Applicability to Technical Scope
  Access Control                                         164.312(a)(1)       Applicable
  Audit Controls                                         164.312(b)          Applicable
  Integrity                                              164.312(c)(1)       Applicable
  Person or Entity Authentication                        164.312(d)          Applicable
  Transmission Security                                  164.312(e)(1)       Applicable

HIPAA Organizational Requirements
  HIPAA Standard                                         Reference           Applicability to Technical Scope
  Business Associate Contracts or Other Arrangements     164.314(a)(1)(i)    Not applicable
  Requirements for Group Health Plans                    164.314(b)(1)       Not applicable

HIPAA Policies and Procedures and Documentation Requirements
  HIPAA Standard                                         Reference           Applicability to Technical Scope
  Policies and Procedures                                164.316(a)          Not applicable
  Documentation                                          164.316(b)(1)(i)    Not applicable

Table 1: HIPAA Security Standards

HIPAA Protected Health Information and Identifiers

Protected health information (PHI) has been defined by the US Department of Health and Human Services ("HHS") as any information in the medical record or designated record set that can be used to identify an individual and that was created, used, or disclosed in the course of providing a health care service such as diagnosis or treatment. HIPAA regulations allow researchers to access and use PHI when necessary to conduct research. However, HIPAA only affects research that uses, creates, or discloses PHI that will be entered into the medical record or will be used for health care services, such as treatment, payment or operations.

As defined by the Health Resources and Services Administration [1]:

"Under the HIPAA Privacy Rule, protected health information (PHI) refers to individually identifiable health information. Individually identifiable health information is that which can be linked to a particular person. Specifically, this information can relate to:
- The individual's past, present or future physical or mental health or condition,
- The provision of health care to the individual, or,
- The past, present, or future payment for the provision of health care to the individual.
Common identifiers of health information include names, social security numbers, addresses, and birth dates.
The HIPAA Security Rule applies to individually identifiable health information in electronic form, or electronic protected health information (ePHI). It is intended to protect the confidentiality, integrity, and availability of ePHI when it is stored, maintained, or transmitted."

The 18 PHI identifiers that have been defined within HIPAA by the HHS as in-scope include:

1. Names;
2. All geographical subdivisions smaller than a State [2];
3. All elements of dates (except year) for dates directly related to an individual [3];
4. Phone numbers;
5. Fax numbers;
6. Electronic mail addresses;
7. Social Security numbers;
8. Medical record numbers;
9. Health plan beneficiary numbers;
10. Account numbers;
11. Certificate/license numbers;
12. Vehicle identifiers and serial numbers, including license plate numbers;
13. Device identifiers and serial numbers;
14. Web Universal Resource Locators (URLs);
15. Internet Protocol (IP) address numbers;
16. Biometric identifiers, including finger and voice prints;
17. Full face photographic images and any comparable images; and
18. Any other unique identifying number, characteristic, or code (note this does not mean the unique code assigned by the investigator to code the data).

[1] http://www.hrsa.gov/healthit/toolbox/healthitadoptiontoolbox/privacyandsecurity/underhipaa.html
[2] With exceptions
[3] With exceptions

HIPAA/HITECH Compliance Guidance

While formal guidelines have not yet been released recommending explicit security guidelines for HIPAA compliance within a public cloud environment, in 2007 the U.S. Department of Health and Human Services ("HHS") released an "Educational Paper Series" that covered a number of security principles in an effort to provide HIPAA covered entities insight into the Security Rule [4]. The papers covered a variety of topics:

- Security 101 for Covered Entities
- Administrative Safeguards
- Physical Safeguards
- Technical Safeguards
- Organizational, Policies and Procedures and Documentation Requirements
- Basics of Risk Analysis and Risk Management
- Security Standards: Implementation for the Small Provider

All of the papers provided by the HHS are recommended in developing an understanding of HIPAA's intent. Of the seven papers, "Security 101 for Covered Entities", "Technical Safeguards" and "Basics of Risk Analysis and Risk Management" hold the most relevance to the VMware scope defined in an earlier section.

[4] http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/securityruleguidance.html
Figure 4. HIPAA Security Series #1, #4 and #6

In addition to the Educational Paper Series, HHS released in 2010 a guidance paper relative to HITECH titled "Guidance on Risk Analysis Requirements under the HIPAA Security Rule". This paper is intended to assist organizations in understanding what HHS considers "the most effective and appropriate administrative, physical and technical safeguards" [5] relative to ePHI. In this document the HHS very specifically acknowledges limited prescriptive specificity within the Security Rule and points at one very clear directive: base the identification and implementation of the various safeguards upon risk analysis.

"We understand that the Security Rule does not prescribe a specific risk analysis methodology, recognizing that methods will vary dependent on the size, complexity, and capabilities of the organization. Instead, the Rule identifies risk analysis as the foundational element in the process of achieving compliance, and it establishes several objectives that any methodology adopted must achieve." [6]

The guide provides additional clarification between the terms "addressable" and "required", noting that addressable specifications are not optional and require organizations to determine whether each addressable specification is reasonable and appropriate. Organizations "must document" [7], as part of that determination process, why a particular specification was determined to be unreasonable or inappropriate.

[5] From Guidance on Risk Analysis Requirements Under HIPAA Security Rule, pg. 1, posted July 14, 2010
[6] From Guidance on Risk Analysis Requirements Under HIPAA Security Rule, pg. 2, posted July 14, 2010
[7] From Guidance on Risk Analysis Requirements Under HIPAA Security Rule, pg. 2, posted July 14, 2010
Figure 5. Guidance on Risk Analysis Requirements Under the HIPAA Security Rule

Definition of Cloud Computing

Cloud computing can be defined as a model for leveraging pools of shared resources on-demand, such as networks, storage, servers, applications and services. These shared resources, known as a "cloud", provide a multitude of capabilities, some of which include scalability, elasticity of IT resources, a smaller environmental footprint such as power or physical space, and finally more accurate economies of scale.

Cloud computing is nothing new, and has origins dating back to the early 1950s and 1960s, when mainframes were modified to provide better efficiency and scalability. The term "cloud" itself became commonplace when in the 1990s the graphic of a cloud was used to identify the Internet or any other shared network. It has really been in the last decade that a mature definition of "Cloud Computing" has been established. Several key events occurred that helped to establish current day cloud computing:

1. In 1999 VMware introduced the VMware Virtual Platform that provided the first affordable and reliable virtualization platform, enabling broad adoption of virtualization within the datacenter and ultimately supporting private cloud computing.
2. In 2006 Amazon released Amazon Web Services (AWS), expanding cloud computing from a private endeavor to a utility provided to external customers.

VMware defines cloud or utility computing as the following:

"Cloud computing is an approach to computing that leverages the efficient pooling of on-demand, self-managed virtual infrastructure, consumed as a service. Sometimes known as utility computing, clouds provide a set of typically virtualized computers which can provide users with the ability to start and stop servers or use compute cycles only when needed, often paying only upon usage."
There are several key characteristics of cloud computing that are recognized throughout the industry. The first key characteristic of the cloud is its service models. The second key characteristic of the cloud is its deployment models. Four distinct deployment models exist (which do not necessarily align with the service models): the private cloud, the public cloud, the hybrid cloud (combining both public and private), and finally the community cloud.

The Cloud's service models are divided into four separate service models:

- Infrastructure as a Service (IaaS): As the name suggests, the IaaS model is specific to the infrastructure that supports cloud computing. IaaS solution providers offer physical or virtual computers, disk, network routing and switching infrastructure and other network and security infrastructure.
- Platform as a Service (PaaS): Building upon an IaaS solution, the PaaS model provides the computing platform necessary to run and support the applications and services. A PaaS solution provider typically provides the operating systems, service application stack (such as web servers and database servers), and other necessary environment support (such as programming languages, frameworks and services).
- Software as a Service (SaaS): Certainly the most visible of the service models, the SaaS model provides access to fully operational applications. These applications are fully managed at the platform and infrastructure level and are often supported through separate IaaS and PaaS providers.
- Network as a Service (NaaS): This final model brings common network, transport or VPN connectivity to the market.

The Cloud's deployment models are also divided into four distinct models today. The deployment models do not necessarily align with the service models defined above.

- Private Cloud: The cloud infrastructure is operated solely for an organization and may be managed by the organization or a third party. The cloud infrastructure may be on-premise or off-premise.
- Public Cloud: The cloud infrastructure is made available to the general public or to a large industry group and is owned by an organization that sells cloud services.
- Hybrid Cloud: The cloud infrastructure is a composition of two or more clouds (private and public) that remain unique entities, but are bound together by standardized technology. This enables data and application portability, for example cloud bursting for load balancing between clouds. With a hybrid cloud, an organization gets the best of both worlds, gaining the ability to burst into the public cloud when needed while maintaining critical assets on-premise.
- Community Cloud: The cloud infrastructure is shared by several organizations and supports a specific community that has shared concerns (for example, mission, security requirements, policy, and compliance considerations). It may be managed by the organizations or a third party, and may exist on-premise or off-premise.

Figure 6. Cloud Computing Overview

To learn more about VMware's approach to cloud computing, please review the following:

- VMware Cloud Computing Overview: http://www.vmware.com/solutions/cloud-computing/index.html#tab3
- VMware's vCloud Architecture Toolkit: http://www.vmware.com/cloud-computing/cloud-architecture/vcat-toolkit.html

Organizations considering the potential compliance impact cloud computing has upon critical applications that may be highly regulated should consider the following questions:

- To what extent do those applications leverage cloud architecture?
- What service models and deployment models are being used to transmit and store protected health information, and who are the cloud providers involved?
- Are the cloud platforms used trusted platforms, and what compliance assurances are provided by the cloud providers involved?
- For which industry-recognized certifications has the cloud provider, environment and service been audited and certified as compliant?

A final critical point that must be considered is that, because HIPAA does not prescribe how to meet regulatory compliance (i.e. which technology to use, how to implement said technology, etc.), it is imperative that an organization's business and IT stakeholders are aligned on the technology requirements that those stakeholders drive.

VMware is the global leader in virtualization, the key technology that enables cloud computing. VMware's vCloud Suite is a turnkey, integrated virtualization solution for building and managing a complete cloud infrastructure, allowing customers to realize the many benefits of cloud computing.
Prior to undertaking any HIPAA compliance project, VMware recommends that customers determine a "health check" status of systems compliance. Customers can implement VMware's "HIPAA Compliance Checker" by downloading the application from the following location: https://my.vmware.com/web/vmware/evalcenter?p=compliance-chk&lp=default&cid=70180000000mjsmaaw

Where to Start: Considerations for Covered Entities

When it comes to the question of where to start, HIPAA and the guidance around HIPAA are quite specific. Organizations that are working on achieving HIPAA and HITECH compliance should start with a risk assessment. As noted by the Department of Health and Human Services relative to HIPAA's Security Rule:

"the Rule identifies risk analysis as the foundational element in the process of achieving compliance, and it establishes several objectives that any methodology adopted must achieve" [8]

[8] From Guidance on Risk Analysis Requirements Under HIPAA Security Rule, pg. 2, posted July 14, 2010
What is very important to note is that utilizing a virtual or cloud environment has no greater impact relative to HIPAA compliance than traditional information technology, beyond the differences that are typically considered between virtualization, cloud and traditional technology. Organizations can utilize a strong risk management approach toward their HIPAA compliance efforts and take advantage of the many advantages provided by virtual or cloud environments, because the risk assessment effort should inform the organization of the proper application of security within the virtual or cloud environment.

Independent of HIPAA or HITECH, the move to cloud and virtual environments is filled with technical considerations and business decisions, some of which differ from traditional information technology. Organizations should review the benefits and risks of their current environment and compare them to the different cloud deployment models and service models.

The following questions may be important when considering the potential business impact, benefits, and risks of a virtual and/or cloud environment.

Management/Business Considerations

1. Can the Cloud be a strategic differentiator for the business or is it a commodity service?
2. What is the strategic value that the Cloud could deliver to the organization?
3. What are the areas where the Cloud can provide additional value to the company?
4. What is the business value that the Cloud could deliver to operations?
5. Have there been any previous attempts to virtualize or outsource critical operations?
6. What Cloud models, including Public, Hybrid and Private, are being considered?
7. What are the critical IT services that are or could be outsourced?

IT Considerations

1. Are the organizational business, IT, and GRC groups aligned with the virtualization or cloud strategy?
2. Has the proposed virtualization implementation been communicated to GRC and approval received?
3. How has GRC affected IT Operations and does it mandate any considerations when considering virtualization or cloud environments?
4. Has the flow of ePHI been identified and documented?
5. Have all systems (servers, SANs, SIEMs) which store ePHI and are considered "in-scope" for HIPAA compliance been identified? Which virtualization or cloud deployment model and service model will be implemented?
6. How can virtualization or cloud technology benefit existing IT initiatives? Are there efforts to consolidate IT functions that can be addressed with cloud?
7. What IT operational changes should be made, from a segregation of duties perspective, to account for the conversion of physical to virtualized resources within the organization?
8. Where can virtualization and/or Cloud improve existing SLAs or OLAs (internal, external)?

VMware HIPAA Compliance Stack

VMware provides an extensive suite of products designed to support an organization's information security and compliance requirements. While every environment will have unique needs, the following HIPAA/HITECH compliance stack provides a comprehensive mix of VMware solutions that can help organizations meet the compliance and governance requirements of HIPAA/HITECH.

  vCloud Suite Product                    Product Components or Features
  vSphere                                 ESXi, vMotion, Storage vMotion, High Availability, Data Protection and Replication, and Host Profiles
  vCloud Director                         Elastic Virtual Datacenters, Service Catalog and Multi-Tenancy
  vCloud Networking and Security Suite    Edge, App Firewall, VXLAN, and Data Security
  vCenter Site Recovery Manager           Recovery Plans, Automated DR Failover and Failback, vSphere Replication
  vCenter Operations Management Suite     VM Configuration Compliance, and Host Configuration Compliance

Table 2: VMware HIPAA/HITECH Compliance Stack

The products and features in Table 2 map to HIPAA/HITECH requirements and are addressed in detail in the following sections. To determine the products and features available with VMware suites please refer to VMware.com.

HIPAA Security Rule Solution Applicability Matrix

VMware has created a HIPAA Security Rule Requirements Matrix to assist organizations with an understanding of VMware solutions, VMware partner solutions (where they overlap), and the remaining customer responsibilities that should be addressed separately by the customer through use of other tools or processes. While every cloud is unique, VMware believes that the technical requirements found within the Security Rule can be addressed through the VMware suites and/or VMware partner solutions.

The remaining gaps in addressing HIPAA/HITECH requirements may be filled by the customer through processes, procedures and other tools (e.g. approving customers' policies, keeping an updated network diagram, approving changes, etc.).
Figure 7. VMware Solutions

Figure 8. Diagrammatic Representation of VMware and VMware Partner Products for HIPAA
  HIPAA Standard                                         Ref.                Addressed in      Addressed or       Not addressed by
                                                                             VMware's suites   enhanced by        VMware or partners
                                                                                               partners
  Security Management Process                            164.308(a)(1)(i)    No                No                 Yes
  Assigned Security Responsibility                       164.308(a)(2)       No                No                 Yes
  Workforce Security                                     164.308(a)(3)(i)    No                No                 Yes
  Information Access Management                          164.308(a)(4)(i)    No                No                 Yes
  Security Awareness and Training                        164.308(a)(5)(i)    No                No                 Yes
  Security Incident Procedures                           164.308(a)(6)(i)    No                No                 Yes
  Contingency Plan                                       164.308(a)(7)(i)    No                No                 Yes
  Evaluation                                             164.308(a)(8)       No                No                 Yes
  Business Associate Contracts and Other Arrangements    164.308(b)(1)       No                No                 Yes
  Facility Access Controls                               164.310(a)(1)       No                No                 Yes
  Workstation Use                                        164.310(b)          No                No                 Yes
  Workstation Security                                   164.310(c)          No                No                 Yes
  Device and Media Controls                              164.310(d)(1)       No                No                 Yes
  Access Control                                         164.312(a)(1)       Yes               Yes                No
  Audit Controls                                         164.312(b)          Yes               Yes                No
  Integrity                                              164.312(c)(1)       Yes               Yes                No
  Person or Entity Authentication                        164.312(d)          Yes               Yes                No
  Transmission Security                                  164.312(e)(1)       Yes               Yes                No
  Business Associate Contracts or Other Arrangements     164.314(a)(1)(i)    No                No                 Yes
  Requirements for Group Health Plans                    164.314(b)(1)       No                No                 Yes
  Policies and Procedures                                164.316(a)          No                No                 Yes
  Documentation                                          164.316(b)(1)(i)    No                No                 Yes

Table 3: HIPAA Security Rule Requirements
HIPAA Security Rule Solution Applicability Details

vSphere

For the purposes of this VMware Solution Guide for HIPAA/HITECH, vSphere's components and features, as described below, can support automatic compliance and deployment scenarios to accommodate HIPAA/HITECH requirements.

ESXi is a bare-metal hypervisor installed on physical servers. ESXi allows for partitioning the physical resources into multiple virtual machines and allows for management of multiple ESXi hosts through a single management platform (vCenter Server).

vMotion allows live, running virtual machines to move from one physical server to another without disruption. The ability to dynamically and automatically move live running virtual machines can ease scaling and allow workloads to be performed within virtual segments.

Storage vMotion provides the ability to migrate live virtual machine disks across any storage arrays supported by vSphere.

High Availability allows applications running in virtual machines to run in high availability mode, protecting the application from hardware and operating system failures by monitoring the state of the virtual machine and physical host and automatically restarting the virtual machine on other physical servers.

Data Protection and Replication: Data Protection provides agent-less, image-level backup and recovery powered by EMC Avamar. Backups are done via fast and efficient backup to disk and also provide fast recovery. vSphere Replication allows for replication of powered-on virtual machines from one vSphere host to another without needing storage-based replication.

Host Profiles allow for the consistency and automation of deploying physical ESX/ESXi hosts rapidly. Host Profiles allow for automatic deployment of configurations to hosts and provide automatic compliance checking of hosts against those configurations. Simplifying operational management also reduces the possibility for misconfiguration.

The following product matrix explains which HIPAA controls are applicable to vSphere and its components.
Technical Safeguards (164.312)

  HIPAA Standard                         Description                                                          Compliance Attainability    Comments
  Access Controls, 164.312(a)(1)         Implement technical policies and procedures for electronic           Attainable                  ESXi and vCenter can be configured to provide access control for
                                         information systems that maintain electronic protected health                                    individual users and also protect access to systems and features
                                         information to allow access only to those persons or software                                    within vSphere by implementing role-based access.
                                         programs that have been granted access rights.                                                   See: Configuring Active Directory
                                                                                                                                          See: Configuring Authentication &
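The comment above rests on vCenter's role-based permission model, and an access-control assessor for 164.312(a)(1) needs to know how that model actually decides who can do what. The following is an added example, not part of the original guide and not VMware's code: a small Python model of how vCenter resolves a user's effective privileges on an inventory object. The rules modelled follow the vSphere permission model (a permission propagates down the inventory tree only when its propagate flag is set; a permission defined on a child object overrides one inherited from an ancestor; on the same object a permission assigned directly to a user takes precedence over permissions the user holds through groups, while several group permissions on one object are unioned). The inventory tree, the custom role named VMOperator, the users alice/bob/carol, the groups and the privilege strings are constructed for the example; the built-in role names Administrator, ReadOnly and NoAccess are vCenter's.

```python
"""
Simplified model of vCenter permission resolution.

Added example for this guide; not VMware code. The role catalogue, inventory
tree, principals and privilege strings below are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Role name -> privilege IDs. "*" stands for every privilege (Administrator).
# Administrator, ReadOnly and NoAccess mirror vCenter's built-in roles;
# VMOperator is a custom role invented for this example.
ROLES: Dict[str, Set[str]] = {
    "Administrator": {"*"},
    "ReadOnly": {"System.Anonymous", "System.View", "System.Read"},
    "NoAccess": set(),
    "VMOperator": {"System.View", "System.Read",
                   "VirtualMachine.Interact.PowerOn",
                   "VirtualMachine.Interact.PowerOff"},
}


@dataclass
class Permission:
    principal: str    # user or group name
    role: str         # key into ROLES
    propagate: bool   # also applies to descendants of the object


@dataclass
class InvObject:
    """An inventory object (vCenter root, datacenter, folder, VM, ...)."""
    name: str
    parent: Optional["InvObject"] = None
    perms: List[Permission] = field(default_factory=list)

    def grant(self, principal: str, role: str, propagate: bool = True) -> "InvObject":
        self.perms.append(Permission(principal, role, propagate))
        return self


def effective_privileges(obj: InvObject, user: str, groups: Set[str]) -> Set[str]:
    """Resolve the privileges `user` (member of `groups`) holds on `obj`.

    Walk from the object towards the root. The nearest object on which the
    user holds an applicable permission (directly or via a group) decides:
    a direct user permission wins over group permissions on that object,
    and group permissions on the same object are unioned. Permissions on
    ancestors count only if they propagate.
    """
    node, inherited = obj, False
    while node is not None:
        applicable = [p for p in node.perms if p.propagate or not inherited]
        user_roles = [p.role for p in applicable if p.principal == user]
        group_roles = [p.role for p in applicable if p.principal in groups]
        chosen = user_roles[:1] or group_roles
        if chosen:
            privs: Set[str] = set()
            for role in chosen:
                privs |= ROLES[role]
            return privs
        node, inherited = node.parent, True
    return set()  # no permission anywhere on the path: no access at all


def has_privilege(obj: InvObject, user: str, groups: Set[str], privilege: str) -> bool:
    privs = effective_privileges(obj, user, groups)
    return "*" in privs or privilege in privs


def administrator_grants(objects: Iterable[InvObject]) -> List[Tuple[str, str, bool]]:
    """Least-privilege review aid: every place the Administrator role is granted."""
    return [(o.name, p.principal, p.propagate)
            for o in objects for p in o.perms if p.role == "Administrator"]


def build_sample_inventory() -> Dict[str, InvObject]:
    """Constructed inventory: a PHI datacenter with an EHR folder and a Test folder."""
    vc = InvObject("vcenter").grant("grp-vi-admins", "Administrator")
    dc = InvObject("DC-PHI", vc).grant("grp-helpdesk", "ReadOnly")
    ehr = InvObject("EHR", dc).grant("alice", "VMOperator")   # alice is also in grp-helpdesk
    ehr_db = InvObject("ehr-db-01", ehr)
    test = InvObject("Test", dc).grant("bob", "Administrator", propagate=False)
    test_vm = InvObject("test-vm-01", test)
    return {o.name: o for o in (vc, dc, ehr, ehr_db, test, test_vm)}


if __name__ == "__main__":
    inv = build_sample_inventory()
    checks = [
        ("alice", {"grp-helpdesk"}, "ehr-db-01", "VirtualMachine.Interact.PowerOn"),
        ("alice", {"grp-helpdesk"}, "test-vm-01", "VirtualMachine.Interact.PowerOn"),
        ("bob", set(), "Test", "VirtualMachine.Interact.PowerOn"),
        ("bob", set(), "test-vm-01", "System.View"),
        ("carol", {"grp-vi-admins"}, "ehr-db-01", "Datastore.Browse"),
    ]
    for user, groups, obj, priv in checks:
        print(f"{user:6} on {obj:11} {priv:36} -> {has_privilege(inv[obj], user, groups, priv)}")
    print("Administrator grants:", administrator_grants(inv.values()))
```

Two results are worth noting when reviewing a real vCenter against 164.312(a)(1). The helpdesk group's ReadOnly grant at the datacenter does not give alice power operations on a test VM, but her direct VMOperator grant on the EHR folder overrides that inherited ReadOnly for every VM inside the folder, so reviewing permissions only at the datacenter level would miss it. And bob's non-propagating Administrator grant on the Test folder confers nothing on the VMs inside it, which is the right way to scope a folder-management role; administrator_grants() is the kind of listing an assessor should pull so that every Administrator assignment, propagating or not, is justified.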