Solutions Brief. Citrix Solutions for Healthcare and HIPAA Compliance. citrix.com/healthcare


While most people are well aware of the repercussions of losing personal or organizational data, from identity theft to termination, the penalties for losing patient data under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH) are far more severe. Financial penalties range up to $1.5 million, and can be accompanied by potential damage to your brand. To help you avoid these problems, Citrix prepared this guide to take some of the guesswork out of how to apply our technologies to meet specific requirements of the HIPAA Security Rule. This document will also help you better understand how your investment in Citrix solutions can help you support broader enterprise governance, risk, and compliance (eGRC) initiatives going forward.

The matrix is based upon the HIPAA Security Standards rule published in the Federal Register on February 20, 2003 (45 CFR Parts 160 and 164, Health Insurance Reform: Security Standards; Final Rule). The Department of Health and Human Services provides the HIPAA Security Standards on its website: http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/securityruleguidance.html

An overview of HIPAA and HITECH

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a U.S. law with the objective of providing privacy standards designed to protect patients' medical records and specified health information provided to health plans, doctors, hospitals, and other healthcare providers. At a high level, HIPAA breaks into the following categories:

  - HIPAA Privacy Rule, which creates a minimum standard for the protection of health information and privacy rights for all in the U.S.
  - HIPAA Security Rule, which establishes physical, technical, and administrative safeguards for electronic transactions of electronic protected health information (ePHI) and links closely to the Privacy Rule.

These categories break into the following subcategories:

  - Technical safeguards, which include access control, audit controls, integrity controls, and transmission security.
  - Physical safeguards, which include facility access and control, as well as physical workstation and device security.
  - Administrative safeguards, which include security management processes, security personnel, information access management, training, and assessment.
  - Organizational policies/procedures and documentation requirements, which include covered entity responsibilities, business associate contracts, and policy/procedure and documentation requirements and updates.
  - Transaction and code sets standards, which are designed to achieve administrative simplification on a national scale.

Citrix IT solutions for healthcare

The tables below identify the specific requirements of the HIPAA Security Rule, what they call for to be successfully implemented, and the recommended Citrix products that can help you achieve that. You'll also find valuable information that estimates how much impact Citrix technology can have on compliance. In each table, (R) marks a required implementation specification and (A) an addressable one, and the Citrix impact on each standard is rated as follows:

Enhanced: Compliance with the rule is enhanced by the use of Citrix technologies; however, additional measures are required for full compliance.

Enabled: Compliance with the rule is enabled by the use of Citrix technologies; however, compliance will depend on several factors within the customers' exclusive control, including system design, deployment attributes, administrative settings, and inclusion of non-Citrix technologies.

ADMINISTRATIVE SAFEGUARDS (164.308)

Security Management Process, 164.308(a)(1)
  - Conduct HIPAA/ePHI assessment and risk analysis (R)
  - Implement measures to manage/reduce HIPAA risks (R)
  - Apply sanctions against non-compliant workers (R)
  - Conduct regular system review (logs, incidents, etc.) (R)

Assigned Security Responsibility, 164.308(a)(2)
  - Identify, assign, and train HIPAA security officer

Workforce Security, 164.308(a)(3)
  - Authorization and/or supervision of workforce (A)
  - Develop workforce clearance/verification procedure (A)

Enhanced: While this rule is administrative in nature, the Citrix product suite influences successful compliance in that XenApp, XenDesktop, XenMobile, and ShareFile each function to reduce risk associated with loss or exposure of ePHI, combining data containment strategies with encryption, auditing, and granular policy. As the delivery mechanism for the controlled applications and data, Citrix products are uniquely suited to improve compliance.

Enhanced: XenDesktop and XenApp bring unparalleled visibility into all applications and user sessions in a compliant environment. With the ability to determine who used an application, when, for how long, and what application-level errors or messages occurred, IT staff benefit from a much more granular set of audit logs than they would with traditional application delivery mechanisms. Audit information contained within Citrix logs can provide information to security and IT teams for both active incidents and investigations after the fact.

Citrix products: XenDesktop, XenApp, XenMobile, ShareFile

ADMINISTRATIVE SAFEGUARDS (164.308), continued

Workforce Security (continued), 164.308(a)(3)
  - Implement procedures for access termination (A)

Enhanced: Although access termination is an administrative task, XenDesktop and XenApp increase IT and security teams' ability to remove access for terminated employees, both preventing them from logging into protected applications and preventing them from seeing the applications. This is most beneficial when large numbers of applications are used that are not integrated into a central directory (such as Active Directory) and would otherwise require a complex process or individual application restrictions across a large number of applications. Additionally, use of XenMobile and ShareFile provides the same ability as XenDesktop and XenApp but extends control and access termination to corporate-provided or, more importantly, user-owned mobile devices. When properly configured, not only will access be terminated on mobile devices, but all controlled data will be removed, regardless of whether or not the device is on the network.

Citrix products: XenApp, XenDesktop, XenMobile, ShareFile

Information Access Management, 164.308(a)(4)
  - Isolate any healthcare clearinghouse functions (R)
  - Implement policies to authorize access to ePHI by job function (A)
  - Establish policies to review/modify user access rights (A)

Enhanced: Use of Citrix products and integration with a central user directory allows increased granularity of control when configuring access for users. While traditional delivery methods restrict the user's ability to log in to controlled applications, XenApp and XenDesktop effectively remove the ability to even see the application unless the job function or role permits it. This increased granularity and control allows the IT and security teams to minimize their attack surface, provide a second mechanism to ensure that users who shouldn't have access to applications don't, and significantly reduce unauthorized access attempts from users or third parties.

Citrix products: XenMobile

Security Awareness and Training, 164.308(a)(5)
  - Implement and conduct periodic security updates/training (A)
  - Implement protection from malicious software; establish process for regular system patch and security updates (A)

Enhanced: Use of Citrix Provisioning Server with XenApp and XenDesktop ensures that malicious software is removed from systems upon reboot (typically automated) and that all servers and desktops based on the provisioned image maintain identical patch and security update configuration. This reduces the overall burden on IT and security staff and ensures significantly higher levels of compliance with this safeguard, especially when used at scale.

Citrix products: Provisioning Server

ADMINISTRATIVE SAFEGUARDS (164.308), continued

Security Awareness and Training (continued), 164.308(a)(5)
  - Establish/implement procedures for login monitoring (A)
  - Establish/implement procedures and rules for strong password management (A)

Enhanced: When used in conjunction with application-level logging, XenApp, XenDesktop, and XenMobile enable increased granularity and monitoring capabilities down to the application level, providing additional data regarding who is logging into an application, from where, and for how long. This allows IT and security staff additional visibility into users' access to controlled applications as well as faster correlation in the event of compromise or incident.

Citrix products: XenMobile

Security Incident Procedures, 164.308(a)(6)
  - Implement policies and procedures to address and report security incidents (R)

Contingency Plan, 164.308(a)(7)
  - Implement procedures to make exact copies of ePHI data (R)
  - Implement plans/procedures to restore any loss of data (R)
  - Establish continuity plans to continue operations and protect ePHI in case of emergency mode operations (R)
  - Periodically test and revise contingency/emergency plans (A)
  - Assess criticality of applications and data in contingency plans for emergency mode operations (A)

Enhanced: When combined with [...], XenApp and XenDesktop provide significantly improved disaster recovery/business continuity capabilities in the event that normal operations are disrupted. By reducing the level of effort and complexity of delivering applications and data from a secondary location (on-premise or cloud-based), IT and security staff are free to focus on restoration procedures while clinical users have a much more robust user experience than with traditional continuity plans.

Evaluation, 164.308(a)(8)
  - Perform periodic technical and non-technical evaluation of environment and operations as they pertain to ePHI

Business Associate Contracts and Other Arrangements, 164.308(b)(1)
  - Establish written contracts with business associates (R)

PHYSICAL SAFEGUARDS (164.310)

Facility Access Controls, 164.310(a)(1)
  - Provide for facility access for contingency operation mode (A)
  - Develop procedures for physical security of ePHI (A)
  - Control individual physical access to ePHI (employees/visitors/contractors) (A)
  - Document maintenance to physical components/facility (A)

Workstation Use, 164.310(b)
  - Implement policies for proper use and location of user devices that can access ePHI (on/off-premise laptops and workstations)

Enhanced: XenApp, XenDesktop, and XenMobile enable IT and security staff to have simpler and more effective policies regarding the location of, and authorization to access, protected applications and infrastructure both on and off premise: applications and machines housing ePHI are centralized in the data center, and users are granted access to interact with them only during active use. Combined with two-factor authentication, a properly deployed Citrix environment ensures that data stays within the data center regardless of the device type, ownership, or location.

Citrix products: XenMobile

Workstation Security, 164.310(c)
  - Implement physical safeguards for all workstations that access ePHI to restrict access only to authorized users

Enhanced: XenApp, XenDesktop, and XenMobile allow integration with HID, smart card, and other authentication technologies that restrict the ability to access ePHI even with physical access to the device. Working on the principle of granting access with something you know (username/password) and something you have (HID badge, smart card, etc.), Citrix combines physical and logical controls even on campus. Further, when configured to automatically secure applications and desktops that have been idle for a specified period of time, Citrix technologies help keep security intact even in the event of an abandoned session.

Citrix products: XenMobile

Device and Media Controls, 164.310(d)(1)
  - Implement procedures to address final disposal of media and devices containing ePHI, including internal/external (R)
  - Implement policies for reuse of media containing ePHI (R)
  - Maintain records of movement of hardware and media containing ePHI inside and outside of facility (A)
  - Create exact copy of ePHI before movement of equipment (A)

TECHNICAL SAFEGUARDS (164.312)

Access Control, 164.312(a)(1)
  - Assign a unique identifier to track user identity (R)

Enhanced: XenApp, XenDesktop, and XenMobile allow IT and security teams to leverage the unique identifier to determine whether a user should even see an application that contains ePHI or log in to said application. Additionally, robust logging of user activity in Citrix allows IT and security to track activity before and after access to ePHI applications, further enhancing visibility.

Citrix products: XenMobile

  - Create procedures to access ePHI during an emergency (R)

Enabled: With the capability to provision Citrix presence to cloud services such as Amazon, Microsoft, etc., certain emergency circumstances can be mitigated, thereby enhancing the ability to provide emergency procedures and improving the clinician experience in the event of an emergency (for example, an ePHI export/repository hosted in a Citrix environment in the cloud, with hotspots or other technology to provide access in the event that the network is down).

  - Terminate a user session after a certain period of inactivity (A)

Enabled: Citrix natively provides granular timeouts and the ability to secure idle sessions. For example, if a session is abandoned or inactive, the session times out and secures the user's environment; however, because the session is only in a disconnected state, it is ready for the user to resume work where they left off, bringing the session back to an active state from the secured/disconnected state (which allows for a more aggressive timeout for the initial disconnect/securing of the session). If the disconnected session is not used within a specified amount of time, the session is terminated completely. This granular control provides a much more robust user experience with a high level of security and brings compliance with this rule beyond just the applications, securing the entire environment and all associated ePHI.

Citrix products: XenMobile

  - Implement a mechanism to encrypt/decrypt ePHI (A)

Enabled: Use of XenApp and XenDesktop not only reduces the amount of data that needs to be encrypted, by keeping all data in the data center and enforcing policies that do not allow export or removal of data outside of the data center (data that is typically cached or copied to distributed PCs/workstations), but also provides in-flight encryption for ALL information accessed. XenMobile and ShareFile ensure that ePHI distributed outside of the confines of an organization's secured network or owned assets is encrypted and secure (for example, on mobile phones, tablets, personal computers, etc.).

Citrix products: XenMobile, ShareFile
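The two-stage idle timeout described above (secure and disconnect first, terminate only after a second, longer period, with reconnection allowed in between) is easy to get subtly wrong when written as policy. The following is an added example, not Citrix code and not a Citrix policy setting: it models that behaviour as a small state machine over timestamped events so that the effect of the two timeouts can be checked against a timeline. The timeout values and the event names are assumptions chosen for the example.

```python
"""Two-stage idle-session policy: active -> disconnected (secured) -> terminated.

Added example, not Citrix code. It models the behaviour the brief describes:
an idle session is first disconnected and secured, can be resumed from that
state, and is terminated only after a second, longer timeout. The timeout
values below are assumptions, not Citrix defaults.
"""
from dataclasses import dataclass, field
from typing import List, Tuple

ACTIVE, DISCONNECTED, TERMINATED = "active", "disconnected", "terminated"


@dataclass
class SessionPolicy:
    idle_disconnect_s: int = 300        # assumed: secure/disconnect after 5 min idle
    disconnect_terminate_s: int = 3600  # assumed: terminate after 60 min disconnected


@dataclass
class Session:
    user: str
    policy: SessionPolicy
    state: str = ACTIVE
    last_input: int = 0        # time of last user input (seconds)
    disconnected_at: int = 0   # time the session entered the disconnected state
    history: List[Tuple[int, str]] = field(default_factory=list)  # (time, new state)

    def _transition(self, t: int, new_state: str) -> None:
        self.state = new_state
        self.history.append((t, new_state))

    def tick(self, t: int) -> str:
        """Apply both timeouts as of time t and return the resulting state.

        The disconnect is dated from the last input, and the termination from
        the disconnect, so a late tick still records the correct timestamps.
        """
        if self.state == ACTIVE and t - self.last_input >= self.policy.idle_disconnect_s:
            self.disconnected_at = self.last_input + self.policy.idle_disconnect_s
            self._transition(self.disconnected_at, DISCONNECTED)
        if self.state == DISCONNECTED and t - self.disconnected_at >= self.policy.disconnect_terminate_s:
            self._transition(self.disconnected_at + self.policy.disconnect_terminate_s, TERMINATED)
        return self.state

    def user_input(self, t: int) -> str:
        """User activity at time t: resume a disconnected session, or refuse if terminated."""
        self.tick(t)
        if self.state == TERMINATED:
            return TERMINATED          # a fresh logon is required
        if self.state == DISCONNECTED:
            self._transition(t, ACTIVE)  # reconnect: work resumes where it was left
        self.last_input = t
        return self.state


def run_scenario() -> List[Tuple[int, str]]:
    """Constructed timeline: idle -> secured -> resumed -> abandoned -> terminated."""
    s = Session("clinician1", SessionPolicy())
    s.user_input(0)
    s.tick(200)         # still active
    s.tick(400)         # disconnected (secured) at t=300
    s.user_input(1000)  # reconnect, work resumes in place
    s.tick(5000)        # disconnected again at 1300, terminated at 4900
    return s.history


if __name__ == "__main__":
    for t, state in run_scenario():
        print(f"t={t:>5}s  {state}")
```

The point of dating the disconnect from the last input rather than from the moment the check runs is that an auditor reading the history sees when the session was actually secured, which is the time that matters for the (A) specification.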

TECHNICAL SAFEGUARDS (164.312), continued

Audit Controls, 164.312(b)
  - Implement systems that record, examine, and report on activity in all information systems that contain or use ePHI

Enabled: Citrix application-access audit records of application use and activity, when coupled with the audit capabilities of certified EMRs, provide unparalleled audit records that enhance an organization's ability to know and report on activity generated by a user. These records include the connecting username, device name, IP of the connecting workstation (inside and outside the corporate network), application used, and for how long, as well as capture of all errors/notifications (such as invalid password or unauthorized access attempts) that the application containing ePHI generates. This information is particularly valuable in investigating potential breaches or unauthorized access.

Citrix products: XenMobile, ShareFile

Integrity, 164.312(c)(1)
  - Implement procedures to authenticate and protect ePHI from improper alteration or destruction (A)

Person or Entity Authentication, 164.312(d)
  - Implement procedures to verify that a person or entity attempting to access ePHI is the one claimed

Enabled: Citrix enhances the ability to ensure that the person or entity accessing ePHI is the one claimed through its support and integration with multifactor authentication such as smart cards, biometrics, etc. This can effectively limit access to Citrix, which hosts the EMR application, to those authorized with the second factor, disallowing access to even attempt to launch the ePHI-containing applications if the user is unable to properly authenticate. This specifically guards against user account compromise or account sharing.

Citrix products: XenMobile, ShareFile

Transmission Security, 164.312(e)(1)
  - Ensure ePHI isn't improperly modified during transmission (A)
  - Encrypt transmitted ePHI whenever deemed appropriate (A)

Enabled: XenApp and XenDesktop encrypt transmitted data and session information by default and support increased levels of encryption above and beyond default levels if desired. XenMobile and ShareFile allow transmitted data sent via email or file distribution to be encrypted during transmission, ensuring that current methods of distribution by clinical staff are secured.

Citrix products: XenMobile, ShareFile

ORGANIZATIONAL REQUIREMENTS (OMNIBUS RULE) (164.314)

Business Associate Contracts or Other Arrangements, 164.314(a)(1)
  - Implement BA agreements for any partners/subcontractors that create, receive, maintain, or transmit ePHI (R)
  - Other arrangements needed to satisfy this requirement (R)

Enhanced: ShareFile provides a secure data storage enclave dedicated only to PHI. This secure enclave, ShareFile Cloud for Healthcare, enables covered entities and their business associates to leverage the protected ShareFile platform within a private cloud to process, maintain, and store PHI. ShareFile supports your HIPAA compliance and will enter into a business associate agreement (BAA) with customers that want to upload and share PHI using ShareFile.

Citrix products: ShareFile

Requirements for Group Health Plans, 164.314(b)(1)
  - Group health plans must in general abide by all specifications of the HIPAA Security Rule, similar to other covered entities (R)
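The login-monitoring specification under 164.308(a)(5) and the audit-controls passage above both describe the same review: tie each session to a user, device, connecting IP (inside or outside the corporate network), application and duration, and pull out errors such as invalid-password attempts. The following is an added example, not Citrix code and not the Citrix log format: it reviews a few constructed, CSV-style session records and produces a per-session report plus an alert for repeated logon failures. The record layout, field names, corporate address ranges, thresholds and the sample records themselves are assumptions chosen for the example.

```python
"""Review of constructed, Citrix-style session audit records.

Added example, not Citrix code or its log format. The CSV layout, field
names and the corporate address ranges are assumptions for the example.
"""
import csv
import ipaddress
from collections import defaultdict
from datetime import datetime
from io import StringIO

# Assumed corporate (on-network) address ranges; anything else is "outside".
CORPORATE_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]

# Constructed sample records: time,event,user,device,ip,app,detail
SAMPLE_LOG = """\
2014-11-03T08:00:00,session_start,jdoe,WS-ICU-07,10.20.1.15,EMR,
2014-11-03T08:01:10,app_error,jdoe,WS-ICU-07,10.20.1.15,EMR,unauthorized chart access
2014-11-03T08:45:00,session_end,jdoe,WS-ICU-07,10.20.1.15,EMR,
2014-11-03T09:10:00,logon_failed,asmith,iPad-2231,203.0.113.44,,invalid password
2014-11-03T09:10:20,logon_failed,asmith,iPad-2231,203.0.113.44,,invalid password
2014-11-03T09:10:41,logon_failed,asmith,iPad-2231,203.0.113.44,,invalid password
2014-11-03T09:11:05,session_start,asmith,iPad-2231,203.0.113.44,EMR,
2014-11-03T09:30:05,session_end,asmith,iPad-2231,203.0.113.44,EMR,
"""

FIELDS = ["time", "event", "user", "device", "ip", "app", "detail"]


def parse_log(text: str) -> list:
    """Parse the CSV records into dicts with a datetime 'time' field."""
    rows = []
    for rec in csv.DictReader(StringIO(text), fieldnames=FIELDS):
        rec["time"] = datetime.fromisoformat(rec["time"])
        rows.append(rec)
    return rows


def is_external(ip: str) -> bool:
    """True when the connecting address is outside the assumed corporate ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in CORPORATE_NETS)


def session_report(rows: list) -> list:
    """Pair session_start/session_end per (user, device, app) and attach errors seen in between."""
    open_sessions = {}
    report = []
    for r in rows:
        key = (r["user"], r["device"], r["app"])
        if r["event"] == "session_start":
            open_sessions[key] = {"user": r["user"], "device": r["device"], "ip": r["ip"],
                                  "app": r["app"], "external": is_external(r["ip"]),
                                  "start": r["time"], "errors": []}
        elif r["event"] == "app_error" and key in open_sessions:
            open_sessions[key]["errors"].append(r["detail"])
        elif r["event"] == "session_end" and key in open_sessions:
            s = open_sessions.pop(key)
            s["duration_s"] = int((r["time"] - s["start"]).total_seconds())
            report.append(s)
    return report


def failed_logon_alerts(rows: list, threshold: int = 3, window_s: int = 300) -> list:
    """Flag (user, ip) pairs with at least `threshold` logon failures inside any `window_s` span."""
    attempts = defaultdict(list)
    for r in rows:
        if r["event"] == "logon_failed":
            attempts[(r["user"], r["ip"])].append(r["time"])
    alerts = []
    for (user, ip), times in attempts.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if (times[i + threshold - 1] - times[i]).total_seconds() <= window_s:
                alerts.append({"user": user, "ip": ip, "external": is_external(ip),
                               "failures": len(times)})
                break
    return alerts


if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    for s in session_report(rows):
        print(f"{s['user']} {s['device']} {s['ip']} ({'outside' if s['external'] else 'inside'}) "
              f"{s['app']} {s['duration_s']}s errors={s['errors']}")
    for a in failed_logon_alerts(rows):
        print(f"ALERT: {a['failures']} logon failures for {a['user']} from {a['ip']}")
```

Keying open sessions on (user, device, app) rather than on user alone is what lets one clinician's concurrent sessions from a workstation and a tablet be reported separately, which is the granularity the audit-controls passage is describing.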

POLICIES, PROCEDURES, AND DOCUMENTATION REQUIREMENTS (OMNIBUS RULE) (164.316)

Policies and Procedures, 164.316(a); Documentation, 164.316(b)(1)
  - Implement policies/procedures to comply with all standards and specifications of the HIPAA rule. Document changes as needed. Retain documentation for 6 years (R)
  - Make documents available for all responsible parties (R)
  - Review and update as needed (R)

Frequently asked questions

Q: What are the general requirements of the HIPAA Security Standards? (Ref: 164.306 Security Standards: General Rules)

Covered entities must do the following:
1. Ensure the confidentiality, integrity and availability of all electronic protected health information the covered entity creates, receives, maintains or transmits.
2. Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.
3. Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under the privacy regulations.
4. Ensure compliance with this subpart by its workforce.

Q: How are covered entities expected to address these requirements?

Covered entities may use any security measures that reasonably and appropriately implement the standards; however, covered entities must first take into account the risks to protected electronic information; the organization's size, complexity and existing infrastructure; and costs. The final rule includes three safeguards sections outlining standards (what must be done) and implementation specifications (how it must be done) that are either required or addressable. If required, it must be implemented to meet the standard; if addressable, a covered entity can either implement it, implement an equivalent measure or do nothing (documenting why it would not be reasonable and appropriate).

  - Administrative Safeguards: Policies and procedures, workforce security and training, evaluations, and business associate contracts.
  - Physical Safeguards: Facility access, workstation security, and device and media controls.
  - Technical Safeguards: Access control, audit controls, data integrity, authentication, and transmission security.

Q: What is Citrix doing to help customers address HIPAA regulations?

To facilitate our customers' compliance with HIPAA security regulations, Citrix is providing detailed information about the security safeguards we have implemented in our healthcare solutions. This information is provided in this document, our security white paper, and other technical collateral. Additionally, our Client Services group is available to provide guidance and assistance in all deployments.

Learn more

We hope that the information provided in these tables gives you a better understanding of how Citrix solutions for healthcare can help you meet HIPAA and HITECH security requirements. Our commitment to helping our customers comply with these important regulations is one of the reasons we've become a trusted solution partner of 90 percent of the largest healthcare providers, all of the US News & World Report top hospitals, and the top healthcare IT vendors. You can learn more about Citrix solutions for healthcare and HIPAA compliance on our website and by reading through the FAQs and white papers we've prepared around these topics.

Web:
  Citrix IT Solutions for Healthcare: www.citrix.com/healthcare
  Citrix Security and Compliance Solutions: www.citrix.com/secure
FAQ: Citrix ShareFile Cloud for Healthcare
  https://www.citrix.com/content/dam/citrix/en_us/documents/products-solutions/citrix-sharefile-cloud-for-healthcare-frequently-asked-questions.pdf
White Paper: Citrix ShareFile Cloud for Healthcare
  https://www.citrix.com/content/dam/citrix/en_us/documents/products-solutions/what-is-the-citrix-sharefile-cloud-for-healthcare.pdf

Corporate Headquarters: Fort Lauderdale, FL, USA
India Development Center: Bangalore, India
Latin America Headquarters: Coral Gables, FL, USA
Silicon Valley Headquarters: Santa Clara, CA, USA
Online Division Headquarters: Santa Barbara, CA, USA
UK Development Center: Chalfont, United Kingdom
EMEA Headquarters: Schaffhausen, Switzerland
Pacific Headquarters: Hong Kong, China

About Citrix

Citrix (NASDAQ:CTXS) is a leader in mobile workspaces, providing virtualization, mobility management, networking and cloud services to enable new ways to work better. Citrix solutions power business mobility through secure, personal workspaces that provide people with instant access to apps, desktops, data and communications on any device, over any network and cloud. This year Citrix is celebrating 25 years of innovation, making IT simpler and people more productive. With annual revenue in 2013 of $2.9 billion, Citrix solutions are in use at more than 330,000 organizations and by over 100 million users globally. Learn more at www.citrix.com.

Copyright 2014 Citrix Systems, Inc. All rights reserved. Citrix, XenMobile, ShareFile and [...] are trademarks of Citrix Systems, Inc. and/or one of its subsidiaries, and may be registered in the U.S. and other countries. Other product and company names mentioned herein may be trademarks of their respective companies. 1114/PDF