vmware product applicability guide for hipaa/hitech pdf
TRANSCRIPT
! ! ! ! !
!
VMware®'SDDC'Product'Applicability'Guide'for'HIPAA/HITECH,'v1.0'
November'2013'
T E C H N I C A L ' G U I D E '''''''''
This is the first document in the Compliance Reference Architecture for HIPAA. You can find more information on the Framework and download the additional documents from the VMware HIPAA Compliance Resources on VMware Solution Exchange.
VMware!Product!Availability!Guide!for!HIPAA!and!HITECH!
T E C H N I C A L ! G U I D E / ! 1 !
Table!of!Contents!
Introduction'...............................................................................................................................''2'
Scope'and'Approach'.................................................................................................................'3'
VMware'Solution'Scope'........................................................................................................'3'HIPAA'and'HITECH'Act'Scope'.............................................................................................'4'Approach'...............................................................................................................................'4'
Overview'of'HIPAA/HITECH'Security'Requirements'................................................................'6'
HIPAA'Protected'Health'Information'and'Identifiers'.................................................................'9'
HIPAA/HITECH'Compliance'Guidance''..................................................................................'10'
Definition'of'Cloud'Computing'.................................................................................................'12'
Where'to'Start'–'Considerations'for'Covered'Entities'.............................................................'14'
Management/Business'Considerations'..............................................................................''15'IT'Considerations'.................................................................................................................'15'
VMware'HIPAA'Compliance'Stack'.........................................................................................'15'
HIPAA'Security'Rule'Solution'Applicability'Matrix'..................................................................'16'
HIPAA'Security'Rule'Solution'Applicability'Details'.................................................................'20'
vSphere'...............................................................................................................................'20'vCloud'Director'....................................................................................................................'22'vCloud'Networking'and'Security'Suite'................................................................................'24'vCenter'Site'Recovery'Manager'..........................................................................................'26'vCenter'Operations'Management'Suite'..............................................................................'28'
Acknowledgments'...................................................................................................................'30'
About'Accuvant'....................................................................................................................'30'
!
!'
'
'
'
'
'
'
'
'
'
VMware!Product!Availability!Guide!for!HIPAA!and!HITECH!
T E C H N I C A L ! G U I D E / ! 2 !
Introduction!Information'security'design'and'architectural'requirements,'driven'by'regulatory'compliance,'are'common'but'critical'aspects'that'organizations'should'consider'when'migrating'from'traditional'IT'environments'to'cloud'computing'environments.'Helping'organizations'with'the'arduous'tasks'of'meeting'and'maintaining'HIPAA'and'the'HITECH'act'regulatory'compliance,'VMware'and'its'partners'provide'suites'of'industry[leading,'virtualization'solutions'which'address'the'confidentiality,'integrity'and'availability'requirements'of'HIPAA/HITECH.'This'VMware'solution'guide'will'assist'in'answering'questions'such'as'“How!Can!Our!Organization!Comply!with!HIPAA!Requirements!within!a!Cloud!Computing!Environment”'by'providing'helpful'information'to'VMware'architects,'the'HIPAA/HITECH'community,'business'stakeholders'and'third'parties.'''
VMware'vCloud'Suite'is'VMware’s'complete'software?defined!datacenter'(SDDC)'solution,'enabling'customers'to'build'and'manage'their'own'cloud'infrastructure.'The'vCloud'Suite'is'offered'into'three'editions'and'divided'into'eight'discrete'software'components:'
vSphere!–'Virtualized'infrastructure'with'policy[based'automation'
vCloud!Director'–'Virtualized'datacenters'with'multi[tenancy'and'public'cloud'extensibility'
vCloud!Connector'–'Integrated'viewing'and'dynamic'transfer'of'workloads'between'private'and'public'clouds''
vCloud!Networking!and!Security'–'Software'defined'networking,'security'and'ecosystem'integration'
vCenter!Site!Recovery!Manager'–'Automated'disaster'recovery'planning,'testing'and'execution'
vCenter!Operations!Management!Suite'–'Integrated,'proactive'performance'capacity,'and'configuration'management'for'dynamic'cloud'environments.'The'vCenter'Operations'Management'Suite'is'broken'into'seven'features'that'are'offered'depending'on'vCloud'Suite'edition'type.'These'seven'features'are:'
•' Application'Monitoring''
•' Storage'Adapters'for'EMC''
•' VM'Configuration'Compliance'
•' Host'Configuration'Compliance'
•' Performance'and'Capacity'Optimization''
•' Application'Awareness''
•' Chargeback''
vFabric!Application!Director!–'Multi[tier'application'service'catalog'publishing'and'provisioning''
vCloud!Automation!Center'–'Self[service'and'policy[enabled'cloud'service'provisioning''!
!
!
!
!
!
!
!
!
!
VMware!Product!Availability!Guide!for!HIPAA!and!HITECH!
T E C H N I C A L ! G U I D E / ! 3 !
Figure!1.'VMware'Cloud'Suite'components'
'
Scope!and!Approach!Due'to'the'broad'context'of'the'HIPAA'and'HITECH'acts'it'is'prudent'to'properly'define'and'detail'the'scope'of'this'document'and'the'approach'that'has'been'taken'in'defining'such'scope.'The'scope'is'divided'between'the'VMware'components'that'are'included,'reviewed'and'considered'highly'relevant'as'part'of'this'guide'and'the'governing'sections'of'the'HIPAA'and'HITECH'Acts'that'pertain'to'electronic'data,'information'technology'and'thus'network'and'electronic'information'security.'While'this'guide'provides'specific'technical'opinions'regarding'the'applicability'of'VMware'solutions'to'HIPAA’s'regulations'the'guide'is'neither'comprehensive'in'its'coverage'of'the'entire'HIPAA'regulation'nor'prescriptive.'It'does'not'define'a'single'implementation'strategy'that'assures'compliance.'
VMware!Solution!Scope!Using'the'Enterprise'edition'of'vCloud'Suite'as'the'basis'for'the'VMware'solution,'the'components'applicable'to'this'guide'and'detailed'within'this'guide'(“VMware'Scope”)'include:'
•' vSphere'
•' vCloud'Director'
•' vCloud'Networking'and'Security'(vCNS)'
•' vCenter'Site'Recovery'Manager'(SRM)'
•' vCenter'Operations'Management'Suite'(OMS)'
–' VM'Configuration'Compliance'
–' Host'Configuration'Compliance'
!
VMware!Product!Availability!Guide!for!HIPAA!and!HITECH!
T E C H N I C A L ! G U I D E / ! 4 !
Those'specific'VMware'components'that'are'not'within'the'scope'of'this'document'have'been'omitted'either'because'of'their'non[applicability'(i.e.'Application'Monitoring,'Application'Awareness,'Performance'and'Optimization'and'Chargeback'components'of'vCenter'OMS,'vFabric'Application'Director'and'vCloud'Automation'Center)'or'interdependency'upon'separate'technology'not'in'scope'(i.e.'Storage'Adapters'for'EMC).'''
HIPAA!and!HITECH!Act!Scope!The'portions'of'the'HIPAA'and'HITECH'acts'that'are'considered'technical'in'nature'and'therefore'within'scope'(“HIPAA'Scope”)'of'this'guide'consist'of'specific'controls'within'HIPAA’s'Security'Rule,'45'CFR'Part'160'and'Subparts'A'and'C'of'Part'164.'The'HITECH'act'and'other'portions'of'HIPAA,'such'as'the'Privacy'Rule,'as'well'as'several'sections'of'HIPAA’s'Security'Rule'are'not'addressable'through'the'use'of'virtualization'and'cloud'technology,'including'VMware’s'solutions'and'therefore'are'not'covered'within'this'document.''
VMware'recognizes'the'larger'impact'that'the'full'scope'of'HIPAA'and'HITECH'has'upon'an'organization.'This'solutions'guide'is'intended'to'help'an'organization'understand'the'role'that'VMware’s'solutions'can'play'within'their'larger'compliance'efforts.'And'due'to'the'flexible'nature'of'HIPAA'and'significant'impact'that'non[compliance'can'have'upon'an'organization,'it'is'strongly'recommended'that'organizations'establish'their'HIPAA'and'HITECH'compliance'efforts'upon'a'comprehensive!risk!assessment!strategy.'
Approach!The'“HIPAA'Security'Rule'Solution'Applicability'Matrix”'(found'later'in'this'document)'maps'the'specific'requirements'of'the'HIPAA'Security'Rule'to'VMware’s'product'solution'suites,'their'technology'areas'and'in'some'cases'partner'solutions.'By'understanding'how'the'technology'solutions'and'technology'areas'apply'to'the'compliance'requirements'customers'are'able'to'support'their'broader'electronic'governance,'risk'and'compliance'(eGRC)'initiatives.'
Figure!2.'VMware'+'Partner'Product'Solutions'for'a'Trusted'Cloud'
!
VMware!Product!Availability!Guide!for!HIPAA!and!HITECH!
T E C H N I C A L ! G U I D E / ! 5 !
While'there'are'many'variations'of'cloud'environments,'including'public,'private'and'hybrid'clouds,'and'there'are'many'partner'solutions'that'enhance'an'organization’s'ability'to'address'confidentiality,'integrity'and'availability,'the'VMware'vCloud'Suite'can'help'organizations'address'up'to'23%'(as'seen'in'figure'3'below)'of'the'compliance'requirements'of'the'HIPAA'Security'Rule.'
Figure!3.'HIPAA'Security'Rule'Controls'Coverage'
'
'
'
'
'
'
'
'
'
'
'
'
'
!
VMware!Product!Availability!Guide!for!HIPAA!and!HITECH!
T E C H N I C A L ! G U I D E / ! 6 !
Overview!of!HIPAA/HITECH!Security!Requirements!The'Health'Insurance'Portability'and'Accountability'Act'of'1996'(HIPAAe'Pub.L.'104[191,'110'Stat.'1936)'was'enacted'by'the'United'States'Congress'and'signed'by'President'Bill'Clinton'on'August'21,'1996.'Title!II:!Preventing!Health!Care!Fraud!and!AbuseF!Administrative!SimplificationF!Medical!Liability!Reform'defines'policies,'procedures'and'guidelines'for'maintaining'the'privacy'and'security'of'individually'identifiable'health'information'as'well'as'outlining'numerous'offenses'relating'to'health'care'and'sets'civil'and'criminal'penalties'for'violations.'
As'required'by'Congress'in'HIPAA'and'HITECH'cover'the'following'types'of'organizations:'
•' Health'plans'
•' Health'care'clearinghouses'
•' Health'care'providers'who'conduct'certain'financial'and'administrative'transactions'electronically.'These'electronic'transactions'are'those'for'which'standards'have'been'adopted'by'the'Secretary'under'HIPAA,''such'as'electronic'billing'and'fund'transfers.'
Failure'to'meet'HIPAA'compliance'requirements'and'standards'could'give'rise'to'both'civil'and'criminal'penalties.'Section'13410'of'the'HITECH'Act'amends'section'1176'of'the'Social'Security'Act'(42'U.S.C'1320d[5)'in'order'to'update'enforcement'of'HIPAA.'The'penalties'under'the'Social'Security'Act,'and'amended'in'the'HITECH'act'are'divided'into'categories'of'claims'and'categories'of'penalties'that'are'applicable'to'individuals'and'organizations.'
Civil'monetary'penalties'are'divided'as'follows:''
•' In'cases'of'unknowing'violations'of'HIPAA,'each'violation'would'result'in'$100[$50,000'for'each'such'violation,'not'to'exceed'$1,500,000'for'the'all'such'violations'within'the'same'calendar'year.'''''
•' In'cases'of'wrongful'disclosure'of'individually'identifiable'patient'information,'a'person'shall'be'fined'$1,000[$50,000'for'each'such'violation'and'not'more'than'$1,500,000'for'all'such'violations'within''the'same'calendar'year.'''
•' In'cases'where'the'offense'is'committed'under'false'pretenses'and'corrected'in'the'same'calendar'year,'a'person'shall'be'fined'$10,000[$50,000'for'each'such'violation'and'not'more'than'$1,500,000'for'all'such'violations'within'the'same'calendar'year.'
•' In'cases'where'the'offense'is'committed'under'false'pretenses'and'not'corrected'in'the'same'calendar'year,'a'person'shall'be'fined'$50,000'for'each'such'violation'and'not'more'than'$1,500,000'for'all'such'violations'within'the'same'calendar'year.'
Criminal'penalties'can'be'imposed'against'individuals'and'are'divided'as'follows:'
•' Up'to'$50,000'and'potential'imprisonment'of'not'more'than'1'year'in'cases'of'wrongful'disclosure'of'PHI.'
•' Up'to'$100,000'and'potential'imprisonment'of'not'more'than'5'years'in'cases'committed'under'false'pretenses.'
•' Up'to'$250,000'and'imprisonment'of'not'more'than'10'years'in'cases'committed'with'intent'to'sell,'transfer'or'use'PHI'for'commercial'advantage,'personal'gain'or'malicious'harm.''
The'HIPAA'Security'Rule,'as'defined'within'45'CFR'Part'160'and'Subparts'A'and'C'of'Part'164,'has'22'requirements'that'pertain'to'the'safeguarding'of'patient'data'and'are'outlined'below.'Of'those'22,'the'requirements'that'we'believe'are'relevant'to'VMware’s'product'solutions'are'highlighted'in'yellow:'
'
VMware!Product!Availability!Guide!for!HIPAA!and!HITECH!
T E C H N I C A L ! G U I D E / ! 7 !
HIPAA Administrative Safeguards
HIPAA!Standard! Reference! Applicability!to!Technical!Scope!
Security'Management'Process' 164.308(a)(1)(i)' Not'applicable'
Assigned'Security'Responsibility' 164.308(a)(2)' Not'applicable'
Workforce'Security' 164.308(a)(3)(i)' Not'applicable'
Information'Access'Management' 164.308(a)(4)(i)' Not'applicable'
Security'Awareness'and'Training' 164.308(a)(5)(i)' Not'applicable'
Security'Incident'Procedures' 164.308(a)(6)(i)' Not'applicable'
Contingency'Plans' 164.308(a)(7)(i)' Not'applicable'
Evaluation' 164.308(a)(8)' Not'applicable'
Business'Associate'Contracts''and'Other'Arrangements'
164.308(b)(1)'' Not'applicable'
'
HIPAA PHYSICAL Safeguards
HIPAA!Standard! Reference! Applicability!to!Technical!Scope!
Facility'Access'Controls' 164.310(a)(1)' Not'applicable'
Workstation'Use' 164.310(b)' Not'applicable'
Workstation'Security' 164.310(c)' Not'applicable'
VMware!Product!Availability!Guide!for!HIPAA!and!HITECH!
T E C H N I C A L ! G U I D E / ! 8 !
HIPAA PHYSICAL Safeguards
Device'and'Media'Controls' 164.310(d)(1)' Not'applicable'
'
HIPAA TECHNICAL Safeguards !
HIPAA!Standard! Reference! Applicability!to!Technical!Scope!
Access'Control' 164.312(a)(1)' Applicable'
Audit'Controls' 164.312(b)' Applicable'
Integrity' 164.312(c)(1)' Applicable'
Person'or'Entity'Authentication' 164.312(d)' Applicable'
Transmission'Security' 164.312(e)(1)' Applicable'
'
HIPAA organizational requirements
HIPAA!Standard! Reference! Applicability!to!Technical!Scope!
Business'Associate'Contracts'or''Other'Arrangements'
164.314(a)(1)(i)' Not'Applicable'
Requirements'for'Group'Health'Plans'
164.314(b)(1)' Not'Applicable'
'
'
'
'
VMware!Product!Availability!Guide!for!HIPAA!and!HITECH!
T E C H N I C A L ! G U I D E / ! 9 !
HIPAA Policies and Procedures and Documentation Requirements
HIPAA!Standard! Reference! Applicability!to!Technical!Scope!
Policies'and'Procedures' 164.316(a)' Not'Applicable'
Documentation' 164.316(b)(1)(i)' Not'Applicable'
Table'1:'HIPAA'Security'Standards'HIPAA!Protected!Health!Information!and!Identifiers!Protected'health'information'(PHI)'has'been'defined'by'the'US'Department'of'Health'and'Human'Services'(“HHS”)'as'any'information'in'the'medical'record'or'designated'record'set'that'can'be'used'to'identify'an'individual'and'that'was'created,'used,'or'disclosed'in'the'course'of'providing'a'health'care'service'such'as'diagnosis'or'treatment.'HIPAA'regulations'allow'researchers'to'access'and'use'PHI'when'necessary'to'conduct'research.'However,'HIPAA'only'affects'research'that'uses,'creates,'or'discloses'PHI'that'will'be'entered'in'to''the'medical'record'or'will'be'used'for'healthcare'services,'such'as'treatment,'payment'or'operations.'
As'defined'by'the'Heath'Resources'and'Services'Administration:'
“Under!the!HIPAA!Privacy!Rule,!protected!health!information!(PHI)!refers!to!individually!
identifiable!health!information.!Individually!identifiable!health!information!is!that!which!can!be!
linked!to!a!particular!person.!Specifically,!this!information!can!relate!to:!
•' The!individual’s!past,!present!or!future!physical!or!mental!health!or!condition,!
•' The!provision!of!health!care!to!the!individual,!or,!
•' The!past,!present,!or!future!payment!for!the!provision!of!health!care!to!the!individual.!
Common!identifiers!of!health!information!include!names,!social!security!numbers,!addresses,!
and!birth!dates.!
The!HIPAA!Security!Rule!applies!to!individual!identifiable!health!information!in!electronic!form!
or!electronic!protected!health!information!(ePHI).!!It!is!intended!to!protect!the!confidentiality,!
integrity,!and!availability!of!ePHI!when!it!is!stored,!maintained,!or!transmitted.”1'
The'18'PHI'identifiers'that'have'been'defined'within'HIPAA'by'the'HHS'as'in[scope'include:'
1.' Namese'
2.' All'geographical'subdivisions'smaller'than'a'State2e'
3.' All'elements'of'dates'(except'year)'for'dates'directly'related'to'an'individual3e'
4.' Phone'numberse'
5.' Fax'numberse'
6.' Electronic'mail'addressese'
1'http://www.hrsa.gov/healthit/toolbox/HealthITAdoptiontoolbox/PrivacyandSecurity/underhipaa.html'2 With exceptions 3 With exceptions
VMware!Product!Availability!Guide!for!HIPAA!and!HITECH!
T E C H N I C A L ! G U I D E / ! 1 0 !
'
7.' Social'Security'numberse'
8.' Medical'record'numberse'
9.' Health'plan'beneficiary'numberse'
10.' Account'numberse'
11.' Certificate/license'numberse'
12.' Vehicle'identifiers'and'serial'numbers,'Including'license'plate'numberse'
13.' Device'identifiers'and'serial'numberse'
14.' Web'Universal'Resource'Locators'(URLs)e'
15.' Internet'Protocol'(IP)'address'numberse'
16.' Biometric'identifiers,'including'finger'and'voice'printse'
17.' Full'face'photographic'images'and'any'comparable'imagese'and'
18.' Any'other'unique'identifying'number,'characteristic,'or'code'(note'this'does'not'mean'the'unique'code'assigned'by'the'investigator'to'code'the'data)'
HIPAA/HITECH!Compliance!Guidance!!While'formal'guidelines'have'not'yet'been'released'recommending'explicit'security'guidelines'for'HIPAA'compliance'within'a'Public'Cloud'environment,'in'2007'the'U.S.'Department'of'Health'and'Human'Services'(“HHS”)'released'an'“Educational'Paper'Series”'that'covered'a'number'of'security'principles'in'an'effort'to'provide'HIPAA'covered'entities'“insight'into'the'Security'Rule”4.'The'papers'covered'a'variety'of'topics:'
•' Security'101'for'Covered'Entities'
•' Administrative'Safeguards'
•' Physical'Safeguards'
•' Technical'Safeguards'
•' Organizational,'Policies'and'Procedures'and'Documentation'Requirements'
•' Basics'of'Risk'Analysis'and'Risk'Management'
•' Security'Standards:'Implementation'for'the'Small'Provider'
All'of'the'papers'provided'by'the'HHS'are'recommended'in'developing'an'understanding'of'HIPAA’s'intent.'Of'the'seven'papers,'the'Security'101'for'Covered'Entities,'Technical'Safeguards'and'Basics'of'Risk'Analysis'and'Risk'Management'hold'the'most'relevance'to'the'VMware'scope'defined'in'an'earlier'section.'
4'http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/securityruleguidance.html''
'
'
VMware!Product!Availability!Guide!for!HIPAA!and!HITECH!
T E C H N I C A L ! G U I D E / ! 1 1 !
Figure!4.''HIPAA'Security'Series'#1,'#4'and'#6'
In'addition'to'the'Educational'Paper'Series,'HHS'released'in'2010'a'guidance'paper'relative'to'HITECH'titled'“Guidance!on!Risk!Analysis!Requirements!under!the!HIPAA!Security!Rule”.'This'paper'is'intended'to'assist'organizations'in'understanding'what'HHS'considers'the'“most'effective'and'appropriate'administrative,'physical'and'technical'safeguards”5'relative'to'e[PHI.'In'this'document'the'HHS'very'specifically'acknowledges'limited'prescriptive'specificity'within'the'Security'Rule'and'points'at'one'very'clear'directive—base'the'identification'and'implementation'of'the'various'safeguards'upon'risk'analysis.'
“We'understand'that'the'Security'Rule'does'not'prescribe'a'specific'risk'analysis'methodology,'recognizing'that'methods'will'vary'dependent'on'the'size,'complexity,'and'capabilities'of'the'organization.'Instead,'the'Rule'identifies'risk'analysis'as'the'foundational'element'in'the'process'of'achieving'compliance,'and'it'establishes'several'objectives'that'any'methodology'adopted'must'achieve”6.'
The'guide'provides'additional'clarification'between'the'terms'“addressable”'and'“required”e'noting'that'addressable'specifications'are'not'optional'and'require'organizations'to'determine'whether'each'addressable'specification'is'reasonable'and'appropriate.'Organizations'“must'document”7,'as'part'of'that'determination'process,'why'a'particular'specification'was'determined'to'be'unreasonable'or'inappropriate.''
'
5'From'Guidance'on'Risk'Analysis'Requirements'Under'HIPAA'Security'Rule'pg.1,'posted'July'14,'2010'6'From'Guidance'on'Risk'Analysis'Requirements'Under'HIPAA'Security'Rule'pg.'2'posted'July'14,'2010'7'From'Guidance'on'Risk'Analysis'Requirements'Under'HIPAA'Security'Rule'pg.'2'posted'July'14,'2010'
'
'
!
VMware!Product!Availability!Guide!for!HIPAA!and!HITECH!
T E C H N I C A L ! G U I D E / ! 1 2 !
'
'
!
!
!
!
!
!
Figure!5.''Guidance'on'Risk'Analysis'Requirements'Under'the'HIPAA'Security'Rule'
Definition!of!Cloud!Computing!!Cloud'computing'can'be'defined'as'a'model'for'leveraging'pools'of'shared'resources'on[demand,'such'as'networks,'storage,'servers,'applications'and'services.'These'shared'resources,'known'as'a'“cloud”,'provide'a'multitude'of'capabilities,'some'of'which'include'scalability,'elasticity'of'IT'resources,'smaller'environmental'footprint'such'as'power'or'physical'space,'and'finally'more'accurate'economies'of'scale.'''
Cloud'computing'is'nothing'new,'and'has'origins'dating'back'to'the'early'1950’s'and'1960’s,'when'mainframes'were'modified'to'provide'better'efficiency'and'scalability.'The'term'“cloud”'itself'became'commonplace'when'in'the'1990’s'the'graphic'of'a'cloud'was'used'to'identify'the'Internet'or'any'other'shared'network.'It'has'really'been'in'the'last'decade'that'a'mature'definition'of'“Cloud'Computing”'has'been'established.'Several'key'events'occurred'that'helped'to'establish'current'day'cloud'computing:'
1.'In'1999'VMware'introduced'the'VMware'Virtual'Platform'that'provided'the'first'affordable'and'reliable'virtualization'platform,'enabling'broad'adoption'of'virtualization'within'the'data'center'and'ultimately'supporting'private'cloud'computing.'
2.'In'2006'Amazon'released'Amazon'Web'Services'(AWS)'expanding'cloud'computing'from'a'private'endeavor'to'a'utility'provided'to'external'customers.'
VMware'defines'cloud'or'utility'computing'as'the'following:'
“Cloud!computing!is!an!approach!to!computing!that!leverages!the!efficient!pooling!of!on?
demand,!self?managed!virtual!infrastructure,!consumed!as!a!service.!Sometimes!known!as!utility!
computing,!clouds!provide!a!set!of!typically!virtualized!computers!which!can!provide!users!with!the!
ability!to!start!and!stop!servers!or!use!compute!cycles!only!when!needed,!often!paying!only!
upon!usage.”!
There'are'several'key'characteristics'to'cloud'computing'that'are'recognized'throughout'the'industry.'The'first'key'characteristic'of'the'Cloud'is'its'service'models.'The'second'key'characteristic'of'the'Cloud'is'its'deployment'models.'Four'distinct'deployment'models'exist'(which'do'not'necessarily'align'with'the'service'models):'the'Private'cloud,'the'Public'cloud,'the'Hybrid'cloud'(combining'both'public'and'private),'and'finally'the'Community'cloud.'
The'Cloud’s'service'models'are'divided'into'four'separate'service'models:'
•' Infrastructure'as'a'Service'(IaaS)'–'As'the'name'suggests'the'IaaS'model'is'specific'to'the'infrastructure'that'supports'cloud'computing.'IaaS'solution'providers'offer'physical'or'virtual'
!
VMware!Product!Availability!Guide!for!HIPAA!and!HITECH!
T E C H N I C A L ! G U I D E / ! 1 3 !
computers,'disk,'network'routing'and'switching'infrastructure'and'other'network'and'security'infrastructure.'
•' Platform'as'a'Service'(PaaS)'–'Building'upon'an'IaaS'solution,'the'PaaS'model'provides'the'computing'platform'necessary'to'run'and'support'the'applications'and'services.'A'PaaS'solution'provider'typically'provides'the'operating'systems,'service'application'stack'–'such'as'web'servers'and'database'servers,'and'other'necessary'environment'support'–'such'as'programming'languages,'frameworks'and'services.'
•' Software'as'a'Service'(SaaS)'–'Certainly'the'most'visible'of'the'service'models,'the'SaaS'model'provides'access'to'fully'operational'applications.'These'applications'are'fully'managed'at'the'platform'and'infrastructure'level'and'are'often'are'supported'through'separate'IaaS'and'PaaS'providers.'''
•' Network'as'a'Service'(NaaS)'–'This'final'model'brings'common'network,'transport'or'VPN'connectivity'to'the'market.''
The'Cloud’s'deployment'models'happen'to'also'be'divided'into'four'distinct'models'today.'The'deployment'models'to'not'necessarily'align'with'the'service'models'defined'above.'
•' Private'Cloud'–'The'cloud'infrastructure'is'operated'solely'for'an'organization'and'may'be'managed'by'the'organization'or'a'third'party.'The'cloud'infrastructure'may'be'on[premise'or'off[premise.'
•' Public'Cloud'–'The'cloud'infrastructure'is'made'available'to'the'general'public'or'to'a'large'industry'group'and'is'owned'by'an'organization'that'sells'cloud'services.'
Figure!6.'Cloud'Computing'Overview'
•' Hybrid'Cloud'–'The'cloud'infrastructure'is'a'composition'of'two'or'more'clouds'(private'and'public)'that'remain'unique'entities,'but'are'bound'together'by'standardized'technology.'This'enables'data'and'application'portabilitye'for'example,'cloud'bursting'for'load'balancing'between'clouds.'With'a'hybrid'cloud,'an'organization'gets'the'best'of'both'worlds,'gaining'the'ability'to'burst'into'the'public'cloud'when'needed'while'maintaining'critical'assets'on[premise.'
!
VMware!Product!Availability!Guide!for!HIPAA!and!HITECH!
T E C H N I C A L ! G U I D E / ! 1 4 !
•' Community'Cloud'–'The'cloud'infrastructure'is'shared'by'several'organizations'and'supports'a'specific'community'that'has'shared'concerns'(for'example,'mission,'security'requirements,'policy,'and'compliance'considerations).'It'may'be'managed'by'the'organizations'or'a'third'party,'and'may'exist'on[premise'or'off[premise.'
To'learn'more'about'VMware’s'approach'to'cloud'computing,'please'review'the'following:'
•' VMware'Cloud'Computing'Overview'['http://www.vmware.com/solutions/cloud[computing/index.html#tab3''
•' VMware’s'vCloud'Architecture'Toolkit'['http://www.vmware.com/cloud[computing/cloud[architecture/vcat[toolkit.html'''
Organizations'considering'the'potential'compliance'impact'cloud'computing'has'upon'critical'applications'that'may'be'highly'regulated'should'consider'the'following'questions:'
•' To'what'extent'do'those'applications'leverage'cloud'architecture?'
•' What'service'models'and'deployment'models'are'being'used'to'transmit'and'store'protected'health'information'and'who'are'the'cloud'providers'involved?'
•' Are'the'cloud'platforms'used'trusted'platforms'and'what'compliance'assurances'are'provided'by'the''cloud'providers'involved?'
•' Which'industry[recognized'certifications'has'the'cloud'provider,'environment'and'service'been'audited'and'certified'as'compliant'for?'
A'final'critical'point'that'must'be'considered'is'that,'because'HIPAA'does'not'prescribe'how'to'“meet”'regulatory'compliance'(i.e'which'technology'to'use,'how'to'implement'said'technology,'etc),'it'is'imperative'that'an'organization’s'business'and'IT'stakeholders'are'aligned'with'technology'requirements'driven'from'the'stakeholder.'
VMware'is'the'global'leader'in'virtualization,'the'key'technology'that'enables'cloud'computing.'VMware’s'vCloud'Suite'is'a'turnkey,'integrated'virtualization'solution'for'building'and'managing'a'complete'cloud'infrastructure,'allowing'customers'to'realize'the'many'benefits'of'cloud'computing.'''
Prior'to'undertaking'any'HIPAA'compliance'project,'VMware'recommends'that'customers'determine'a'“healthcheck”'status'of'systems'compliance.'Customers'can'implement'VMware’s'“HIPAA'Compliance'Checker”'by'downloading'the'application'from'the'following'location:'
https://my.vmware.com/web/vmware/evalcenter?p=compliance[chk&lp=default&cid=70180000000MJsMAAW'
Where!to!Start!–!Considerations!for!Covered!Entities!!When'it'comes'to'the'question'of'where!to!start,'HIPAA'and'the'guidance'around'HIPAA'is'quite'specific.'Organizations'that'are'working'on'achieving'HIPAA'and'HITECH'compliance'should'start'with'a'risk!assessment.'As'noted'by'the'Department'of'Health'and'Human'Services'and'relative'to'HIPAA’s'Security'Rule:''
“…the'Rule'identifies'risk'analysis'as'the'foundational'element'in'the'process'of'achieving'compliance,'and'it'establishes'several'objectives'that'any'methodology'adopted'must'achieve…8”'
8'From'Guidance'on'Risk'Analysis'Requirements'Under'HIPAA'Security'Rule'pg.'2'posted'July'14,'2010'
'
!
VMware!Product!Availability!Guide!for!HIPAA!and!HITECH!
T E C H N I C A L ! G U I D E / ! 1 5 !
What'is'very'important'to'note'is'that'utilizing'a'virtual'or'cloud'environment'has'no'greater'impact'relative'to'HIPAA'compliance'than'traditional'information'technology'or'any'differences'than'are'typically'considered'between'virtualization,'cloud'and'traditional'technology.'Organizations'can'utilize'a'strong'risk'management'approach'toward'their'HIPAA'compliance'efforts'and'take'advantage'of'the'many'advantages'provided'by'virtual'or'cloud'environments'because'the'risk'assessment'effort'should'inform'the'organization'of'the'proper'application'of'security'within'the'virtual'or'cloud'environment.'
Independent'of'HIPAA'or'HITECH,'the'move'to'cloud'and'virtual'environments'are'filled'with'technical'considerations'and'business'decision,'some'of'which'differ'from'traditional'information'technology.'Organizations'should'review'the'benefits'and'risks'of'their'current'environment'and'compare'them'to'the'different'cloud'deployment'models'and'service'models.'
The'following'questions'may'be'important'when'considering'the'potential'business'impact,'benefits,'and'risks'of'a'virtual'and/or'cloud'environment.'
Management/Business!Considerations!1.'Can'the'Cloud'be'a'strategic'differentiator'for'the'business'or'is'it'a'commodity'service?'
2.'What'is'the'strategic'value'that'the'Cloud'could'deliver'to'the'organization?'
3.'What'are'the'areas'where'the'Cloud'can'provide'additional'value'to'the'company?'
4.'What'is'the'business'value'that'the'Cloud'could'deliver'to'operations?'
5.'Have'there'been'any'previous'attempts'to'virtualize'or'outsource'critical'operations?'
6.'What'Cloud'models,'including'Public,'Hybrid'and'Private,'are'being'considered?'
7.'What'are'the'critical'IT'services'that'are'or'could'be'outsourced?'
IT!Considerations!1.'Are'the'organizational'business,'IT,'and'GRC'groups'aligned'with'the'virtualization'or'cloud'strategy?'
2.'Has'the'proposed'virtualization'implementation'been'communicated'to'GRC'and'approval'received?'
3.'How'has'GRC'affected'IT'Operations'and'does'it'mandate'any'considerations'when'considering'virtualization'or'cloud'environments?'
4.'Has'the'flow'of'ePHI'been'identified'and'documented?'
5.'Have'all'systems'(servers,'SANs,'SEIMs)'which'store'ePHI'and'are'considered'“in[scope”'for'HIPAA'compliance'been'identified?Which'virtualization'or'cloud'deployment'model'and'service'model'will''be'implemented?'
6.'How'can'virtualization'or'cloud'technology'benefit'existing'IT'initiatives?'Are'there'efforts'to'consolidate'IT'functions'that'can'be'addressed'with'Cloud?'
7.'What'IT'operational'changes'should'be'made,'from'a'segregation'of'duties'perspective,'to'account'for'the'conversion'of'physical'to'virtualized'resources'within'the'organization?'
8.'Where'can'virtualization'and/or'Cloud'improve'existing'SLA'or'OLAs'(Internal,'External)?'
VMware!HIPAA!Compliance!Stack!VMware'provides'an'extensive'suite'of'products'designed'to'support'an'organization’s'Information'Security'and'Compliance'requirements.''While'every'environment'will'have'unique'needs,'the'following'HIPAA/HITECH'Compliance'Stack'provides'a'comprehensive'mix'of'
VMware!Product!Availability!Guide!for!HIPAA!and!HITECH!
T E C H N I C A L ! G U I D E / ! 1 6 !
VMware'solutions'that'can'help'organizations'meet'the'compliance'and'governance'requirements'of'HIPAA/HITECH.'''
VCloud Suite Product Product Components or Features
vSphere' ESXi,'vMotion,'Storage'vMotion,'High'Availability,''Data'Protection'and'Replication,'and''Host'Profiles'
vCloud'Director' Elastic'Virtual'Datacenters,'Service'Catalog'and'Multi[Tenancy'
vCloud'Networking'and'Security'Suite'
Edge,'App'Firewall,'VXLAN,'and'Data'Security'
vCenter'Site'Recovery'Manager' Recovery'Plans,'Automated'DR'Failover'and'Failback,'vSphere'Replication'
vCenter'Operations'Management'Suite'
VM'Configuration'Compliance,'and'Host'Configuration'Compliance'
Table!2:'Caption'to'come.'
HIPAA/HITECH'requirements'and'have'been'addressed'in'detail'in'the'following'sections.'To'determine'the'products'and'features'available'with'VMware'Suites'please'refer'to'VMware.com.'
HIPAA!Security!Rule!Solution!Applicability!Matrix!!VMware'has'created'a'HIPAA'Security'Rule'Requirements'Matrix'to'assist'organizations'with'an'understanding'of'VMware'solutions,'VMware'Partner'Solutions'(where'they'overlap),'and'the'remaining'customer'responsibilities'that'should'be'addressed'separately'by'the'customer'through'use'of'other'tools'or'processes.'While'every'cloud'is'unique,'VMware'believes'that'the'technical'requirements'found'within'the'Security'Rule'can'be'addressed'through'the'VMware'Suites'and/or'VMware'partner'solutions.'
The'remaining'gaps'in'addressing'HIPAA/HITECH'requirements'may'be'filled'by'the'customer'through'processes,'procedures'and'other'tools'(i.e.'approving'customers’'policies,'keeping'an'updated'network'diagram,'approving'changes,'etc.).'
'
'
'
!
!
!
!
VMware!Product!Availability!Guide!for!HIPAA!and!HITECH!
T E C H N I C A L ! G U I D E / ! 1 7 !
Figure!7.'VMware'Solutions'
Figure!8.'Diagrammatic'Representation'of'VMware'and'VMware'Partner'Products'for'HIPAA'
'
'
!
VMware!Product!Availability!Guide!for!HIPAA!and!HITECH!
T E C H N I C A L ! G U I D E / ! 1 8 !
PIE CHART HIPAA STANDARD REF. REQUIREMENT ADDRESSED IN VMWARE’S SUITES
REQUIREMENT ADDRESSED OR ENHANCED BY PARTNERS
REQUIREMENT NOT ADDRESSED BY VMWARE OR PARTNERS
!
!Security'Management'Process'
164.308(a)(1)(i)' No'
'
No'
'
Yes'
'
!
!Assigned'Security'Responsibility'
164.308(a)(2)'
'
No'
'
No'
'
Yes'
'
!
!Workforce'Security' 164.308(a)(3)(i)' No' No' Yes'
!
!Information'Access'Management'
164.308(a)(4)(i)' No' No' Yes'
!
!Security'Awareness'and'Training'
164.308(a)(5)(i)' No' No' Yes'
!
!Security'Incident'Procedures'
164.308(a)(6)(i)' No' No' Yes'
!Contingency'Plan' 164.308(a)(7)(i)' No' No' Yes'
!Evaluation' 164.308(a)(8)' No' No' Yes'
!
Business'Associate'Contracts''and'Other'Arrangements'
164.308(b)(1)' No' No' Yes'
!
!Facility'Access'Controls'
164.310(a)(1)' No' No' Yes'
! Workstation'Use' 164.310(b)' No' No' Yes'
VMware!Product!Availability!Guide!for!HIPAA!and!HITECH!
T E C H N I C A L ! G U I D E / ! 1 9 !
PIE CHART HIPAA STANDARD REF. REQUIREMENT ADDRESSED IN VMWARE’S SUITES
REQUIREMENT ADDRESSED OR ENHANCED BY PARTNERS
REQUIREMENT NOT ADDRESSED BY VMWARE OR PARTNERS
!
!Workstation'Security' 164.310(c)' No' No' Yes'
! Device'and'Media'Controls'
164.310(d)(1)' No' No' Yes'
Access'Control' 164.312(a)(1)' Yes' Yes' No'
Audit'Controls' 164.312(b)' Yes' Yes' No'
Integrity' 164.312(c)(1)' Yes' Yes' No'
Person'or'Entity'Authentication'
164.312(d)' Yes' Yes' No'
Transmission'Security' 164.312(e)(1)' Yes' Yes' No'
!
!
!
Business'Associate'Contracts''or'Other'Arrangements'
164.314(a)(1)(i)' No' No' Yes'
!Requirements'for'Group'Health'Plans'
164.314(b)(1)' No' No' Yes'
! Policies'and'Procedures'
164.316(a)' No' No' Yes'
!Documentation' 164.316(b)(1)(i)' No' No' Yes'
'
Table!3:'HIPAA'Security'Rule'Requirements'
VMware!Product!Availability!Guide!for!HIPAA!and!HITECH!
T E C H N I C A L ! G U I D E / ! 2 0 !
'
HIPAA!Security!Rule!Solution!Applicability!Details!vSphere!For'the'purposes'of'this'VMware'Solution'Guide'for'HIPAA/HITECH,'vSphere’s'components'and'features,'as'described'below,'can'support'automatic'compliance'and'deployment'scenarios'to'accommodate'HIPAA/HITECH'requirements.'
•' ESXi'–'is'a'bare[metal'hypervisor'installed'on'physical'servers.'ESXi'allows'for'partitioning'the'physical'resources'into'multiple'virtual'machines'and'allows'for'management'of'multiple'ESXi'hosts'through'a'single'management'platform'(vCenter'Server).'
•' vMotion'–'allows'live'running'virtual'machines'to'move'between'one'physical'server'to'another'without'disruption.'The'ability'to'dynamically'and'automatically'move'live'running'virtual'machines'can'ease'scaling'and'allow'workloads'to'be'performed'within'virtual'segments.'
•' Storage!vMotion'–'provides'the'ability'to'migrate'live'virtual'machine'disks'across'any'storage'arrays'supported'by'vSphere.'
•' High!Availability'–'allows'for'applications'running'in'virtual'machines'to'run'in'high'availability'mode,'protecting'the'application'from'hardware'and'operating'systems'failures'by'monitoring'the'state'of'the'virtual'machine'and'physical'host'and'automatically'restarts'the'virtual'machine'on'other'physical'servers.'
•' Data!Protection!and!Replication'–'Data'protection'provides'agent[less'image[level'backup'and'recovery'powered'by'EMC'Avamar.'Backups'are'done'via'fast'and'efficient'backup'to'disk'and'also'provide'fast'recovery.'The'replication'for'vSphere'allows'for'powered'on'replication'of'virtual'machines'from'one'vSphere'host'to'another'without'needing'storage'based'replication.'
•' Host!Profiles'–'allows'for'the'consistency'and'automation'of'deploying'physical'ESX/ESXi'hosts'rapidly.'Host'profiles'allow'for'automatic'deployment'of'configurations'to'hosts'and'provide'automatic'compliance'with'the'configurations.'Simplifying'operational'management'also'reduces'the'possibility'for'mis[configuration.'
The'following'product'matrix'explains'which'HIPAA'controls'are'applicable'to'vSphere'and'its'components.''
Technical Safeguards (§ 164.312)
HIPAA!Standard!Description!! Compliance!Attainability!
Comments!!
Access'Controls'['§'164.312(a)(1)'
Implement'technical'policies'and'procedures'for'electronic'information'systems'that'maintain'electronic'protected'health'information'to'allow'access'only'to'those'persons'or'software'programs'that'have'been'granted'access'rights.'
Attainable' ESXi'and'vCenter'can'be'configured'to'provide'access'control'for'individual'users'and'also'protect'access'to'systems'and'features'within'vSphere'by'implementing'role'based'access.''
See:'Configuring'Active'Directory'
See:'Configuring'Authentication'&'
VMware!Product!Availability!Guide!for!HIPAA!and!HITECH!
T E C H N I C A L ! G U I D E / ! 2 1 !
Technical Safeguards (§ 164.312)
User'Management'
Audit'Controls'['§'164.312(b)'
Implement'hardware,'software,'and/or'procedural'mechanisms'that'record'and'examine'activity'in'information'systems'that'contain'or'use'electronic'protected'health'information.'
Attainable'with'third[party'solutions'
vSphere'contains'basic'auditing'information'on'user'activity'that'can'be'used'to'identify'when'changes'took'place,'and'what'category'of'changes'were'affected.'Third[party'vendors'should'be'used'to'augment'the'logs'and'events'in'order'to'provide'greater'visibility'than'what'is'provided'by'vSphere.'
See:'Managing'ESXi'Log'Files'
See:'Retrieve'vCenter'Logs'
Integrity'['§'164.312(c)(1)'
Implement'policies'and'procedures'to'protect'electronic'protected'health'information'from'improper'alteration'or'destruction.'
Attainable'with'third[party'solutions'
vSphere'Data'Protection'and'Replication'can'be'implemented'to'ensure'that'data'is'intact'and'unaltered'during'backup'and'replication.'Third[party'solutions'are'required'to'provide'ad[hoc'data'and''file'integrity'at'the'file[system'level.'
See:'vSphere'Replication'Administration'
See:'vSphere'Data'Protection'Administration'
Person'or'Entity'Authentication'['§'164.312(d)'
Implement'procedures'to'verify'that'a'person'or'entity'seeking'access'to'electronic'protected'health'information'is'the'one'claimed.'
Attainable.''
Enhanced'by'third[party'solutions'
By'utilizing'local'accounts,'vCenter'Single'Sign[On'(SSO),'or'Active'Directory,'users'can'be'authenticated'on'an'individual'level.'By'using'a'third[party'solution,'two[factor'authentication'can'also'be'implemented'to'authenticate'users'against'the'management'vCenter,'which'ensures'greater'accuracy'that'
VMware!Product!Availability!Guide!for!HIPAA!and!HITECH!
T E C H N I C A L ! G U I D E / ! 2 2 !
Technical Safeguards (§ 164.312)
users'are'who'they'claim'to'be.''
See:'Configuring'Active'Directory'
Transmission'Security'['§'164.312(e)(1)'
Implement'technical'security'measures'to'guard'against'unauthorized'access'to'electronic'protected'health'information'that'is'being'transmitted'over'an'electronic'communications'network'
Attainable'with'third[party'support'
Through'the'ability'to'create'port'groups'and'vSwitchs,'administrators'can'limit'communication'of'virtual'machines'within'the'same'physical'host.'Using'third'party'solutions,'administrators'can'also'prevent'certain'network'based'changes'from'taking'place.'
See:'vSphere'Networking'Guide'
Table!4:'Applicability'of'HIPAA'Controls'to'vSphere'Suite'
vCloud!Director!For'the'purposes'of'this'VMware'Solution'GuidevCloud’s'components'and'features,'as'described'below,'can'provide'for'automatic'compliance'via'pre[defined'service'catalogs'and'isolation'through'multi[tenacy'to'accommodate'HIPAA/HITECH'requirements.'
•' Elastic!Virtual!Datacenter'–'vCloud'Director'provides'the'ability'to'rapidly'provision'and'release'resources.'vCD'allows'users'to'spin'up'virtual'data'centers'that'span'multiple'clusters'and'automatic'placement'of'vApps.'An'API'also'enables'organizations'to'programmatically'spin'up'or'down'resources'on'demand.'
•' Service!Catalog'–'give'the'ability'to'predefine'resources'for'network,'storage,'and'compute'while'providing'consistency'in'deployments'and'limit'or'allow'services'for'different'user'classes.'
•' MultiSTenancy!–'Administrators'can'group'users'into'organizations'and'provide'different'levels'of'service'and'resources'based'on'those'groups.'Enabling'all'the'separate'organizations'to'share'the'same'infrastructure.''
The'following'product'matrix'explains'which'HIPAA'controls'are'applicable'to'vCloud'Director'and'its'components.''
Technical Safeguards (§ 164.312)
HIPAA!Standard!Description!! Compliance!Attainability!
Comments!!
Access'Controls'['§'164.312(a)(1)'
VMware!Product!Availability!Guide!for!HIPAA!and!HITECH!
T E C H N I C A L ! G U I D E / ! 2 3 !
Technical Safeguards (§ 164.312)
Implement'technical'policies'and'procedures'for'electronic'information'systems'that'maintain'electronic'protected'health'information'to'allow'access'only'to'those'persons'or'software'programs'that'have'been'granted'access'rights.'
'
Attainable.'
Enhanced'by'third[party'solutions'
'
vCloud'director'allows'administrators'to'limit'access'to'most'administrative'functions'and'protect'the'environment'in'which'HIPAA/HITECH'workloads'are'running.'Role[based'access'can'be'placed'on'users'so'that'they'can'only'perform'the'functions'and'duties'assigned'to'them'through'the'vCloud'director'portal.'There'are'also'third'party'solutions'to'provide'two'factor'authentication.'
See:'vCD'Users'Guide'pg.'15'
See:'vCloud'Security'–'Two[Factor'
Audit'Controls'['§'164.312(b)'
Implement'hardware,'software,'and/or'procedural'mechanisms'that'record'and'examine'activity'in'information'systems'that'contain'or'use'electronic'protected'health'information.'
Attainable.'
Enhanced'by'third[party'solutions'
'
vCloud'director'provides'administrators'with'the'ability'to'audit'and'monitor'activities'performed'through'vCD.'By'implementing'a'third'party'solution'additional'detail'of'logs'can'be'accessible.''
See:'vCD'Users'Guide'pg.'42'
Integrity'['§'164.312(c)(1)' '
Implement'policies'and'procedures'to'protect'electronic'protected'health'information'from'improper'alteration'or'destruction.'
Attainable.'
Enhanced'by'third[party'solutions'
vCloud'director'can'prevent'deletion'of'vApps'via'policies'set'by'the'administrator.'Also,'by'using'a'third'party'solution,'it'is'possible'to'further'limit'destruction'of'virtual'machines'and/or'require'additional'levels'of'authorization'before'doing'so.'
See:'vCD'Users'Guide'pg.'36'
Person'or'Entity'Authentication'['§'164.312(d)'
Implement'procedures'to'verify'that'a'person'or'entity'seeking'access'to'electronic'protected'
Attainable.'
Enhanced'by'third[party'
vCloud'director'can'integrate'into'active'directory'and'provide'support'for'Security'Support'Provider'Interface'
VMware!Product!Availability!Guide!for!HIPAA!and!HITECH!
T E C H N I C A L ! G U I D E / ! 2 4 !
Technical Safeguards (§ 164.312)
health'information'is'the'one'claimed.'
solutions' (SSPI),'which'is'Microsoft’s'proprietary'implementation'of'GSSAPI.'Integrating'third'party'solutions'can'provide'two[factor'authentication'to'both'users'and'administrators.'
See:'vCloud'Security'–'Two[Factor'
Transmission'Security'['§'164.312(e)(1)'
Implement'technical'security'measures'to'guard'against'unauthorized'access'to'electronic'protected'health'information'that'is'being'transmitted'over'an'electronic'communications'network'
Attainable' vCloud'director'can'provide'multiple'types'of'VPN[based'access'into'vCloud'environments.'These'scenarios'can'vary'from'cloud[to[cloud'access,'or'public[to[private'access'between'the'cloud'environments.'Using'IPSEC'can'provide'both'authentication'and'encryption'into'and'between'the'cloud'environments.'
See:'vCloud'Security'–'Network'Security'
Table'5:'Applicability'of'HIPAA'Controls'to'vCloud'Director'
vCloud!Networking!and!Security!Suite!!!For'the'purposes'of'this'VMware'Solution'Guide','the'suite'is'a'group'of'products'that'deliver'a'virtualized'security'model'specifically'designed'to'overcome'the'traditional'challenges'of'managing'security'in'a'virtual'environment.''vCloud'Networking'and'Security'provides'a'software[based'approach'to'application'and'data'security'in'virtualized'and'cloud'environments,'which'have'traditionally'been'enforced'primarily'through'physical'security'appliances.'The'vCloud'Networking'and'Security'suite'consists'of'the'following'four'(4)'products:'
•' App'–'Protects'applications'in'a'virtual'datacenter'against'network[based'threats'by'providing'a'firewall'that'is'hypervisor[based'and'application[aware.'vCloud'Networking'and'Security'App'has'visibility'of'intra[VM'communication,'and'enforces'policies,'firewall'rules'based'on'logical'groups,'and'workloads.'
•' Data!Security!–'Adds'to'Sensitive'Data'Discovery'across'virtualized'resources'allowing'the'organizations'to'identify'and'secure'different'types'of'sensitive'data.'''
•' Edge'–'Enhances'protection'of'a'virtual'datacenter'perimeter'by'providing'gateway'security'services'including'careful'inspection'firewall,'site[to[site'VPN,'load'balancing,'Dynamic'Host'Configuration'Protocol'(DHCP),'and'Network'Address'Translation'(NAT).''It'also'has'the'ability'to'integrate'with'third[party'IDS'solutions.'
•' VXLAN'–'VXLAN'technology'allows'compute'resources'to'be'pooled'across'non[contiguous'clusters'or'pods.'You'can'then'segment'this'pool'into'logical'networks'attached'to'applications.'Unlike'VLANs,'VXLANs'virtual'networks'can'span'across'virtual'resources'pools'and'physical'boundaries'['and'as'such,'are'more'efficient,'scalable,'resilient'and'manageable.'
VMware!Product!Availability!Guide!for!HIPAA!and!HITECH!
T E C H N I C A L ! G U I D E / ! 2 5 !
The'following'product'matrix'explains'which'HIPAA'controls'are'applicable'to'the'vCloud'Networking'and'Security'(vCNS)'and'its'components.'
Technical Safeguards (§ 164.312)
HIPAA!Standard!Description!! Compliance!Attainability!
Comments!!
Access'Controls'['§'164.312(a)(1)'
Implement'technical'policies'and'procedures'for'electronic'information'systems'that'maintain'electronic'protected'health'information'to'allow'access'only'to'those'persons'or'software'programs'that'have'been'granted'access'rights.'
Attainable'
'
By'utilizing'App'firewall'or'Edge'for'vCloud'Networking'and'Security'(VCNS)'network'restrictions'and'policies'can'be'created,'protecting'virtual'assets'from'unauthorized'access,'based'on'either'logical'groups'or'IP'addresses.''''
See:'vShield'admin'guide'5.1'['pg151'
Audit'Controls'['§'164.312(b)'
Implement'hardware,'software,'and/or'procedural'mechanisms'that'record'and'examine'activity'in'information'systems'that'contain'or'use'electronic'protected'health'information.'
Attainable' Data'Security'for'vCloud'Networking'and'Security'allows'administrators'to'discover'unstructured,'sensitive'data'across'the'vSphere'environment,'allowing'''the'identifying'and'securing'of'PII'(personally'identifiable'information),'PCI[DSS'cardholder'data,'and'PHI'(protected'health'information.'
See:'vShield'admin'guide'5.1'['pg177'
Integrity'['§'164.312(c)(1)'
Implement'policies'and'procedures'to'protect'electronic'protected'health'information'from'improper'alteration'or'destruction.'
—'
'
Not'Applicable'
Person'or'Entity'Authentication'['§'164.312(d)' '
Implement'procedures'to'verify'that'a'person'or'entity'seeking'access'to'electronic'protected'health'information'is'the'one'
Attainable' By'utilizing'vCloud'Networking'and'Security'Edge'enterprises'can'allow'secure'external'authentication'(RADIUS,'Active'Directory,'LDAP,'RSA[ACE'or'
VMware!Product!Availability!Guide!for!HIPAA!and!HITECH!
T E C H N I C A L ! G U I D E / ! 2 6 !
Technical Safeguards (§ 164.312)
claimed.' Local'sources)'and'communication'(default'is'AES256[SHA)''to'the'virtual'datacenter'by'utilizing'the'SSL'VPN.'
See:'vShield'admin'guide'5.1'['pg103'
Transmission'Security'['§'164.312(e)(1)'
Implement'technical'security'measures'to'guard'against'unauthorized'access'to'electronic'protected'health'information'that'is'being'transmitted'over'an'electronic'communications'network'
Attainable' vCloud'Networking'and'Security'Edge'allows'the'ability''to'utilize'both'SSL'and'IPSEC'VPN'connections'to'allow'secure'communication'and'authentication'between'datacenters'and'external'user.'
See:'vShield'admin'guide'5.1'–'pg103'
See:'vShield'admin'guide'5.1'–'pg80'
Table!6:'Applicability'of'HIPAA'Controls'to'vCloud'Networking'and'Security'Suite'
vCenter!Site!Recovery!Manager!For'the'purposes'of'this'VMware'Solution'Guide'vCenter’s'Site'Recovery'Manager,'as'described'below,'can'provide'for'automatic'or'manual'recovery'during'a'service'disruption'to'accommodate'HIPAA/HITECH'requirements.'
•' Automated!Recovery!Plans!–'Site'recovery'manager'can'utilize'the'information'in'vCenter'to'build'automated'recovery'plans'based'on'the'latest'running'infrastructure'in'vCenter.'The'plans'can'be'used'to'fulfill'compliance'requirements'for'recovery'plans'and'test'results.'
•' Automated!DR!Failover!and!Failback'–'By'using'automation,'site'recovery'manager'can'detect'failures'and'automatically'failover'to'the'DR'location'as'well'as'automatically'failback.'Manual'recovery'times'can'be'reduced'drastically'and'error'prone'processes'eliminated.''
•' vSphere!Replication'['The'replication'for'vSphere'allows'for'powered'on'replication'of'virtual'machines'from'one'vSphere'host'to'another'without'needing'storage'based'replication'and'can'provide'recovery'points'from'15'minutes'to'24'hours'replicating'only'changes.'
The'following'product'matrix'explains'which'HIPAA'controls'are'applicable'to'the'vCenter'Site'Recovery'Manager'(vSRM).'following'is'the'detailed'description'of'the'controls'that'may'be'met'through'vSRM'and'its'components.'
Technical Safeguards (§ 164.312)
HIPAA!Standard!Description!!
!
Compliance!Attainability!
Comments!!
!
VMware!Product!Availability!Guide!for!HIPAA!and!HITECH!
T E C H N I C A L ! G U I D E / ! 2 7 !
Technical Safeguards (§ 164.312)
Access'Controls'['§'164.312(a)(1)'
Implement'technical'policies'and'procedures'for'electronic'information'systems'that'maintain'electronic'protected'health'information'to'allow'access'only'to'those'persons'or'software'programs'that'have'been'granted'access'rights.'
—' Not'Applicable'
Audit'Controls'['§'164.312(b)'
Implement'hardware,'software,'and/or'procedural'mechanisms'that'record'and'examine'activity'in'information'systems'that'contain'or'use'electronic'protected'health'information.'
Attainable'
'
Through'vCenter'Site'Recovery'Manager'recovery'plans'and'test'plans'can'be'generated'automatically'and'used'to'audit'failover'activity'between'sites.'
See:'SRM'Administration'Guide'–'Recovery'Plans'
Integrity'['§'164.312(c)(1)' '
Implement'policies'and'procedures'to'protect'electronic'protected'health'information'from'improper'alteration'or'destruction.'
Attainable'
'
Through'the'vSphere'Replication'product,'data'can'be'safely'replicated'across'sites'without'risk'of'alteration.''
See:'vSphere'Replication'Admin'Guide'
Person'or'Entity'Authentication'['§'164.312(d)' '
Implement'procedures'to'verify'that'a'person'or'entity'seeking'access'to'electronic'protected'health'information'is'the'one'claimed.'
—'
'
Not'Applicable'
'
Transmission'Security'['§'164.312(e)(1)'
VMware!Product!Availability!Guide!for!HIPAA!and!HITECH!
T E C H N I C A L ! G U I D E / ! 2 8 !
Technical Safeguards (§ 164.312)
Implement'technical'security'measures'to'guard'against'unauthorized'access'to'electronic'protected'health'information'that'is'being'transmitted'over'an'electronic'communications'network'
Attainable'with'third[party'solutions'
'
vSphere'Replication'does'not'provide'any'encryption'during'transmission,'therefore'the'use'of'a'third'party'encryption'solution'would'be'necessary'to'protect'PHI'during'transmission'in'the'case'of'replication.'
Table!7:'Applicability'of'HIPAA'Controls'to'vCenter'Site'Recovery'Manager'
vCenter!Operations!Management!Suite!!For'the'purposes'of'this'VMware'Solution'Guide,'the'vCenter'Operations'Management'Suite,'as'described'below,'can'enable'IT'organizations'to'gain'better'visibility'and'actionable'intelligence'to'proactively'facilitate'service'levels,'optimum'resource'usage,'and'configuration'compliance'in'dynamic'virtual'and'cloud'environments.''
•' vCenter!Operations!Manager!(vCOPs)'–'Uses'patented'analytics'and'integrated'approach'to'operations'management'in'order'to'provide'the'intelligence'and'visibility'required'to'proactively'maintain'service'levels,'optimum'resource'usage,'and'configuration'compliance'in'dynamic'virtual'and'cloud'environments.'
•' vCenter!Configuration!Manager!(vCM)'–'Automates'configuration'management'across'virtual'and'physical'servers'and'desktops,'increasing'efficiency'by'eliminating'manual,'error[prone,'and'time[consuming'work.'This'enables'enterprises'to'maintain'continuous'compliance'by'detecting'changes'and'comparing'them'to'configuration'and'security'policies.'
•' vCenter!Infrastructure!Navigator'–'Automatically'discovers'and'visualizes'application'and'infrastructure'dependencies.'It'provides'visibility'into'the'application'services'running'over'the'virtual[machine'infrastructure'and'their'interrelationships'for'day[to[day'operational'management.'
The'following'product'matrix'explains'which'HIPAA'controls'are'applicable'to'the'vCenter'Operations'Management'(vCOPs)'Suite.'VMware'Solution'Guide'for'HIPAA/HITECH,'vCenter'Configuration'Manager'(vCM)'is'the'principal'application'within'the'vCOPs'Suite'that'allows'it'to'help'the'user'meet'HIPAA/HITECH'regulatory'compliance'standards.'The'following'is'the'detailed'description'of'the'controls'that'may'be'met'through'the'Suite.'
'
'
Technical Safeguards (§ 164.312)
HIPAA'Standard'Description'' Compliance'Attainability' Comments''
Access'Controls'['§'164.312(a)(1)'
Implement'technical'policies'and'procedures'for'electronic'information'systems'that'maintain'electronic'protected'health'
—'
'
Not'Applicable'
'
VMware!Product!Availability!Guide!for!HIPAA!and!HITECH!
T E C H N I C A L ! G U I D E / ! 2 9 !
Technical Safeguards (§ 164.312)
information'to'allow'access'only'to'those'persons'or'software'programs'that'have'been'granted'access'rights.'
Audit'Controls'['§'164.312(b)'
Implement'hardware,'software,'and/or'procedural'mechanisms'that'record'and'examine'activity'in'information'systems'that'contain'or'use'electronic'protected'health'information.'
'
—'
'
The'vCenter'Operations'Management'suite'allows'administrators'to'collect'configuration'data,'change'tracking,'and'compliance'assessment'within'the'VMware'infrastructure'for'VMware'products'including'ESX,'ESXi,'vCenter,'vCloud'Director,'and'VMware'vCloud'Networking'and'Security'allowing'correlation'between'performance'and'security'metrics'across'the'virtual'infrastructure.'
Integrity'['§'164.312(c)(1)'
Implement'policies'and'procedures'to'protect'electronic'protected'health'information'from'improper'alteration'or'destruction.'
'
Attainable'
'
By'utilizing'vCenter'Configuration'Manager'(vCM)'enterprises'are'able'to'maintain'continuous'compliance'by'detecting'changes'in'the'configurations'maintained'and'comparing'them'to'configuration'and'security'policies'across'the'virtual'environment'based'on'various'regulations'(Sarbanes[Oxley,'HIPAA,'GLBA'and'FISMA).'
See:'vCM'Admin'Guide'pg'153'
Person'or'Entity'Authentication'['§'164.312(d)'
Implement'procedures'to'verify'that'a'person'or'entity'seeking'access'to'electronic'protected'health'information'is'the'one'claimed.'
—'
'
Not'Applicable'
'
Transmission'Security'['§'164.312(e)(1)'
VMware!Product!Availability!Guide!for!HIPAA!and!HITECH!
T E C H N I C A L ! G U I D E / ! 3 0 !
Technical Safeguards (§ 164.312)
Implement'technical'security'measures'to'guard'against'unauthorized'access'to'electronic'protected'health'information'that'is'being'transmitted'over'an'electronic'communications'network'
—'
'
Not'Applicable'
'
Table!8:'Applicability'of'HIPAA'Controls'to'vCenter'Operations'Management'Suite'
Acknowledgements!VMware'would'like'to'recognize'the'efforts'of'the'VMware'Compliance'Solutions'team,'VMware'Alliance'Partners,'and'the'numerous'VMware'teams'that'contributed'to'this'paper'and'to'the'establishment'of'the'VMware'Compliance'Program.'VMware'would'also'like'to'recognize'the'Accuvant'LABS'Enterprise'Risk'team'www.accuvant.com'for'their'industry'guidance.'Accuvant'provided'HIPAA'and'HITECH'guidance'and'control'interpretation'described'herein.'
The!information!provided!by!Accuvant!and!contained!in!this!document!is!for!educational!and!
informational!purposes!only.!Accuvant!makes!no!claims,!promises!or!guarantees!about!the!
completeness!or!adequacy!of!the!information!contained!herein.!
About!Accuvant!Accuvant'is'the'Authoritative'Source'for'information'security.'Since'2002,'the'company'has'served'more'than'5,200'clients,'including'half'of'the'Fortune'100'and'more'than'900'educational'institutions'and'government'entities.'Headquartered'in'Denver,'Accuvant'has'offices'across'the'United'States'and'Canada'and'has'the'largest'and'most'skilled'team'of'technical'security'professionals'in'the'world'–'Accuvant'LABS.'For'more'information,'please'visit'www.accuvant.com.'
'
!
!
! ! ! ! !'
VMware,'Inc.'3401'Hillview'Avenue'Palo'Alto'CA'94304'USA'Tel'877[486[9273'Fax'650[427[5001'www.vmware.com'Copyright'©'2013'VMware,'Inc.'All'rights'reserved.'This'product'is'protected'by'U.S.'and'international'copyright'and'intellectual'property'laws.'VMware'products'are'covered'by'one'or'more'patents'listed'at'http://www.vmware.com/go/patents.'VMware'is'a'registered'trademark'or'trademark'of'VMware,'Inc.'in'the'United'States'and/or'other'jurisdictions.'All'other'marks'and'names'mentioned'herein'may'be'trademarks''of'their'respective'companies.'Item'No:'VMW[TWP[VMWARE[SOLUTION[GUIDE[FOR[HIPAA[HITEC[USLET[103'