VMware Product Applicability Guide for HIPAA/HITECH PDF

! ! ! ! !

!

VMware®'SDDC'Product'Applicability'Guide'for'HIPAA/HITECH,'v1.0'

November'2013'

T E C H N I C A L ' G U I D E '''''''''

This is the first document in the Compliance Reference Architecture for HIPAA. You can find more information on the Framework and download the additional documents from the VMware HIPAA Compliance Resources on VMware Solution Exchange.

VMware!Product!Availability!Guide!for!HIPAA!and!HITECH!

T E C H N I C A L ! G U I D E / ! 1 !

Table!of!Contents!

Introduction'...............................................................................................................................''2'

Scope'and'Approach'.................................................................................................................'3'

VMware'Solution'Scope'........................................................................................................'3'HIPAA'and'HITECH'Act'Scope'.............................................................................................'4'Approach'...............................................................................................................................'4'

Overview'of'HIPAA/HITECH'Security'Requirements'................................................................'6'

HIPAA'Protected'Health'Information'and'Identifiers'.................................................................'9'

HIPAA/HITECH'Compliance'Guidance''..................................................................................'10'

Definition'of'Cloud'Computing'.................................................................................................'12'

Where'to'Start'–'Considerations'for'Covered'Entities'.............................................................'14'

Management/Business'Considerations'..............................................................................''15'IT'Considerations'.................................................................................................................'15'

VMware'HIPAA'Compliance'Stack'.........................................................................................'15'

HIPAA'Security'Rule'Solution'Applicability'Matrix'..................................................................'16'

HIPAA'Security'Rule'Solution'Applicability'Details'.................................................................'20'

vSphere'...............................................................................................................................'20'vCloud'Director'....................................................................................................................'22'vCloud'Networking'and'Security'Suite'................................................................................'24'vCenter'Site'Recovery'Manager'..........................................................................................'26'vCenter'Operations'Management'Suite'..............................................................................'28'

Acknowledgments'...................................................................................................................'30'

About'Accuvant'....................................................................................................................'30'

!

!'

'

'

'

'

'

'

'

'

'


T E C H N I C A L ! G U I D E / ! 2 !

Introduction!Information'security'design'and'architectural'requirements,'driven'by'regulatory'compliance,'are'common'but'critical'aspects'that'organizations'should'consider'when'migrating'from'traditional'IT'environments'to'cloud'computing'environments.'Helping'organizations'with'the'arduous'tasks'of'meeting'and'maintaining'HIPAA'and'the'HITECH'act'regulatory'compliance,'VMware'and'its'partners'provide'suites'of'industry[leading,'virtualization'solutions'which'address'the'confidentiality,'integrity'and'availability'requirements'of'HIPAA/HITECH.'This'VMware'solution'guide'will'assist'in'answering'questions'such'as'“How!Can!Our!Organization!Comply!with!HIPAA!Requirements!within!a!Cloud!Computing!Environment”'by'providing'helpful'information'to'VMware'architects,'the'HIPAA/HITECH'community,'business'stakeholders'and'third'parties.'''

VMware'vCloud'Suite'is'VMware’s'complete'software?defined!datacenter'(SDDC)'solution,'enabling'customers'to'build'and'manage'their'own'cloud'infrastructure.'The'vCloud'Suite'is'offered'into'three'editions'and'divided'into'eight'discrete'software'components:'

vSphere!–'Virtualized'infrastructure'with'policy[based'automation'

vCloud!Director'–'Virtualized'datacenters'with'multi[tenancy'and'public'cloud'extensibility'

vCloud!Connector'–'Integrated'viewing'and'dynamic'transfer'of'workloads'between'private'and'public'clouds''

vCloud!Networking!and!Security'–'Software'defined'networking,'security'and'ecosystem'integration'

vCenter!Site!Recovery!Manager'–'Automated'disaster'recovery'planning,'testing'and'execution'

vCenter!Operations!Management!Suite'–'Integrated,'proactive'performance'capacity,'and'configuration'management'for'dynamic'cloud'environments.'The'vCenter'Operations'Management'Suite'is'broken'into'seven'features'that'are'offered'depending'on'vCloud'Suite'edition'type.'These'seven'features'are:'

•' Application'Monitoring''

•' Storage'Adapters'for'EMC''

•' VM'Configuration'Compliance'

•' Host'Configuration'Compliance'

•' Performance'and'Capacity'Optimization''

•' Application'Awareness''

•' Chargeback''

vFabric!Application!Director!–'Multi[tier'application'service'catalog'publishing'and'provisioning''

vCloud!Automation!Center'–'Self[service'and'policy[enabled'cloud'service'provisioning''!

!

!

!

!

!

!

!

!

!


T E C H N I C A L ! G U I D E / ! 3 !

Figure!1.'VMware'Cloud'Suite'components'

'

Scope!and!Approach!Due'to'the'broad'context'of'the'HIPAA'and'HITECH'acts'it'is'prudent'to'properly'define'and'detail'the'scope'of'this'document'and'the'approach'that'has'been'taken'in'defining'such'scope.'The'scope'is'divided'between'the'VMware'components'that'are'included,'reviewed'and'considered'highly'relevant'as'part'of'this'guide'and'the'governing'sections'of'the'HIPAA'and'HITECH'Acts'that'pertain'to'electronic'data,'information'technology'and'thus'network'and'electronic'information'security.'While'this'guide'provides'specific'technical'opinions'regarding'the'applicability'of'VMware'solutions'to'HIPAA’s'regulations'the'guide'is'neither'comprehensive'in'its'coverage'of'the'entire'HIPAA'regulation'nor'prescriptive.'It'does'not'define'a'single'implementation'strategy'that'assures'compliance.'

VMware!Solution!Scope!Using'the'Enterprise'edition'of'vCloud'Suite'as'the'basis'for'the'VMware'solution,'the'components'applicable'to'this'guide'and'detailed'within'this'guide'(“VMware'Scope”)'include:'

•' vSphere'

•' vCloud'Director'

•' vCloud'Networking'and'Security'(vCNS)'

•' vCenter'Site'Recovery'Manager'(SRM)'

•' vCenter'Operations'Management'Suite'(OMS)'

–' VM'Configuration'Compliance'

–' Host'Configuration'Compliance'

!


T E C H N I C A L ! G U I D E / ! 4 !

Those'specific'VMware'components'that'are'not'within'the'scope'of'this'document'have'been'omitted'either'because'of'their'non[applicability'(i.e.'Application'Monitoring,'Application'Awareness,'Performance'and'Optimization'and'Chargeback'components'of'vCenter'OMS,'vFabric'Application'Director'and'vCloud'Automation'Center)'or'interdependency'upon'separate'technology'not'in'scope'(i.e.'Storage'Adapters'for'EMC).'''

HIPAA!and!HITECH!Act!Scope!The'portions'of'the'HIPAA'and'HITECH'acts'that'are'considered'technical'in'nature'and'therefore'within'scope'(“HIPAA'Scope”)'of'this'guide'consist'of'specific'controls'within'HIPAA’s'Security'Rule,'45'CFR'Part'160'and'Subparts'A'and'C'of'Part'164.'The'HITECH'act'and'other'portions'of'HIPAA,'such'as'the'Privacy'Rule,'as'well'as'several'sections'of'HIPAA’s'Security'Rule'are'not'addressable'through'the'use'of'virtualization'and'cloud'technology,'including'VMware’s'solutions'and'therefore'are'not'covered'within'this'document.''

VMware'recognizes'the'larger'impact'that'the'full'scope'of'HIPAA'and'HITECH'has'upon'an'organization.'This'solutions'guide'is'intended'to'help'an'organization'understand'the'role'that'VMware’s'solutions'can'play'within'their'larger'compliance'efforts.'And'due'to'the'flexible'nature'of'HIPAA'and'significant'impact'that'non[compliance'can'have'upon'an'organization,'it'is'strongly'recommended'that'organizations'establish'their'HIPAA'and'HITECH'compliance'efforts'upon'a'comprehensive!risk!assessment!strategy.'

Approach!The'“HIPAA'Security'Rule'Solution'Applicability'Matrix”'(found'later'in'this'document)'maps'the'specific'requirements'of'the'HIPAA'Security'Rule'to'VMware’s'product'solution'suites,'their'technology'areas'and'in'some'cases'partner'solutions.'By'understanding'how'the'technology'solutions'and'technology'areas'apply'to'the'compliance'requirements'customers'are'able'to'support'their'broader'electronic'governance,'risk'and'compliance'(eGRC)'initiatives.'

Figure!2.'VMware'+'Partner'Product'Solutions'for'a'Trusted'Cloud'

!


T E C H N I C A L ! G U I D E / ! 5 !

While'there'are'many'variations'of'cloud'environments,'including'public,'private'and'hybrid'clouds,'and'there'are'many'partner'solutions'that'enhance'an'organization’s'ability'to'address'confidentiality,'integrity'and'availability,'the'VMware'vCloud'Suite'can'help'organizations'address'up'to'23%'(as'seen'in'figure'3'below)'of'the'compliance'requirements'of'the'HIPAA'Security'Rule.'

Figure!3.'HIPAA'Security'Rule'Controls'Coverage'

'

'

'

'

'

'

'

'

'

'

'

'

'

!


T E C H N I C A L ! G U I D E / ! 6 !

Overview!of!HIPAA/HITECH!Security!Requirements!The'Health'Insurance'Portability'and'Accountability'Act'of'1996'(HIPAAe'Pub.L.'104[191,'110'Stat.'1936)'was'enacted'by'the'United'States'Congress'and'signed'by'President'Bill'Clinton'on'August'21,'1996.'Title!II:!Preventing!Health!Care!Fraud!and!AbuseF!Administrative!SimplificationF!Medical!Liability!Reform'defines'policies,'procedures'and'guidelines'for'maintaining'the'privacy'and'security'of'individually'identifiable'health'information'as'well'as'outlining'numerous'offenses'relating'to'health'care'and'sets'civil'and'criminal'penalties'for'violations.'

As'required'by'Congress'in'HIPAA'and'HITECH'cover'the'following'types'of'organizations:'

•' Health'plans'

•' Health'care'clearinghouses'

•' Health'care'providers'who'conduct'certain'financial'and'administrative'transactions'electronically.'These'electronic'transactions'are'those'for'which'standards'have'been'adopted'by'the'Secretary'under'HIPAA,''such'as'electronic'billing'and'fund'transfers.'

Failure'to'meet'HIPAA'compliance'requirements'and'standards'could'give'rise'to'both'civil'and'criminal'penalties.'Section'13410'of'the'HITECH'Act'amends'section'1176'of'the'Social'Security'Act'(42'U.S.C'1320d[5)'in'order'to'update'enforcement'of'HIPAA.'The'penalties'under'the'Social'Security'Act,'and'amended'in'the'HITECH'act'are'divided'into'categories'of'claims'and'categories'of'penalties'that'are'applicable'to'individuals'and'organizations.'

Civil'monetary'penalties'are'divided'as'follows:''

•' In'cases'of'unknowing'violations'of'HIPAA,'each'violation'would'result'in'$100[$50,000'for'each'such'violation,'not'to'exceed'$1,500,000'for'the'all'such'violations'within'the'same'calendar'year.'''''

•' In'cases'of'wrongful'disclosure'of'individually'identifiable'patient'information,'a'person'shall'be'fined'$1,000[$50,000'for'each'such'violation'and'not'more'than'$1,500,000'for'all'such'violations'within''the'same'calendar'year.'''

•' In'cases'where'the'offense'is'committed'under'false'pretenses'and'corrected'in'the'same'calendar'year,'a'person'shall'be'fined'$10,000[$50,000'for'each'such'violation'and'not'more'than'$1,500,000'for'all'such'violations'within'the'same'calendar'year.'

•' In'cases'where'the'offense'is'committed'under'false'pretenses'and'not'corrected'in'the'same'calendar'year,'a'person'shall'be'fined'$50,000'for'each'such'violation'and'not'more'than'$1,500,000'for'all'such'violations'within'the'same'calendar'year.'

Criminal'penalties'can'be'imposed'against'individuals'and'are'divided'as'follows:'

•' Up'to'$50,000'and'potential'imprisonment'of'not'more'than'1'year'in'cases'of'wrongful'disclosure'of'PHI.'

•' Up'to'$100,000'and'potential'imprisonment'of'not'more'than'5'years'in'cases'committed'under'false'pretenses.'

•' Up'to'$250,000'and'imprisonment'of'not'more'than'10'years'in'cases'committed'with'intent'to'sell,'transfer'or'use'PHI'for'commercial'advantage,'personal'gain'or'malicious'harm.''

The'HIPAA'Security'Rule,'as'defined'within'45'CFR'Part'160'and'Subparts'A'and'C'of'Part'164,'has'22'requirements'that'pertain'to'the'safeguarding'of'patient'data'and'are'outlined'below.'Of'those'22,'the'requirements'that'we'believe'are'relevant'to'VMware’s'product'solutions'are'highlighted'in'yellow:'

'


T E C H N I C A L ! G U I D E / ! 7 !

HIPAA Administrative Safeguards

HIPAA!Standard! Reference! Applicability!to!Technical!Scope!

Security'Management'Process' 164.308(a)(1)(i)' Not'applicable'

Assigned'Security'Responsibility' 164.308(a)(2)' Not'applicable'

Workforce'Security' 164.308(a)(3)(i)' Not'applicable'

Information'Access'Management' 164.308(a)(4)(i)' Not'applicable'

Security'Awareness'and'Training' 164.308(a)(5)(i)' Not'applicable'

Security'Incident'Procedures' 164.308(a)(6)(i)' Not'applicable'

Contingency'Plans' 164.308(a)(7)(i)' Not'applicable'

Evaluation' 164.308(a)(8)' Not'applicable'

Business'Associate'Contracts''and'Other'Arrangements'

164.308(b)(1)'' Not'applicable'

'

HIPAA PHYSICAL Safeguards


Facility'Access'Controls' 164.310(a)(1)' Not'applicable'

Workstation'Use' 164.310(b)' Not'applicable'

Workstation'Security' 164.310(c)' Not'applicable'


T E C H N I C A L ! G U I D E / ! 8 !

HIPAA PHYSICAL Safeguards

Device'and'Media'Controls' 164.310(d)(1)' Not'applicable'

'

HIPAA TECHNICAL Safeguards !


Access'Control' 164.312(a)(1)' Applicable'

Audit'Controls' 164.312(b)' Applicable'

Integrity' 164.312(c)(1)' Applicable'

Person'or'Entity'Authentication' 164.312(d)' Applicable'

Transmission'Security' 164.312(e)(1)' Applicable'

'

HIPAA organizational requirements


Business'Associate'Contracts'or''Other'Arrangements'

164.314(a)(1)(i)' Not'Applicable'

Requirements'for'Group'Health'Plans'

164.314(b)(1)' Not'Applicable'

'

'

'

'


T E C H N I C A L ! G U I D E / ! 9 !

HIPAA Policies and Procedures and Documentation Requirements


Policies'and'Procedures' 164.316(a)' Not'Applicable'

Documentation' 164.316(b)(1)(i)' Not'Applicable'

Table'1:'HIPAA'Security'Standards'HIPAA!Protected!Health!Information!and!Identifiers!Protected'health'information'(PHI)'has'been'defined'by'the'US'Department'of'Health'and'Human'Services'(“HHS”)'as'any'information'in'the'medical'record'or'designated'record'set'that'can'be'used'to'identify'an'individual'and'that'was'created,'used,'or'disclosed'in'the'course'of'providing'a'health'care'service'such'as'diagnosis'or'treatment.'HIPAA'regulations'allow'researchers'to'access'and'use'PHI'when'necessary'to'conduct'research.'However,'HIPAA'only'affects'research'that'uses,'creates,'or'discloses'PHI'that'will'be'entered'in'to''the'medical'record'or'will'be'used'for'healthcare'services,'such'as'treatment,'payment'or'operations.'

As'defined'by'the'Heath'Resources'and'Services'Administration:'

“Under!the!HIPAA!Privacy!Rule,!protected!health!information!(PHI)!refers!to!individually!

identifiable!health!information.!Individually!identifiable!health!information!is!that!which!can!be!

linked!to!a!particular!person.!Specifically,!this!information!can!relate!to:!

•' The!individual’s!past,!present!or!future!physical!or!mental!health!or!condition,!

•' The!provision!of!health!care!to!the!individual,!or,!

•' The!past,!present,!or!future!payment!for!the!provision!of!health!care!to!the!individual.!

Common!identifiers!of!health!information!include!names,!social!security!numbers,!addresses,!

and!birth!dates.!

The!HIPAA!Security!Rule!applies!to!individual!identifiable!health!information!in!electronic!form!

or!electronic!protected!health!information!(ePHI).!!It!is!intended!to!protect!the!confidentiality,!

integrity,!and!availability!of!ePHI!when!it!is!stored,!maintained,!or!transmitted.”1'

The'18'PHI'identifiers'that'have'been'defined'within'HIPAA'by'the'HHS'as'in[scope'include:'

1.' Namese'

2.' All'geographical'subdivisions'smaller'than'a'State2e'

3.' All'elements'of'dates'(except'year)'for'dates'directly'related'to'an'individual3e'

4.' Phone'numberse'

5.' Fax'numberse'

6.' Electronic'mail'addressese'

1'http://www.hrsa.gov/healthit/toolbox/HealthITAdoptiontoolbox/PrivacyandSecurity/underhipaa.html'2 With exceptions 3 With exceptions


T E C H N I C A L ! G U I D E / ! 1 0 !

'

7.' Social'Security'numberse'

8.' Medical'record'numberse'

9.' Health'plan'beneficiary'numberse'

10.' Account'numberse'

11.' Certificate/license'numberse'

12.' Vehicle'identifiers'and'serial'numbers,'Including'license'plate'numberse'

13.' Device'identifiers'and'serial'numberse'

14.' Web'Universal'Resource'Locators'(URLs)e'

15.' Internet'Protocol'(IP)'address'numberse'

16.' Biometric'identifiers,'including'finger'and'voice'printse'

17.' Full'face'photographic'images'and'any'comparable'imagese'and'

18.' Any'other'unique'identifying'number,'characteristic,'or'code'(note'this'does'not'mean'the'unique'code'assigned'by'the'investigator'to'code'the'data)'

HIPAA/HITECH!Compliance!Guidance!!While'formal'guidelines'have'not'yet'been'released'recommending'explicit'security'guidelines'for'HIPAA'compliance'within'a'Public'Cloud'environment,'in'2007'the'U.S.'Department'of'Health'and'Human'Services'(“HHS”)'released'an'“Educational'Paper'Series”'that'covered'a'number'of'security'principles'in'an'effort'to'provide'HIPAA'covered'entities'“insight'into'the'Security'Rule”4.'The'papers'covered'a'variety'of'topics:'

•' Security'101'for'Covered'Entities'

•' Administrative'Safeguards'

•' Physical'Safeguards'

•' Technical'Safeguards'

•' Organizational,'Policies'and'Procedures'and'Documentation'Requirements'

•' Basics'of'Risk'Analysis'and'Risk'Management'

•' Security'Standards:'Implementation'for'the'Small'Provider'

All'of'the'papers'provided'by'the'HHS'are'recommended'in'developing'an'understanding'of'HIPAA’s'intent.'Of'the'seven'papers,'the'Security'101'for'Covered'Entities,'Technical'Safeguards'and'Basics'of'Risk'Analysis'and'Risk'Management'hold'the'most'relevance'to'the'VMware'scope'defined'in'an'earlier'section.'

4'http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/securityruleguidance.html''

'

'


T E C H N I C A L ! G U I D E / ! 1 1 !

Figure!4.''HIPAA'Security'Series'#1,'#4'and'#6'

In'addition'to'the'Educational'Paper'Series,'HHS'released'in'2010'a'guidance'paper'relative'to'HITECH'titled'“Guidance!on!Risk!Analysis!Requirements!under!the!HIPAA!Security!Rule”.'This'paper'is'intended'to'assist'organizations'in'understanding'what'HHS'considers'the'“most'effective'and'appropriate'administrative,'physical'and'technical'safeguards”5'relative'to'e[PHI.'In'this'document'the'HHS'very'specifically'acknowledges'limited'prescriptive'specificity'within'the'Security'Rule'and'points'at'one'very'clear'directive—base'the'identification'and'implementation'of'the'various'safeguards'upon'risk'analysis.'

“We'understand'that'the'Security'Rule'does'not'prescribe'a'specific'risk'analysis'methodology,'recognizing'that'methods'will'vary'dependent'on'the'size,'complexity,'and'capabilities'of'the'organization.'Instead,'the'Rule'identifies'risk'analysis'as'the'foundational'element'in'the'process'of'achieving'compliance,'and'it'establishes'several'objectives'that'any'methodology'adopted'must'achieve”6.'

The'guide'provides'additional'clarification'between'the'terms'“addressable”'and'“required”e'noting'that'addressable'specifications'are'not'optional'and'require'organizations'to'determine'whether'each'addressable'specification'is'reasonable'and'appropriate.'Organizations'“must'document”7,'as'part'of'that'determination'process,'why'a'particular'specification'was'determined'to'be'unreasonable'or'inappropriate.''

'

5'From'Guidance'on'Risk'Analysis'Requirements'Under'HIPAA'Security'Rule'pg.1,'posted'July'14,'2010'6'From'Guidance'on'Risk'Analysis'Requirements'Under'HIPAA'Security'Rule'pg.'2'posted'July'14,'2010'7'From'Guidance'on'Risk'Analysis'Requirements'Under'HIPAA'Security'Rule'pg.'2'posted'July'14,'2010'

'

'

!


T E C H N I C A L ! G U I D E / ! 1 2 !

'

'

!

!

!

!

!

!

Figure!5.''Guidance'on'Risk'Analysis'Requirements'Under'the'HIPAA'Security'Rule'

Definition!of!Cloud!Computing!!Cloud'computing'can'be'defined'as'a'model'for'leveraging'pools'of'shared'resources'on[demand,'such'as'networks,'storage,'servers,'applications'and'services.'These'shared'resources,'known'as'a'“cloud”,'provide'a'multitude'of'capabilities,'some'of'which'include'scalability,'elasticity'of'IT'resources,'smaller'environmental'footprint'such'as'power'or'physical'space,'and'finally'more'accurate'economies'of'scale.'''

Cloud'computing'is'nothing'new,'and'has'origins'dating'back'to'the'early'1950’s'and'1960’s,'when'mainframes'were'modified'to'provide'better'efficiency'and'scalability.'The'term'“cloud”'itself'became'commonplace'when'in'the'1990’s'the'graphic'of'a'cloud'was'used'to'identify'the'Internet'or'any'other'shared'network.'It'has'really'been'in'the'last'decade'that'a'mature'definition'of'“Cloud'Computing”'has'been'established.'Several'key'events'occurred'that'helped'to'establish'current'day'cloud'computing:'

1.'In'1999'VMware'introduced'the'VMware'Virtual'Platform'that'provided'the'first'affordable'and'reliable'virtualization'platform,'enabling'broad'adoption'of'virtualization'within'the'data'center'and'ultimately'supporting'private'cloud'computing.'

2.'In'2006'Amazon'released'Amazon'Web'Services'(AWS)'expanding'cloud'computing'from'a'private'endeavor'to'a'utility'provided'to'external'customers.'

VMware'defines'cloud'or'utility'computing'as'the'following:'

“Cloud!computing!is!an!approach!to!computing!that!leverages!the!efficient!pooling!of!on?

demand,!self?managed!virtual!infrastructure,!consumed!as!a!service.!Sometimes!known!as!utility!

computing,!clouds!provide!a!set!of!typically!virtualized!computers!which!can!provide!users!with!the!

ability!to!start!and!stop!servers!or!use!compute!cycles!only!when!needed,!often!paying!only!

upon!usage.”!

There'are'several'key'characteristics'to'cloud'computing'that'are'recognized'throughout'the'industry.'The'first'key'characteristic'of'the'Cloud'is'its'service'models.'The'second'key'characteristic'of'the'Cloud'is'its'deployment'models.'Four'distinct'deployment'models'exist'(which'do'not'necessarily'align'with'the'service'models):'the'Private'cloud,'the'Public'cloud,'the'Hybrid'cloud'(combining'both'public'and'private),'and'finally'the'Community'cloud.'

The'Cloud’s'service'models'are'divided'into'four'separate'service'models:'

•' Infrastructure'as'a'Service'(IaaS)'–'As'the'name'suggests'the'IaaS'model'is'specific'to'the'infrastructure'that'supports'cloud'computing.'IaaS'solution'providers'offer'physical'or'virtual'

!


T E C H N I C A L ! G U I D E / ! 1 3 !

computers,'disk,'network'routing'and'switching'infrastructure'and'other'network'and'security'infrastructure.'

•' Platform'as'a'Service'(PaaS)'–'Building'upon'an'IaaS'solution,'the'PaaS'model'provides'the'computing'platform'necessary'to'run'and'support'the'applications'and'services.'A'PaaS'solution'provider'typically'provides'the'operating'systems,'service'application'stack'–'such'as'web'servers'and'database'servers,'and'other'necessary'environment'support'–'such'as'programming'languages,'frameworks'and'services.'

•' Software'as'a'Service'(SaaS)'–'Certainly'the'most'visible'of'the'service'models,'the'SaaS'model'provides'access'to'fully'operational'applications.'These'applications'are'fully'managed'at'the'platform'and'infrastructure'level'and'are'often'are'supported'through'separate'IaaS'and'PaaS'providers.'''

•' Network'as'a'Service'(NaaS)'–'This'final'model'brings'common'network,'transport'or'VPN'connectivity'to'the'market.''

The'Cloud’s'deployment'models'happen'to'also'be'divided'into'four'distinct'models'today.'The'deployment'models'to'not'necessarily'align'with'the'service'models'defined'above.'

•' Private'Cloud'–'The'cloud'infrastructure'is'operated'solely'for'an'organization'and'may'be'managed'by'the'organization'or'a'third'party.'The'cloud'infrastructure'may'be'on[premise'or'off[premise.'

•' Public'Cloud'–'The'cloud'infrastructure'is'made'available'to'the'general'public'or'to'a'large'industry'group'and'is'owned'by'an'organization'that'sells'cloud'services.'

Figure!6.'Cloud'Computing'Overview'

•' Hybrid'Cloud'–'The'cloud'infrastructure'is'a'composition'of'two'or'more'clouds'(private'and'public)'that'remain'unique'entities,'but'are'bound'together'by'standardized'technology.'This'enables'data'and'application'portabilitye'for'example,'cloud'bursting'for'load'balancing'between'clouds.'With'a'hybrid'cloud,'an'organization'gets'the'best'of'both'worlds,'gaining'the'ability'to'burst'into'the'public'cloud'when'needed'while'maintaining'critical'assets'on[premise.'

!


T E C H N I C A L ! G U I D E / ! 1 4 !

•' Community'Cloud'–'The'cloud'infrastructure'is'shared'by'several'organizations'and'supports'a'specific'community'that'has'shared'concerns'(for'example,'mission,'security'requirements,'policy,'and'compliance'considerations).'It'may'be'managed'by'the'organizations'or'a'third'party,'and'may'exist'on[premise'or'off[premise.'

To'learn'more'about'VMware’s'approach'to'cloud'computing,'please'review'the'following:'

•' VMware'Cloud'Computing'Overview'['http://www.vmware.com/solutions/cloud[computing/index.html#tab3''

•' VMware’s'vCloud'Architecture'Toolkit'['http://www.vmware.com/cloud[computing/cloud[architecture/vcat[toolkit.html'''

Organizations'considering'the'potential'compliance'impact'cloud'computing'has'upon'critical'applications'that'may'be'highly'regulated'should'consider'the'following'questions:'

•' To'what'extent'do'those'applications'leverage'cloud'architecture?'

•' What'service'models'and'deployment'models'are'being'used'to'transmit'and'store'protected'health'information'and'who'are'the'cloud'providers'involved?'

•' Are'the'cloud'platforms'used'trusted'platforms'and'what'compliance'assurances'are'provided'by'the''cloud'providers'involved?'

•' Which'industry[recognized'certifications'has'the'cloud'provider,'environment'and'service'been'audited'and'certified'as'compliant'for?'

A'final'critical'point'that'must'be'considered'is'that,'because'HIPAA'does'not'prescribe'how'to'“meet”'regulatory'compliance'(i.e'which'technology'to'use,'how'to'implement'said'technology,'etc),'it'is'imperative'that'an'organization’s'business'and'IT'stakeholders'are'aligned'with'technology'requirements'driven'from'the'stakeholder.'

VMware'is'the'global'leader'in'virtualization,'the'key'technology'that'enables'cloud'computing.'VMware’s'vCloud'Suite'is'a'turnkey,'integrated'virtualization'solution'for'building'and'managing'a'complete'cloud'infrastructure,'allowing'customers'to'realize'the'many'benefits'of'cloud'computing.'''

Prior'to'undertaking'any'HIPAA'compliance'project,'VMware'recommends'that'customers'determine'a'“healthcheck”'status'of'systems'compliance.'Customers'can'implement'VMware’s'“HIPAA'Compliance'Checker”'by'downloading'the'application'from'the'following'location:'

https://my.vmware.com/web/vmware/evalcenter?p=compliance[chk&lp=default&cid=70180000000MJsMAAW'

Where!to!Start!–!Considerations!for!Covered!Entities!!When'it'comes'to'the'question'of'where!to!start,'HIPAA'and'the'guidance'around'HIPAA'is'quite'specific.'Organizations'that'are'working'on'achieving'HIPAA'and'HITECH'compliance'should'start'with'a'risk!assessment.'As'noted'by'the'Department'of'Health'and'Human'Services'and'relative'to'HIPAA’s'Security'Rule:''

“…the'Rule'identifies'risk'analysis'as'the'foundational'element'in'the'process'of'achieving'compliance,'and'it'establishes'several'objectives'that'any'methodology'adopted'must'achieve…8”'

8'From'Guidance'on'Risk'Analysis'Requirements'Under'HIPAA'Security'Rule'pg.'2'posted'July'14,'2010'

'

!


T E C H N I C A L ! G U I D E / ! 1 5 !

What'is'very'important'to'note'is'that'utilizing'a'virtual'or'cloud'environment'has'no'greater'impact'relative'to'HIPAA'compliance'than'traditional'information'technology'or'any'differences'than'are'typically'considered'between'virtualization,'cloud'and'traditional'technology.'Organizations'can'utilize'a'strong'risk'management'approach'toward'their'HIPAA'compliance'efforts'and'take'advantage'of'the'many'advantages'provided'by'virtual'or'cloud'environments'because'the'risk'assessment'effort'should'inform'the'organization'of'the'proper'application'of'security'within'the'virtual'or'cloud'environment.'

Independent'of'HIPAA'or'HITECH,'the'move'to'cloud'and'virtual'environments'are'filled'with'technical'considerations'and'business'decision,'some'of'which'differ'from'traditional'information'technology.'Organizations'should'review'the'benefits'and'risks'of'their'current'environment'and'compare'them'to'the'different'cloud'deployment'models'and'service'models.'

The'following'questions'may'be'important'when'considering'the'potential'business'impact,'benefits,'and'risks'of'a'virtual'and/or'cloud'environment.'

Management/Business!Considerations!1.'Can'the'Cloud'be'a'strategic'differentiator'for'the'business'or'is'it'a'commodity'service?'

2.'What'is'the'strategic'value'that'the'Cloud'could'deliver'to'the'organization?'

3.'What'are'the'areas'where'the'Cloud'can'provide'additional'value'to'the'company?'

4.'What'is'the'business'value'that'the'Cloud'could'deliver'to'operations?'

5.'Have'there'been'any'previous'attempts'to'virtualize'or'outsource'critical'operations?'

6.'What'Cloud'models,'including'Public,'Hybrid'and'Private,'are'being'considered?'

7.'What'are'the'critical'IT'services'that'are'or'could'be'outsourced?'

IT!Considerations!1.'Are'the'organizational'business,'IT,'and'GRC'groups'aligned'with'the'virtualization'or'cloud'strategy?'

2.'Has'the'proposed'virtualization'implementation'been'communicated'to'GRC'and'approval'received?'

3.'How'has'GRC'affected'IT'Operations'and'does'it'mandate'any'considerations'when'considering'virtualization'or'cloud'environments?'

4.'Has'the'flow'of'ePHI'been'identified'and'documented?'

5.'Have'all'systems'(servers,'SANs,'SEIMs)'which'store'ePHI'and'are'considered'“in[scope”'for'HIPAA'compliance'been'identified?Which'virtualization'or'cloud'deployment'model'and'service'model'will''be'implemented?'

6.'How'can'virtualization'or'cloud'technology'benefit'existing'IT'initiatives?'Are'there'efforts'to'consolidate'IT'functions'that'can'be'addressed'with'Cloud?'

7.'What'IT'operational'changes'should'be'made,'from'a'segregation'of'duties'perspective,'to'account'for'the'conversion'of'physical'to'virtualized'resources'within'the'organization?'

8.'Where'can'virtualization'and/or'Cloud'improve'existing'SLA'or'OLAs'(Internal,'External)?'

VMware!HIPAA!Compliance!Stack!VMware'provides'an'extensive'suite'of'products'designed'to'support'an'organization’s'Information'Security'and'Compliance'requirements.''While'every'environment'will'have'unique'needs,'the'following'HIPAA/HITECH'Compliance'Stack'provides'a'comprehensive'mix'of'


T E C H N I C A L ! G U I D E / ! 1 6 !

VMware'solutions'that'can'help'organizations'meet'the'compliance'and'governance'requirements'of'HIPAA/HITECH.'''

VCloud Suite Product Product Components or Features

vSphere' ESXi,'vMotion,'Storage'vMotion,'High'Availability,''Data'Protection'and'Replication,'and''Host'Profiles'

vCloud'Director' Elastic'Virtual'Datacenters,'Service'Catalog'and'Multi[Tenancy'

vCloud'Networking'and'Security'Suite'

Edge,'App'Firewall,'VXLAN,'and'Data'Security'

vCenter'Site'Recovery'Manager' Recovery'Plans,'Automated'DR'Failover'and'Failback,'vSphere'Replication'

vCenter'Operations'Management'Suite'

VM'Configuration'Compliance,'and'Host'Configuration'Compliance'

Table!2:'Caption'to'come.'

HIPAA/HITECH'requirements'and'have'been'addressed'in'detail'in'the'following'sections.'To'determine'the'products'and'features'available'with'VMware'Suites'please'refer'to'VMware.com.'

HIPAA!Security!Rule!Solution!Applicability!Matrix!!VMware'has'created'a'HIPAA'Security'Rule'Requirements'Matrix'to'assist'organizations'with'an'understanding'of'VMware'solutions,'VMware'Partner'Solutions'(where'they'overlap),'and'the'remaining'customer'responsibilities'that'should'be'addressed'separately'by'the'customer'through'use'of'other'tools'or'processes.'While'every'cloud'is'unique,'VMware'believes'that'the'technical'requirements'found'within'the'Security'Rule'can'be'addressed'through'the'VMware'Suites'and/or'VMware'partner'solutions.'

The'remaining'gaps'in'addressing'HIPAA/HITECH'requirements'may'be'filled'by'the'customer'through'processes,'procedures'and'other'tools'(i.e.'approving'customers’'policies,'keeping'an'updated'network'diagram,'approving'changes,'etc.).'

'

'

'

!

!

!

!


T E C H N I C A L ! G U I D E / ! 1 7 !

Figure!7.'VMware'Solutions'

Figure!8.'Diagrammatic'Representation'of'VMware'and'VMware'Partner'Products'for'HIPAA'

'

'

!


T E C H N I C A L ! G U I D E / ! 1 8 !

PIE CHART HIPAA STANDARD REF. REQUIREMENT ADDRESSED IN VMWARE’S SUITES

REQUIREMENT ADDRESSED OR ENHANCED BY PARTNERS

REQUIREMENT NOT ADDRESSED BY VMWARE OR PARTNERS

!

!Security'Management'Process'

164.308(a)(1)(i)' No'

'

No'

'

Yes'

'

!

!Assigned'Security'Responsibility'

164.308(a)(2)'

'

No'

'

No'

'

Yes'

'

!

!Workforce'Security' 164.308(a)(3)(i)' No' No' Yes'

!

!Information'Access'Management'

164.308(a)(4)(i)' No' No' Yes'

!

!Security'Awareness'and'Training'

164.308(a)(5)(i)' No' No' Yes'

!

!Security'Incident'Procedures'

164.308(a)(6)(i)' No' No' Yes'

!Contingency'Plan' 164.308(a)(7)(i)' No' No' Yes'

!Evaluation' 164.308(a)(8)' No' No' Yes'

!

Business'Associate'Contracts''and'Other'Arrangements'

164.308(b)(1)' No' No' Yes'

!

!Facility'Access'Controls'

164.310(a)(1)' No' No' Yes'

! Workstation'Use' 164.310(b)' No' No' Yes'


T E C H N I C A L ! G U I D E / ! 1 9 !

PIE CHART HIPAA STANDARD REF. REQUIREMENT ADDRESSED IN VMWARE’S SUITES

REQUIREMENT ADDRESSED OR ENHANCED BY PARTNERS

REQUIREMENT NOT ADDRESSED BY VMWARE OR PARTNERS

!

!Workstation'Security' 164.310(c)' No' No' Yes'

! Device'and'Media'Controls'

164.310(d)(1)' No' No' Yes'

Access'Control' 164.312(a)(1)' Yes' Yes' No'

Audit'Controls' 164.312(b)' Yes' Yes' No'

Integrity' 164.312(c)(1)' Yes' Yes' No'

Person'or'Entity'Authentication'

164.312(d)' Yes' Yes' No'

Transmission'Security' 164.312(e)(1)' Yes' Yes' No'

!

!

!

Business'Associate'Contracts''or'Other'Arrangements'

164.314(a)(1)(i)' No' No' Yes'

!Requirements'for'Group'Health'Plans'

164.314(b)(1)' No' No' Yes'

! Policies'and'Procedures'

164.316(a)' No' No' Yes'

!Documentation' 164.316(b)(1)(i)' No' No' Yes'

'

Table!3:'HIPAA'Security'Rule'Requirements'


T E C H N I C A L ! G U I D E / ! 2 0 !

'

HIPAA!Security!Rule!Solution!Applicability!Details!vSphere!For'the'purposes'of'this'VMware'Solution'Guide'for'HIPAA/HITECH,'vSphere’s'components'and'features,'as'described'below,'can'support'automatic'compliance'and'deployment'scenarios'to'accommodate'HIPAA/HITECH'requirements.'

•' ESXi'–'is'a'bare[metal'hypervisor'installed'on'physical'servers.'ESXi'allows'for'partitioning'the'physical'resources'into'multiple'virtual'machines'and'allows'for'management'of'multiple'ESXi'hosts'through'a'single'management'platform'(vCenter'Server).'

•' vMotion'–'allows'live'running'virtual'machines'to'move'between'one'physical'server'to'another'without'disruption.'The'ability'to'dynamically'and'automatically'move'live'running'virtual'machines'can'ease'scaling'and'allow'workloads'to'be'performed'within'virtual'segments.'

•' Storage!vMotion'–'provides'the'ability'to'migrate'live'virtual'machine'disks'across'any'storage'arrays'supported'by'vSphere.'

•' High!Availability'–'allows'for'applications'running'in'virtual'machines'to'run'in'high'availability'mode,'protecting'the'application'from'hardware'and'operating'systems'failures'by'monitoring'the'state'of'the'virtual'machine'and'physical'host'and'automatically'restarts'the'virtual'machine'on'other'physical'servers.'

•' Data!Protection!and!Replication'–'Data'protection'provides'agent[less'image[level'backup'and'recovery'powered'by'EMC'Avamar.'Backups'are'done'via'fast'and'efficient'backup'to'disk'and'also'provide'fast'recovery.'The'replication'for'vSphere'allows'for'powered'on'replication'of'virtual'machines'from'one'vSphere'host'to'another'without'needing'storage'based'replication.'

•' Host!Profiles'–'allows'for'the'consistency'and'automation'of'deploying'physical'ESX/ESXi'hosts'rapidly.'Host'profiles'allow'for'automatic'deployment'of'configurations'to'hosts'and'provide'automatic'compliance'with'the'configurations.'Simplifying'operational'management'also'reduces'the'possibility'for'mis[configuration.'

The'following'product'matrix'explains'which'HIPAA'controls'are'applicable'to'vSphere'and'its'components.''

Technical Safeguards (§ 164.312)

HIPAA!Standard!Description!! Compliance!Attainability!

Comments!!

Access'Controls'['§'164.312(a)(1)'

Implement'technical'policies'and'procedures'for'electronic'information'systems'that'maintain'electronic'protected'health'information'to'allow'access'only'to'those'persons'or'software'programs'that'have'been'granted'access'rights.'

Attainable' ESXi'and'vCenter'can'be'configured'to'provide'access'control'for'individual'users'and'also'protect'access'to'systems'and'features'within'vSphere'by'implementing'role'based'access.''

See:'Configuring'Active'Directory'

See:'Configuring'Authentication'&'


T E C H N I C A L ! G U I D E / ! 2 1 !


User'Management'

Audit'Controls'['§'164.312(b)'

Implement'hardware,'software,'and/or'procedural'mechanisms'that'record'and'examine'activity'in'information'systems'that'contain'or'use'electronic'protected'health'information.'

Attainable'with'third[party'solutions'

vSphere'contains'basic'auditing'information'on'user'activity'that'can'be'used'to'identify'when'changes'took'place,'and'what'category'of'changes'were'affected.'Third[party'vendors'should'be'used'to'augment'the'logs'and'events'in'order'to'provide'greater'visibility'than'what'is'provided'by'vSphere.'

See:'Managing'ESXi'Log'Files'

See:'Retrieve'vCenter'Logs'

Integrity'['§'164.312(c)(1)'

Implement'policies'and'procedures'to'protect'electronic'protected'health'information'from'improper'alteration'or'destruction.'


vSphere'Data'Protection'and'Replication'can'be'implemented'to'ensure'that'data'is'intact'and'unaltered'during'backup'and'replication.'Third[party'solutions'are'required'to'provide'ad[hoc'data'and''file'integrity'at'the'file[system'level.'

See:'vSphere'Replication'Administration'

See:'vSphere'Data'Protection'Administration'

Person'or'Entity'Authentication'['§'164.312(d)'

Implement'procedures'to'verify'that'a'person'or'entity'seeking'access'to'electronic'protected'health'information'is'the'one'claimed.'

Attainable.''

Enhanced'by'third[party'solutions'

By'utilizing'local'accounts,'vCenter'Single'Sign[On'(SSO),'or'Active'Directory,'users'can'be'authenticated'on'an'individual'level.'By'using'a'third[party'solution,'two[factor'authentication'can'also'be'implemented'to'authenticate'users'against'the'management'vCenter,'which'ensures'greater'accuracy'that'


T E C H N I C A L ! G U I D E / ! 2 2 !


users'are'who'they'claim'to'be.''

See:'Configuring'Active'Directory'

Transmission'Security'['§'164.312(e)(1)'

Implement'technical'security'measures'to'guard'against'unauthorized'access'to'electronic'protected'health'information'that'is'being'transmitted'over'an'electronic'communications'network'

Attainable'with'third[party'support'

Through'the'ability'to'create'port'groups'and'vSwitchs,'administrators'can'limit'communication'of'virtual'machines'within'the'same'physical'host.'Using'third'party'solutions,'administrators'can'also'prevent'certain'network'based'changes'from'taking'place.'

See:'vSphere'Networking'Guide'

Table!4:'Applicability'of'HIPAA'Controls'to'vSphere'Suite'

vCloud!Director!For'the'purposes'of'this'VMware'Solution'GuidevCloud’s'components'and'features,'as'described'below,'can'provide'for'automatic'compliance'via'pre[defined'service'catalogs'and'isolation'through'multi[tenacy'to'accommodate'HIPAA/HITECH'requirements.'

•' Elastic!Virtual!Datacenter'–'vCloud'Director'provides'the'ability'to'rapidly'provision'and'release'resources.'vCD'allows'users'to'spin'up'virtual'data'centers'that'span'multiple'clusters'and'automatic'placement'of'vApps.'An'API'also'enables'organizations'to'programmatically'spin'up'or'down'resources'on'demand.'

•' Service!Catalog'–'give'the'ability'to'predefine'resources'for'network,'storage,'and'compute'while'providing'consistency'in'deployments'and'limit'or'allow'services'for'different'user'classes.'

•' MultiSTenancy!–'Administrators'can'group'users'into'organizations'and'provide'different'levels'of'service'and'resources'based'on'those'groups.'Enabling'all'the'separate'organizations'to'share'the'same'infrastructure.''

The'following'product'matrix'explains'which'HIPAA'controls'are'applicable'to'vCloud'Director'and'its'components.''



Comments!!



T E C H N I C A L ! G U I D E / ! 2 3 !



'

Attainable.'


'

vCloud'director'allows'administrators'to'limit'access'to'most'administrative'functions'and'protect'the'environment'in'which'HIPAA/HITECH'workloads'are'running.'Role[based'access'can'be'placed'on'users'so'that'they'can'only'perform'the'functions'and'duties'assigned'to'them'through'the'vCloud'director'portal.'There'are'also'third'party'solutions'to'provide'two'factor'authentication.'

See:'vCD'Users'Guide'pg.'15'

See:'vCloud'Security'–'Two[Factor'



Attainable.'


'

vCloud'director'provides'administrators'with'the'ability'to'audit'and'monitor'activities'performed'through'vCD.'By'implementing'a'third'party'solution'additional'detail'of'logs'can'be'accessible.''


Integrity'['§'164.312(c)(1)' '


Attainable.'


vCloud'director'can'prevent'deletion'of'vApps'via'policies'set'by'the'administrator.'Also,'by'using'a'third'party'solution,'it'is'possible'to'further'limit'destruction'of'virtual'machines'and/or'require'additional'levels'of'authorization'before'doing'so.'



Implement'procedures'to'verify'that'a'person'or'entity'seeking'access'to'electronic'protected'

Attainable.'

Enhanced'by'third[party'

vCloud'director'can'integrate'into'active'directory'and'provide'support'for'Security'Support'Provider'Interface'


T E C H N I C A L ! G U I D E / ! 2 4 !


health'information'is'the'one'claimed.'

solutions' (SSPI),'which'is'Microsoft’s'proprietary'implementation'of'GSSAPI.'Integrating'third'party'solutions'can'provide'two[factor'authentication'to'both'users'and'administrators.'

See:'vCloud'Security'–'Two[Factor'



Attainable' vCloud'director'can'provide'multiple'types'of'VPN[based'access'into'vCloud'environments.'These'scenarios'can'vary'from'cloud[to[cloud'access,'or'public[to[private'access'between'the'cloud'environments.'Using'IPSEC'can'provide'both'authentication'and'encryption'into'and'between'the'cloud'environments.'

See:'vCloud'Security'–'Network'Security'

Table'5:'Applicability'of'HIPAA'Controls'to'vCloud'Director'

vCloud!Networking!and!Security!Suite!!!For'the'purposes'of'this'VMware'Solution'Guide','the'suite'is'a'group'of'products'that'deliver'a'virtualized'security'model'specifically'designed'to'overcome'the'traditional'challenges'of'managing'security'in'a'virtual'environment.''vCloud'Networking'and'Security'provides'a'software[based'approach'to'application'and'data'security'in'virtualized'and'cloud'environments,'which'have'traditionally'been'enforced'primarily'through'physical'security'appliances.'The'vCloud'Networking'and'Security'suite'consists'of'the'following'four'(4)'products:'

•' App'–'Protects'applications'in'a'virtual'datacenter'against'network[based'threats'by'providing'a'firewall'that'is'hypervisor[based'and'application[aware.'vCloud'Networking'and'Security'App'has'visibility'of'intra[VM'communication,'and'enforces'policies,'firewall'rules'based'on'logical'groups,'and'workloads.'

•' Data!Security!–'Adds'to'Sensitive'Data'Discovery'across'virtualized'resources'allowing'the'organizations'to'identify'and'secure'different'types'of'sensitive'data.'''

•' Edge'–'Enhances'protection'of'a'virtual'datacenter'perimeter'by'providing'gateway'security'services'including'careful'inspection'firewall,'site[to[site'VPN,'load'balancing,'Dynamic'Host'Configuration'Protocol'(DHCP),'and'Network'Address'Translation'(NAT).''It'also'has'the'ability'to'integrate'with'third[party'IDS'solutions.'

•' VXLAN'–'VXLAN'technology'allows'compute'resources'to'be'pooled'across'non[contiguous'clusters'or'pods.'You'can'then'segment'this'pool'into'logical'networks'attached'to'applications.'Unlike'VLANs,'VXLANs'virtual'networks'can'span'across'virtual'resources'pools'and'physical'boundaries'['and'as'such,'are'more'efficient,'scalable,'resilient'and'manageable.'


T E C H N I C A L ! G U I D E / ! 2 5 !

The'following'product'matrix'explains'which'HIPAA'controls'are'applicable'to'the'vCloud'Networking'and'Security'(vCNS)'and'its'components.'



Comments!!



Attainable'

'

By'utilizing'App'firewall'or'Edge'for'vCloud'Networking'and'Security'(VCNS)'network'restrictions'and'policies'can'be'created,'protecting'virtual'assets'from'unauthorized'access,'based'on'either'logical'groups'or'IP'addresses.''''

See:'vShield'admin'guide'5.1'['pg151'



Attainable' Data'Security'for'vCloud'Networking'and'Security'allows'administrators'to'discover'unstructured,'sensitive'data'across'the'vSphere'environment,'allowing'''the'identifying'and'securing'of'PII'(personally'identifiable'information),'PCI[DSS'cardholder'data,'and'PHI'(protected'health'information.'


Integrity'['§'164.312(c)(1)'


—'

'

Not'Applicable'

Person'or'Entity'Authentication'['§'164.312(d)' '

Implement'procedures'to'verify'that'a'person'or'entity'seeking'access'to'electronic'protected'health'information'is'the'one'

Attainable' By'utilizing'vCloud'Networking'and'Security'Edge'enterprises'can'allow'secure'external'authentication'(RADIUS,'Active'Directory,'LDAP,'RSA[ACE'or'


T E C H N I C A L ! G U I D E / ! 2 6 !


claimed.' Local'sources)'and'communication'(default'is'AES256[SHA)''to'the'virtual'datacenter'by'utilizing'the'SSL'VPN.'




Attainable' vCloud'Networking'and'Security'Edge'allows'the'ability''to'utilize'both'SSL'and'IPSEC'VPN'connections'to'allow'secure'communication'and'authentication'between'datacenters'and'external'user.'

See:'vShield'admin'guide'5.1'–'pg103'

See:'vShield'admin'guide'5.1'–'pg80'

Table!6:'Applicability'of'HIPAA'Controls'to'vCloud'Networking'and'Security'Suite'

vCenter!Site!Recovery!Manager!For'the'purposes'of'this'VMware'Solution'Guide'vCenter’s'Site'Recovery'Manager,'as'described'below,'can'provide'for'automatic'or'manual'recovery'during'a'service'disruption'to'accommodate'HIPAA/HITECH'requirements.'

•' Automated!Recovery!Plans!–'Site'recovery'manager'can'utilize'the'information'in'vCenter'to'build'automated'recovery'plans'based'on'the'latest'running'infrastructure'in'vCenter.'The'plans'can'be'used'to'fulfill'compliance'requirements'for'recovery'plans'and'test'results.'

•' Automated!DR!Failover!and!Failback'–'By'using'automation,'site'recovery'manager'can'detect'failures'and'automatically'failover'to'the'DR'location'as'well'as'automatically'failback.'Manual'recovery'times'can'be'reduced'drastically'and'error'prone'processes'eliminated.''

•' vSphere!Replication'['The'replication'for'vSphere'allows'for'powered'on'replication'of'virtual'machines'from'one'vSphere'host'to'another'without'needing'storage'based'replication'and'can'provide'recovery'points'from'15'minutes'to'24'hours'replicating'only'changes.'

The'following'product'matrix'explains'which'HIPAA'controls'are'applicable'to'the'vCenter'Site'Recovery'Manager'(vSRM).'following'is'the'detailed'description'of'the'controls'that'may'be'met'through'vSRM'and'its'components.'


HIPAA!Standard!Description!!

!

Compliance!Attainability!

Comments!!

!


T E C H N I C A L ! G U I D E / ! 2 7 !




—' Not'Applicable'



Attainable'

'

Through'vCenter'Site'Recovery'Manager'recovery'plans'and'test'plans'can'be'generated'automatically'and'used'to'audit'failover'activity'between'sites.'

See:'SRM'Administration'Guide'–'Recovery'Plans'

Integrity'['§'164.312(c)(1)' '


Attainable'

'

Through'the'vSphere'Replication'product,'data'can'be'safely'replicated'across'sites'without'risk'of'alteration.''

See:'vSphere'Replication'Admin'Guide'

Person'or'Entity'Authentication'['§'164.312(d)' '


—'

'

Not'Applicable'

'



T E C H N I C A L ! G U I D E / ! 2 8 !




'

vSphere'Replication'does'not'provide'any'encryption'during'transmission,'therefore'the'use'of'a'third'party'encryption'solution'would'be'necessary'to'protect'PHI'during'transmission'in'the'case'of'replication.'

Table!7:'Applicability'of'HIPAA'Controls'to'vCenter'Site'Recovery'Manager'

vCenter!Operations!Management!Suite!!For'the'purposes'of'this'VMware'Solution'Guide,'the'vCenter'Operations'Management'Suite,'as'described'below,'can'enable'IT'organizations'to'gain'better'visibility'and'actionable'intelligence'to'proactively'facilitate'service'levels,'optimum'resource'usage,'and'configuration'compliance'in'dynamic'virtual'and'cloud'environments.''

•' vCenter!Operations!Manager!(vCOPs)'–'Uses'patented'analytics'and'integrated'approach'to'operations'management'in'order'to'provide'the'intelligence'and'visibility'required'to'proactively'maintain'service'levels,'optimum'resource'usage,'and'configuration'compliance'in'dynamic'virtual'and'cloud'environments.'

•' vCenter!Configuration!Manager!(vCM)'–'Automates'configuration'management'across'virtual'and'physical'servers'and'desktops,'increasing'efficiency'by'eliminating'manual,'error[prone,'and'time[consuming'work.'This'enables'enterprises'to'maintain'continuous'compliance'by'detecting'changes'and'comparing'them'to'configuration'and'security'policies.'

•' vCenter!Infrastructure!Navigator'–'Automatically'discovers'and'visualizes'application'and'infrastructure'dependencies.'It'provides'visibility'into'the'application'services'running'over'the'virtual[machine'infrastructure'and'their'interrelationships'for'day[to[day'operational'management.'

The'following'product'matrix'explains'which'HIPAA'controls'are'applicable'to'the'vCenter'Operations'Management'(vCOPs)'Suite.'VMware'Solution'Guide'for'HIPAA/HITECH,'vCenter'Configuration'Manager'(vCM)'is'the'principal'application'within'the'vCOPs'Suite'that'allows'it'to'help'the'user'meet'HIPAA/HITECH'regulatory'compliance'standards.'The'following'is'the'detailed'description'of'the'controls'that'may'be'met'through'the'Suite.'

'

'


HIPAA'Standard'Description'' Compliance'Attainability' Comments''


Implement'technical'policies'and'procedures'for'electronic'information'systems'that'maintain'electronic'protected'health'

—'

'

Not'Applicable'

'


T E C H N I C A L ! G U I D E / ! 2 9 !


information'to'allow'access'only'to'those'persons'or'software'programs'that'have'been'granted'access'rights.'



'

—'

'

The'vCenter'Operations'Management'suite'allows'administrators'to'collect'configuration'data,'change'tracking,'and'compliance'assessment'within'the'VMware'infrastructure'for'VMware'products'including'ESX,'ESXi,'vCenter,'vCloud'Director,'and'VMware'vCloud'Networking'and'Security'allowing'correlation'between'performance'and'security'metrics'across'the'virtual'infrastructure.'

Integrity'['§'164.312(c)(1)'


'

Attainable'

'

By'utilizing'vCenter'Configuration'Manager'(vCM)'enterprises'are'able'to'maintain'continuous'compliance'by'detecting'changes'in'the'configurations'maintained'and'comparing'them'to'configuration'and'security'policies'across'the'virtual'environment'based'on'various'regulations'(Sarbanes[Oxley,'HIPAA,'GLBA'and'FISMA).'

See:'vCM'Admin'Guide'pg'153'



—'

'

Not'Applicable'

'



T E C H N I C A L ! G U I D E / ! 3 0 !



—'

'

Not'Applicable'

'

Table!8:'Applicability'of'HIPAA'Controls'to'vCenter'Operations'Management'Suite'

Acknowledgements!VMware'would'like'to'recognize'the'efforts'of'the'VMware'Compliance'Solutions'team,'VMware'Alliance'Partners,'and'the'numerous'VMware'teams'that'contributed'to'this'paper'and'to'the'establishment'of'the'VMware'Compliance'Program.'VMware'would'also'like'to'recognize'the'Accuvant'LABS'Enterprise'Risk'team'www.accuvant.com'for'their'industry'guidance.'Accuvant'provided'HIPAA'and'HITECH'guidance'and'control'interpretation'described'herein.'

The!information!provided!by!Accuvant!and!contained!in!this!document!is!for!educational!and!

informational!purposes!only.!Accuvant!makes!no!claims,!promises!or!guarantees!about!the!

completeness!or!adequacy!of!the!information!contained!herein.!

About!Accuvant!Accuvant'is'the'Authoritative'Source'for'information'security.'Since'2002,'the'company'has'served'more'than'5,200'clients,'including'half'of'the'Fortune'100'and'more'than'900'educational'institutions'and'government'entities.'Headquartered'in'Denver,'Accuvant'has'offices'across'the'United'States'and'Canada'and'has'the'largest'and'most'skilled'team'of'technical'security'professionals'in'the'world'–'Accuvant'LABS.'For'more'information,'please'visit'www.accuvant.com.'

'

!

!

! ! ! ! !'

VMware,'Inc.'3401'Hillview'Avenue'Palo'Alto'CA'94304'USA'Tel'877[486[9273'Fax'650[427[5001'www.vmware.com'Copyright'©'2013'VMware,'Inc.'All'rights'reserved.'This'product'is'protected'by'U.S.'and'international'copyright'and'intellectual'property'laws.'VMware'products'are'covered'by'one'or'more'patents'listed'at'http://www.vmware.com/go/patents.'VMware'is'a'registered'trademark'or'trademark'of'VMware,'Inc.'in'the'United'States'and/or'other'jurisdictions.'All'other'marks'and'names'mentioned'herein'may'be'trademarks''of'their'respective'companies.'Item'No:'VMW[TWP[VMWARE[SOLUTION[GUIDE[FOR[HIPAA[HITEC[USLET[103'

Documents

VMware Product Applicability Guide for HIPAA/HITECH PDF