As published in HealthITSecurity
Patrick Ouellette | December 11, 2013
Healthcare organizations of all shapes and sizes are clearly beginning to pay attention to HIPAA and some of the changes that the omnibus rule brought forward. In the path toward compliance, it’s helpful to get a strong grasp of how and why a particular organization decides, for example, to go virtual and from there, how it secures patient data.
Matthew Barrett, IT Director of Infrastructure and Security at Jefferson Radiology, a private radiology company with 10 outpatient centers that also provides radiology services to 8 hospitals, took some time to speak with HealthITSecurity.com about how Jefferson has built its virtual environment and some security considerations that go along with the process. Barrett, who’s responsible for ensuring that Jefferson patient data is protected and secure and that it complies with HIPAA and HITECH, explained that Jefferson has been working on its 90-percent virtual environment (with two data centers) for the last few years.
In addition to HIPAA, HITECH came along in 2009 and the organization began to use Catbird vSecurity for virtualization threat management in 2012. “Those two acts were the main drivers for us [using Catbird and going virtual] and the HIPAA Omnibus Rule bolstered that decision,” Barrett said. “Driving towards this compliance and proving it due to penalties was a driving factor for our project. The Omnibus provision further supported our choice.”
Jefferson moved from a physical to a virtual environment a few years ago. The environment is currently based on VMware, so it has a mix of standard and distributed switches, which works well because Catbird integrates with VMware’s virtual network infrastructure. Even with a virtual environment, Barrett needs to protect the patient data and to manage and audit the environment, which becomes a bit of a challenge.
We’re able to use the Catbird vSecurity Trust Zones, which are a logical group of assets in Catbird, which we based on applications. Using the enforcement policies created in Catbird vSecurity combined with VMware vCNS we’re able to explicitly control what is allowed to access the server. Only systems that need to communicate with each other can do so between the required ports in the trust zones. As an administrative control for example, since we use the Catbird Trust Zones based on application, for vendor access we create what’s called a “jump server” for the vendor, which is placed in its own TrustZone and only allowed to access the application TrustZone we created. As a result the vendor is isolated to only have access to the servers they need to in order to support their application. We’re also able to separate our production workload from our development workloads.
Because HIPAA breach fines are so large and breaches create negative publicity for healthcare organizations, compliance wasn’t optional for Jefferson, Barrett explained; it’s a federal requirement. HIPAA mandates that organizations using EHRs protect patient data and ensure that protected health information (PHI) is not left unsecured on devices. Using virtual technologies can help alleviate some of that risk. While Catbird vSecurity along with other parts of the virtual infrastructure may have increased costs associated with them, Barrett said being as secure as reasonably possible is an important trump card. “We’re able to justify the additional cost since compliance is a requirement, we’re keeping money in the company being responsible with security,” he said.
Barrett added that Jefferson had previously struggled with net flow visibility within the switches in the virtual environment, and that with Catbird it was able to get the net flow visibility into one console. “That’s important to validate what is being sent on the virtual network and important for us to ensure only valid network traffic is coming through,” he said.
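The application-based trust zones and the flow validation described above can be sketched as a default-deny check of flow records against a zone policy. This is an added, vendor-neutral example, not Catbird's or Jefferson's configuration; the zone names, subnets, ports and sample flows are constructed, and treating intra-zone traffic as allowed is an assumption.

```python
from ipaddress import ip_address, ip_network

# Constructed trust zones, one per application role (all values are assumptions).
ZONES = {
    "pacs-app": ip_network("10.10.1.0/24"),
    "pacs-db": ip_network("10.10.2.0/24"),
    "vendor-jump": ip_network("10.10.9.0/28"),
    "dev": ip_network("10.20.0.0/16"),
}

# Default deny: only these zone pairs may talk, and only on these TCP ports.
ALLOWED = {
    ("pacs-app", "pacs-db"): {1433},
    ("vendor-jump", "pacs-app"): {22, 3389},  # vendor reaches only its application
}

def zone_of(ip):
    """Return the trust zone containing ip, or None if it is unzoned."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None

def check_flow(src, dst, dport):
    """Classify one flow record as 'ok' or a policy violation."""
    sz, dz = zone_of(src), zone_of(dst)
    if sz is None or dz is None:
        return "violation: unzoned endpoint"
    if sz == dz:
        return "ok"  # assumption: intra-zone traffic is not restricted here
    if dport in ALLOWED.get((sz, dz), set()):
        return "ok"
    return f"violation: {sz} -> {dz} tcp/{dport}"

def audit(flows):
    """Return (flow, reason) for every flow that the policy does not permit."""
    return [(f, r) for f in flows if (r := check_flow(*f)) != "ok"]

# Constructed flow records: (source IP, destination IP, destination TCP port).
SAMPLE_FLOWS = [
    ("10.10.1.15", "10.10.2.20", 1433),  # application to its database
    ("10.10.9.2", "10.10.1.15", 3389),   # vendor jump server to application
    ("10.10.9.2", "10.10.2.20", 1433),   # vendor jump server straight to database
    ("10.20.3.4", "10.10.1.15", 443),    # development workload to production
    ("192.0.2.7", "10.10.1.15", 22),     # source outside every trust zone
]

if __name__ == "__main__":
    for flow, reason in audit(SAMPLE_FLOWS):
        print(flow, reason)
```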