Healthcare Industry Solution
Securing HIPAA compliance in a virtualized data center
The new data center is being energized and driven by virtualization. Some of the organizations which stand to gain the most from virtualization are also ones where the impact and force of this new model are running head-on into the complexities of staying compliant. But building a virtualized data center even more compliant than a traditional one is possible with the right processes and tools. Catbird vCompliance was specifically designed to pave the way.
Virtualization’s Impact on HIPAA
Graph 1 HIPAA Controls: Blue line depicts HIPAA control status prior to virtualization. Red line shows controls after virtualization. Green line shows the automated compliance available with Catbird vCompliance. Note that HIPAA controls are cross-referenced against applicable COBIT controls in Table 1, below.
HIPAA compliance takes a combination of trained staff, strong policies, and industry-leading technology. The Department of Health and Human Services (HHS) has provided a framework of 43 control objectives for measuring HIPAA compliance. Virtualization could negatively impact 37 of these controls; 14 impacts are severe (-3 values in Graph 1 and Table 1). However, virtualization with Catbird vCompliance compensates for all of these new risks, providing better compliance and control in the virtualized data center.
- Access Control: The Virtual Administrator
Virtualization and virtualization management layers collapse traditional access controls and separation of duties. This creates a significant HIPAA control failure for primary and compensating controls to prevent unauthorized access to patient data.
- Monitor Test and Audit: New Hypervisor Layer
Virtualization creates additional layers to the IT infrastructure, particularly the hypervisor and the virtualized network. Legacy security technologies are not able to see, monitor, manage or control these networks. This results in a significant HIPAA compliance gap with respect to auditing of changes to the environment and the integrity and confidentiality of patient records.
- Scope of HIPAA Assessment: Virtual Networks
Virtualization significantly broadens the assessment scope because deployments unavoidably flatten networks, increasing the span to encompass all hosts that may house an in-scope virtual machine through mobility, HA, and DR services.
- Test Security Systems & Processes: Physical Devices Become Files
Virtualization creates a process gap due to the risk of system misconfiguration, or failure to update the vulnerability management system when virtual machines are added to, moved within, or removed from the environment. This may lead to audit findings associated with risks of unauthorized or anonymous access.
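As an added illustration of the scope and process gaps described above (example code written for this page, not part of Catbird vCompliance or the original brief), the check below reconciles a hypervisor's VM inventory against a vulnerability scanner's asset list. It flags VMs the scanner has never registered, PHI VMs that have migrated onto hosts outside the assessed scope, and scanner entries for VMs that no longer exist. All host names, VM names, dates and the "PHI" zone label are constructed sample data.

```python
from dataclasses import dataclass

# Constructed: hypervisor hosts currently included in the HIPAA assessment scope.
IN_SCOPE_HOSTS = {"esx-phi-01", "esx-phi-02"}

@dataclass(frozen=True)
class VM:
    name: str
    host: str   # hypervisor host the VM currently runs on
    zone: str   # constructed label, e.g. "PHI" (patient data) or "DMZ"

# Constructed sample of what the virtualization manager reports right now.
HYPERVISOR_INVENTORY = [
    VM("ehr-db-01", "esx-phi-01", "PHI"),
    VM("ehr-app-02", "esx-gen-03", "PHI"),   # migrated onto a host outside the assessed scope
    VM("new-lab-vm", "esx-phi-02", "PHI"),   # recently cloned, never added to the scanner
    VM("web-01", "esx-gen-03", "DMZ"),
]

# Constructed sample of the vulnerability scanner's asset list: name -> last scan date.
SCANNER_ASSETS = {
    "ehr-db-01": "2024-05-01",
    "web-01": "2024-05-01",
    "old-decom-vm": "2024-01-15",   # removed from the hypervisor, still in the scanner
}

def reconcile(vms, scanner_assets, in_scope_hosts):
    """Return the drift between the live VM inventory and the scanner's view."""
    live_names = {vm.name for vm in vms}
    phi_hosts = {vm.host for vm in vms if vm.zone == "PHI"}
    return {
        # VMs that exist but will never be scanned until someone registers them.
        "unregistered": sorted(vm.name for vm in vms if vm.name not in scanner_assets),
        # PHI VMs whose current host is not covered by the assessment scope.
        "phi_on_unscoped_host": sorted(
            vm.name for vm in vms if vm.zone == "PHI" and vm.host not in in_scope_hosts
        ),
        # Scanner records for VMs that no longer exist (inventory is stale).
        "stale": sorted(a for a in scanner_assets if a not in live_names),
        # Hosts that now house PHI VMs and must be pulled into scope.
        "scope_hosts_needed": sorted(phi_hosts - in_scope_hosts),
    }

if __name__ == "__main__":
    for finding, items in reconcile(HYPERVISOR_INVENTORY, SCANNER_ASSETS, IN_SCOPE_HOSTS).items():
        print(f"{finding}: {items}")
```

Running the check on a schedule (or on every VM create/migrate/delete event) turns the "physical devices become files" problem into an auditable list of gaps rather than a surprise at assessment time.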
Get HIPAA Compliant with vCompliance
Catbird is the only product that can address all of the 37 HIPAA controls that are negatively affected by virtualization. Catbird goes beyond monitoring and audit by instantly identifying compromised assets, alerting appropriate personnel, and optionally quarantining offending virtual machines and even blocking VM-to-VM traffic. No other vendor can deliver the breadth and depth necessary for HIPAA compliance from within the virtual infrastructure.
vCompliance provides a HIPAA status summary by asset grouping (TrustZones®) or by individual virtual machine asset: (1) enterprise-wide virtual infrastructure HIPAA compliance status is displayed via the heat map; (2) each TrustZone appears as a box, where user-defined criticality is indicated by the relative size of the box and risk is represented by the color: red is high risk, blue is low risk.
Catbird vCompliance includes the following features supporting HIPAA compliance in the virtual data center:
- Default HIPAA-specific policies and reports, built upon controls specifically related to HIPAA
- Enforcement of network access and traffic flow controls even in a flat network—significantly reducing the scope and cost of HIPAA audit and compliance requirements
- Automatic quarantine of out-of-policy or compromised VMs to prevent breach of data center security
- Policy envelope creation that spans port groups or network space (CIDR) via Catbird TrustZones®, with policy maintained across vMotion
- Network segmentation
- Continuous vulnerability management
- Continuous monitoring and configuration validation of HIPAA TrustZones
- Primary device access control for HIPAA TrustZone networks
- Change audit and compliance enforcement
- Specific HIPAA security policies designed for optimal protection of the management network and other hypervisor management components.
With the rising costs of audit failures and data security breaches, don’t assume risk—deploy Catbird.
HIPAA Impacts in the Virtual Data Center