Many healthcare organizations have realized that using cloud computing doesn’t need to be an all-in strategy that requires a complete overall of their infrastructure. Instead, many have taken advantage of virtual machine (VM) deployment by scaling the VMs to its environment and essentially using a hybrid on-premises and private cloud approach.
However, an organization won’t be truly able to enjoy the benefits of a private cloud, such as provisioning or de-provisioning resources based on current needs, without having complete confidence in its data security. Though, as stated above, the terminology may be changing, the need for transparency and access to an organization’s VMs remains a constant need for HIPAA compliance.
There are a number of different ways to approach private cloud security, but one such way is to “trust zones” to specifically determine what can and can’t communicate with and access an organization’sserver. For instance, Matthew Barrett, IT Director of Infrastructure and Security at Jefferson Radiology,told HealthITSecurity.com in an interview how his organization uses these trust zones to isolate vendor access.
As an administrative control for example, since we use the Catbird Trust Zones based on application, for vendor access we create what’s called a “jump server” for the vendor, which is placed in its own TrustZone and only allowed to access the application TrustZone we created.
Though Barrett uses Catbird, a VMware partner, the concept of separating VMs with sensitive patient data from other VMs is a must for HIPAA compliance, regardless of which vendor an organization uses. And this separation of VMs is especially important when considering the popularity of virtual desktop infrastructure (VDI). Though no PHI is stored on a VDI terminal, an organization still has to ensure that the right users are accessing the segmented data [at network and application levels] based on established policy.
Establishing trust zones is only one way to help secure a healthcare organization’s private cloud. Ascontributor Bill Kleyman discussed in a previous post, there are a multitude of new technical controls that can help a hospital IT department in securely forming and managing its own private cloud.
[T]wo virtual devices can be placed at two different data centers and used to create a secure, private-cloud, connection. The flexibility in creating virtual security appliances means organizations can have more resources supporting the end-user. Access controls can be placed in the DMZ, in the cloud or internally within the environment. With more virtual resources, security engineers can deploy better policies, access control lists (ACLs), and increase support for the various devices that the end-user decides to bring in.
Date: May 16, 2014