Is It Possible to Protect PHI in the Cloud?
The number of organizations adopting virtualized environments continues to grow in many industries, including health care[I]. Virtualization enables network flexibility that most healthcare organizations could benefit from, but many are held back by a lack of clarity about what virtualization is, and how it relates to HIPAA cloud.
A virtual environment is one in which a software layer, called a “hypervisor,” has been added to a physical server. An operating system can then be loaded onto the hypervisor layer to create a “virtual machine” (VM), which is a software-defined server, and as such can do some things not possible with physical, hardware-dependent servers. The hypervisor layer can determine the precise size and location of the server VMs or “instances” loaded onto it since it provides separation from the physical limitations of each piece of hardware. As we will explore below, this can benefit organizations through increased agility and automation.
HIPAA compliance can be particularly scary for organizations, due to the implications of a breach of security inherent in health care, the complexity of the regulations, and the severity of potential fines. Timely access to medical information can be a matter of life and death, but ensuring that information is accessible, portable, and renewable only covers Title I of the Act. Title II, covering health care fraud and abuse, along with the enforcement-strengthening HITECH Act[II], imposes security and privacy rules on health care providers and the companies that support them. Compliance failures can result in fines of up to $1.5 million[III], and data breaches, which are increasingly common in healthcare[IV], can be even more expensive, particularly when reputational harm is considered.
Fortunately, virtualized environments can not only be HIPAA Compliant quickly but can make compliance easier.
There are different kinds of hypervisors, and the most appropriate for any given healthcare organization depends on the organization’s needs and other IT tools. What is common to each one is that the isolation and abstraction of the VMs they create give them robust access, security, and privacy compliance capabilities. Each VM set up by the hypervisor is self-contained, and keeps its data isolated from any other VMs and their data. An Introduction to Virtualization[V] offered by Intel Developer Zone puts it this way:
“Virtual machines are essentially isolated from one another in the same way that two physical machines would be on the same network. A virtual machine’s running operating system has no knowledge of other virtual machines running on the same machine.
This enables even VMs with different operating systems to run simultaneously on the same hardware. The separation the hypervisor provides between the instance and the physical server makes the system “agile.” It allows virtualized servers to be moved, for example, in the case of a hardware failure, which keeps whatever function is being “served” working. The hypervisor also manages the hardware resources available to it to run an organization’s VMs as efficiently as possible and to scale to maintain availability when demand on the network is high.
There are three hypervisors available to Atlantic.Net HIPAA cloud services customers: Proxmox, Hyper-V, and Cloud.
An open-source alternative based on the Linux Kernel Virtual Machine (KVM), Proxmox is managed with a web graphical user interface (GUI) and is known for solid performance and flexibility. It works reliably with different operating systems, but also supports different storage options[VI], including Linux containers. Any storage type used can be accessed only through the hypervisor layer, allowing access restrictions compliant with HIPAA’s Title II and HITECH rules.
When set up in a server cluster or utilizing “shared” storage, Proxmox allows live migration of running machines. This makes the system agile enough that maintenance or updates necessary to keep the virtual server compliant from a security perspective can be performed without downtime, preserving compliance with the availability rules of HIPAA’s Title I. First released publicly in 2008, Proxmox is updated about every six months. It is built to work flexibly with a variety of different products, rather than those from a particular company like Microsoft as is the case with Hyper-V, which could make Proxmox a better fit for some organizations. Proxmox sometimes requires IT teams to use the command line, which for some, may not be ideal.
Microsoft’s Hyper-V is designed for Windows server and desktops, making it a popular choice for organizations that predominantly use Windows. Unlike Proxmox, Hyper-V uses proprietary storage technologies[VII]. The separation and control of access through the hypervisor layer is very similar, however, as is support for live migration. As with Proxmox, this keeps data in a securely isolated environment to maintain compliance with rules for fraud, abuse, and privacy, while also enabling the constant access and portability HIPAA compliant cloud computing requires.
Hyper-V includes “dynamic memory management,” a feature making it easy to scale up the number of virtual machines in use. It also features Windows Active Directory for security and access management. Organizations considering Hyper-V should be aware that it tends to work best with the latest version of Windows, though it also works with other operating systems, including Linux and FreeBSD[VIII]. Hyper-V was originally launched with Windows Server 2008, and Microsoft maintains it with frequent updates.
Atlantic.Net’s HIPAA Cloud environment is based on Linux KVM, much like Proxmox. Data is therefore isolated in the same way, on an abstracted hardware layer available only via the hypervisor.
Cloud environments allow customers fine-grained control to pay only for the resources they use and scale up those resources to meet increases in demand. It is, therefore, an efficient and economical solution for organizations with high variations in IT workload. Atlantic.Net launched its first cloud servers in 2010 and has been steadily expanding the service since.
Software Secures Borders, Physical or Virtual
Just as the software borders between VMs are like the hardware boundaries between physical machines, the tools that secure a network against malicious traffic are similar. Traffic should be controlled with a firewall, all the elements of the site should be secured with two-factor authentication, and off-site backups must be maintained to meet the Title I standard of accessibility. Those and all of the other necessary features for HIPAA compliance in a server[IX] can be met with the appropriate implementation of any virtual environment from Atlantic.Net.
Regularly scheduled, automated backups are available or included with all Atlantic.Net virtualized HIPAA cloud environments, making continuous compliance not only possible but easier. Healthcare organizations can also provide auditors with automatically generated logs of network traffic created by either KVM or Hyper-V, easily demonstrating the security and privacy necessary for Title II and HITECH compliance in HIPAA compliant cloud computing.
Every healthcare organization needs to follow security and compliance best practices, and partner with an IT provider they can trust to deliver compliant services, regardless of the network environment. Fortunately, this means the flexibility, logging, automated backups, and other features of virtualized environments are an option for all.
If your organization has avoided or delayed moving HIPAA workloads to a virtualized environment out of compliance concerns, it is likely worth reconsidering the option. Contact our knowledgeable sales team today by phone 1.800.521.5881 or email [email protected] for information about HIPAA cloud services, including our HIPAA Cloud and Managed Cloud solutions, today!