Securing Your Virtualized Electronic Medical Records System (EMR)

Abstract:

Electronic medical records will soon be mandatory in all medical facilities in the United States. With the continued growth of virtualization, these applications will be run with VMware vSphere, and it’s important that they are properly designed in the datacenter and on the desktop to maintain compliance with the Health Insurance Portability & Accounting Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH Act). In this presentation, we will explore specific mandates by the Department of Health and Hospitals that address security and how to implement solutions with VMware and it’s partner products to secure the application and patient data, and the consequences of not being compliant.

Outline

• Under the Health Information Technology for Economic and Clinical Health Act (HITECH Act), a certified electronic medical record implementation is mandated by the United States federal government by 2015
• HITECH Act strengthens HIPAA data security requirements
• Perform a security risk analysis as per HIPAA rule CFR 45 164.308(a)(1)
• As a mission critical application, makes sense to virtualize application to maintain high availability
• Areas of Vulnerability
• External Communication: EMRs require interfaces with practice management applications, hospitals, clinical results, and other external providers to transmit protected health information (PHI). Need to further secure VM. Deploy vShield.
• Hardware Failure: Cluster servers with vSphere 5 HA
• Application Failure: Implement Symantec ApplicationHA to monitor key applications to ensure HA of application
• Hard drive Failure: As part of HA, it is necessary to use shared storage. Also good choice for integrity of application and patient data transmission of patient data to the desktop
• Use VMware View instead of desktop PCs to ensure all electronic patient information remains in the secured datacenter.
• Implement proximity badge (tap) solution to secure desktop sessions
• Natural disaster or damage to datacenter: perform offsite replication to secondary site. Using SRM or vCloud Connector, can have business operations restored with minimal downtime
• HIPAA security breach is nasty and expensive. HIPAA security violations can include criminal charges and fines can be up to $1.5 million per year. Additional embarrassment by showing up on Department of Health and Hospitals public breach list — a “wall of shame”

Key Takeaways