How to Achieve HIPAA Compliance

February 09, 2021

Carbon Black Cloud & Workspace ONE solutions for Microsoft Windows 10

VMware is excited to announce the availability of a third-party white paper that provides a detailed overview of VMware’s Carbon Black Cloud and Workspace ONE Unified Endpoint Management (UEM) platforms. Both were independently assessed for their technical capabilities in securing Windows 10 workstations against the requirements of the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. The third-party assessor, Coalfire, vetted these solutions for meeting those requirements. The solutions are available for deployment and use by healthcare-related organizations, institutions, firms, and federal government agencies that are required to comply with these laws and guidance.

In the white paper, VMware’s integration and deployment of both solutions was shown to provide the essential elements for meeting the HIPAA Security Rule, assisting healthcare providers in satisfying the technical aspects of multiple requirements for the confidentiality, integrity, and availability of patient e-PHI data. The white paper also includes a detailed explanation of the testing activities performed during Coalfire’s review.

Background

HIPAA is legislation enacted in the USA in 1996 that provides data privacy and security provisions for safeguarding medical information. The HIPAA Security Rule sets out requirements for safeguarding electronic Protected Health Information (e-PHI) and thereby establishes the standards for patient data security.

HIPAA Security Rule

The HIPAA Security Rule specifically focuses on the protection of e-PHI through the implementation of administrative, physical, and technical safeguards. Compliance is required of all organizations defined by HIPAA as a covered entity, business associate, or subcontractor. Such organizations are required to:

  • Ensure the confidentiality, integrity, and availability of all e-PHI that they create, receive, maintain, or transmit.
  • Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.
  • Protect against reasonably anticipated uses or disclosures of such information that are not permitted by the HIPAA Privacy Rule.
  • Ensure compliance by their workforce.

The requirements of the HIPAA Security Rule are organized according to safeguards, standards, and implementation specifications. The major sections include:

  • Administrative Safeguards
  • Physical Safeguards
  • Technical Safeguards

Whitepaper

Coalfire completed a multi-faceted technical assessment during this project using security industry and audit best practices. Coalfire conducted technical lab testing in VMware’s hosted test environment from October 24, 2020, to November 11, 2020.

At a high level, testing consisted of the following tasks:

  • Technical review of the architecture of the full solution and its components.
  • Implementation of the VMware Carbon Black Cloud and Workspace ONE platform agent software in the Coalfire lab environment.
  • Introduction of malware binaries on local systems with the antivirus (AV) agent software installed.
  • Confirmation of VMware Carbon Black Cloud’s ability to block and remove known malware samples.
  • Validation of the Workspace ONE system against HIPAA compliance and security best practices for multiple implementation specifications of the HIPAA regulation.

The assessment scope focused on validating the use of the VMware Carbon Black Cloud and Workspace ONE platforms in a HIPAA environment, including their impact on the HIPAA Security Rule’s Administrative and Technical Safeguards. Although both solutions support multiple other OS platforms, the assessment scope was limited to Windows 10.

The VMware Carbon Black Cloud and Workspace ONE platforms, when properly implemented following guidance from VMware’s defense-in-depth strategy, provide multiple layers of protection. To follow industry cybersecurity best practices for Endpoint Detection & Response, it is necessary to apply these policies and configuration guidelines to meet the technical portions of the multiple HIPAA requirements detailed in the testing tables within the report below:

VMware CB & WS1: HIPAA Compliance Coalfire Report

Figures 1 & 2: Integrated VMware EUC Security, and SASE Security Model

VMware Security

VMware is committed to supporting the IT compliance and security programs of healthcare organizations and government agencies worldwide, and continues to expand its programs to meet the requirements of the most demanding missions. VMware has also committed to expanding its work in the ever-dynamic domain of Zero-Trust Security & Architecture (ZTS/ZTA).

Additionally, VMware has made enhancements aligned with Gartner’s Secure Access Service Edge (SASE) framework within its solution portfolio. This provides a breadth of intrinsic security solutions that enhance the security of each layer of the enterprise. Specifically, this covers the device and user security required under HIPAA, in ZTS/ZTA alignment, across VMware’s suite of solutions for each area of the architecture, including Unified Access Gateway (UAG), Horizon VDI, Network Virtualization & Security (NSX), SD-WAN by VeloCloud / NSX Advanced Load Balancer (AVI), Lastline, Tanzu Application Service, and of course Carbon Black and Workspace ONE UEM / Intelligence / Access / Tunnel.

Figure 3: Intrinsic Security Model

More information on VMware compliance can be found in the VMware Cloud Trust Center, SASE, and ZTS/ZTA:

VMware Carbon Black Cloud:

Configuring and enabling Workspace ONE:

Additional Workspace ONE UEM resources:


Andrew Osborn

Staff Technical Marketing Architect, Federal, End User Computing, VMware.
Andrew serves at VMware as a dedicated ‘Staff Technical Marketing Architect’ for all things End-User Computing (EUC) compliance and regulatory. He has over 20 years’ experience in the IT industry, including the last 8 years within the public sector, with roles spanning cybersecurity, networking, enterprise operations, mobility, and telco solutions, encompassing numerous technologies and architectures. Andrew received an MIS degree from the University of Oklahoma, holds the ISC2 CISSP and GIAC GSLC certifications, and is based out of San Antonio, TX. He will be contributing to VMware’s TechZone to provide more tailored messaging for Federal, State, Local & Education (SLED) solutions from VMware EUC.
Andrew is serving in a role at VMware as a dedicated ‘Staff Technical Marketing Architect’ for all things End-User Computing (EUC) compliance / regulatory. He's got over 20 years’ experience in the IT Industry, including the last 8 years within Public Sector, with roles spanning Cybersecurity, Networking, Enterprise Ops, Mobility & Telco solutions, encompassing numerous technologies and architectures. Andrew received an MIS degree from Univ. of Oklahoma with certs from ISC2 CISSP & GIAC GSLC and is based out of San Antonio, TX. He'll be contributing to VMware’s TechZone to provide more tailored messaging for Federal, State, Local & Education (SLED) solutions from VMware EUC.