How to Achieve HIPAA Compliance

Carbon Black Cloud and Workspace ONE Solutions for Microsoft Windows 10

VMware is excited to announce the availability of a 3rd party white paper that provides a detailed overview of VMware’s Carbon Black Cloud and Workspace ONE Unified Endpoint Management (UEM) platforms. Both were independently assessed for technical capabilities in securing Windows 10 workstations against the requirements of the Health Insurance Portability and Accountability Act (HIPAA)’s Security Rule. The third-party entity Coalfire vetted these solutions for meeting those requirements. The solutions are available for deployment and use by healthcare-related organizations, institutions, firms, and FedGov agencies that are required to comply with these applicable laws and guidance.

In the whitepaper, VMware’s integration and deployment of both solutions was shown to provide the essential and necessary elements for meeting the HIPAA Security Rule, which assist healthcare providers with satisfying the technical aspects of multiple requirements of Confidentiality, Integrity & Availability of patient e-PHI data and an explanation of the testing activities performed during Coalfire’s review in detail is included.


This document is intended for IT administrators and product evaluators who are familiar with VMware's Anywhere Workspace powered by EUC and VMware Workspace ONE. Familiarity with the End-User Computing environment and modern management that include device, app and identity management is assumed. Knowledge of other technologies, such as VMware Horizon, Security, Secure Access Service Edge (SASE), and Zero Trust Architecture (ZTA) is also helpful.


HIPAA is legislation enacted in the USA in 1996 that provides data privacy and security provisions for safeguarding medical information. The HIPAA Security Rule provides requirements on the safeguarding of electronic Protected Health Information (e-PHI), which sets the standards for patient data security.

HIPAA Security Rule

The HIPAA Security Rule specifically focuses on the protection of e-PHI through the implementation of administrative, physical, and technical safeguards. Compliance is required of all organizations defined by HIPAA as a covered entity, business associate, or subcontractor. Organizations such as these are required to perform the following activities:

  • Ensure the confidentiality, integrity, and availability of all e-PHI that it creates, receives, maintains, or transmits.
  • Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.
  • Protect against reasonably anticipated uses or disclosures of such information that are not permitted by the HIPAA Privacy Rule.
  • Ensure compliance by its workforce.

The requirements of the HIPAA Security Rule are organized according to safeguards, standards, and implementation specifications. The major sections include:

  • Administrative Safeguards
  • Physical Safeguards
  • Technical Safeguards


Coalfire completed a multi-faceted technical assessment during the course of this project using security industry and audit best practices. Coalfire conducted technical lab testing in VMware’s hosted test environment from October 24, 2020, to November 11, 2020.

At a high level, testing consisted of the following tasks:

  • Technical review of the architecture of the full solution and its components.
  • Implementation of the VMware Carbon Black Cloud and Workspace ONE platforms agent software in the Coalfire lab environment.
  • Introduction of malware binaries on local systems with antivirus (AV) agent software installed.
  • Confirmation of the VMware Carbon Black Cloud’s ability to block and remove known malware samples.
  • Validation of the Workspace ONE system to ensure HIPAA compliance and security best practices for multiple implementation specifications of the HIPAA regulation.

The assessment scope focused on validating the use of VMware Carbon Black Cloud and Workspace ONE platforms in a HIPAA environment, including its impact on the HIPAA Security Rule’s Administrative and Technical Safeguards. Although both solutions can support multiple other OS platforms, the assessment scope limited it to Windows 10.

The VMware Carbon Black Cloud and Workspace ONE platforms, when properly implemented following guidance from VMware’s comprehensive defense-in-depth strategy, provides multiple layers of protection. And in order to follow industry cybersecurity best practices for Endpoint Detection & Response, it’s necessary to leverage these policies and configuration guidelines to meet the technical portions of multiple HIPAA requirements detailed in the testing tables within the following report: VMware CB & WS1: HIPAA Compliance Coalfire Report.


Figures 1 & 2: Integrated VMware EUC Security, and SASE Security Model

VMware Security

VMware is committed to supporting healthcare and agencies’ IT compliance and security programs worldwide, and continues to expand our programs to meet the requirements of the most demanding missions. VMware has made a commitment to expanding the ever-dynamic domain of Zero-Trust Security & Architecture (ZTS/ZTA).

Additionally, VMware has made enhancements in Gartner’s Secure Access Service Edge (SASE) framework within our solution portfolio. This provides a breadth of intrinsic security solutions that enhance the security of each layer of the enterprise. Specifically, this enhancement includes the device and user security covered under HIPAA within ZTS/A alignment to our robust suite of solutions to cover each area of the architecture, including Unified Access Gateway (UAG), Horizon VDI, Network Virtualization & Security (NSX), SD-WAN by VeloCloud/NSX Advanced Load Balancer (AVI), LastLine, Tanzu App Service, and of course, Carbon Black and Workspace ONE UEM/Intelligence/Access/Tunnel.


Figure 3: Intrinsic Security Model


Additional Resources

More information on VMware compliance can be found in the VMware Cloud Trust Center, SASE, and ZTS/ZTA:

VMware Carbon Black Cloud:

Configuring and enabling Workspace ONE:

Additional Workspace ONE UEM resources:


The following updates were made to this guide:


Description of Changes


  • Guide was published.

About the Author

Andrew Osborn is serving in a role at VMware as a dedicated ‘Staff Technical Marketing Architect’ for all things End-User Computing (EUC) compliance / regulatory. He has over 20 years’ experience in the IT Industry, including the last 8 years within Public Sector, with roles spanning Cybersecurity, Networking, Enterprise Ops, Mobility & Telco solutions, encompassing numerous technologies and architectures. Andrew received an MIS degree from University of Oklahoma with certs from ISC2 CISSP & GIAC GSLC and is based out of San Antonio, TX. He'll be contributing to VMware’s Tech Zone to provide more tailored messaging for Federal, State, Local & Education (SLED) solutions from VMware EUC.


Your feedback is valuable.

To comment on this paper, contact VMware End-User-Computing Technical Marketing at


Filter Tags

Workspace ONE Workspace ONE Access Workspace ONE UEM Document WhitePaper Overview Win10 and Windows Desktop Public Sector