Securing a virtualized environment to achieve HIPAA compliance

How to prepare for your health care organization's virtualized environment: Pick the apps, lock down security, develop disaster recovery mechanisms, test, test and test some more.

Server virtualization might have seen its heyday a few years ago in the general business world, but economics, space requirements in data centers and ease of disaster recovery are all combining to make a virtualized environment an attractive play in health care now. One other reason the technology's hot: Tidying up a physical server environment in preparation for server virtualization can be an intermediary step en route to outsourcing data to the cloud -- another storage strategy gaining traction among providers.

Erik Westerlind, who wrote a research report titled "Path to Cloud Computing Foggy: Perception Study 2011" for KLAS Research, said a majority of the 97 providers his team spoke with -- from small clinics with no beds up to 1,000-plus bed facilities -- were well aware of the benefits of a virtualized environment. A majority had at least tried it.

"It's almost as if you can't throw a rock without hitting somebody who is doing something like that," Westerlind said. In conversations with CIOs since the report came out, he added, he's found that mobile EHR deployment to devices such as the Apple Inc. iPad are a major driver of such projects.

Westerlind has also found that health care providers aren't afraid to mix virtualization software vendors to suit their specific network needs. One midsized hospital, he said, was virtualizing in order to share its EHR platform with two other hospitals in its market, and to pool IT resources.

How a virtualized environment addresses HIPAA security, data availability rules

As such projects scale up, so do HIPAA compliance requirements. That isn't always a negative, however. Not only can it be harder to steal data in a virtualized environment, but HIPAA mandates for data availability and backups can be easier to fulfill with server virtualization, since it's simpler to clone servers and quickly create redundancy.

That, in turn, makes it easy to revert quickly to a snapshot of a virtual network taken right before a "disaster" -- which could be as simple as a vendor upgrade to a single application that crashes an entire network -- making data available sooner than it would be in a physical server-based environment. Reconfiguring and reinstalling physical servers after a crash can take hours, whereas virtualized "clones" can be brought back up in minutes.

Of course, in a virtualized environment, it's also more straightforward to test upgrades thoroughly in cloned networks running parallel to their live counterparts before rolling out those upgrades, said Charles Buck, COO and co-founder of IndependenceIT. The company provides hosted cloud services in a virtual server environment for its clients, which include American Health Centers, Inc., a Bedford, N.H.-based radiology diagnostic imaging provider, as well as a number of other independent physician groups. In effect, Buck said, they virtualize applications and support them in their own environment on behalf of the clients, replicating each client's physical network in a private cloud.

Scott Lundstrom, group vice president at IDC Health Data Insights, said that virtualization technology at its core is a method of improving data availability through concentration and sharing of computing resources. He added that most of the largest hospitals and integrated delivery networks, or IDNs, have already virtualized at least some applications on their networks. Middle-sized health care providers are following suit, he said, but it's tougher for them because IT resources for testing and implementation aren't as plentiful.

Virtualized environment can be precursor to migrating data to cloud

If your IT shop's contemplating a health care server virtualization implementation -- or simply sticking its toe in the pool by virtualizing an application such as an EHR or PACS system on a test farm -- detailed planning can spare a lot of wasted time and IT resources and make the limits of virtualization clear up front. It can also keep you on the right side of HIPAA compliance, especially when taking into account HIPAA security, IT risk assessment and risk management.

"Organizations that have been really successful at virtualization typically have a set of projects that they do as a precursor," said Lundstrom, adding that this process includes taking an inventory of all applications and platforms. In health care, those inventories can show many "islands" where an app might be the only one of its kind running on a particular platform. "Those unique assets create an additional level of complexity" when trying to move from a physical to a virtualized server environment, he said.

Consolidating down to a few apps -- and upgrading as many legacy apps as possible to newer ones currently supported by vendors -- helps make a smoother transition to a virtualized environment, and it can help HIPAA compliance on the data-availability front.

Lundstrom said server virtualization can also involve reallocating -- and retraining -- personnel as their roles change. Any implementation plan should include IT skills and HIPAA training.

Virtualizing an application is easy, Buck added; the hard part comes when trying to iron out all the conflicts when integrating multiple applications in a multi-user virtualized environment. "There are a lot of people who just give up."

Whether a virtualized environment is an end unto itself or used as a way to outsource data to a cloud provider, Lundstrom points out that head counts won't necessarily go down. Chances are, the compliance-driven technology goals happening around a particular health care provider will quickly take up the staffing slack created by virtualizing a room full of physical servers.

"Meaningful use and health care reform absolutely require that hospitals improve [IT] capabilities in a couple of areas, and virtualization makes most of that a lot easier," Lundstrom said, referring to areas such as collecting, reporting on and analyzing data for quality-based patient care incentive programs such as accountable care organizations.

Health care, Lundstrom continued, is moving toward a network-based, high-availability collaborative environment because of these quality programs. "There's huge liability around the economics of HIPAA violations, the economics of breaches of personal health information," he said. "They're really daunting. We're talking multimillion dollar settlements on this stuff at this point."

Lundstrom recommended that IT leaders planning virtualization projects read through guidance offered by IBM, Oracle Corp. and VMware Inc., all of which have health care-specific content.

Buck added that a virtualization implementation plan should include security protocols on how access to data will be controlled. His company makes sure clients can control access to data both at the application level and outside applications -- namely, the unstructured data in things such as word-processing files and text notes, or "anything that isn't controlled by another application."

And while all these compliance mandates might seem overwhelming, for Buck, whose company is going on a decade of serving clients in many markets outside of health care, it's not.

"I think health care providers believe that their data is special and different than others, but the fact is that there are regulatory demands for data security, archiving and discovery that span virtually across any business," he said.

"You have things like Sarbanes-Oxley and Gramm-Leach-Bliley -- those are U.S. issues, and certainly Europe and the Far East have their own set of rules and regulations on data and how it can be moved, managed and stored. They're all effectively the same in terms of the outcome they're trying to achieve."

Let us know what you think about the story; email Don Fluckinger, Features Writer or contact @DonFluckinger on Twitter.

This was first published in January 2012
