
Meeting HIPAA requirements for a private cloud in health care

Learn best practices for implementing and managing a private cloud in health care, which can be especially challenging because of HIPAA requirements.

The term private cloud has become something of an IT industry buzzword that gets overused and misused to the point that the term becomes ambiguous. For the sake of this article I am defining a private cloud as an on-premises Infrastructure as a Service (IaaS) cloud. Private clouds typically feature a Web interface through which authorized users can deploy and interact with virtual machines.

Private clouds and HIPAA requirements

The main challenge behind the creation of private clouds in health care environments is that the HIPAA requirements were created at a time when private clouds did not even exist. The flexibility that private clouds provide can also make it very difficult to adhere to HIPAA requirements.

In a normal IT environment (one that does not use private clouds), control over the organization's IT resources is centralized. An IT department oversees all of the systems and ensures HIPAA compliance. In a private cloud environment, the IT department retains both physical and logical control over the hardware resources, but the centralization of control ends there.

Typically a department will request hardware resources from the IT department. The IT department will use the private cloud's interface to allocate a specific amount of memory, CPU cores, disk space and other needed resources to the person who made the request. That person is then free to deploy virtual machines on an as-needed basis until the allocated resources have been consumed.

To prevent utter chaos (and HIPAA violations), the IT department must maintain some degree of control over the types of virtual machines that users can create. This is typically accomplished through the use of virtual machine templates.

When the IT department initially creates the private cloud, it also typically creates a number of virtual machine templates. These templates are used as a basis for creating various types of virtual machines. For example, an administrator might create a domain controller template, a file server template or a mail server template.

Obviously the templates themselves should be created in a way that takes the HIPAA requirements into account. For example, virtual machine templates should contain all of the appropriate security settings. However, it is equally important to be choosy about providing access to the templates.

Private cloud software is usually designed so that when administrators allocate hardware resources to a user, they also have the option of specifying which virtual machine templates that user may use to create virtual machines within the provisioned resources. Although this capability was originally introduced as a way of maintaining control over software license consumption, it also works well for maintaining a degree of control in health care organizations.

To give you an example of why regulating access to templates is so important, consider HIPAA requirement 164.312(a)(2)(i), which requires that a unique name or number be used for identifying and tracking each user. With that requirement in mind, imagine what could happen if you allowed a user to access the template for domain controller creation. The user could potentially create a new domain in which everyone uses a common logon ID instead of using a unique ID as required by HIPAA.

A casual user is not likely to be asking the IT department for private cloud resources. Such requests will typically come from department heads who should ideally already be familiar with HIPAA. Even so, the IT department is ultimately responsible for ensuring that all systems are HIPAA compliant. As such, it is imperative for administrators to insist on performing compliance audits on virtual machines that were created within the private cloud. Doing so is the only way to guarantee that those machines are being configured and used in an appropriate manner.
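One way such a compliance audit could be automated is sketched below as an added example; it is not from the original article and does not use any private cloud product's API. The tenant names, template names, record fields and sample inventory are all constructed assumptions. It flags virtual machines built outside a tenant's permitted templates and logon IDs that do not map to exactly one person.

```python
# Constructed sample data; tenant names, template names and field names are
# hypothetical and do not follow any product's export format.
ALLOWED_TEMPLATES = {
    "radiology": {"file-server", "app-server"},
    "billing": {"file-server"},
}
INVENTORY = [
    {"vm": "rad-fs01", "tenant": "radiology", "template": "file-server",
     "accounts": {"jdoe": ["J. Doe"], "asmith": ["A. Smith"]}},
    {"vm": "rad-dc01", "tenant": "radiology", "template": "domain-controller",
     "accounts": {"frontdesk": ["J. Doe", "A. Smith", "M. Lee"]}},
    {"vm": "bill-x01", "tenant": "billing", "template": None,
     "accounts": {"mlee": ["M. Lee"], "svc-scan": []}},
]


def audit_vm(vm, allowed=ALLOWED_TEMPLATES):
    """Return a list of findings for one VM record (empty list = clean)."""
    findings = []
    template = vm["template"]
    if template is None:
        # No template recorded: the VM did not start from a hardened baseline.
        findings.append("no-template")
    elif template not in allowed.get(vm["tenant"], set()):
        # Unknown tenants get an empty allow-list, so the check fails closed.
        findings.append(f"template-not-allowed:{template}")
    for login, people in sorted(vm["accounts"].items()):
        if len(people) > 1:
            # One logon ID used by several people breaks unique identification.
            findings.append(f"shared-id:{login}")
        elif not people:
            findings.append(f"unowned-id:{login}")
    return findings


def audit(inventory):
    """Map VM name -> findings, listing only VMs that need follow-up."""
    report = {}
    for vm in inventory:
        findings = audit_vm(vm)
        if findings:
            report[vm["vm"]] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit(INVENTORY).items():
        print(name, findings)
```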

Managing virtual machines in a private cloud

One aspect of private cloud management that is easy to accidentally overlook is the virtual machine lifecycle management process. Most private cloud software allows expiration policies to be set for virtual machines so that server resources are reclaimed if a virtual machine has not been used for a specific length of time. However, HIPAA requires certain types of data to be retained. As such, blanket virtual machine expiration policies cannot be reliably used. The IT department will need to adopt a procedure for reviewing and decommissioning virtual machines.
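The review step described above can be modelled as a triage that replaces the blanket expiration rule. This is an added example, not code from the article or from any private cloud product; the 90-day idle threshold, the data classification tags and the sample inventory are constructed assumptions. Idle machines are reclaimed automatically only when they are explicitly classified as holding no retained data, and everything else, including unclassified machines, goes to manual review.

```python
from datetime import date

IDLE_DAYS = 90  # assumed idle threshold; set this from local policy

# Constructed inventory; VM names and field names are hypothetical.
# data_class: "none" = no retained data, "retained" = subject to retention,
# None = never classified.
VMS = [
    {"vm": "test-web07", "last_used": date(2024, 1, 10), "data_class": "none"},
    {"vm": "rad-archive02", "last_used": date(2023, 11, 2), "data_class": "retained"},
    {"vm": "lab-app03", "last_used": date(2024, 5, 28), "data_class": "retained"},
    {"vm": "tmp-3391", "last_used": date(2023, 12, 15), "data_class": None},
]


def triage(vm, today, idle_days=IDLE_DAYS):
    """Decide what the lifecycle process may do with one VM."""
    idle = (today - vm["last_used"]).days
    if idle <= idle_days:
        return "keep"
    if vm["data_class"] == "none":
        # Only an explicit "no retained data" tag permits automatic reclaim.
        return "reclaim"
    # Retained or unclassified data: a person must review (and archive if
    # required) before the VM is decommissioned.
    return "review"


def build_queue(vms, today):
    """Group VM names by triage outcome, preserving inventory order."""
    queue = {"keep": [], "reclaim": [], "review": []}
    for vm in vms:
        queue[triage(vm, today)].append(vm["vm"])
    return queue


if __name__ == "__main__":
    for action, names in build_queue(VMS, date(2024, 6, 15)).items():
        print(action, names)
```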

Maintaining HIPAA compliance can become much more challenging in a private cloud environment. The key to maintaining HIPAA compliance is to maintain strict control over how the private cloud resources are being used.

About the author
Brien M. Posey, MCSE, is a Microsoft Most Valuable Professional for his work with Windows 2000 Server and IIS. He has served as CIO for a nationwide chain of hospitals and was once in charge of IT security for Fort Knox. Write to him at or contact @SearchHealthIT on Twitter.
