Thursday, November 17, 2011

VMware vCloud Director Segmentation: PCI and HIPAA Firewall Controls

This came up last week and I thought I would post here to keep the information easily accessible.

Yes. You can use vCD to segment environments that are required to comply with HIPAA and/or PCI.

The firewall functions in vCD in no way preclude you from using vCD to host production Primary Account Number (PAN) or electronic Private Healthcare Information (ePHI) as long as you comply with all of the other controls required to host the information. Here are the details from the requirements along with specific comments.

PCI has an entire section devoted to firewall controls (Requirement 1: Install and maintain a firewall configuration to protect cardholder data), of which the most restrictive requirements are [1] the ability to implement ACLs, and [2] SPI/Dynamic Packet Filtering.

Requirement 1.3.6 
Verify that the firewall performs stateful inspection (dynamic packet filtering). (Only established connections should be allowed in, and only if they are associated with a previously established session.) 

HIPAA has specific segmentation requirements for health care clearinghouse functions found here. Although they are specifically called out as Administrative Controls, the definition for this bill is defined as:

Sec. 164.304  Definitions 
Administrative safeguards are administrative actions, and policies  and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected  health information and to manage the conduct of the covered entity's workforce in relation to the protection of that information. 

Note the lack of any detailed requirements – intentionally – to allow a broad range of solutions to fit the requirement.

164.308(a)(4)(ii)(A)
(ii) Implementation specifications:
    (A) Isolating health care clearinghouse functions (Required). If ahealth care clearinghouse is part of a larger organization, the clearinghouse must implement policies and procedures that protect the electronic protected health information of the clearinghouse from unauthorized access by the larger organization. Sec. 164.304 Definitions