Educause Security Discussion mailing list archives
Re: HIPAA architecture
From: Alexander Kurt Keller <alkeller () SFSU EDU>
Date: Tue, 21 Jun 2011 21:37:23 +0000
Hi Dave et al, I can't speak to the policy questions, but both NxTop (http://www.virtualcomputer.com/nxtop) and XenClient (http //www.citrix.com/xenclient) offer the end user easy switching between running VMs on a bare-metal hypervisor, with the former (NxTop) being a bit more polished. I believe MokaFive is another upstart in this client-side hypervisor market and VMware will make a similar offering shortly. Both NxTop and XenClient offer free stand-alone versions, but the server side management costs $$. Best, alex Alex Keller Systems Administrator Academic Technology, San Francisco State University Office: Burk Hall 153 Phone: (415)338-6117 Email: alkeller () sfsu edu -----Original Message----- From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of David Opitz Sent: Tuesday, June 21, 2011 11:10 AM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: [SECURITY] HIPAA architecture Hi, We are changing our network design for our HIPAA covered offices. I've read PCI requirements and they basically require anything that has access to credit card data to be totally isolated from any other part of your network, giving some specifics on how this must be accomplished. HIPAA isn't that specific - it does require a "risk analysis", but that is subjective and we aren't reaching agreement on what is acceptable risk. We are considering 3 different architectures, and I'm wondering what acceptable level of risk you would be comfortable recommending to your management. 1). Users have 2 computers (or perhaps a thin client) that use an A/B toggle switch to share keyboard/mouse/monitor, with one computer connected to the Internet (for email, web surfing, general use) and the other only to the HIPAA network (isolated via a VLAN or IPsec tunnel). 2). Users have 1 computer but it is a locked down configuration (no local admin rights for users, no incoming connections allowed by firewall/ACL rules, quickly patched, etc.). It is allowed to access both the Internet and HIPAA data. 3). One standard PC with a Type 1 (or bare metal) hypervisor running different instances of an operating system, one for Internet access, one for access to secured data. Actually, I'm not sure there is a product that would be easy for a user to use (quickly switch back and forth between OS's without rebooting). Do you know of such a product and would you consider the hypervisor adequate protection to provide this separation? Peace, Dave
Current thread:
- SANS Securing The Human aggregate buy Doug Pearson (Jun 20)
- HIPAA architecture David Opitz (Jun 21)
- Re: HIPAA architecture Alexander Kurt Keller (Jun 21)
- Re: HIPAA architecture Jones, Dan (Jun 21)
- HIPAA architecture David Opitz (Jun 21)