Educause Security Discussion mailing list archives

HIPAA architecture

From: David Opitz <DOpitz () LOYOLA EDU>
Date: Tue, 21 Jun 2011 14:10:12 -0400

Hi,

We are changing our network design for our HIPAA covered offices. I've read PCI requirements and they basically require anything that has access to credit card data to be totally isolated from any other part of your network, giving some specifics on how this must be accomplished. HIPAA isn't that specific - it does require a "risk analysis", but that is subjective and we aren't reaching agreement on what is acceptable risk. We are considering 3 different architectures, and I'm wondering what acceptable level of risk you would be comfortable recommending to your management.

1) Users have 2 computers (or perhaps a thin client) that use an A/B toggle switch to share keyboard/mouse/monitor, with one computer connected to the Internet (for email, web surfing, general use) and the other only to the HIPAA network (isolated via a VLAN or IPsec tunnel).

2) Users have 1 computer but it is a locked down configuration (no local admin rights for users, no incoming connections allowed by firewall/ACL rules, quickly patched, etc.). It is allowed to access both the Internet and HIPAA data.

3) One standard PC with a Type 1 (or bare metal) hypervisor running different instances of an operating system, one for Internet access, one for access to secured data. Actually, I'm not sure there is a product that would be easy for a user to use (quickly switch back and forth between OSes without rebooting). Do you know of such a product and would you consider the hypervisor adequate protection to provide this separation?

Peace,
Dave
