Solutions Brief

citrix.com/healthcare

Citrix Solutions for Healthcare and HIPAA Compliance

citrix.com/healthcare 2

HIPAA Compliance

While most people are well aware of the repercussions of losing personal or organizational data – from identity theft to termination – penalties for losing patient data under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH) are far more severe. Financial penalties range up to $1.5 million, and can be accompanied by potential damage to your brand.

To help you avoid these problems, Citrix® prepared this guide to take some of the guesswork out of how to apply our technologies to meet specific requirements of the HIPAA Security Rule. This document will also help you better understand how your investment in Citrix solutions can help you support broader enterprise governance, risk, and compliance (eGRC) initiatives going forward.

The matrix is based upon the HIPAA Security Standards rule published in the Federal Register on February 20, 2003 (45 CFR Parts 160 and 164 Health Insurance Reform: Security Standards; Final Rule). The Department of Health and Human Services provides the HIPAA Security Standards on its website: http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/securityruleguidance.html.

An overview of HIPAA and HITECH

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a U.S. law with the objective of providing privacy standards designed to protect patients’ medical records and specified health information provided to health plans, doctors, hospitals, and other healthcare providers.

At a high level, HIPAA breaks into the following categories:

• HIPAA Privacy Rule, which creates a minimum standard for the protection of health information and privacy rights for all in the U.S.

• HIPAA Security Rule, which establishes physical, technical, and administrative safeguards for electronic transactions of electronic protected health information (ePHI) and links closely to the Privacy Rule.

• Transaction and code sets standards, which are designed to achieve administrative simplification on a national scale.

These categories break into the following subcategories:

• Technical safeguards, which include access control, audit controls, integrity controls, and transmission security.

• Physical safeguards, which include facility access and control, as well as physical workstation and device security.

• Administrative safeguards, which include security management processes, security personnel, information access management, training, and assessment.

• Organizational policies/procedures and documentation requirements, which include covered entity responsibilities, business associate contracts, and policy/procedure and documentation requirements and updates.

Citrix IT solutions for healthcare

The tables below identify the specific requirements of the HIPAA Security Rule, what they call for to be successfully implemented, and the recommended Citrix products that can help you achieve that. You’ll also find valuable information that estimates how much impact Citrix technology can have on compliance.

Legend for the tables:

Enhanced: Compliance with the rule is enhanced by the use of Citrix technologies; however, additional measures are required for full compliance.

Enabled: Compliance with the rule is enabled by the use of Citrix technologies; however, compliance will depend on several factors within the customers’ exclusive control, including system design, deployment attributes, administrative settings, and inclusion of non-Citrix technologies.

Table columns: Standard (with section number); Implementation Specification (R: Required; A: Addressable); Description; Recommended Citrix Products.

ADMINISTRATIVE SAFEGUARDS § 164.308

Security Management Process (§ 164.308(a)(1))

Conduct HIPAA/ePHI assessment and risk analysis (R)

Not applicable

Implement measures to manage/reduce HIPAA risks (R)

Enhanced: While this rule is administrative in nature, the Citrix product suite influences successful compliance in that XenApp, XenDesktop, XenMobile, and ShareFile each function to reduce risk associated with loss or exposure of ePHI, combining data containment strategies with encryption, auditing, and granular policy. As the delivery mechanism for the controlled applications and data, Citrix products are uniquely suited to improve compliance.

XenDesktop®, XenApp®, XenMobile®, ShareFile®, NetScaler®

Apply sanctions against non-compliant workers (R)

Not applicable

Conduct regular system review (logs, incidents, etc.) (R)

Enhanced: XenDesktop and XenApp bring unparalleled visibility into all applications and user sessions in a compliant environment. With the ability to determine who used an application, when, for how long, and what application-level errors or messages occurred, IT staff benefit from a much more granular set of audit logs than they would with traditional application delivery mechanisms. Audit information contained within Citrix logs can provide information to security and IT teams for both active incidents and investigations after the fact.

XenDesktop, XenApp, NetScaler

Assigned Security Responsibility (§ 164.308(a)(2))

Identify, assign, and train HIPAA security officer

Not applicable

Workforce Security (§ 164.308(a)(3))

Authorization and/or supervision of workforce (A)

Not applicable

Develop workforce clearance/verification procedure (A)

Not applicable

Implement procedures for access termination (A)

Enhanced: Although access termination is an administrative task, XenDesktop and XenApp increase IT and security teams’ ability to remove access for terminated employees, both preventing them from logging into protected applications and from seeing the applications at all. This is most beneficial when large numbers of applications are in use that are not integrated into a central directory (such as Active Directory) and would otherwise require a complex process or individual application restrictions across a large number of applications. Additionally, use of XenMobile and ShareFile provides the same ability as XenDesktop and XenApp but extends control and access termination to corporate-provided or, more importantly, user-owned mobile devices. When properly configured, not only will access be terminated on mobile devices, but all controlled data will be removed, regardless of whether or not the device is on the network.

XenApp, XenDesktop, XenMobile, ShareFile, NetScaler

Information Access Management (§ 164.308(a)(4))

Isolate any healthcare clearinghouse functions (R)

Not applicable

Implement policies to authorize access to ePHI by job function (A)

Enhanced: Use of Citrix products and integration with a central user directory allows increased granularity of control when configuring access for users. While traditional delivery methods restrict the user’s ability to log in to controlled applications, XenApp and XenDesktop effectively remove the ability to even see the application unless the job function or role permits it. This increased granularity and control allows the IT and security teams to minimize their attack surface, provide a second mechanism to ensure that users who shouldn’t have access to applications don’t, and significantly reduce unauthorized access attempts from users or third parties.

XenDesktop, XenApp, XenMobile

Establish policies to review/modify user access rights (A)

Not applicable

Security Awareness and Training (§ 164.308(a)(5))

Implement and conduct periodic security updates/training (A)

Not applicable

Implement protection from malicious software; establish process for regular system patch and security updates (A)

Enhanced: Use of Citrix Provisioning Server with XenApp and XenDesktop ensures that malicious software is removed from systems upon reboot (typically automated) and that all servers and desktops based on the provisioned image maintain identical patch and security update configuration. This reduces the overall burden to IT and security staff and ensures significantly higher levels of compliance to this safeguard, especially when used at scale.

XenDesktop, XenApp, Provisioning Server

Establish/implement procedures for login monitoring (A)

Enhanced: When used in conjunction with application-level logging, XenApp, XenDesktop, and XenMobile enable increased granularity and monitoring capabilities down to the application level, providing additional data regarding who is logging into an application, from where, and for how long. This allows IT and security staff additional visibility into users’ access to controlled applications as well as faster correlation in the event of compromise or incident.

XenDesktop, XenApp, XenMobile

Establish/implement procedures and rules for strong password management (A)

Not applicable

Security Incident Procedures (§ 164.308(a)(6))

Implement policies and procedures to address and report security incidents (R)

Not applicable

Contingency Plan (§ 164.308(a)(7))

Implement procedures to make exact copies of ePHI data (R)

Not applicable

Implement plans/procedures to restore any loss of data (R)

Not applicable

Establish continuity plans to continue operations and protect ePHI in case of emergency mode operations (R)

Enhanced: When combined with NetScaler, XenApp and XenDesktop provide significantly improved disaster recovery/business continuity capabilities in the event that normal operations are disrupted. By reducing the effort and complexity of delivering applications and data from a secondary location (on-premise or cloud-based), IT and security staff are free to focus on restoration procedures, while clinical users get a much more robust user experience than traditional continuity plans offer.

XenDesktop, XenApp, NetScaler

Periodically test and revise contingency/emergency plans (A)

Not applicable

Assess criticality of applications and data in contingency plans for emergency mode operations (A)

Not applicable

Evaluation (§ 164.308(a)(8))

Perform periodic technical and non-technical evaluation of environment and operations as they pertain to ePHI

Not applicable

Business Associate Contracts and Other Arrangements (§ 164.308(b)(1))

Establish written contracts with business associates (R)

Not applicable

PHYSICAL SAFEGUARDS § 164.310

Facility Access Controls (§ 164.310(a)(1))

Provide for facility access for contingency operation mode (A)

Not applicable

Develop procedures for physical security of ePHI (A)

Not applicable

Control individual physical access to ePHI (employees/visitors/contractors) (A)

Not applicable

Document maintenance to physical components/facility (A)

Not applicable

Workstation Use (§ 164.310(b))

Implement policies for proper use and location of user devices that can access ePHI (on/off-premise laptops and workstations)

Enhanced: XenApp, XenDesktop, and XenMobile enable IT and security staff to set simpler and more effective policies for where, and by whom, protected applications and infrastructure may be accessed, both on and off premise: applications are centralized in the data center, and users are granted access to interact with the applications or machines housing ePHI only during active use. Combined with two-factor authentication, a properly deployed Citrix environment ensures that data stays within the data center regardless of device type, ownership, or location.

XenDesktop, XenApp, XenMobile, NetScaler

Workstation Security (§ 164.310(c))

Implement physical safeguards for all workstations that access ePHI to restrict access only to authorized users

Enhanced: XenApp, XenDesktop, and XenMobile allow integration with HID, smart card, and other authentication technologies that restrict the ability to access ePHI even with physical access to the device. Working on the principle of granting access with something you know (username/password) and something you have (HID badge, smart card, etc.), Citrix combines physical and logical controls even on campus. Further, when configured to automatically secure applications and desktops that have been “idle” for a specified period of time, Citrix technologies help keep security intact even in the event of an abandoned session.

XenDesktop, XenApp, XenMobile

Device and Media Controls (§ 164.310(d)(1))

Implement procedures to address final disposal of media and devices containing ePHI, including internal/external (R)

Not applicable

Implement policies for reuse of media containing ePHI (R)

Not applicable

Maintain records of movement of hardware and media containing ePHI inside and outside of facility (A)

Not applicable

Create exact copy of ePHI before movement of equipment (A)

Not applicable

TECHNICAL SAFEGUARDS § 164.312

Access Control (§ 164.312(a)(1))

Assign a unique identifier to track user identity (R)

Enhanced: XenApp, XenDesktop, and XenMobile allow IT and security teams to leverage the unique identifier to determine whether a user should even see an application that contains ePHI or log in to said application. Additionally, robust logging of user activity in Citrix allows IT and security to track activity before and after access to ePHI applications further enhancing visibility.

XenDesktop, XenApp, XenMobile

Create procedures to access ePHI during an emergency (R)

Enabled: With the capability to provision a Citrix presence in cloud services such as Amazon, Microsoft, etc., certain emergency circumstances can be mitigated, enhancing the ability to provide emergency procedures and improving the clinician experience in the event of an emergency (for example, an ePHI export/repository hosted in a Citrix environment in the cloud, with hotspots or other technology providing access in the event that the network is down).

XenDesktop, XenApp, NetScaler

Terminate a user session after a certain period of inactivity (A)

Enabled: Citrix natively provides the ability to have granular timeouts and the ability to secure idle sessions. For example, if a session is abandoned or inactive, the session will time out and secure the user’s environment; however, because the session is in a disconnected state, it’s ready for the user to resume work where they left off, bringing the session back to an active state from the secured/disconnected state (and allowing for a more aggressive timeout for the initial disconnect/securing of the session). If the disconnected session is not used after a specified amount of time, the session will be terminated completely. This granular control provides a much more robust user experience with a high level of security and brings compliance of this rule beyond just the applications, securing the entire environment and all associated ePHI.

XenDesktop, XenApp, XenMobile
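The two-stage timeout described above (an idle session is first secured by disconnecting it, and only later logged off if nobody reconnects) is worth seeing as explicit state logic. The following Python model is an added example written for this page; it is not Citrix code, and the policy fields `disconnect_after` and `terminate_after` are hypothetical names standing in for whatever timeout settings a real broker exposes. The model also handles two edge cases the text implies but does not spell out: an infrequent background sweep must still log the session off on schedule (so the disconnect time is back-dated to when the idle limit was actually reached), and a terminated session must refuse reconnection and force a fresh logon.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional


class SessionState(Enum):
    ACTIVE = "active"              # user is interacting with the session
    DISCONNECTED = "disconnected"  # secured: display detached, state kept server-side
    TERMINATED = "terminated"      # logged off; the session and its ePHI context are gone


@dataclass
class IdlePolicy:
    # Hypothetical policy values in seconds, not real Citrix setting names.
    disconnect_after: int   # inactivity before an ACTIVE session is secured
    terminate_after: int    # time a DISCONNECTED session waits before logoff


@dataclass
class Session:
    user: str
    last_activity: int                           # clock value of the last input event
    state: SessionState = SessionState.ACTIVE
    disconnected_at: Optional[int] = None
    audit: List[str] = field(default_factory=list)  # constructed audit trail for review


def record_activity(session: Session, now: int) -> None:
    """Keyboard/mouse input on an ACTIVE session resets the idle clock."""
    if session.state is SessionState.ACTIVE:
        session.last_activity = now


def evaluate(session: Session, now: int, policy: IdlePolicy) -> SessionState:
    """Apply the two-stage timeout and return the session's state at time `now`.

    The disconnect timestamp is back-dated to the moment the idle limit was
    reached, so an infrequent sweep still terminates the session on schedule.
    """
    if session.state is SessionState.ACTIVE:
        if now - session.last_activity >= policy.disconnect_after:
            session.state = SessionState.DISCONNECTED
            session.disconnected_at = session.last_activity + policy.disconnect_after
            session.audit.append(f"t={session.disconnected_at} {session.user} disconnected (idle)")
    if session.state is SessionState.DISCONNECTED:
        if now - session.disconnected_at >= policy.terminate_after:
            session.state = SessionState.TERMINATED
            session.audit.append(f"t={now} {session.user} terminated (disconnect timeout)")
    return session.state


def resume(session: Session, now: int, authenticated: bool) -> bool:
    """Reconnect to a secured session after the user re-authenticates.

    Only a DISCONNECTED session can be resumed; a TERMINATED one requires a
    fresh logon, and an unauthenticated reconnect attempt is refused.
    """
    if session.state is not SessionState.DISCONNECTED or not authenticated:
        return False
    session.state = SessionState.ACTIVE
    session.disconnected_at = None
    session.last_activity = now
    session.audit.append(f"t={now} {session.user} reconnected")
    return True


if __name__ == "__main__":
    # Constructed timeline: secure after 5 minutes idle, log off 30 minutes later.
    policy = IdlePolicy(disconnect_after=300, terminate_after=1800)
    s = Session(user="clinician01", last_activity=0)
    for t in (299, 300):
        print(t, evaluate(s, t, policy).value)
    print(400, "resumed" if resume(s, 400, authenticated=True) else "refused")
    for t in (700, 2499, 2500):
        print(t, evaluate(s, t, policy).value)
    print(2600, "resumed" if resume(s, 2600, authenticated=True) else "refused")
    print("\n".join(s.audit))
```

The aggressive first stage is cheap because nothing is lost: reconnecting restores the session exactly where it was, so the disconnect threshold can be set short without hurting clinicians, while the longer second stage bounds how long an abandoned session's ePHI context survives server-side.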

Implement a mechanism to encrypt/decrypt ePHI (A)

Enabled: Use of XenApp and XenDesktop not only reduces the amount of data that needs to be encrypted, by keeping all data in the data center and enforcing policies that do not allow export or removal of data outside the data center (data that is typically cached or copied to distributed PCs/workstations), but also provides in-flight encryption for ALL information accessed. XenMobile and ShareFile ensure that ePHI distributed outside the confines of an organization’s secured network or owned assets (for example, on mobile phones, tablets, personal computers, etc.) is encrypted and secure.

XenDesktop, XenApp, XenMobile, ShareFile, NetScaler

Audit Controls (§ 164.312(b))

Implement systems that record, examine, and report on activity in all information systems that contain or use ePHI

Enabled: Citrix products provide audit records of application use and activity that, when coupled with the audit capabilities of certified EMRs, provide unparalleled audit records. These enhance an organization’s ability to know and report on the activity a user generates, including the connecting username, device name, IP address of the connecting workstation (inside and outside the corporate network), application used, and session duration, as well as capture of all errors/notifications (such as invalid password or unauthorized access attempts) that the application containing ePHI generates. This information is particularly valuable in investigating potential breaches or unauthorized access.

XenDesktop, XenApp, XenMobile, ShareFile, NetScaler

Integrity (§ 164.312(c)(1))

Implement procedures to authenticate and protect ePHI from improper alteration or destruction (A)

Not applicable

Person or Entity Authentication (§ 164.312(d))

Implement procedures to verify that a person or entity attempting to access ePHI is the one claimed

Enabled: Citrix enhances the ability to ensure that the person or entity accessing ePHI is the one claimed through its support for and integration with multifactor authentication such as smart cards, biometrics, etc. This can effectively limit access to the Citrix environment hosting the EMR application to those authorized by the second factor, disallowing even an attempt to launch the ePHI-containing applications if the user is unable to properly authenticate. This specifically guards against user account compromise or account sharing.

XenDesktop, XenApp, XenMobile, ShareFile

Transmission Security (§ 164.312(e)(1))

Ensure ePHI isn’t improperly modified during transmission (A)

Not applicable

Encrypt transmitted ePHI whenever deemed appropriate (A)

Enabled: XenApp and XenDesktop encrypt transmitted data and session information by default and support increased levels of encryption above and beyond the default levels if desired. XenMobile and ShareFile allow transmitted data sent via email or file distribution to be encrypted during transmission, ensuring that the distribution methods clinical staff already use are secured.

XenDesktop, XenApp, XenMobile, ShareFile, NetScaler

ORGANIZATIONAL REQUIREMENTS (OMNIBUS RULE) § 164.314

Business Associate Contracts or Other Arrangements (§ 164.314(a)(1))

Implement BA agreements for any partners/subcontractors that create, receive, maintain, or transmit ePHI (R)

Enhanced: ShareFile provides a secure data storage enclave dedicated only for PHI. This secure enclave, ShareFile Cloud for Healthcare, enables covered entities and their business associates to leverage the protected ShareFile platform within a private cloud to process, maintain, and store PHI. ShareFile supports your HIPAA compliance and will enter into a business associate agreement (BAA) with customers that want to upload and share PHI using ShareFile.

ShareFile

Other arrangements needed to satisfy this requirement (R)

Requirements for Group Health Plans (§ 164.314(b)(1))

Group health plans must in general abide by all specifications of the HIPAA Security Rule, similar to other covered entities (R)

POLICIES, PROCEDURES, AND DOCUMENTATION REQUIREMENTS (OMNIBUS RULE) § 164.316

Policies and Procedures (§ 164.316(a))

Implement policies/procedures to comply with all standards and specifications of HIPAA rule. Document changes as needed.

Documentation (§ 164.316(b)(1))

Retain documentation for 6 years (R)

Make documents available for all responsible parties (R)

Review and update as needed (R)

Frequently asked questions

Q: What are the general requirements of the HIPAA Security Standards? (Ref: § 164.306 Security Standards: General Rules)

Covered entities must do the following:

1. Ensure the confidentiality, integrity and availability of all electronic protected health information the covered entity creates, receives, maintains or transmits.

2. Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.

3. Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under the privacy regulations.

4. Ensure compliance with this subpart by its workforce.

Q: How are covered entities expected to address these requirements?

Covered entities may use any security measures that reasonably and appropriately implement the standards; however, covered entities must first take into account the risks to protected electronic information; the organization’s size, complexity and existing infrastructure; and costs.

The final rule includes three “safeguards” sections outlining standards (what must be done) and “implementation specifications” (how it must be done) that are either “required” or “addressable.” If “required,” it must be implemented to meet the standard; if “addressable,” a covered entity can either implement it, implement an equivalent measure or do nothing (documenting why it would not be reasonable and appropriate).

• Administrative Safeguards: Policies and procedures, workforce security and training, evaluations, and business associate contracts.

• Physical Safeguards: Facility access, workstation security, and device and media controls.

• Technical Safeguards: Access control, audit controls, data integrity, authentication, and transmission security.

Q: What is Citrix doing to help customers address HIPAA regulations?

To facilitate our customers’ compliance with HIPAA security regulations, Citrix is providing detailed information about the security safeguards we have implemented into our healthcare solutions. This information is provided in this document, our security white paper, and other technical collateral. Additionally, our Client Services group is available to provide guidance and assistance in all deployments.

1114/PDF

Corporate Headquarters: Fort Lauderdale, FL, USA

Silicon Valley Headquarters: Santa Clara, CA, USA

EMEA Headquarters: Schaffhausen, Switzerland

India Development Center: Bangalore, India

Online Division Headquarters: Santa Barbara, CA, USA

Pacific Headquarters: Hong Kong, China

Latin America Headquarters: Coral Gables, FL, USA

UK Development Center: Chalfont, United Kingdom

About Citrix

Citrix (NASDAQ:CTXS) is a leader in mobile workspaces, providing virtualization, mobility management, networking and cloud services to enable new ways to work better. Citrix solutions power business mobility through secure, personal workspaces that provide people with instant access to apps, desktops, data and communications on any device, over any network and cloud. This year Citrix is celebrating 25 years of innovation, making IT simpler and people more productive. With annual revenue in 2013 of $2.9 billion, Citrix solutions are in use at more than 330,000 organizations and by over 100 million users globally. Learn more at www.citrix.com.

Copyright © 2014 Citrix Systems, Inc. All rights reserved. Citrix, XenDesktop, XenApp, XenMobile, ShareFile and NetScaler are trademarks of Citrix Systems, Inc. and/or one of its subsidiaries, and may be registered in the U.S. and other countries. Other product and company names mentioned herein may be trademarks of their respective companies.

Learn more

We hope that the information provided in these tables gives you a better understanding of how Citrix solutions for healthcare can help you meet HIPAA and HITECH security requirements. Our commitment to helping our customers comply with these important regulations is one of the reasons we’ve become a trusted solution partner of 90 percent of the largest healthcare providers, all of the U.S. News & World Report top hospitals, and the top healthcare IT vendors.

You can learn more about Citrix solutions for healthcare and HIPAA compliance on our website and by reading through the FAQs and white papers we’ve prepared around these topics.

Web: Citrix IT Solutions for Healthcare

www.citrix.com/healthcare

Citrix Security and Compliance Solutions

www.citrix.com/secure

FAQ: Citrix ShareFile Cloud for Healthcare

https://www.citrix.com/content/dam/citrix/en_us/documents/products-solutions/citrix-sharefile-cloud-for-healthcare-frequently-asked-questions.pdf

White Paper: Citrix ShareFile Cloud for Healthcare

https://www.citrix.com/content/dam/citrix/en_us/documents/products-solutions/what-is-the-citrix-sharefile-cloud-for-healthcare.pdf
