The Health Insurance Portability and Accountability Act (HIPAA) requires organizations holding health records and related personally identifiable information to keep that data private for extended periods of time. The ultimate goal is to provide a framework that, coupled with enforcement, ensures patient healthcare data is limited to those with a stated need to know.
As technologists, it’s easy to view HIPAA compliance as a technology challenge. In reality, compliance can only be achieved through a combination of training, business policies, and technology. The VAST Data Platform can provide the technology to enforce organizations' policies, as described below.
Encryption at Rest and in Flight
The HIPAA security rules require organizations to “implement a mechanism to encrypt ePHI whenever deemed appropriate” to guard against unauthorized access to ePHI (electronic personal health information) transmitted over an electronic communications network.
The VAST Data Platform allows customers to encrypt data when stored on the system's SSDs (encryption at rest) to ensure that the data on the system’s SSDs is unreadable without their encryption keys. A VAST system’s CNodes encrypt all the data and metadata they write to the system SSDs in software with no requirement for premium-priced self-encrypting SSDs. Data is encrypted with AES-256 using FIPS 140-2 validated libraries.
VAST systems can manage encryption keys internally or use an enterprise key manager like Thales CypherTrust using the Key Management Interoperability Protocol (KMIP) protocol. When internal keys are used, all system data is encrypted with a single set of keys. Utilizing a KMIP key manager, VAST systems can support tenant-managed encryption keys with different keys for each tenant.
VAST systems also support data encryption in flight between clients and the VAST system’s CNodes. Encryption in flight is supported for NFS v3 and 4.1 over TLS, NFS 4.1 with Kerberos encryption and S3 over HTTPS. SMB 3 encryption is planned for 2024.
Retention Locks and WORM Capabilities
HIPAA compliance isn’t all about security. HIPAA also requires providers to retain ePHI for 20 years or more. To support compliance with these requirements, VAST offers retention locks and WORM (Write Once, Read Many) capabilities to further bolster data integrity and preservation.
Retention locks prevent data from being deleted for a set period, which is essential for compliance with legal and regulatory requirements in healthcare. These locks can be enacted on folders or buckets using S3 Object Lock or the well-understood file locking mechanism of setting the retention date and then flagging the file Read-Only to prevent writing to or deleting the file until a predetermined date.
WORM functionality further ensures that once written, data cannot be overwritten. These two functional components are critical for maintaining the fidelity of medical records, protecting them from tampering or accidental deletion.
Client Isolation through VIP
The VAST architecture employs Virtual IP (VIP) technology to provide client isolation, a critical feature for creating secure multi-tenant environments. By isolating client environments within the healthcare network, VIP helps prevent unauthorized access and data leakage between clients, which is paramount for maintaining patient confidentiality and compliance. Further, VAST integrates with Lightweight Directory Access Protocol (LDAP) providers such as Microsoft’s Active Directory, OpenIDAP, and FreeIPA to provide role- and attribute-based access control (ABAC) to system resources.
Immutable Snapshots
VAST’s architecture incorporates immutable snapshots, which are crucial for preserving data integrity in healthcare. These snapshots prevent data from being altered or deleted once taken and are critical to establishing recovery as the number of ransomware attacks against healthcare institutions increases. This is particularly vital in a healthcare setting where patient data must remain unchanged once recorded, ensuring that historical health records are preserved accurately for ongoing medical care, billing, and auditing purposes.
Conclusion
Combining these features and the core tenets of Zero Trust within the VAST architecture provides a comprehensive suite of security measures that align with HIPAA regulations, ensuring that healthcare providers can confidently manage and protect patient data while complying with the stringent guidelines and enforcement. With VAST, healthcare IT infrastructures are not only compliant but are also positioned at the forefront of technological innovation, leveraging the best practices in data security and management.
