Health Care IT people -Can a database hosted on a virtual server be Hippa Compliant?

Status
Not open for further replies.

TechBoyJK

Lifer
Oct 17, 2002
16,701
60
91
I have a client that needs to launch a hippa-compliant application running on Windows 2003/ColdFusion/Oracle. They are also trying to save costs, since this deployment will be a backup and not the primary site. It still needs to be active, though, so that it can receive updates to the data, etc. If there is ever a disaster, we can re-allocate resources to the server pretty quickly in case capacity needs to grow.

Having said that, can a secure virtual machine be hippa compliant, since the hardware is still shared? Nobody else would be getting into their OS, etc., but there would be multiple virtual machines running from the same NAS. So technically, the data is on a shared storage system.

Assuming all of their other practices are hippa compliant, would this still be applicable?
 

skyking

Lifer
Nov 21, 2001
22,070
4,875
146
I'd say unless you can absolutely ensure that no other user on that hardware can get to the data, the answer is no. HIPAA requires strict logging and access control.
 
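As an added, offline example (not code from anyone in this thread), here is the kind of "strict logging and access control" check skyking's answer points at, applied to a database audit trail: a constructed sample log for a PHI table and a constructed policy of which accounts may act on it from which hosts. Accesses from a host outside the application tier (the shared-hardware worry in the question), accounts the policy does not know, actions an account is not allowed, and PHI objects that produce no audit records at all (auditing switched off) are reported as findings. The log format, table names, account names and host names are all assumptions made for the example.

```python
"""Review a database access log against a PHI access policy.

Added example, not from the thread. The audit-line format, the policy
and every name in it are constructed for illustration; a real deployment
would feed the database's own audit trail into the same review.
"""
from collections import Counter
from dataclasses import dataclass
import re

# Constructed sample: one line per audited statement.
# Fields: timestamp, DB account, client host, object, action, outcome.
SAMPLE_LOG = """\
2009-03-02T08:01:10 cf_app app-vm01 PHI.PATIENT SELECT SUCCESS
2009-03-02T08:01:11 cf_app app-vm01 PHI.PATIENT UPDATE SUCCESS
2009-03-02T08:02:45 dba_jane admin-ws07 PHI.PATIENT SELECT SUCCESS
2009-03-02T08:03:02 cf_app tenant-vm09 PHI.PATIENT SELECT SUCCESS
2009-03-02T08:04:30 report_ro app-vm01 PHI.PATIENT DELETE FAILURE
2009-03-02T08:05:00 scott app-vm01 PHI.PATIENT SELECT SUCCESS
"""

# Constructed policy: for each PHI object, which account may perform
# which actions, and from which hosts (the application VMs and one
# admin workstation). Anything outside this is a finding.
POLICY = {
    "PHI.PATIENT": {
        "cf_app": {"actions": {"SELECT", "INSERT", "UPDATE"},
                   "hosts": {"app-vm01", "app-vm02"}},
        "report_ro": {"actions": {"SELECT"}, "hosts": {"app-vm01"}},
        "dba_jane": {"actions": {"SELECT"}, "hosts": {"admin-ws07"}},
    },
    # A second PHI object that the sample log never mentions: its
    # absence from the trail is itself reported (auditing may be off).
    "PHI.ENCOUNTER": {
        "cf_app": {"actions": {"SELECT", "INSERT"}, "hosts": {"app-vm01"}},
    },
}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (SUCCESS|FAILURE)$")


@dataclass(frozen=True)
class Event:
    ts: str
    user: str
    host: str
    obj: str
    action: str
    outcome: str


@dataclass(frozen=True)
class Finding:
    reason: str
    detail: str


def parse_log(text):
    """Parse audit lines into Events; an unparseable line is an error,
    because a silently skipped record would hide an access."""
    events = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: unrecognised audit record: {line!r}")
        events.append(Event(*m.groups()))
    return events


def describe(ev):
    return f"{ev.ts} {ev.user}@{ev.host} {ev.action} {ev.obj} ({ev.outcome})"


def review(events, policy):
    """Return findings for every event outside the policy, plus one
    finding per policy object with no audit records. Failed attempts
    are reported too: the database refusing them does not make them
    uninteresting."""
    findings = []
    seen = set()
    for ev in events:
        seen.add(ev.obj)
        rules = policy.get(ev.obj)
        if rules is None:
            findings.append(Finding("object not in policy", describe(ev)))
            continue
        rule = rules.get(ev.user)
        if rule is None:
            findings.append(Finding("account not authorised for object", describe(ev)))
            continue
        if ev.host not in rule["hosts"]:
            findings.append(Finding("access from unexpected host", describe(ev)))
        if ev.action not in rule["actions"]:
            findings.append(Finding("action not permitted for account", describe(ev)))
    for obj in policy:
        if obj not in seen:
            findings.append(Finding("no audit records for object", obj))
    return findings


def summarize(findings):
    """Count findings by reason, for a quick compliance summary."""
    return dict(Counter(f.reason for f in findings))


if __name__ == "__main__":
    for f in review(parse_log(SAMPLE_LOG), POLICY):
        print(f"{f.reason:36s} {f.detail}")
```

The policy is deliberately a positive allowlist: an account or host that is not listed gets flagged rather than assumed harmless, which is the property skyking's answer asks for. The "no audit records" finding is the part most often forgotten: a trail that is empty for a PHI table is not evidence that nobody touched it.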

ViviTheMage

Lifer
Dec 12, 2002
36,190
85
91
madgenius.com
What containers are you using to virtualize? Xen/Hyper-V/VMware should be compliant; I wouldn't think OpenVZ would be.
 

ravana

Platinum Member
Jul 18, 2002
2,149
1
76
I wish HIPPA had taken the time & come up with a name so they could've been HIPPO.

that is all.
 

Genx87

Lifer
Apr 8, 2002
41,095
513
126
You should have a compliance officer on site, no? I'd consult them. If not, go find one. Govt cracks down hard on people, and ignorance won't get you out of it either.
 

guyver01

Lifer
Sep 25, 2000
22,151
5
61
ok people.. it's not HIPPA.. it's

[image: HIPAA.gif]
 

Red Squirrel

No Lifer
May 24, 2003
67,570
12,215
126
www.anyf.ca
I'm an L3 tech at a hospital and we have a couple of DB servers on VMs in VMware, so I guess it's OK. I know for Meditech they have stricter requirements, such as having to be RAID 10, and the way it's set up in general is fairly strict. A typical compliant SAN will run you in the millions. There's not that much data (a couple TB I think) but it has to be on a very fast and efficient SAN. That's not so much a hippa requirement as a technical requirement, though. We don't host the Meditech part; we just host the rest, like misc apps that HR, infection control etc. use, as well as email, domain, and so on. There are actually DBs on users' PCs... I HATE that; that's just not the way of doing things.
 

JDMnAR1

Lifer
May 12, 2003
11,989
2
0
Yes, we have a number of databases housing PHI data that run on VMware ESX, and our HIPAA Compliance Office and Security Office don't have any issues with it. Standard practices that apply to physical hardware apply to virtuals as well.
 