
How VeloCloud SD-WAN Helps Organizations Attain HIPAA Compliance

Richa Asarawala

Providing healthcare today is much more than making a diagnosis or prescribing medication. Advancements in medicine, increased regulations to protect patients and doctors, and the digitization of the entire process require a scalable, secure, uninterrupted, and bandwidth-flexible healthcare IT network. Compliance with the Health Insurance Portability and Accountability Act (HIPAA) is crucial for healthcare networks because it secures patient data. This blog answers your top questions about HIPAA and data security, and highlights how VMware VeloCloud SD-WAN can help customers maintain a HIPAA-compliant network.

What is HIPAA?

The Standards for Privacy of Individually Identifiable Health Information, commonly known as the HIPAA Privacy Rule, establishes the first national standards in the United States to protect patients’ personal or protected health information. The U.S. government issued the rule to limit the use and disclosure of sensitive protected health information (PHI).

HIPAA sets forth standards to protect the confidentiality, integrity, and availability of individuals’ PHI that is collected, stored, and processed by healthcare institutions and other covered entities governed by HIPAA. Some organizations may be subject to HIPAA and its implementing regulations as a covered entity or business associate. With more medical professionals using technology to interact and collaborate on patient concerns, it is important for organizations to address HIPAA compliance.

Under HIPAA, customers have various security obligations with respect to electronic PHI. VMware VeloCloud SD-WAN includes a number of features and functions that customers can incorporate into their security compliance programs to safeguard their data. Failure to comply with HIPAA can result in severe penalties and damage to an organization’s reputation and trust.

What is the HIPAA security rule for networking and Internet?

The HIPAA Security Rule requires physicians to protect patients’ electronically stored, protected health information (known as “ePHI”) by using appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity and security of this information. Devices transporting data should support standards-based encryption, and should prohibit access to the devices that hold the data at rest (such as servers sitting on the LAN).

What is VeloCloud SD-WAN?

VMware VeloCloud SD-WAN connects any device or any user to any application anywhere, in the cloud, at the edge, or in the data center with in-depth network analytics and security. VeloCloud SD-WAN simplifies branch WAN, edge, and work-from-home networking by automating deployment and improving performance over any link—including private, broadband Internet, satellite, and LTE—for today’s increasingly distributed enterprises. 

VeloCloud SD-WAN includes a choice of public, private or hybrid cloud network for enterprise-grade connection to cloud and enterprise applications; branch office enterprise appliances and data center appliances; software-defined control and automation; and virtual services delivery. There are three main components to the solution: 

  • Orchestrator for management plane  
  • Gateways for control and (optionally) data plane
  • Edges for data plane

What security functions does VeloCloud SD-WAN provide?

Each VeloCloud SD-WAN component provides a variety of security functions to aid with HIPAA compliance, including but not limited to:

Management security

  • TLS v1.2 authentication
  • Single sign-on (SSO) support
  • Multi-factor authentication
  • Role-based access
  • Rich dashboard with user association and bandwidth usage information
  • Logging of configuration changes to VeloCloud devices/networks
  • Administrator password complexity, expiration, and timeout requirements
  • 99.99 percent uptime service-level agreement, with 24×7 automated failure detection

Control plane security

  • TLS v1.2 with mutual authentication certificate
  • Secure HMAC token + serial for activation

Data plane security

  • AES 256-bit encryption with periodic key rotation
  • IKEv2 for key management
  • IPSec-compliant VPN to non-VeloCloud sites, e.g. Symantec, firewall, router
  • Layer 7 application-aware stateful firewall to prevent denial of service (DoS) and spoofing
  • Enhanced Firewall capability at the edge, i.e. IDS/IPS, IP reputation, URL filtering
  • 802.1x network access control for user-based authentication
  • RADIUS user authentication
  • MAC deny listing/allow listing
  • Virtual network isolation with multiple VRFs, SSIDs or VLANs
  • User authentication against customer on-premises RADIUS or Active Directory server

How does VeloCloud SD-WAN keep PHI data safe?

As you can see above, security is a critical part of the VeloCloud SD-WAN solution at all levels. With VeloCloud SD-WAN, sensitive data such as PHI is external to the system and only transits via the data plane, which is encrypted. For example, two branch locations, or a branch and a data center, may form a tunnel to transmit PHI data. This tunnel uses IPSec with AES 256-bit encryption and periodic key rotation, and is integrity-protected with SHA256, so the data in transit is encrypted and cannot be replayed. Customers can incorporate their choice of the above functions into their security compliance program to safeguard their data.

Does VeloCloud SD-WAN edge, gateway, or orchestrator store any PHI data?

Data itself is never stored on VeloCloud SD-WAN Edges or Gateways, and never makes its way to the Orchestrator for storage. The Orchestrator recognizes a tunnel flow from Edge to Edge and the L4-L7 protocols in use. The payload isn’t observed, stored, or reassembled within the system.

Does VeloCloud SD-WAN firewall logging store any PHI data?

VeloCloud SD-WAN allows you to store firewall logs in an on-premises data center using syslog. It also provides hosted firewall logging as a service over SSL/TLS encryption protocols, a secure and scalable solution designed for organizations of all sizes. Both on-premises and cloud-based firewall logging provide real-time visibility into network traffic and security events, allowing administrators to detect and respond to threats more quickly. Like other components of VeloCloud SD-WAN, firewall logging does not store any PHI data.

In a nutshell, VeloCloud SD-WAN is not designed to accept, process, or store HIPAA data (e.g. PHI). All components protect data in motion by supporting standards-based encryption, and built-in additional security features like intrusion prevention and detection mean less overall risk to the entire organization. In addition to security, VeloCloud SD-WAN offers multiple benefits including but not limited to improved appliance performance, simplified deployment, continuous visibility of network performance, cloud-scale at presence and easier management.

Learn more at sase.vmware.com.