August 12, 2003
Thin clients can aid in HIPAA compliance
Jul 28, 2003 | Brien M. Posey MCSE
Compliance with the Health Insurance Portability and Accountability Act
(HIPAA) is becoming a major headache for corporations involved in the
medical field. HIPAA regulations demand that patient data be kept secure
and up to date. One way companies are making it easier to comply with
HIPAA regulations is by deploying thin clients instead of traditional
PCs.
Enhanced patient privacy
HIPAA consists of a set of regulations designed to maintain patient privacy
by preventing unauthorized disclosure of patient information. These regulations
address administrative procedures and physical security for data. Using
thin client appliances makes it easy to comply with the physical security
portion of the HIPAA regulations.
Keep in mind that most thin client devices are diskless machines that
are about as sophisticated as a low-grade PDA. Users running a thin client
appliance are allowed to log in to the terminal services and run applications
that the administrator has granted them access to. All applications run
on the server; nothing except the client OS is run locally. It's extremely
difficult for a user to copy data off the server. After all, there is
no disk or CD drive to copy the data onto.
And because these devices have no storage other than a flash ROM chip,
it's nearly impossible for them to become infected with a virus, spyware
module, or other malicious code. Because the data is stored centrally
on the server, it can be backed up each night and its integrity
and confidentiality can be preserved.
Ease of record keeping
HIPAA regulations mandate that specific records be kept on all patients.
Thin client devices can be easily mounted in patients' rooms. There are
also wireless devices that are basically the thin client equivalent of
a tablet PC. These devices make it possible to update a patient’s
records at the time care is given. Since all data on a thin client network
is centrally stored, updates to patients' records take effect immediately
for anyone with access to them.
Easy to comply with ever-changing regulations
Experience has shown that when the government begins regulating an industry,
there are constant changes to the regulations. You can expect the HIPAA
regulations to continuously evolve with updated mandates. Thin client
appliances are perfect for environments that experience a lot of configuration
or policy changes.
Suppose a new security patch becomes available tomorrow for Microsoft
Office, and HIPAA regulations require everyone using the program to apply
the patch immediately. In a traditional PC environment, the new patch
would have to be applied to every PC. Sure, utilities will allow you to
push software updates to the client PCs, but there are problems with such
utilities. They can be expensive and often require complex scripting.
Even if these factors were not an issue, a PC must be turned on to receive
the updates. So, what happens if you roll out the updates and someone
has been on an extended leave for the last month? If that person’s
computer isn't turned on, it will not receive the update. If the government
did an inspection of the facility, the facility could be cited for noncompliance
because it hadn’t been updated. In a PC environment, you face not
only the challenges of continuously updating the software on every PC
in the organization, but also of being able to confirm that all PCs were
indeed updated.
Now, let’s look at the same situation in a thin client environment.
Since all applications run on the terminal server, the update could be
applied to the server alone. As soon as that was done, every thin client
appliance would be running the updated software. Remember that all software
is technically running on the server, and the server is merely sending screen
refreshes to the thin client devices. This means that unless the government
mandated that you update the client module itself, you would never have to
worry about updating the individual thin client appliances.
Continuity of business
Consider another scenario. Suppose you have a hospital in Miami and a
doctor's office in Los Angeles. The two locations are linked together
and all the data is mirrored. Now, suppose the Miami hospital is destroyed
by a hurricane. In such a situation, the organization could move to another
building, install a new server, and establish connectivity to the California
office to regain access to the data. It would then simply be a matter
of connecting some low-cost thin client devices to the new server, and
the organization would be back in business.
Good support for authentication hardware
Although there isn’t much to a thin client device, many devices
are expandable via a USB port. This makes it possible to connect smart
card readers, fingerprint scanners, or other authentication devices that
might be required for HIPAA compliance. Employees could go to a thin client
appliance in the organization, log in using their smart card or fingerprint
scanner, and gain access to their individual profile. So once security
has been established for the user at the server level, that authentication
information is accessible from any connected thin client appliance.
Cost savings
A final benefit to deploying a thin client environment is the cost savings
to the organization. While you still have to pay about $800 for a thin
client device, the savings come into play in other areas besides the initial
hardware costs. Thin client devices usually have no moving parts. Since
there are no fans, hard drives, etc., there is nothing to wear out. Thin
client devices therefore tend to be more durable and longer lasting than
PCs. This saves organizations money in the form of hardware maintenance
costs.
There is also the issue of obsolescence. How many times have you seen
organizations spend large sums of money on new PCs because they want to
run a new application? In a thin client environment, all applications
run on the server. Therefore, if you acquire a new, high-demand application,
you may have to update your server’s hardware, but you won’t
find yourself replacing 1,000 perfectly good PCs.