VREALIZE OPERATIONS COMPLIANCE PACK FOR HIPAA


HIPAA (Health Insurance Portability and Accountability Act of 1996) provides data privacy and security provisions for safeguarding medical information.
The vRealize Operations Compliance Pack for HIPAA provides Alerts, Policies, and Reports to validate vSphere resources against the HIPAA hardening guide. The following resources are being validated using this compliance pack:

  • vCenter
  • ESXi Host
  • Virtual Machine
  • Distributed Port Group
  • Distributed Virtual Switch

The vRealize Operations Compliance Pack for HIPAA extends the SDDC compliance capabilities of vRealize Operations Manager.

Highlights

  • Alert definitions for vCenter, ESXi Host, Virtual Machine, Distributed Virtual Switch, and Distributed Port Group.
  • Policy to enable or disable the HIPAA alerts.
  • A Non-Compliance report for HIPAA.

VROPS ESXi host HIPAA Hardening Rules for vSphere

1. HIPAA 164.312(a)(1) – Access Control – Time after which a locked account is automatically unlocked is not configured
2. HIPAA 164.312(a)(1) – Access Control – Count of maximum failed login attempts is not set
3. HIPAA 164.312(a)(1) – Access Control – Timeout value for DCUI is not configured
4. HIPAA 164.312(d) – Person or Entity Authentication – Password policy for password complexity is not set
5. HIPAA 164.312(a)(1) – Access Control – Default setting for intra-VM TPS is incorrect
6. HIPAA 164.312(c)(1) – Integrity – Firewall is not configured for NTP service
7. HIPAA 164.312(c)(1) – Integrity – NTP Server is not configured to startup with the host
8. HIPAA 164.312(b) – Audit Control – Persistent logging is not configured for ESXi host
9. HIPAA 164.312(c)(1) – Integrity – NTP time synchronization service is not configured on the host
10. HIPAA 164.312(c)(1) – Integrity – NTP time synchronization server is not configured
11. HIPAA 164.312(a)(1) – Access Control – Timeout is not set for the ESXi Shell and SSH services
12. HIPAA 164.312(d) – Person or Entity Authentication – Active directory is not used for local user authentication
13. HIPAA 164.312(d) – Person or Entity Authentication – Bi-direction CHAP authentication is not enabled
14. HIPAA 164.312(a)(1) – Access Control – Dvfilter network APIs is not configured to prevent unintended use
15. HIPAA 164.312(b) – Audit Control – Remote logging for ESXi hosts is not configured
16. HIPAA 164.312(a)(1) – Access Control – Timeout to automatically terminate idle sessions is not configured
17. HIPAA 164.312(a)(1) – Access Control – Access to DCUI is not set to allow trusted users to override lockdown mode
18. HIPAA 164.312(e)(1) – Transmission Security – BPDU filter is not enabled on the host
19. HIPAA 164.312(e)(1) – Transmission Security – Forged Transmits policy is set to reject
20. HIPAA 164.312(e)(1) – Transmission Security – Promiscuous Mode policy is configured to reject
21. HIPAA 164.312(e)(1) – Transmission Security – MAC Address Changes policy is set to reject
22. HIPAA 164.312(e)(1) – Transmission Security – Host firewall is not configured to restrict access
23. HIPAA 164.312(e)(1) – Transmission Security – SNMP Server is running on the host
24. HIPAA 164.312(c)(1) – Integrity – Image Profile and VIB Acceptance Levels are not configured to desired level
25. HIPAA 164.312(a)(1) – Access Control – Managed Object Browser (MOB) is enabled

VROPS Virtual Machine HIPAA Hardening Rules for vSphere

1. HIPAA 164.312(c) – Integrity – PCI pass through device is configured on the virtual machine
2. HIPAA 164.312(c) – Integrity – Intra VM Transparent Page Sharing is Enabled
3. HIPAA 164.312(c) – Integrity – Bios Boot Specification feature is enabled
4. HIPAA 164.312(c) – Integrity – Unity window contents is enabled
5. HIPAA 164.312(c) – Integrity – Unity Interlock is enabled
6. HIPAA 164.312(c) – Integrity – Independent non-persistent disks are being used
7. HIPAA 164.312(c) – Integrity – Unity taskbar feature is enabled
8. HIPAA 164.312(c) – Integrity – Unity feature is enabled
9. HIPAA 164.312(c) – Integrity – Autologon feature is enabled
10. HIPAA 164.312(a) – Access Control – Guests can receive host information
11. HIPAA 164.312(c) – Integrity – GetCreds feature is enabled
12. HIPAA 164.312(c) – Integrity – Virtual disk shrinking wiper is enabled
13. HIPAA 164.312(c) – Integrity – Trash folder state is enabled
14. HIPAA 164.312(a) – Access Control – Copy/paste operations are enabled
15. HIPAA 164.312(c) – Integrity – Memsfss feature is enabled
16. HIPAA 164.312(c) – Integrity – Users and processes without privileges can connect devices
17. HIPAA 164.312(a) – Access Control – Access to VMs are not controlled through dvfilter network APIs
18. HIPAA 164.312(a) – Access Control – GUI Copy/paste operations are enabled
19. HIPAA 164.312(c) – Integrity – Users and processes without privileges can remove, connect and modify devices
20. HIPAA 164.312(a) – Access Control – HGFS file transfers are enabled
21. HIPAA 164.312(c) – Integrity – Tray icon feature is enabled
22. HIPAA 164.312(c) – Integrity – Versionset feature is enabled
23. HIPAA 164.312(c) – Integrity – Shellaction is enabled
24. HIPAA 164.312(c) – Integrity – Unity push feature is enabled
25. HIPAA 164.312(c) – Integrity – version get feature is enabled
26. HIPAA 164.312(a) – Access Control – drag-n-drop – Copy/paste operations are enabled
27. HIPAA 164.312(c) – Integrity – Informational messages from the VM to the VMX file are not limited
28. HIPAA 164.312(c) – Integrity – Toprequest feature is enabled
29. HIPAA 164.312(c) – Integrity – Unity active feature is enabled
30. HIPAA 164.312(c) – Integrity – Protocolhandler feature is enabled
31. HIPAA 164.312(a) – Access Control – Access to VM console is not controlled via VNC protocol
32. HIPAA 164.312(a) – Access Control – Copy/paste operations are enabled
33. HIPAA 164.312(a) – Access Control – VIX messages are enabled on the VM
34. HIPAA 164.312(c) – Integrity – Virtual disk shrinking is enabled
35. HIPAA 164.312(a) – Access Control – Auto install of tools is enabled
36. HIPAA 164.312(c) – Integrity – launchmenu feature is enabled
