Thin clients can aid in HIPAA compliance

For CIOs working in the healthcare sector, thin client appliances are an excellent alternative to PCs in organizations that must comply with HIPAA regulations. This article discusses the benefits of thin client computing from a HIPAA standpoint.


Compliance with the Health Insurance Portability and Accountability Act (HIPAA) has become a major headache for organizations that handle patient data. HIPAA regulations demand that protected health information be kept confidential, accurate, and available to those who are authorized to see it. One way organizations are making it easier to comply with HIPAA regulations is by deploying thin clients instead of traditional PCs.

Enhanced patient privacy
HIPAA consists of a set of regulations designed to maintain patient privacy by preventing unauthorized disclosure of patient information. The Security Rule addresses administrative procedures, physical security, and technical safeguards for data. Using thin client appliances can simplify compliance with the physical and workstation-security portions of the HIPAA regulations, because there is far less on the endpoint to protect.

Keep in mind that most thin client devices are diskless machines that are about as sophisticated as a low-grade PDA. Users running a thin client appliance log in to the terminal server and run only the applications the administrator has granted them access to. All applications run on the server; nothing except the client OS runs locally. With no local hard disk or CD drive, there is nowhere on the device itself to copy data onto, which makes casual copying of patient data much harder. It does not make it impossible, though: a terminal session can still redirect the clipboard, printers, and any USB drive plugged into the device unless those features are disabled on the server, and the screen itself remains a channel. The lock-down has to be done in the session configuration, not assumed from the hardware.

And because these devices have no storage other than a flash ROM chip, it is very hard for them to become persistently infected with a virus, spyware module, or other type of Trojan; a reboot returns the device to its factory image. The terminal server, however, is an ordinary server operating system, and any malware that reaches a user's session runs there, so the server still needs the usual patching, antivirus, and monitoring. The fact that the data is centrally stored on the server means it can be backed up each night, encrypted, and audited in one place, which is how its integrity and confidentiality are actually preserved.
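The session lock-down mentioned above has to be configured on the terminal server. The following PowerShell script is an added example, not code from the article, that audits (and with -Enforce, sets) the Remote Desktop Services policy values that block drive, clipboard, COM/LPT, and Plug and Play device redirection from a session back to the endpoint. The registry path and value names are the standard Terminal Services policy keys; it assumes it is run elevated on the session host.

```powershell
# Added example (not from the article): audit and optionally enforce the
# Remote Desktop Services policies that stop a session from copying data
# back to the thin client: drive, clipboard, COM/LPT and Plug and Play (USB)
# redirection. Run elevated on the terminal server. These are the same
# settings exposed in Group Policy under Computer Configuration >
# Administrative Templates > Windows Components > Remote Desktop Services >
# Remote Desktop Session Host > Device and Resource Redirection.
param([switch]$Enforce)

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

# Value name -> what a DWORD value of 1 blocks
$Required = [ordered]@{
    fDisableCdm      = 'drive (including USB mass storage) redirection'
    fDisableClip     = 'clipboard redirection'
    fDisableCcm      = 'COM port redirection'
    fDisableLPT      = 'LPT port redirection'
    fDisablePNPRedir = 'Plug and Play device redirection'
}

if (-not (Test-Path $PolicyKey)) {
    if ($Enforce) { New-Item -Path $PolicyKey -Force | Out-Null }
    else { Write-Warning 'Policy key missing: no redirection is blocked by policy' }
}

$results = foreach ($name in $Required.Keys) {
    $current = (Get-ItemProperty -Path $PolicyKey -Name $name -ErrorAction SilentlyContinue).$name
    $compliant = ($current -eq 1)
    if (-not $compliant -and $Enforce) {
        Set-ItemProperty -Path $PolicyKey -Name $name -Value 1 -Type DWord
        $compliant = $true
    }
    [pscustomobject]@{
        Setting   = $name
        Blocks    = $Required[$name]
        Value     = if ($null -eq $current) { '(not set)' } else { $current }
        Compliant = $compliant
    }
}

$results | Format-Table -AutoSize

# Non-zero exit so a scheduled run can feed a monitoring or compliance job
if ($results.Compliant -contains $false) { exit 1 }
```

Run it without arguments to get a report, or with -Enforce to set every value to 1. Note what it does not cover: printing, screen capture, and whatever the user can read off the display are still channels, and the same values must be applied on every session host users can reach, which is why Group Policy is the better delivery mechanism once the settings are agreed.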

Ease of record keeping
HIPAA regulations mandate that specific records be kept on all patients. Thin client devices can be easily mounted in patients' rooms. There are also wireless devices that are basically the thin client equivalent of a tablet PC. These devices make it possible to update a patient’s records at the time care is given. Since all data on a thin client network is centrally stored, updates to patients' records take effect immediately for anyone with access to them.

Easy to comply with ever-changing regulations
Experience has shown that when the government begins regulating an industry, there are constant changes to the regulations. You can expect the HIPAA regulations to continuously evolve with updated mandates. Thin client appliances are perfect for environments that experience a lot of configuration or policy changes.

Suppose a new security patch becomes available tomorrow for Microsoft Office, and your security policy, which HIPAA's risk management requirements oblige you to have and to follow, calls for everyone using the program to apply the patch promptly. In a traditional PC environment, the new patch would have to be applied to every PC. Sure, utilities will allow you to push software updates to the client PCs, but there are problems with such utilities. They can be expensive and often require complex scripting. Even if these factors were not an issue, a PC must be turned on to receive the updates. So, what happens if you roll out the updates and someone has been on extended leave for the last month? If that person's computer isn't turned on, it will not receive the update. If an auditor inspected the facility, it could be cited for noncompliance because that machine had not been updated. In a PC environment, you face not only the challenge of continuously updating the software on every PC in the organization, but also that of proving every PC was indeed updated, and a machine that simply never reported in is the one that slips through.
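The verification problem in the PC scenario above is the hard part: a machine that was switched off is not patched, and a report that silently skips it looks clean. The following PowerShell script is an added example, not code from the article, that checks a list of PCs for a given update and reports unreachable machines as a separate, non-compliant state rather than ignoring them. The KB number and host names are placeholders; it assumes the account running it can query WMI on the targets.

```powershell
# Added example (not from the article): verify a patch across a list of PCs
# and make the "was turned off / never checked in" case explicit instead of
# letting it disappear from the report.
# Assumptions: $KB and $Computers are placeholders; the caller can query
# Win32_QuickFixEngineering (Get-HotFix) remotely on each machine.
param(
    [string]$KB = 'KB0000000',                                            # placeholder KB id
    [string[]]$Computers = @('ward1-pc01', 'ward1-pc02', 'billing-pc07')  # placeholder hosts
)

$report = foreach ($c in $Computers) {
    if (-not (Test-Connection -ComputerName $c -Count 1 -Quiet)) {
        # Offline machine: patch state is unknown, so it is NOT compliant
        [pscustomobject]@{ Computer = $c; Status = 'Unreachable'; Installed = $null }
        continue
    }
    try {
        # Pull the full hotfix list rather than querying one id, so an absent
        # patch is an ordinary "not in the list" result, not an exception
        $installed = @(Get-HotFix -ComputerName $c -ErrorAction Stop)
        $hit = $installed | Where-Object HotFixID -eq $KB | Select-Object -First 1
        if ($hit) {
            [pscustomobject]@{ Computer = $c; Status = 'Patched'; Installed = $hit.InstalledOn }
        } else {
            [pscustomobject]@{ Computer = $c; Status = 'Missing'; Installed = $null }
        }
    } catch {
        # Reachable but the query failed (permissions, firewall, WMI): still unknown
        [pscustomobject]@{ Computer = $c; Status = 'QueryFailed'; Installed = $null }
    }
}

$report | Sort-Object Status, Computer | Format-Table -AutoSize

# Only a positive 'Patched' result is evidence you can hand an auditor
$gaps = @($report | Where-Object Status -ne 'Patched')
'{0} of {1} machines verified patched; {2} need follow-up' -f ($report.Count - $gaps.Count), $report.Count, $gaps.Count
```

Feed it the real computer list from your directory or inventory system and the KB you rolled out; anything that comes back Unreachable or QueryFailed is exactly the extended-leave machine the text describes, and it belongs on the follow-up list, not in the "done" column.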

Now, let's look at the same situation in a thin client environment. Since all applications run on the terminal server, the update is applied to the server. Every session started after that runs the patched software, and users with sessions already open pick it up at their next logon or when the server is restarted. Remember that all software is technically running on the server, which merely sends screen updates to the thin client devices. This means that unless the fix is for the client software itself (the terminal-services client in the device's firmware, which does need occasional updating), you never have to touch the individual thin client appliances, and verifying compliance means verifying a handful of servers rather than hundreds of PCs.

Continuity of business
Consider another scenario. Suppose you have a hospital in Miami and a doctor's office in Los Angeles. The two locations are linked together and all the data is mirrored. Now, suppose the Miami hospital is destroyed by a hurricane. In such a situation, the organization could move to another building, install a new server, and establish connectivity to the California office to regain access to the data. It would then simply be a matter of connecting some low-cost thin client devices to the new server, and the organization would be back in business.

Good support for authentication hardware
Although there isn't much to a thin client device, many devices are expandable via a USB port. This makes it possible to connect smart card readers, fingerprint scanners, or other authentication devices that help satisfy HIPAA's unique user identification and access control requirements. Employees can go to any thin client appliance in the organization, log in using their smart card or fingerprint, and get their own profile and session. Because the identity and its permissions are established at the server, the same authentication works from every connected thin client appliance, and the audit trail of who accessed which record is kept in one place. Note that the same USB port also accepts storage devices, so USB redirection into sessions should be limited to the authentication hardware you intend to support.

Cost savings
A final benefit to deploying a thin client environment is the cost savings to the organization. While you still have to pay about $800 for a thin client device, the savings come into play in other areas besides the initial hardware costs. Thin client devices usually have no moving parts. Since there are no fans, hard drives, etc., there is nothing to wear out. Thin client devices therefore tend to be more durable and longer lasting than PCs. This saves organizations money in the form of hardware maintenance costs.

There is also the issue of obsolescence. How many times have you seen organizations spend large sums of money on new PCs because they want to run a new application? In a thin client environment, all applications run on the server. Therefore, if you acquire a new, high-demand application, you may have to update your server’s hardware, but you won’t find yourself replacing 1,000 perfectly good PCs.
