Using ThinLinc in systems that need to conform to NIST 800-53/-171, HIPAA, FISMA or similar regulations

Apr, 19, 23
Written by: Robert Henschel

In short, ThinLinc has successfully been used in environments that conform to NIST 800-53/-171 and FISMA moderate guidelines.
While Cendio has not specifically worked on hardening ThinLinc for use in systems that handle electronically protected health information (ePHI) or controlled unclassified information (CUI), Cendio customers have successfully used ThinLinc in such environments.
Please inquire with for further information, and continue reading for more details.

There is an abundance of data that is sensitive, yet not considered classified under federal law in the United States. A few examples of this type of data include a variety of medical records, personal identifiable information (PII) and certain types of financial records.
Depending on the agency and use case, handling of such data is governed by regulations such as NIST 800-171 or FISMA. Complying with these regulations may be a legal requirement for organizations working with federal agencies in the United States.
While the specific regulations are different in Europe, the European Union and its member states require similar compliance.

Using ThinLinc in an environment that provides access to ePHI or CUI data can significantly improve the usability of the system by enabling graphical applications like SAS, STATA, SPSS or MATLAB.
A system handling protected data is sometimes called an enclave. Adding ThinLinc to such an enclave requires implementing further security and privacy controls, but doesn’t pose any major obstacle.
For example, ThinLinc uses the standard SSH protocol to transmit data between the server and the client. If SSH is already available to access the enclave, then ThinLinc can inherit those controls.
In addition, certain ThinLinc features, such as “Shared Folder”/ThinDrives can be disabled, reducing the amount of functionality that needs to be documented.

ThinLinc is the Linux remote computing solution that enables users to access Linux applications and desktops remotely, using a secure and high-performance protocol. It is designed for organizations seeking a reliable and efficient way to provide remote access to their systems and applications.

NIST 800-171 is a publication from the National Institute of Standards and Technology (NIST) titled “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.” In very short terms, it is a set of guidelines and requirements designed to ensure the protection of Controlled Unclassified Information (CUI) when it is stored, processed, or transmitted by non-federal entities, such as contractors or other organizations working with the U.S. government. The purpose of NIST 800-171 is to enhance the security of sensitive information and reduce the risk of unauthorized access or disclosure.

HIPAA, or the Health Insurance Portability and Accountability Act, is a U.S. law passed in 1996 that establishes national standards for protecting sensitive patient health information and ensures the privacy and security of such data.

FISMA is a US legislation enacted in 2002 to improve federal agencies’ cybersecurity by establishing a comprehensive framework for protecting government information and systems against cyber threats.

PII, or Personally Identifiable Information, refers to any data that can be used to identify a specific individual, such as names, addresses, Social Security numbers, or phone numbers.

ePHI, or Electronic Protected Health Information, is any health-related information that is created, stored, or transmitted electronically and is subject to the Health Insurance Portability and Accountability Act (HIPAA) regulations.

CUI, or Controlled Unclassified Information, is sensitive data that requires safeguarding or dissemination controls according to U.S. federal laws, regulations, and policies, but is not classified information.