Bayside Solutions

The Bayside Blog

HIPAA Remote Access Data Security

Posted April 14th, 2011

As job roles change, more medical professionals are using portable data storage devices and employing remote systems to access EHRs. HIPAA compliance must remain a high priority, especially in regard to ‘willful neglect’ violations, when remote access is an option.

The HIPAA Security Rule specifically focuses on the safeguarding of electronic protected health information (EPHI). All HIPAA covered entities must comply with the Security Rule, which says the confidentiality, integrity, and availability of EPHI must be protected. Ensuring the security of all data that is created, received, maintained or transmitted is paramount.

Remote access is a high-risk issue for providers that have staff or contractors who use computerized PHI offsite. Permitting remote access to EHRs increases the risks of data theft and data tampering in two ways:

1) APPLICATION VULNERABILITIES: Hackers exploit vulnerabilities in network protection (e.g. firewalls), operating systems, and applications. When an application is made available online to remote users, vulnerabilities in the application become especially significant. Hackers can access the application with automated tools to exploit flaws in the design, logic and coding of the application.
This risk can be substantially reduced by allowing remote access only through a Virtual Private Network (VPN). With a properly configured firewall, hackers on the Internet are unable to send any data or commands to the application and therefore cannot access the sensitive information behind it.

In areas where a VPN is not a viable option, remote users can access the application using an Internet connection. Any application supporting Internet connectivity must be protected from design flaws and code faults that would expose it to intentional attacks. To reduce this risk:

• Verify the EHR application will support secure Internet access.
• Ensure that the vendor has a support person assigned to oversee security of the EHR system, who can be easily contacted.
• Make sure the vendor has a procedure in place for responding to security incidents involving the EHR system.

2) VULNERABILITIES AT THE REMOTE ACCESS LOCATION: Remote access exposes the EHR system and its data to risks associated with a compromised workstation. Home machines are often compromised. If they are used by multiple family members for both personal and business purposes, they can be infected by malware that provides opportunity for hackers to gain control of the computer or intercept user credentials and data. Other types of software may give the hacker complete control of the home machine and allow the hacker to access all aspects of the remote EHR session. These risks are significant because personal computers used for remote access are not subject to organizational control. There is no oversight for the computer’s configuration, usage, virus protection, or other basic security measures.

What can you do to protect against these risks?

• Implement two-factor authentication for granting remote access to systems that contain EPHI: users must input information, such as answering a security question, in addition to typing in a username and password.

• Employ a technical process for creating unique user names and performing authentication when granting remote access to a workforce member.

• Develop and employ proper clearance procedures and verify training of workforce members prior to granting remote access.

• Establish remote access roles specific to applications and business requirements. Different remote users should have different levels of access based on job function.

• Establish appropriate procedures for session termination (time-out) on inactive remote devices.

• Install personal firewall software on all laptops that store or access EPHI or connect to networks on which EPHI is accessible.

• Ensure that the issue of unauthorized access of EPHI is appropriately addressed in the required sanction policy.
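The controls in the list above (a second factor required at login, remote access roles tied to job function, and session termination on inactivity) as a small added Python model; this is not code from the article or from Bayside Solutions, and the 15-minute time-out, the role names and the EHR action names are constructed assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional

IDLE_TIMEOUT = 15 * 60  # seconds of inactivity before termination (assumed policy value)

# Constructed role-to-action mapping; a real deployment derives this from job function.
ROLE_PERMISSIONS = {
    "physician": {"read_chart", "write_note"},
    "billing": {"read_demographics"},
}

AUDIT_LOG: List[str] = []  # every grant, denial and termination is recorded here


@dataclass
class RemoteSession:
    username: str        # unique user name, never a shared account
    role: str
    last_activity: float  # epoch seconds of the last request in this session
    active: bool = True


def open_session(username: str, role: str, password_ok: bool,
                 second_factor_ok: bool, now: float) -> Optional[RemoteSession]:
    """Grant a remote session only when both factors verified and the role is known."""
    if not (password_ok and second_factor_ok):
        AUDIT_LOG.append(f"{now} DENY login user={username} reason=factor")
        return None
    if role not in ROLE_PERMISSIONS:
        AUDIT_LOG.append(f"{now} DENY login user={username} reason=unknown_role")
        return None
    AUDIT_LOG.append(f"{now} ALLOW login user={username} role={role}")
    return RemoteSession(username, role, now)


def authorize(session: RemoteSession, action: str, now: float) -> bool:
    """Return True if the action is permitted; terminate the session if it sat idle too long."""
    if not session.active:
        return False
    if now - session.last_activity > IDLE_TIMEOUT:
        session.active = False
        AUDIT_LOG.append(f"{now} TERMINATE user={session.username} reason=idle")
        return False
    session.last_activity = now  # any request, allowed or not, counts as activity
    allowed = action in ROLE_PERMISSIONS[session.role]
    verdict = "ALLOW" if allowed else "DENY"
    AUDIT_LOG.append(f"{now} {verdict} action={action} user={session.username}")
    return allowed
```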

In general, HIPAA-covered entities should be extremely cautious about allowing the offsite use of, or access to, EPHI. Remote access to EPHI should only be granted to authorized users based on their role within the organization and their need for access to EPHI.

For more information on finding the remote access data security professionals you need, contact the IT staffing professionals at Bayside Solutions.
