
I have some more questions on HIPAA compliance.

  1. I'm considering presenting the idea of an RDS server to my clients, who are a family practice. If they use home PCs to remote in, do these PCs have to be encrypted?

  2. Right now they use a VPN to load Medent (a software package) that doesn't store data locally, but has the potential to. In this case the PCs should be encrypted, correct?

  3. Does anyone know of some resources I could use to further my knowledge of HIPAA compliance?

Thanks!

  • It's HIPAA, not HIPPA, by the way. – vcsjones Jul 30 '15 at 17:36
  • 1
    Not a lawyer nor an american, but from what I've heard about HIPAA, I would strongly suggest to get an actual expert on this topic on board (or become one!). Claiming "but I've asked on SF" if you or your client are investigated for a rule violation will not fly very well with the investigators. – Sven Jul 30 '15 at 17:37
  • Thanks for the Typo Fix. And that's a valid point Sven. I'll have to see what I can find. An actual expert would clarify quite a bit... – Douglas Lawson Jul 30 '15 at 17:46
  • 2
    With all due respect, hire a consultant to help you out. As I mentioned in your previous question, HIPAA is not easy to get right, and for a small practice, getting it wrong and having a breach will bankrupt the business, and then they'll go after you as well. – EEAA Jul 30 '15 at 18:07
  • Additionally, there is much more to HIPAA than securing a few computers. Policies and Procedures also have to be written and implemented, audits performed, records generated and retained, training plans and materials implemented, etc. – EEAA Jul 30 '15 at 18:10
  • I couldn't agree more with Sven and EEAA. But being prepared and educated is the only way to truly understand the consultant. Regardless of how you go about it, you can't get compliance certified without having developed, deployed, and audited your strategy, so the thought of ever being sued is only possible if you lie about your certification. – Lance Jul 30 '15 at 18:11

2 Answers


The following is the law and will be a dry read.

http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/hitechrfi.pdf

As I understand it, the law doesn't require you to implement any specific system but rather requires the system to anticipate and protect the privacy of medical information. It is on you to interpret what it means to protect the privacy of medical information.

In your example your client is connecting to a server over a VPN, and I assume that traffic is encrypted, to pull medical information. Your question is whether the computer needs to have its drives encrypted.

That to me would hinge on whether the data is stored (file saves, copy and paste, temporary files) on the drive of the computer. If so then encryption would be my recommendation.

Additionally, access control is a consideration. It would circumvent encryption and passwords if the operating system and/or software were configured to auto-decrypt the drive and store the passwords, allowing unauthorized access to the data by individuals who don't represent the company. This would extend to the user keeping sticky notes with their passwords attached to their monitor or under their keyboard.

In summary, you're asking what HIPAA's requirements are. Those requirements, as I interpret them, are for a company or organization to develop procedures to reasonably prevent unauthorized leaks of private medical information. What I think you're looking for is best practices for solving this problem. Lance's links are very good at answering that question. The ultimate goal is to prevent medical information from being leaked.

Vex Mage
  • Thanks for the info. I think I'm getting a much clearer grasp on all of this. – Douglas Lawson Jul 30 '15 at 18:36
  • It's not only about data protection - it's also about ensuring that the data is always *available* as well. – EEAA Jul 30 '15 at 18:47
  • It was also mentioned that you should hire an auditor or become certified. Certification programs exist and I believe aren't expensive. It would also look good on your CV and business portfolio. – Vex Mage Jul 30 '15 at 21:11
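The answer above makes the encryption question hinge on whether PHI can actually land on the home PC (saved files, clipboard, temporary files) and on whether the disk auto-decrypts without the user. The following is an added example, not from the original post or from any of the commenters, that turns those two points into an audit on a Windows RDS deployment. It assumes it is run from an elevated PowerShell prompt, that the session host is a Windows Server with Remote Desktop Services, that the home PCs have the BitLocker PowerShell module, and that the standard Terminal Services Group Policy registry values are in use; the function names and the chosen policy set are this example's own.

```powershell
# Added example (not the original poster's or the answerer's code).
# Assumptions: elevated PowerShell; Windows RDS session host; BitLocker module on clients.

# Policy key written by the "Remote Desktop Services" Group Policy templates.
# A value of 1 for the fDisable* entries turns that redirection OFF, so nothing
# shown in the session can be saved, printed or pasted onto the client drive.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$RequiredPolicies = @{
    fDisableClip       = 1   # clipboard redirection off
    fDisableCdm        = 1   # client drive mapping off
    fDisableCpm        = 1   # client printer redirection off
    fDisableLPT        = 1   # LPT port redirection off
    fDisableCcm        = 1   # COM port redirection off
    UserAuthentication = 1   # require Network Level Authentication
    SecurityLayer      = 2   # TLS as the RDP security layer
    MinEncryptionLevel = 3   # "High" (128-bit) session encryption
}

function Test-RdsHostPolicy {
    # Run on the session host. Reports each required value and, with -Enforce,
    # writes the expected value (same effect as setting the GPO locally).
    [CmdletBinding()]
    param([switch]$Enforce)

    foreach ($name in $RequiredPolicies.Keys) {
        $expected = $RequiredPolicies[$name]
        $actual = (Get-ItemProperty -Path $PolicyKey -Name $name -ErrorAction SilentlyContinue).$name
        $compliant = ($actual -eq $expected)
        if (-not $compliant -and $Enforce) {
            if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
            New-ItemProperty -Path $PolicyKey -Name $name -Value $expected `
                -PropertyType DWord -Force | Out-Null
            $actual = $expected
            $compliant = $true
        }
        [pscustomobject]@{ Setting = $name; Expected = $expected; Actual = $actual; Compliant = $compliant }
    }
}

function Test-ClientDiskEncryption {
    # Run on each home PC before it is allowed to connect. ProtectionStatus must be
    # 'On', and the OS volume should carry a TPM+PIN protector: a TPM-only
    # protector unlocks the disk on boot without the user, which is the
    # "auto-decrypt" situation the answer warns about.
    Get-BitLockerVolume |
        Where-Object { $_.VolumeType -in 'OperatingSystem', 'Data' } |
        ForEach-Object {
            [pscustomobject]@{
                MountPoint          = $_.MountPoint
                VolumeType          = $_.VolumeType
                ProtectionStatus    = $_.ProtectionStatus
                EncryptionPercent   = $_.EncryptionPercentage
                RequiresPreBootPin  = ($_.KeyProtector.KeyProtectorType -contains 'TpmPin')
            }
        }
}

# Usage:
#   On the RDS host:  Test-RdsHostPolicy            (audit)   /   Test-RdsHostPolicy -Enforce
#   On a home PC:     Test-ClientDiskEncryption
```

Run the host check before the client check: if redirection is off and the session is TLS-protected, the only PHI that can reach the home PC is what the user photographs or types out, and the disk-encryption question becomes a question about the VPN/Medent path rather than the RDS path. The policy value names are the ones Group Policy itself writes, so a domain GPO will overwrite anything `-Enforce` sets, which is the intended end state.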

I think it is reasonable to expect that any system that touches data needs to be encrypted, simply because it is not just the storage of the data that needs to be protected, but also the access.

Here are some resources for telecommuting and home offices regarding HIPAA:

http://www.all-things-medical-billing.com/hipaa-compliance-and-the-home-office.html

http://smallbusiness.chron.com/hipaa-telecommuting-1168.html

Lance
  • In regard to access being protected, the remote users would be required to have a password to access the RDS server. You would think the password for RDS is not enough and would require encryption too? – Douglas Lawson Jul 30 '15 at 17:45
  • The challenge is the ability to demonstrate security of data at rest as well as data in motion. Considering that the NIST requirements are applicable, security should ensure that the "home computer" attack vector, which is huge, is reduced to as reasonably secure as possible. A good article is: http://www.netop.com/fileadmin/netop/resources/products/administration/remote_control/whitepapers/Remote-Control-HIPAA_Encryption_US_01.pdf – Lance Jul 30 '15 at 17:52
  • We're working on a quad-factor security suite, and one of the issues we've come across is that it is the combination of security factors that makes the case for authentication, not simply the tiers/layers. Without digging too deep, the physical, visual, subjective, and relative are all required factors in any authentication strategy. On home computers that use two factor or worse just un/pw, there are too many options for obtaining that user's credentials when the system itself is unmanaged beyond simple antivirus. By running an encrypted host (even virtual), you secure the edges. – Lance Jul 30 '15 at 18:03