We frequently receive questions from our customers in the healthcare software arena about HIPAA compliant remote access for software support. HIPAA, as you may know, is an industry regulation that includes requirements for protecting sensitive patient information.
No product is HIPAA compliant by itself. However, proper utilization of products like Enexity SecureLink leads to compliance with HIPAA for remote software support.
One challenge in meeting the guidelines of HIPAA, or any other regulation, is that there are no specific measurements used to gauge compliance. One cannot simply say “this product weighs 6.8 pounds and is smaller than 45 cubic centimeters, and is therefore compliant.” We believe that compliance with HIPAA, and any other regulation, can be concisely reduced to the following three guidelines:
1) Implement standard operational policies and procedures to ensure the security and privacy of information.
2) Control and restrict what information can be accessed by whom.
3) Maintain an audit trail of information accessed.
As simple as these three are, you’d be surprised how many healthcare software companies and their customers fall well short of any of these three!
Here are a few of the relevant, specific components of HIPAA that pertain to remote support access for software vendors:
Access Control - § 164.312(a)(1) - Unique user identification, emergency access procedure, automatic logoff, encryption and decryption. Note that there are no specifics on how to accomplish this, only the conceptual elements of compliance. Most healthcare software companies use some combination of PC support tools and VPN connections to support their customers. PC support tools are great for end-user PC support and probably meet this requirement of access control, provided a policy is in place for the healthcare entity to monitor the vendor’s access when these tools are being used. VPN connections, while perceived as secure by hospitals, likely fall well short of “unique user identification,” since generic accounts are frequently issued to a vendor, who shares the login among many users. I would estimate that 5% of hospitals have a clearly defined policy and process for enabling vendors to use their VPN.
Audit Controls - § 164.312(b) - “Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.” Again, no specifics as to the level of audit, but a general guideline that you should know what’s happening. PC support tools essentially offer nothing in this arena, although a small minority of software vendors have access to recordings of desktop sharing sessions. Storing this information offsite may conflict with other elements of HIPAA compliance! VPNs typically offer basic logging of utilization, but tend to lack the ability to tie specific actions to individuals.
Data Integrity - § 164.312(c) - “Implement policies and procedures to protect electronic protected health information from improper alteration and destruction.” See the note above. While most healthcare entities have policies in place for their employees, few we’ve encountered have a documented policy regarding vendor network access for software support.
Transmission Security - § 164.312(e)(1) - “Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.” This one is fairly easy to understand and implement, as nearly every PC support tool and VPN includes encryption.
For information on how Enexity’s SecureLink VSN addresses compliance with HIPAA and other regulations, please visit the downloads section of our website.
