Business Associate Agreement
Under the final Omnibus Rule passed in early 2013, Managed Service Providers (MSPs) may now be considered Business Associates under HIPAA. We have been strengthening our overall information security program to comply with the new HIPAA guidelines. If you would like us to sign a Business Associate Agreement with you, please download, print and sign our Business Associate Agreement (BAA) and return it to us via email. A fully executed copy will be returned to you by email.
Is Remote Desktop Protocol (RDP) HIPAA and PCI Compliant?
NO; however, it can be HIPAA and PCI compliant if you use RDP across a VPN or SSL-VPN. HIPAA and PCI compliance rules are very clear:
- Any access from the Internet or a remote location must be encrypted, and passwords must be stored in a central, manageable location such as a managed firewall or Windows server,
- Remote access must be tracked and attempts to connect need to be logged,
- Login and Password are sent as encrypted data,
- Unlimited attempts to guess or crack a password are stopped by the VPN device.
Many organizations allow users to access their PCs and servers via RDP connections by opening a port on a router or firewall and letting the user connect directly to their office computer or server from home. This practice is not secure and is definitely NOT HIPAA or PCI compliant. Setting up a remote desktop with a weak password is just asking for trouble, and exposing a remote desktop port on the router or firewall invites attackers to target you; it is very risky. Some cloud providers simply open a firewall port and provide the customer with an RDP client; this is also NOT compliant. All traffic must be encrypted via a VPN or SSL-VPN.
So how can a healthcare facility or any other business allow remote access without violating HIPAA or PCI security standards?
- We recommend installing a SonicWALL Firewall.
- SonicWALL’s line of firewalls come with an SSL VPN, which is a secure way to create an encrypted connection to your office network before initiating a remote desktop connection.
- SonicWALLs are affordable for almost any business, starting at about $500 installed.
- We also offer Basic SonicWALL monitoring that stores logs offsite, sends reports and threat alerts.
- SonicWALL’s SSL-VPN feature provides easy access to work data from any Internet-enabled device by downloading a small SSL-VPN client.
- For physicians and executives who need to access sensitive data from multiple locations in a hurry, this product fits the bill perfectly.
Another issue that many business owners overlook is the patching of the Windows operating system. The healthcare law states that you must take preventative measures to protect patient data, PCI sensitive data and customers’ personal information. If you fail to keep your PCs and servers patched with the latest Microsoft security patches, your organization could be accused of negligence, and this failure can lead to virus attacks, data theft and other intrusions. ComputerStuff4You helps our medical customers protect themselves from HIPAA violations and qualify for “Meaningful Use” and the thousands of dollars that come with upgrading to EMR/EHR. If your practice or business is at risk, please contact us. We offer a free initial consultation.
HIPAA: What It is And What it Means for the IT Customer
The Health Insurance Portability and Accountability Act is a bill that was enacted by Congress in 1996. It consists of two parts, Title I and Title II. Title I of HIPAA protects health insurance coverage for workers and their families when they change or lose their jobs. Title II of HIPAA requires the establishment of national standards for electronic health care transactions and national identifiers for providers, health insurance plans, and employers. Title II is also known as the Administrative Simplification provisions, and it also addresses the security and privacy of a patient’s medical data. The bill was partly meant to encourage the use of electronic medical records and other forms of EDI (Electronic Data Interchange).
This bill has numerous implications for the IT business, and for you as an IT client. We are required to ensure that any client of ours that deals with people’s private medical data is adequately protected, and that any services we offer fall within the boundaries of what is allowed by the HIPAA guidelines. For example, a user who works for a health clinic and wishes to work remotely must use proper methods to access their office’s files, such as SSL-VPN. Also, the firewall that terminates the SSL-VPN connection must be fully PCI compliant, which is why we offer SonicWALL firewalls.
SonicWALLs meet all compliance standards, and you can read more about some of those standards in the following guides by the National Institute of Standards and Technology:
NIST Special Publication 800-30: Risk Management Guide for Information Technology Systems
NIST Special Publication 800-52: Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations
NIST Special Publication 800-66: An Introductory Resource Guide for Implementing the HIPAA Security Rule
NIST Special Publication 800-77: Guide to IPsec VPNs
NIST Special Publication 800-88: Computer Security
NIST Special Publication 800-111: Guide to Storage Encryption Technologies for End User Devices
NIST Special Publication 800-113: Guide to SSL VPNs
HIPAA: Why do I need a timeout on my EMR/Cloud Solution/Desktop/Virtual Desktop/Remote Desktop?
-HIPAA is written intentionally vaguely. For example, §164.312(a)(2)(iii) states only that you will automatically log off an electronic session after a predetermined time of inactivity as part of your technical safeguards.
-HIPAA Administrative Simplification from https://www.hhs.gov/hipaa/for-professionals/
-HIPAA Security Rule Crosswalk to NIST Cybersecurity Framework from https://www.hhs.gov/hipaa/for-professionals/security/nist-security-hipaa-crosswalk/
How does this help you?
You can look up §164.312(a)(2)(iii) on the crosswalk and see that it maps to several controls from NIST SP 800-53 Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations [PDF]. From there we are shown the following control:
AC-11 SESSION LOCK
Control: The information system:
Prevents further access to the system by initiating a session lock after [Assignment: organization-defined time period] of inactivity or upon receiving a request from a user; and
Retains the session lock until the user reestablishes access using established identification and authentication procedures.
Supplemental Guidance: Session locks are temporary actions taken when users stop work and move away from the immediate vicinity of information systems but do not want to log out because of the temporary nature of their absences. Session locks are implemented where session activities can be determined. This is typically at the operating system level, but can also be at the application level. Session locks are not an acceptable substitute for logging out of information systems, for example, if organizations require users to log out at the end of workdays. Related control: AC-7.
(1) SESSION LOCK | PATTERN-HIDING DISPLAYS
The information system conceals, via the session lock, information previously visible on the display with a publicly viewable image.
Supplemental Guidance: Publicly viewable images can include static or dynamic images, for example, patterns used with screen savers, photographic images, solid colors, clock, battery life indicator, or a blank screen, with the additional caveat that none of the images convey sensitive information. References: OMB Memorandum 06-16
And then, if you chase down the references, you will see that OMB recommends that federal agencies have a timeout of no more than 30 minutes.
Realistically and ultimately, it’s up to your organization and the results of your risk assessment to determine a “reasonable or appropriate” timeout period. High-traffic areas that the public could access easily (read: not in a locked office) probably need a shorter timeout than that.
When your organization gets a no-kidding audit from OCR, there is a protocol they follow (https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/protocol/index.html). They’ll ask to see the documentation on your controls, they’ll test the effectiveness of the controls, they’ll ask for the procedures and policies driving the controls, and they’ll question how you arrived at the decision you did.
Basically, if you do a risk assessment, use a known and well-accepted framework. If you implement controls, base them on an industry standard. Using NIST as the basis of your policy standards is a fairly safe move in the U.S., but the crosswalk also highlights COBIT, ISA, ISO/IEC, and CCS CSC.
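As an added example (not code from the original page or from ComputerStuff4You), the following PowerShell check reads the three Windows Group Policy values that implement an AC-11 style session lock (the secured screen-saver timeout, the machine inactivity limit and the Remote Desktop idle-session limit) and reports whether each is configured and within an organization-defined maximum, so you have evidence of the control ready for the kind of audit described above. The registry locations are the standard policy keys; the 30-minute default is an assumption taken from the OMB figure above and should be replaced with the period your own risk assessment produced.

```powershell
# Added audit helper (not from the original page). Reports whether the Windows
# session-lock timeouts behind AC-11 are set and within an assumed limit.
function Test-SessionLockTimeout {
    param([int]$MaxMinutes = 30)   # assumption: OMB's 30-minute figure

    # Read a policy value, returning $null when the key or value is absent.
    function Get-PolicyValue([string]$Path, [string]$Name) {
        try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
        catch { $null }
    }

    # Divisor converts the stored unit into minutes: ScreenSaveTimeOut is a
    # REG_SZ in seconds, InactivityTimeoutSecs a DWORD in seconds, and
    # MaxIdleTime a DWORD in milliseconds. HKCU reflects the user running this.
    $checks = @(
        @{ Setting = 'Screen saver timeout (user policy)'
           Path    = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
           Name    = 'ScreenSaveTimeOut'; Divisor = 60 }
        @{ Setting = 'Machine inactivity limit'
           Path    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
           Name    = 'InactivityTimeoutSecs'; Divisor = 60 }
        @{ Setting = 'Remote Desktop idle session limit'
           Path    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
           Name    = 'MaxIdleTime'; Divisor = 60000 }
    )

    foreach ($c in $checks) {
        $raw = Get-PolicyValue $c.Path $c.Name
        if ($null -eq $raw -or [int64]$raw -le 0) {
            # Missing or zero means the session never locks on its own.
            $minutes = $null; $ok = $false; $note = 'not configured'
        } else {
            $minutes = [math]::Round([double]$raw / $c.Divisor, 1)
            $ok = $minutes -le $MaxMinutes
            $note = if ($ok) { 'within limit' } else { "exceeds $MaxMinutes min" }
        }
        [pscustomobject]@{ Setting = $c.Setting; Minutes = $minutes; Compliant = $ok; Note = $note }
    }

    # A screen saver timeout only locks the session if "On resume, display
    # logon screen" (ScreenSaverIsSecure) is also enforced; report that too.
    $secure = Get-PolicyValue 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop' 'ScreenSaverIsSecure'
    [pscustomobject]@{ Setting = 'Screen saver requires logon'; Minutes = $null
                       Compliant = ($secure -eq '1'); Note = if ($secure -eq '1') { 'enforced' } else { 'not enforced' } }
}

Test-SessionLockTimeout -MaxMinutes 30 | Format-Table -AutoSize
```

Run it as the user whose policy you are auditing, since the HKCU entries are per user; a `Compliant` of `False` on every row usually means the settings are applied some other way (for example by an EMR application) or not at all, and either case needs to be documented.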
Additional information regarding HIPAA can be found here: https://www.hhs.gov/hipaa/for-professionals/security/guidance/index.html